2.2.3

git-svn-id: http://svn.automattic.com/wordpress/tags/2.2.3@6063 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/admin-ajax.php

@@ -286,7 +286,7 @@ case 'autosave-generate-nonces' :
 			die(wp_create_nonce('update-page_' . $ID));
 		}
 	}
-	die($_POST['post_type']);
+	die('0');
 break;
 default :
 	do_action( 'wp_ajax_' . $_POST['action'] );

wp-admin/admin-db.php

@@ -82,7 +82,7 @@ function get_nonauthor_user_ids() {
 function wp_insert_category($catarr) {
 	global $wpdb;
 
-	extract($catarr);
+	extract($catarr, EXTR_SKIP);
 
 	if( trim( $cat_name ) == '' )
 		return 0;
@@ -297,7 +297,7 @@ function wp_revoke_user($id) {
 function wp_insert_link($linkdata) {
 	global $wpdb, $current_user;
 
-	extract($linkdata);
+	extract($linkdata, EXTR_SKIP);
 
 	$update = false;
 
@@ -419,9 +419,11 @@ function wp_delete_link($link_id) {
 	}
 
 	$wpdb->query("DELETE FROM $wpdb->link2cat WHERE link_id = '$link_id'");
-	return $wpdb->query("DELETE FROM $wpdb->links WHERE link_id = '$link_id'");
+	$wpdb->query("DELETE FROM $wpdb->links WHERE link_id = '$link_id'");
 	
 	do_action('deleted_link', $link_id);
+
+	return true;
 }
 
 function wp_get_link_cats($link_ID = 0) {

wp-admin/admin-functions.php

@@ -105,6 +105,8 @@ function wp_write_post() {
 		$_POST['post_date'] = sprintf( "%04d-%02d-%02d %02d:%02d:%02d", $aa, $mm, $jj, $hh, $mn, $ss );
 		$_POST['post_date_gmt'] = get_gmt_from_date( $_POST['post_date'] );
 	}
+	
+	unset($_POST['no_filter']);
 
 	// Create the post.
 	$post_ID = wp_insert_post( $_POST );
@@ -283,6 +285,8 @@ function edit_post() {
 			delete_meta( $key );
 	}
 
+	unset($_POST['no_filter']);
+	
 	add_meta( $post_ID );
 
 	wp_update_post( $_POST );
@@ -347,6 +351,8 @@ function get_post_to_edit( $id ) {
 	$post->post_title = apply_filters( 'title_edit_pre', $post->post_title );
 
 	$post->post_password = format_to_edit( $post->post_password );
+	
+	$post->menu_order = (int) $post->menu_order;
 
 	if ( $post->post_type == 'page' )
 		$post->page_template = get_post_meta( $id, '_wp_page_template', true );
@@ -396,12 +402,16 @@ function get_default_post_to_edit() {
 
 function get_comment_to_edit( $id ) {
 	$comment = get_comment( $id );
+	
+	$comment->comment_ID = (int) $comment->comment_ID;
+	$comment->comment_post_ID = (int) $comment->comment_post_ID;
 
-	$comment->comment_content = format_to_edit( $comment->comment_content, user_can_richedit() );
+	$comment->comment_content = format_to_edit( $comment->comment_content );
 	$comment->comment_content = apply_filters( 'comment_edit_pre', $comment->comment_content);
 
 	$comment->comment_author = format_to_edit( $comment->comment_author );
 	$comment->comment_author_email = format_to_edit( $comment->comment_author_email );
+	$comment->comment_author_url = clean_url($comment->comment_author_url);
 	$comment->comment_author_url = format_to_edit( $comment->comment_author_url );
 
 	return $comment;
@@ -409,6 +419,9 @@ function get_comment_to_edit( $id ) {
 
 function get_category_to_edit( $id ) {
 	$category = get_category( $id );
+	
+	$category->term_id = (int) $category->term_id;
+	$category->parent = (int) $category->parent;
 
 	return $category;
 }
@@ -892,7 +905,7 @@ function user_row( $user_object, $style = '' ) {
 function _wp_get_comment_list( $s = false, $start, $num ) {
 	global $wpdb;
 
-	$start = (int) $start;
+	$start = abs( (int) $start );
 	$num = (int) $num;
 
 	if ( $s ) {
@@ -935,7 +948,7 @@ function _wp_comment_list_item( $id, $alt = 0 ) {
 <?php
 if ( current_user_can('edit_post', $comment->comment_post_ID) ) {
 	echo " <a href='comment.php?action=editcomment&amp;c=".$comment->comment_ID."'>" .  __('Edit') . '</a>';
-	echo ' | <a href="' . wp_nonce_url('ocomment.php?action=deletecomment&amp;p=' . $comment->comment_post_ID . '&amp;c=' . $comment->comment_ID, 'delete-comment_' . $comment->comment_ID) . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . js_escape(sprintf(__("You are about to delete this comment by '%s'.\n'Cancel' to stop, 'OK' to delete."), $comment->comment_author)) . "', theCommentList );\">" . __('Delete') . '</a> ';
+	echo ' | <a href="' . wp_nonce_url('comment.php?action=deletecomment&amp;p=' . $comment->comment_post_ID . '&amp;c=' . $comment->comment_ID, 'delete-comment_' . $comment->comment_ID) . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . js_escape(sprintf(__("You are about to delete this comment by '%s'.\n'Cancel' to stop, 'OK' to delete."), $comment->comment_author)) . "', theCommentList );\">" . __('Delete') . '</a> ';
 	if ( ('none' != $comment_status) && ( current_user_can('moderate_comments') ) ) {
 		echo '<span class="unapprove"> | <a href="' . wp_nonce_url('comment.php?action=unapprovecomment&amp;p=' . $comment->comment_post_ID . '&amp;c=' . $comment->comment_ID, 'unapprove-comment_' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\', theCommentList );">' . __('Unapprove') . '</a> </span>';
 		echo '<span class="approve"> | <a href="' . wp_nonce_url('comment.php?action=approvecomment&amp;p=' . $comment->comment_post_ID . '&amp;c=' . $comment->comment_ID, 'approve-comment_' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\', theCommentList );">' . __('Approve') . '</a> </span>';
@@ -1026,6 +1039,7 @@ function list_meta( $meta ) {
 		$key_js = js_escape( $entry['meta_key'] );
 		$entry['meta_key']   = attribute_escape($entry['meta_key']);
 		$entry['meta_value'] = attribute_escape($entry['meta_value']);
+		$entry['meta_id'] = (int) $entry['meta_id'];
 		$r .= "\n\t<tr id='meta-{$entry['meta_id']}' class='$style'>";
 		$r .= "\n\t\t<td valign='top'><input name='meta[{$entry['meta_id']}][key]' tabindex='6' type='text' size='20' value='{$entry['meta_key']}' /></td>";
 		$r .= "\n\t\t<td><textarea name='meta[{$entry['meta_id']}][value]' tabindex='6' rows='2' cols='30'>{$entry['meta_value']}</textarea></td>";
@@ -1078,7 +1092,7 @@ function meta_form() {
 <?php
 
 	foreach ( $keys as $key ) {
-		$key = attribute_escape( $key);
+		$key = attribute_escape( $key );
 		echo "\n\t<option value='$key'>$key</option>";
 	}
 ?>
@@ -1099,6 +1113,8 @@ function add_meta( $post_ID ) {
 	global $wpdb;
 	$post_ID = (int) $post_ID;
 
+	$protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
+
 	$metakeyselect = $wpdb->escape( stripslashes( trim( $_POST['metakeyselect'] ) ) );
 	$metakeyinput = $wpdb->escape( stripslashes( trim( $_POST['metakeyinput'] ) ) );
 	$metavalue = maybe_serialize( stripslashes( (trim( $_POST['metavalue'] ) ) ));
@@ -1114,6 +1130,9 @@ function add_meta( $post_ID ) {
 		if ( $metakeyinput)
 			$metakey = $metakeyinput; // default
 
+		if ( in_array($metakey, $protected) )
+			return false;
+
 		$result = $wpdb->query( "
 						INSERT INTO $wpdb->postmeta 
 						(post_id,meta_key,meta_value ) 
@@ -1133,6 +1152,12 @@ function delete_meta( $mid ) {
 
 function update_meta( $mid, $mkey, $mvalue ) {
 	global $wpdb;
+
+	$protected = array( '_wp_attached_file', '_wp_attachment_metadata', '_wp_old_slug', '_wp_page_template' );
+
+	if ( in_array($mkey, $protected) )
+		return false;
+
 	$mvalue = maybe_serialize( stripslashes( $mvalue ));
 	$mvalue = $wpdb->escape( $mvalue );
 	$mid = (int) $mid;

wp-admin/comment.php

@@ -39,7 +39,7 @@ case 'mac':
 	$nonce_action = 'cdc' == $action ? 'delete-comment_' : 'approve-comment_';
 	$nonce_action .= $comment;
 
-	if ( ! $comment = get_comment($comment) )
+	if ( ! $comment = get_comment_to_edit($comment) )
 		wp_die(__('Oops, no comment with this ID.').sprintf(' <a href="%s">'.__('Go back').'</a>!', 'edit.php'));
 
 	if ( !current_user_can('edit_post', $comment->comment_post_ID) )
@@ -96,7 +96,7 @@ case 'mac':
 <?php } ?>
 <tr>
 <th scope="row" valign="top"><p><?php _e('Comment:'); ?></p></th>
-<td><?php echo apply_filters( 'comment_text', $comment->comment_content ); ?></td>
+<td><?php echo $comment->comment_content; ?></td>
 </tr>
 </table>
 
@@ -155,7 +155,7 @@ case 'unapprovecomment':
 	if ((wp_get_referer() != "") && (false == $noredir)) {
 		wp_redirect(wp_get_referer());
 	} else {
-		wp_redirect(get_option('siteurl') .'/wp-admin/edit.php?p='.$comment->comment_post_ID.'&c=1#comments');
+		wp_redirect(get_option('siteurl') .'/wp-admin/edit.php?p='. (int) $comment->comment_post_ID.'&c=1#comments');
 	}
 	exit();
 	break;
@@ -185,7 +185,7 @@ case 'approvecomment':
 	if ((wp_get_referer() != "") && (false == $noredir)) {
 		wp_redirect(wp_get_referer());
 	} else {
-		wp_redirect(get_option('siteurl') .'/wp-admin/edit.php?p='.$comment->comment_post_ID.'&c=1#comments');
+		wp_redirect(get_option('siteurl') .'/wp-admin/edit.php?p='. (int) $comment->comment_post_ID.'&c=1#comments');
 	}
 	exit();
 	break;

wp-admin/edit-comments.php

@@ -76,9 +76,10 @@ if ( !empty( $_POST['delete_comments'] ) ) :
 endif;
 
 if ( isset( $_GET['apage'] ) )
-	$page = (int) $_GET['apage'];
+	$page = abs( (int) $_GET['apage'] );
 else
 	$page = 1;
+
 $start = $offset = ( $page - 1 ) * 20;
 
 list($_comments, $total) = _wp_get_comment_list( isset($_GET['s']) ? $_GET['s'] : false, $start, 25 ); // Grab a few extra
@@ -87,8 +88,8 @@ $comments = array_slice($_comments, 0, 20);
 $extra_comments = array_slice($_comments, 20);
 
 $page_links = paginate_links( array(
-	'base' => 'edit-comments.php?%_%',
-	'format' => 'apage=%#%',
+	'base' => add_query_arg( 'apage', '%#%' ), 
+	'format' => '',
 	'total' => ceil($total / 20),
 	'current' => $page
 ));

wp-admin/edit-form-advanced.php

@@ -1,10 +1,12 @@
 <?php
+if ( isset($_GET['message']) )
+	  $_GET['message'] = (int) $_GET['message'];
 $messages[1] = __('Post updated');
 $messages[2] = __('Custom field updated');
 $messages[3] = __('Custom field deleted.');
 ?>
 <?php if (isset($_GET['message'])) : ?>
-<div id="message" class="updated fade"><p><?php echo $messages[$_GET['message']]; ?></p></div>
+<div id="message" class="updated fade"><p><?php echo wp_specialchars($messages[$_GET['message']]); ?></p></div>
 <?php endif; ?>
 
 <form name="post" action="post.php" method="post" id="post">
@@ -21,16 +23,17 @@ if (0 == $post_ID) {
 	$form_extra = "<input type='hidden' id='post_ID' name='temp_ID' value='$temp_ID' />";
 	wp_nonce_field('add-post');
 } else {
+	$post_ID = (int) $post_ID;
 	$form_action = 'editpost';
 	$form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />";
 	wp_nonce_field('update-post_' .  $post_ID);
 }
 
-$form_pingback = '<input type="hidden" name="post_pingback" value="' . get_option('default_pingback_flag') . '" id="post_pingback" />';
+$form_pingback = '<input type="hidden" name="post_pingback" value="' . (int) get_option('default_pingback_flag') . '" id="post_pingback" />';
 
-$form_prevstatus = '<input type="hidden" name="prev_status" value="' . $post->post_status . '" />';
+$form_prevstatus = '<input type="hidden" name="prev_status" value="' . attribute_escape( $post->post_status ) . '" />';
 
-$form_trackback = '<input type="text" name="trackback_url" style="width: 415px" id="trackback" tabindex="7" value="'. str_replace("\n", ' ', $post->to_ping) .'" />';
+$form_trackback = '<input type="text" name="trackback_url" style="width: 415px" id="trackback" tabindex="7" value="'. attribute_escape( str_replace("\n", ' ', $post->to_ping) ) .'" />';
 
 if ('' != $post->pinged) {
 	$pings = '<p>'. __('Already pinged:') . '</p><ul>';
@@ -41,16 +44,16 @@ if ('' != $post->pinged) {
 	$pings .= '</ul>';
 }
 
-$saveasdraft = '<input name="save" type="submit" id="save" tabindex="3" value="' . __('Save and Continue Editing') . '" />';
+$saveasdraft = '<input name="save" type="submit" id="save" tabindex="3" value="' . attribute_escape( __('Save and Continue Editing') ) . '" />';
 
 if (empty($post->post_status)) $post->post_status = 'draft';
 
 ?>
 
-<input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" />
+<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" />
 <input type="hidden" id="hiddenaction" name="action" value="<?php echo $form_action ?>" />
 <input type="hidden" id="originalaction" name="originalaction" value="<?php echo $form_action ?>" />
-<input type="hidden" name="post_author" value="<?php echo $post->post_author ?>" />
+<input type="hidden" name="post_author" value="<?php echo attribute_escape( $post->post_author ); ?>" />
 <input type="hidden" id="post_type" name="post_type" value="post" />
 
 <?php echo $form_extra ?>
@@ -88,12 +91,12 @@ addLoadEvent(focusit);
 
 <fieldset id="passworddiv" class="dbx-box">
 <h3 class="dbx-handle"><?php _e('Post Password') ?></h3> 
-<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo $post->post_password ?>" /></div>
+<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo attribute_escape( $post->post_password ); ?>" /></div>
 </fieldset>
 
 <fieldset id="slugdiv" class="dbx-box">
 <h3 class="dbx-handle"><?php _e('Post Slug') ?></h3> 
-<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo $post->post_name ?>" /></div>
+<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo attribute_escape( $post->post_name ); ?>" /></div>
 </fieldset>
 
 <fieldset id="poststatusdiv" class="dbx-box">
@@ -125,7 +128,7 @@ foreach ($authors as $o) :
 $o = get_userdata( $o->ID );
 if ( $post->post_author == $o->ID || ( empty($post_ID) && $user_ID == $o->ID ) ) $selected = 'selected="selected"';
 else $selected = '';
-echo "<option value='$o->ID' $selected>$o->display_name</option>";
+echo "<option value='" . (int) $o->ID . "' $selected>" . wp_specialchars( $o->display_name ) . "</option>";
 endforeach;
 ?>
 </select>
@@ -140,7 +143,7 @@ endforeach;
 
 <fieldset id="titlediv">
 	<legend><?php _e('Title') ?></legend>
-	<div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo $post->post_title; ?>" id="title" /></div>
+	<div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape($post->post_title); ?>" id="title" /></div>
 </fieldset>
 
 <fieldset id="<?php echo user_can_richedit() ? 'postdivrich' : 'postdiv'; ?>">
@@ -168,7 +171,7 @@ endforeach;
 if ('publish' != $post->post_status || 0 == $post_ID) {
 ?>
 <?php if ( current_user_can('publish_posts') ) : ?>
-	<input name="publish" type="submit" id="publish" tabindex="5" accesskey="p" value="<?php _e('Publish') ?>" /> 
+	<input name="publish" type="submit" id="publish" tabindex="5" accesskey="p" value="<?php _e('Publish'); ?>" /> 
 <?php endif; ?>
 <?php
 }
@@ -186,7 +189,7 @@ else
 
 <?php
 if (current_user_can('upload_files')) {
-	$uploading_iframe_ID = (0 == $post_ID ? $temp_ID : $post_ID);
+	$uploading_iframe_ID = (int) (0 == $post_ID ? $temp_ID : $post_ID);
 	$uploading_iframe_src = wp_nonce_url("upload.php?style=inline&amp;tab=upload&amp;post_id=$uploading_iframe_ID", 'inlineuploading');
 	$uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src);
 	if ( false != $uploading_iframe_src )

wp-admin/edit-form-comment.php

@@ -2,13 +2,13 @@
 $submitbutton_text = __('Edit Comment »');
 $toprow_title = sprintf(__('Editing Comment # %s'), $comment->comment_ID);
 $form_action = 'editedcomment';
-$form_extra = "' />\n<input type='hidden' name='comment_ID' value='" . $comment->comment_ID . "' />\n<input type='hidden' name='comment_post_ID' value='".$comment->comment_post_ID;
+$form_extra = "' />\n<input type='hidden' name='comment_ID' value='" . $comment->comment_ID . "' />\n<input type='hidden' name='comment_post_ID' value='" . $comment->comment_post_ID;
 ?>
 
 <form name="post" action="comment.php" method="post" id="post">
 <?php wp_nonce_field('update-comment_' . $comment->comment_ID) ?>
 <div class="wrap">
-<input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" />
+<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" />
 <input type="hidden" name="action" value='<?php echo $form_action . $form_extra ?>' />
 
 <script type="text/javascript">
@@ -20,19 +20,19 @@ addLoadEvent(focusit);
 <fieldset id="namediv">
     <legend><label for="name"><?php _e('Name:') ?></label></legend>
 	<div>
-	  <input type="text" name="newcomment_author" size="25" value="<?php echo $comment->comment_author ?>" tabindex="1" id="name" />
+	  <input type="text" name="newcomment_author" size="25" value="<?php echo attribute_escape( $comment->comment_author ); ?>" tabindex="1" id="name" />
     </div>
 </fieldset>
 <fieldset id="emaildiv">
         <legend><label for="email"><?php _e('E-mail:') ?></label></legend>
 		<div>
-		  <input type="text" name="newcomment_author_email" size="20" value="<?php echo $comment->comment_author_email ?>" tabindex="2" id="email" />
+		  <input type="text" name="newcomment_author_email" size="20" value="<?php echo attribute_escape( $comment->comment_author_email ); ?>" tabindex="2" id="email" />
     </div>
 </fieldset>
 <fieldset id="uridiv">
         <legend><label for="newcomment_author_url"><?php _e('URL:') ?></label></legend>
 		<div>
-		  <input type="text" id="newcomment_author_url" name="newcomment_author_url" size="35" value="<?php echo $comment->comment_author_url ?>" tabindex="3" />
+		  <input type="text" id="newcomment_author_url" name="newcomment_author_url" size="35" value="<?php echo attribute_escape( $comment->comment_author_url ); ?>" tabindex="3" />
     </div>
 </fieldset>
 

wp-admin/edit-form.php

@@ -6,7 +6,7 @@
 <?php if (isset($mode) && 'bookmarklet' == $mode) : ?>
 <input type="hidden" name="mode" value="bookmarklet" />
 <?php endif; ?>
-<input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" />
+<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" />
 <input type="hidden" name="action" value='post' />
 
 <script type="text/javascript">
@@ -21,7 +21,7 @@ addLoadEvent(focusit);
 <div id="poststuff">
     <fieldset id="titlediv">
       <legend><a href="http://wordpress.org/docs/reference/post/#title" title="<?php _e('Help on titles') ?>"><?php _e('Title') ?></a></legend> 
-	  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo $post->post_title; ?>" id="title" /></div>
+	  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape( $post->post_title ); ?>" id="title" /></div>
     </fieldset>
 
     <fieldset id="categorydiv">
@@ -49,7 +49,7 @@ edCanvas = document.getElementById('content');
 //-->
 </script>
 
-<input type="hidden" name="post_pingback" value="<?php echo get_option('default_pingback_flag') ?>" id="post_pingback" />
+<input type="hidden" name="post_pingback" value="<?php echo (int) get_option('default_pingback_flag') ?>" id="post_pingback" />
 
 <p><label for="trackback"> <?php printf(__('<a href="%s" title="Help on trackbacks"><strong>TrackBack</strong> a <abbr title="Universal Resource Locator">URL</abbr></a>:</label> (Separate multiple <abbr title="Universal Resource Locator">URL</abbr>s with spaces.)'), 'http://wordpress.org/docs/reference/post/#trackback'); echo '<br />'; ?>
 	<input type="text" name="trackback_url" style="width: 360px" id="trackback" tabindex="7" /></p>
@@ -64,7 +64,7 @@ edCanvas = document.getElementById('content');
 <?php if ('bookmarklet' != $mode) {
 		echo '<input name="advanced" type="submit" id="advancededit" tabindex="7" value="' .  __('Advanced Editing &raquo;') . '" />';
 	} ?>
-	<input name="referredby" type="hidden" id="referredby" value="<?php if ( wp_get_referer() ) echo urlencode(wp_get_referer()); ?>" />
+	<input name="referredby" type="hidden" id="referredby" value="<?php if ( $refby = wp_get_referer() ) echo urlencode($refby); ?>" />
 </p>
 
 <?php do_action('simple_edit_form', ''); ?>

wp-admin/edit-page-form.php

@@ -2,17 +2,22 @@
 <div class="wrap">
 <h2 id="write-post"><?php _e('Write Page'); ?></h2>
 <?php
+
 if (0 == $post_ID) {
 	$form_action = 'post';
 	$nonce_action = 'add-page';
 	$temp_ID = -1 * time(); // don't change this formula without looking at wp_write_post()
 	$form_extra = "<input type='hidden' id='post_ID' name='temp_ID' value='$temp_ID' />";
 } else {
+	$post_ID = (int) $post_ID;
 	$form_action = 'editpost';
 	$nonce_action = 'update-page_' . $post_ID;
 	$form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />";
 }
 
+$temp_ID = (int) $temp_ID;
+$user_ID = (int) $user_ID;
+
 $sendto = clean_url(stripslashes(wp_get_referer()));
 
 if ( 0 != $post_ID && $sendto == get_permalink($post_ID) )
@@ -68,7 +73,7 @@ addLoadEvent(focusit);
 
 <fieldset id="passworddiv" class="dbx-box">
 <h3 class="dbx-handle"><?php _e('Page Password') ?></h3>
-<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo $post->post_password ?>" /></div>
+<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo attribute_escape( $post->post_password ); ?>" /></div>
 </fieldset>
 
 <fieldset id="pageparent" class="dbx-box">
@@ -93,7 +98,7 @@ addLoadEvent(focusit);
 
 <fieldset id="slugdiv" class="dbx-box">
 <h3 class="dbx-handle"><?php _e('Page Slug') ?></h3>
-<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo $post->post_name ?>" /></div>
+<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo attribute_escape( $post->post_name ); ?>" /></div>
 </fieldset>
 
 <?php if ( $authors = get_editable_authors( $current_user->id ) ) : // TODO: ROLE SYSTEM ?>
@@ -106,6 +111,8 @@ foreach ($authors as $o) :
 $o = get_userdata( $o->ID );
 if ( $post->post_author == $o->ID || ( empty($post_ID) && $user_ID == $o->ID ) ) $selected = 'selected="selected"';
 else $selected = '';
+$o->ID = (int) $o->ID;
+$o->display_name = wp_specialchars( $o->display_name );
 echo "<option value='$o->ID' $selected>$o->display_name</option>";
 endforeach;
 ?>
@@ -126,7 +133,7 @@ endforeach;
 
 <fieldset id="titlediv">
   <legend><?php _e('Page Title') ?></legend>
-  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo $post->post_title; ?>" id="title" /></div>
+  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape( $post->post_title ); ?>" id="title" /></div>
 </fieldset>
 
 

wp-admin/export.php

@@ -147,7 +147,7 @@ print '<?xml version="1.0" encoding="' . get_bloginfo('charset') . '"?' . ">\n";
 		contained in this file onto your blog.
 -->
 
-<!-- generator="wordpress/<?php bloginfo_rss('version') ?>" created="<?php echo date('Y-m-d H:m'); ?>"-->
+<!-- generator="wordpress/<?php bloginfo_rss('version') ?>" created="<?php echo date('Y-m-d H:i'); ?>"-->
 <rss version="2.0"
 	xmlns:content="http://purl.org/rss/1.0/modules/content/"
 	xmlns:wfw="http://wellformedweb.org/CommentAPI/"

wp-admin/import/wordpress.php

@@ -37,7 +37,8 @@ class WP_Import {
 	function get_tag( $string, $tag ) {
 		global $wpdb;
 		preg_match("|<$tag.*?>(.*?)</$tag>|is", $string, $return);
-		$return = $wpdb->escape( trim( $return[1] ) );
+		$return = preg_replace('|^<!\[CDATA\[(.*)\]\]>$|s', '$1', $return[1]);
+		$return = $wpdb->escape( trim( $return ) );
 		return $return;
 	}
 
@@ -215,7 +216,7 @@ class WP_Import {
 		$cat_names = (array) $wpdb->get_col("SELECT cat_name FROM $wpdb->categories");
 
 		while ( $c = array_shift($this->categories) ) {
-			$cat_name = trim(str_replace(array ('<![CDATA[', ']]>'), '', $this->get_tag( $c, 'wp:cat_name' )));
+			$cat_name = trim($this->get_tag( $c, 'wp:cat_name' ));
 
 			// If the category exists we leave it alone
 			if ( in_array($cat_name, $cat_names) )
@@ -274,7 +275,6 @@ class WP_Import {
 		$post_author    = $this->get_tag( $post, 'dc:creator' );
 
 		$post_content = $this->get_tag( $post, 'content:encoded' );
-		$post_content = str_replace(array ('<![CDATA[', ']]>'), '', $post_content);
 		$post_content = preg_replace('|<(/?[A-Z]+)|e', "'<' . strtolower('$1')", $post_content);
 		$post_content = str_replace('<br>', '<br />', $post_content);
 		$post_content = str_replace('<hr>', '<hr />', $post_content);

wp-admin/install-rtl.css

@@ -1,5 +1,15 @@
-body { font-family: Tahoma, Georgia, "Times New Roman", Times, serif; }
+body { font: 13px Tahoma, Georgia, "Times New Roman", Times, serif; }
 
 ul, ol { padding: 5px 20px 5px 5px; }
 
-.step, th { text-align: left; }
+h1, h2, h3 { font-family: "Times New Roman", Times, serif; font-weight: 700 }
+
+.step, th { text-align: left }
+
+input { font-family: "Times New Roman", Times, serif; padding: 1px }
+
+#logo {	background: url(../wp-content/plugins/WP-Jalali/wp-fa-logo.png) center right no-repeat;	text-align: left; }
+
+#admin_email {direction: ltr; text-align: left; }
+
+#footer { font-style: normal; }

wp-admin/install.php

@@ -82,7 +82,7 @@ switch($step) {
 
 <?php
 	$result = wp_install($weblog_title, 'admin', $admin_email, $public);
-	extract($result);
+	extract($result, EXTR_SKIP);
 ?>
 
 <p><em><?php _e('Finished!'); ?></em></p>

wp-admin/link-import.php

@@ -73,8 +73,8 @@ foreach ($categories as $category) {
 
 <h2><?php _e('Importing...') ?></h2>
 <?php
-		$cat_id = $_POST['cat_id'];
-		if ( $cat_id == '' || $cat_id == 0 )
+		$cat_id = abs( (int) $_POST['cat_id'] );
+		if ( $cat_id < 1 )
 			$cat_id  = 1;
 
 		$opml_url = $_POST['opml_url'];

wp-admin/options.php

@@ -10,77 +10,6 @@ wp_reset_vars(array('action'));
 if ( !current_user_can('manage_options') )
 	wp_die(__('Cheatin’ uh?'));
 
-function sanitize_option($option, $value) { // Remember to call stripslashes!
-
-	switch ($option) {
-		case 'admin_email':
-			$value = stripslashes($value);
-			$value = sanitize_email($value);
-			break;
-
-		case 'default_post_edit_rows':
-		case 'mailserver_port':
-		case 'comment_max_links':
-			$value = stripslashes($value);
-			$value = abs((int) $value);
-			break;
-
-		case 'posts_per_page':
-		case 'posts_per_rss':
-			$value = stripslashes($value);
-			$value = (int) $value;
-			if ( empty($value) ) $value = 1;
-			if ( $value < -1 ) $value = abs($value);
-			break;
-
-		case 'default_ping_status':
-		case 'default_comment_status':
-			$value = stripslashes($value);
-			// Options that if not there have 0 value but need to be something like "closed"
-			if ( $value == '0' || $value == '')
-				$value = 'closed';
-			break;
-
-		case 'blogdescription':
-		case 'blogname':
-			if (current_user_can('unfiltered_html') == false)
-				$value = wp_filter_post_kses( $value ); // calls stripslashes then addslashes
-			$value = stripslashes($value);
-			break;
-
-		case 'blog_charset':
-			$value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value); // strips slashes
-			break;
-
-		case 'date_format':
-		case 'time_format':
-		case 'mailserver_url':
-		case 'mailserver_login':
-		case 'mailserver_pass':
-		case 'ping_sites':
-		case 'upload_path':
-			$value = strip_tags($value);
-			$value = wp_filter_kses($value); // calls stripslashes then addslashes
-			$value = stripslashes($value);
-			break;
-
-		case 'gmt_offset':
-			$value = preg_replace('/[^0-9:.-]/', '', $value); // strips slashes
-			break;
-
-		case 'siteurl':
-		case 'home':
-			$value = stripslashes($value);
-			$value = clean_url($value);
-			break;
-		default :
-			$value = stripslashes($value);
-			break;
-	}
-
-	return $value;
-}
-
 switch($action) {
 
 case 'update':
@@ -127,10 +56,11 @@ $options = $wpdb->get_results("SELECT * FROM $wpdb->options ORDER BY option_name
 
 foreach ( (array) $options as $option) :
 	$disabled = '';
+	$option->option_name = attribute_escape($option->option_name);
 	if ( is_serialized($option->option_value) ) {
 		if ( is_serialized_string($option->option_value) ) {
 			// this is a serialized string, so we should display it
-			$value = wp_specialchars(maybe_unserialize($option->option_value), 'single');
+			$value = maybe_unserialize($option->option_value);
 			$options_to_update[] = $option->option_name;
 			$class = 'all-options';
 		} else {
@@ -139,7 +69,7 @@ foreach ( (array) $options as $option) :
 			$class = 'all-options disabled';
 		}
 	} else {
-		$value = wp_specialchars($option->option_value, 'single');
+		$value = $option->option_value;
 		$options_to_update[] = $option->option_name;
 		$class = 'all-options';
 	}
@@ -148,8 +78,8 @@ foreach ( (array) $options as $option) :
 	<th scope='row'><label for='$option->option_name'>$option->option_name</label></th>
 <td>";
 
-	if (strpos($value, "\n") !== false) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>$value</textarea>";
-	else echo "<input class='$class' type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . $value . "'$disabled />";
+	if (strpos($value, "\n") !== false) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>" . wp_specialchars($value) . "</textarea>";
+	else echo "<input class='$class' type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . attribute_escape($value) . "'$disabled />";
 
 	echo "</td>
 	<td>$option->option_description</td>
@@ -158,7 +88,7 @@ endforeach;
 ?>
   </table>
 <?php $options_to_update = implode(',', $options_to_update); ?>
-<p class="submit"><input type="hidden" name="page_options" value="<?php echo attribute_escape($options_to_update); ?>" /><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
+<p class="submit"><input type="hidden" name="page_options" value="<?php echo $options_to_update; ?>" /><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
   </form>
 </div>
 

wp-admin/rtl.css

@@ -1,205 +1,247 @@
-#viewarc, #viewcat, #namediv, #emaildiv, #uridiv, #planetnews li, #login ul li, #your-profile fieldset, 
-	#footer .logo, .alignleft .available-theme { float: right; }
+#viewarc, #viewcat, #namediv, #emaildiv, #uridiv, #planetnews li, #login ul li, #your-profile fieldset, #footer .logo, .alignleft .available-theme {
+	float: right;
+	}
 
-#templateside, .alignright { float: left; }
+#templateside, .alignright {
+	float: left;
+	}
 
-#login #send, .readmore, .widefat th { text-align: right; }
+#login #send, .readmore, .widefat th {
+	text-align: right;
+	}
 
-#postcustomsubmit, form#upload th, .submit, .editform th { text-align: left; }
+#postcustomsubmit, form#upload th, .submit, .editform th {
+	text-align: left;
+	}
 
-#devnews h4, #wphead h1, #your-profile legend, fieldset.options legend, 
-	#planetnews li .post { font-family: Tahoma, Georgia, "Times New Roman", Times, serif; }
+#devnews h4, #wphead h1, #your-profile legend, fieldset.options legend, #planetnews li .post {
+	font-family: Tahoma, Georgia, "Times New Roman", Times, serif;
+	}
 
-#wphead { padding: .8em 2em .8em 19em; }
+#wphead {
+	padding: .8em 2em .8em 19em;
+	}
 
-#wphead h1 { font-size: 2.4em; }
+#wphead h1 {
+	font-size: 2.4em;
+	}
 
-#postdiv, #titlediv, #guiddiv, #tagdiv { margin: 0 0 0 8px; }
+#postdiv, #titlediv, #guiddiv, #tagdiv {
+	margin: 0 0 0 8px;
+	}
 
-#ed_toolbar input { margin: 3px 0 2px 2px; }
+#ed_toolbar input {
+	margin: 3px 0 2px 2px;
+	}
 
-#edButtons input, #edButtons input:active { margin: 0px 0 -1px 2px; }
+#edButtons input, #edButtons input:active {
+	margin: 0px 0 -1px 2px;
+	}
 
-body, td { font: 13px Tahoma, "Lucida Grande", "Lucida Sans Unicode", Verdana; }
+body, td {
+	font: 13px Tahoma, "Lucida Grande", "Lucida Sans Unicode", Verdana;
+	}
 
-h2 { font: normal 32px/5px serif; }
+h1, h2, h3, h4, h5 {
+	font-family: "Times New Roman", Times, serif;
+	}
+h3.dbx-handle {
+	font-family: tahoma, Verdana, Arial, Helvetica, sans-serif;
+	}
 
-textarea, input, select { font:  13px Tahoma, Verdana, Arial, Helvetica, sans-serif; }
+textarea, input, select {
+	font:  13px Tahoma, Verdana, Arial, Helvetica, sans-serif;
+	}
 
-.quicktags, .search { font: 12px Tahoma, Georgia, "Times New Roman", Times, serif; }
+.quicktags, .search {
+	font: 12px Tahoma, Georgia, "Times New Roman", Times, serif;
+	}
 
-.updated, .confirm { padding: 0 3em 0 1em; }
+.updated, .confirm {
+	padding: 0 3em 0 1em;
+	}
 
 .submit input, .submit input:focus, .button, .button:focus {
 	border-left-color: #999;
 	border-right-color: #ccc;
-}
+	}
 
 .submit input:active, .button:active {
 	border-left-color: #ccc;
 	border-right-color: #999;
-}
+	}
 
 #adminmenu {
 	padding: .2em 2em .3em .2em;
 	height: 28px;
-}
-
-#adminmenu li { line-height: 160%; }
+	}
 
 #adminmenu a {
 	margin: 0 0 0 10px;
 	display: block;
 	float: right;
-}
+	font: 700 16px/130% "Times New Roman", Times, serif;
+	}
 
 #adminmenu a.current {
 	border-right: 0;
 	border-left: 2px solid #4f96c8;
-}
+	}
 
-#submenu, #minisub { padding: 1px 3em 0 2em; }
+#submenu, #minisub {
+	padding: 1px 3em 0 2em;
+	}
 
-#submenu { height: 28px; }
-
-#submenu li { line-height: 160%; }
+#submenu {
+	height: 28px;
+	}
 
 #submenu a {
 	margin: 0 0 0 10px;
 	display: block;
 	float: right;
-}
+	line-height: 155%;
+	}
 
 #submenu .current {
 	border-right: 0;
 	border-left: 2px solid #045290;
-}
+	}
 
 #currenttheme img {
 	float: right;
 	margin-right: auto;
 	margin-left: 1em;
-}
+	}
 
 #postdiv #quicktags {
 	padding-right: 0;
 	padding-left: 6px;
-}
+	}
 
 .readmore {
 	margin-right: auto;
 	margin-left: 5em;
-}
+	}
 
 #postexcerpt div, #attachmentlinks div {
 	margin-right: auto;
 	margin-left: 8px;
-}
+	}
 
 * html #postexcerpt .dbx-toggle-open {
 	padding-right: 0;
 	padding-left: 8px;
-}
+	}
 
 #searchform {
 	float: right;
 	margin-right: auto;
 	margin-left: 1em;
-}
+	}
 
 #poststuff {
 	margin-right: auto;
 	margin-left: 16em;
-}
+	}
 
 #template div {
 	margin-right: auto;
 	margin-left: 190px;
-}
+	}
 
 * html #template div {
 	margin-right: auto;
 	margin-left: 0px;
-}
+	}
 
 #user_info {
 	right: auto;
 	left: 1em;
-}
-
+	}
+	
 #zeitgeist {
 	float: left;
 	margin-left: auto;
 	margin-right: 1em;
-}
+	}
 
 #zeitgeist ul {
 	margin: 0 .6em .3em 0;
 	padding: 0 .6em 0 0;
-}
+	}
+
+.wrap ul {
+	margin-left: 500px;
+	}
 
 #categorydiv ul {
 	margin-left: auto;
 	margin-right: 10px;
-}
-
-#moremeta fieldset div { margin: 2px 0px 0 0; }
+	}
 
 #moremeta {
-	margin-right: auto;
+	margin-right: 0;
 	margin-left: 15px;
 	right: auto;
-	left: 5%;
-}
-
+	left: 6%;
+	}
+	
 #moremeta .dbx-content {
 	background: url(images/box-butt.gif) no-repeat bottom left;
-	padding-right: 0;
-	padding-left: 2px;
-}
+	padding-right: 10px;
+	padding-left: 0;
+	text-align: right;
+	}
+	
+#moremeta .dbx-handle {
+	background: #2685af url(images/box-head.gif) no-repeat left;
+	margin-top: -2px;
+	}
 
-#moremeta .dbx-handle { background: #2685af url(images/box-head.gif) no-repeat left; }
-
-#moremeta .dbx-box { background: url(images/box-bg.gif) repeat-y left; }
+#moremeta .dbx-box {
+	background: url(images/box-bg.gif) repeat-y left;
+	padding-bottom: 0;
+	}
 
 a.dbx-toggle, a.dbx-toggle:visited {
 	right: auto;
 	left: 2px;
-}
+	}
 
-#advancedstuff a.dbx-toggle, #advancedstuff a.dbx-toggle-open:visited {
-	right: auto;
-	left: 5px;
-}
-
-#advancedstuff a.dbx-toggle-open, #advancedstuff a.dbx-toggle-open:visited {
-	right: auto;
-	left: 5px;
-}
 
 #categorychecklist {
 	margin-right: auto;
 	margin-left: 6px;
-}
+	}
 
 #ajax-response.alignleft {
 	margin-left: auto;
 	margin-right: 2em;
-}
+	}
 
 #postdivrich #edButtons {
 	padding-left: 0;
 	padding-right: 3px;
-}
+	}
 
 .page-numbers {
 	margin-right: auto;
 	margin-left: 3px;
-}
+	}
 
 a.view-link {
 	right:auto;
 	left:5%;
 	margin-right:0;
 	margin-left:220px;
-}
+	}
+#advancedstuff {
+	direction: ltr;
+	}
+#advancedstuff .dbx-handle {
+	text-align: right;
+	}
+#advancedstuff .dbx-content * {
+	direction: rtl;
+	}

wp-admin/upload-functions.php

@@ -105,8 +105,9 @@ function wp_upload_form() {
 	$id = get_the_ID();
 	global $post_id, $tab, $style;
 	$enctype = $id ? '' : ' enctype="multipart/form-data"';
+	$post_id = (int) $post_id;
 ?>
-	<form<?php echo $enctype; ?> id="upload-file" method="post" action="<?php echo get_option('siteurl') . "/wp-admin/upload.php?style=$style&amp;tab=upload&amp;post_id=$post_id"; ?>">
+	<form<?php echo $enctype; ?> id="upload-file" method="post" action="<?php echo get_option('siteurl') . '/wp-admin/upload.php?style=' . attribute_escape($style . '&amp;tab=upload&amp;post_id=' . $post_id); ?>">
 <?php
 	if ( $id ) :
 		$attachment = get_post_to_edit( $id );
@@ -201,7 +202,7 @@ function wp_upload_tab_upload_action() {
 
 		if ( !current_user_can( 'upload_files' ) )
 			wp_die( __('You are not allowed to upload files.')
-				. " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=$style&amp;tab=browse-all&amp;post_id=$post_id'>"
+				. " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=" . attribute_escape($style . "&amp;tab=browse-all&amp;post_id=$post_id") . "'>"
 				. __('Browse Files') . '</a>'
 			);
 
@@ -211,7 +212,7 @@ function wp_upload_tab_upload_action() {
 
 		if ( isset($file['error']) )
 			wp_die($file['error'] . "<br /><a href='" . get_option('siteurl')
-			. "/wp-admin/upload.php?style=$style&amp;tab=$from_tab&amp;post_id=$post_id'>" . __('Back to Image Uploading') . '</a>'
+			. "/wp-admin/upload.php?style=" . attribute_escape($style . "&amp;tab=$from_tab&amp;post_id=$post_id") . "'>" . __('Back to Image Uploading') . '</a>'
 		);
 
 		$url = $file['url'];
@@ -258,7 +259,7 @@ function wp_upload_tab_upload_action() {
 
 		if ( !current_user_can('edit_post', (int) $ID) )
 			wp_die( __('You are not allowed to delete this attachment.')
-				. " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=$style&amp;tab=$from_tab&amp;post_id=$post_id'>"
+				. " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=" . attribute_escape($style . "&amp;tab=$from_tab&amp;post_id=$post_id") . "'>"
 				. __('Go back') . '</a>'
 			);
 

wp-admin/user-edit.php

@@ -76,7 +76,7 @@ include ('admin-header.php');
 <form name="profile" id="your-profile" action="user-edit.php" method="post">
 <?php wp_nonce_field('update-user_' . $user_id) ?>
 <?php if ( $wp_http_referer ) : ?>
-	<input type="hidden" name="wp_http_referer" value="<?php echo wp_specialchars($wp_http_referer); ?>" />
+	<input type="hidden" name="wp_http_referer" value="<?php echo clean_url($wp_http_referer); ?>" />
 <?php endif; ?>
 <p>
 <input type="hidden" name="from" value="profile" />

wp-admin/users.php

@@ -381,7 +381,7 @@ foreach($roleclasses as $role => $roleclass) {
 <?php if ( !empty($role) ) : ?>
 	<th colspan="7"><h3><?php echo $wp_roles->role_names[$role]; ?></h3></th>
 <?php else : ?>
-	<th colspan="7"><h3><em><?php _e('No role for this blog'); ?></h3></th>
+	<th colspan="7"><h3><em><?php _e('No role for this blog'); ?></em></h3></th>
 <?php endif; ?>
 </tr>
 <tr class="thead">

wp-admin/widgets-rtl.css

@@ -4,7 +4,8 @@
 
 * html #palettediv ul { padding: 0 10px 0 0; }
 
-#palettediv ul { padding: 0 10px 0 0; }
+#palettediv ul { padding: 0 10px 0 0;
+ margin-left: 1px!important;}
 
 * .handle, #lastmodule span {
 	border-right: 1px solid #f2f2f2;

wp-admin/widgets.css

@@ -84,11 +84,11 @@ body {
 }
 
 .placematt {
-	position: absolute;
 	cursor: default;
 	margin: 10px 0 0;
 	padding: 0;
 	width: 238px;
+	float:left;
 	background-color: #ffe;
 }
 
@@ -106,10 +106,11 @@ body {
 	text-align: justify;
 }
 
+
 #palettediv {
 	border: 1px solid #bbb;
 	background-color: #f0f8ff;
-	height: 180px;
+	height:auto;
 	margin-top: 10px;
 }
 

wp-admin/widgets.php

@@ -2,7 +2,7 @@
 
 require_once 'admin.php';
 
-if ( ! current_user_can('edit_themes') )
+if ( ! current_user_can('switch_themes') )
 	wp_die( __( 'Cheatin’ uh?' ));
 
 wp_enqueue_script( 'scriptaculous-effects' );
@@ -15,6 +15,11 @@ function wp_widgets_admin_head() {
 	define( 'WP_WIDGETS_HEIGHT', 35 * ( count( $wp_registered_widgets ) ) );
 ?>
 	<link rel="stylesheet" href="widgets.css?version=<?php bloginfo('version'); ?>" type="text/css" />
+	<!--[if IE 7]>
+	<style type="text/css">
+	#palette {float:left;}
+	</style>
+	<![endif]-->
 	<style type="text/css">
 		.dropzone ul { height: <?php echo constant( 'WP_WIDGETS_HEIGHT' ); ?>px; }
 		#sbadmin #zones { width: <?php echo constant( 'WP_WIDGETS_WIDTH' ); ?>px; }
@@ -61,10 +66,13 @@ function wp_widgets_admin_head() {
 		new Effect.Opacity('shadow', {to:0.0});
 		widgets.map(function(o) {o='widgetprefix-'+o; Position.absolutize(o); Position.relativize(o);} );
 		$A(Draggables.drags).map(function(o) {o.startDrag(null); o.finishDrag(null);});
-		for ( var n in Draggables.drags ) {
-			if ( Draggables.drags[n].element.id == 'lastmodule' ) {
-				Draggables.drags[n].destroy();
-				break;
+		//for ( var n in Draggables.drags ) {
+		for ( n=0; n<=Draggables.drags.length; n++ ) {
+			if ( parseInt( n ) ) {
+				if ( Draggables.drags[n].element.id == 'lastmodule' ) {
+					Draggables.drags[n].destroy();
+					break;
+				}
 			}
 		}
 		resetPaletteHeight();
@@ -145,7 +153,7 @@ function wp_widgets_admin_head() {
 			var pm = $(o+'placematt');
 			if ( $(o).childNodes.length == 0 ) {
 				pm.style.display = 'block';
-				Position.absolutize(o+'placematt');
+				//Position.absolutize(o+'placematt');
 			} else {
 				pm.style.display = 'none';
 			}
@@ -293,6 +301,9 @@ if ( isset( $_POST['action'] ) ) {
 		<p><?php _e( 'You can drag and drop widgets onto your sidebar below.' ); ?></p>
 		
 		<form id="sbadmin" method="post" onsubmit="serializeAll();">
+			<p class="submit">
+				<input type="submit" value="<?php _e( 'Save Changes &raquo;' ); ?>" />
+			</p>
 			<div id="zones">
 			<?php
 				foreach ( $wp_registered_sidebars as $index => $sidebar ) {
@@ -302,7 +313,7 @@ if ( isset( $_POST['action'] ) ) {
 				<div class="dropzone">
 					<h3><?php echo $sidebar['name']; ?></h3>
 					
-					<div id="<?php echo $index; ?>placematt" class="module placematt">
+					<div id="<?php echo $index; ?>placematt" class="module placemat">
 						<span class="handle">
 							<h4><?php _e( 'Default Sidebar' ); ?></h4>
 							<?php _e( 'Your theme will display its usual sidebar when this box is empty. Dragging widgets into this box will replace the usual sidebar with your customized sidebar.' ); ?>

wp-app.php

@@ -673,8 +673,9 @@ EOD;
 		}
 
 		$location = get_post_meta($entry['ID'], '_wp_attached_file', true);
+		$filetype = wp_check_filetype($location);
 
-		if(!isset($location))
+		if(!isset($location) || 'attachment' != $entry['post_type'] || empty($filetype['ext']))
 			$this->internal_error(__('Error ocurred while accessing post metadata for file location.'));
 
 		header('Content-Type: ' . $entry['post_mime_type']);
@@ -707,8 +708,9 @@ EOD;
 		}
 
 		$location = get_post_meta($entry['ID'], '_wp_attached_file', true);
+		$filetype = wp_check_filetype($location);
 
-		if(!isset($location))
+		if(!isset($location) || 'attachment' != $entry['post_type'] || empty($filetype['ext']))
 			$this->internal_error(__('Error ocurred while accessing post metadata for file location.'));
 
 		$fp = fopen("php://input", "rb");

wp-content/themes/default/functions.php

@@ -384,7 +384,7 @@ function kubrick_theme_page() {
 			</form>
 		</div>
 		<div id="jsForm">
-			<form style="display:inline;" method="post" name="hicolor" id="hicolor" action="<?php echo $_SERVER['REQUEST_URI']; ?>">
+			<form style="display:inline;" method="post" name="hicolor" id="hicolor" action="<?php echo attribute_escape($_SERVER['REQUEST_URI']); ?>">
 				<?php wp_nonce_field('kubrick-header'); ?>
 	<input type="button" onclick="tgt=document.getElementById('fontcolor');colorSelect(tgt,'pick1');return false;" name="pick1" id="pick1" value="<?php echo attribute_escape(__('Font Color')); ?>"></input>
 		<input type="button" onclick="tgt=document.getElementById('uppercolor');colorSelect(tgt,'pick2');return false;" name="pick2" id="pick2" value="<?php echo attribute_escape(__('Upper Color')); ?>"></input>

wp-includes/author-template.php

@@ -183,7 +183,7 @@ function wp_list_authors($args = '') {
 	$defaults = array('optioncount' => false, 'exclude_admin' => true, 'show_fullname' => false, 'hide_empty' => true,
 		'feed' => '', 'feed_image' => '');
 	$r = array_merge($defaults, $r);
-	extract($r);
+	extract($r, EXTR_SKIP);
 	
 	// TODO:  Move select to get_authors().
 	$authors = $wpdb->get_results("SELECT ID, user_nicename from $wpdb->users " . ($exclude_admin ? "WHERE user_login <> 'admin' " : '') . "ORDER BY display_name");

wp-includes/bookmark-template.php

@@ -253,7 +253,7 @@ function _walk_bookmarks($bookmarks, $args = '' ) {
 	$defaults = array('show_updated' => 0, 'show_description' => 0, 'show_images' => 1, 'before' => '<li>',
 		'after' => '</li>', 'between' => "\n");
 	$r = array_merge($defaults, $r);
-	extract($r);
+	extract($r, EXTR_SKIP);
 
 	foreach ( (array) $bookmarks as $bookmark ) {
 		if ( !isset($bookmark->recently_updated) )
@@ -331,7 +331,7 @@ function wp_list_bookmarks($args = '') {
 		'category_orderby' => 'name', 'category_order' => 'ASC', 'class' => 'linkcat',
 		'category_before' => '<li id="%id" class="%class">', 'category_after' => '</li>');
 	$r = array_merge($defaults, $r);
-	extract($r);
+	extract($r, EXTR_SKIP);
 
 	$output = '';
 

wp-includes/bookmark.php

@@ -34,7 +34,7 @@ function get_bookmarks($args = '') {
 	$defaults = array('orderby' => 'name', 'order' => 'ASC', 'limit' => -1, 'category' => '',
 		'category_name' => '', 'hide_invisible' => 1, 'show_updated' => 0, 'include' => '', 'exclude' => '');
 	$r = array_merge($defaults, $r);
-	extract($r);
+	extract($r, EXTR_SKIP);
 
 	$key = md5( serialize( $r ) );
 	if ( $cache = wp_cache_get( 'get_bookmarks', 'bookmark' ) )

wp-includes/category-template.php

@@ -83,6 +83,15 @@ function _get_the_category_usort($a, $b) {
 	return strcmp($a->category_name, $b->category_name);
 }
 
+function _get_the_category_usort_by_ID($a, $b) {
+	if ( $a->cat_ID > $b->cat_ID )
+		return 1;
+	elseif ( $a->cat_ID < $b->cat_ID )
+		return -1;
+	else
+		return 0;
+}
+
 function get_the_category_by_ID($cat_ID) {
 	$cat_ID = (int) $cat_ID;
 	$category = &get_category($cat_ID);
@@ -182,7 +191,7 @@ function wp_dropdown_categories($args = '') {
 	$defaults['selected'] = ( is_category() ) ? get_query_var('cat') : 0;
 	$r = array_merge($defaults, $r);
 	$r['include_last_update_time'] = $r['show_last_update'];
-	extract($r);
+	extract($r, EXTR_SKIP);
 
 	$categories = get_categories($r);
 
@@ -233,7 +242,7 @@ function wp_list_categories($args = '') {
 		$r['pad_counts'] = true;
 	if ( isset($r['show_date']) )
 		$r['include_last_update_time'] = $r['show_date'];
-	extract($r);
+	extract($r, EXTR_SKIP);
 
 	$categories = get_categories($r);
 

wp-includes/category.php

@@ -28,7 +28,7 @@ function &get_categories($args = '') {
 	else
 		$r['orderby'] = "cat_" . $r['orderby'];  // restricts order by to cat_ID and cat_name fields
 	$r['number'] = (int) $r['number'];
-	extract($r);
+	extract($r, EXTR_SKIP);
 
 	$key = md5( serialize( $r ) );
 	if ( $cache = wp_cache_get( 'get_categories', 'category' ) )

wp-includes/class-phpmailer.php

@@ -390,7 +390,7 @@ class PHPMailer
      */
     function SendmailSend($header, $body) {
         if ($this->Sender != "")
-            $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail, $this->Sender);
+            $sendmail = sprintf("%s -oi -f %s -t", $this->Sendmail, escapeshellarg($this->Sender));
         else
             $sendmail = sprintf("%s -oi -t", $this->Sendmail);
 

wp-includes/classes.php

@@ -506,7 +506,7 @@ class Walker_Page extends Walker {
 	function start_el($output, $page, $depth, $current_page, $args) {
 		if ( $depth )
 			$indent = str_repeat("\t", $depth);
-		extract($args);
+		extract($args, EXTR_SKIP);
 		$css_class = 'page_item';
 		$_current_page = get_page( $current_page );
 		if ( $page->ID == $current_page )
@@ -696,7 +696,7 @@ class WP_Ajax_Response {
 				'data' => '', 'supplemental' => array());
 
 		$r = array_merge($defaults, $r);
-		extract($r);
+		extract($r, EXTR_SKIP);
 
 		if ( is_wp_error($id) ) {
 			$data = $id;

wp-includes/comment-template.php

@@ -239,7 +239,7 @@ function trackback_url( $display = true ) {
 
 function trackback_rdf($timezone = 0) {
 	global $id;
-	if (strpos($_SERVER['HTTP_USER_AGENT'], 'W3C_Validator') !== false) {
+	if (stripos($_SERVER['HTTP_USER_AGENT'], 'W3C_Validator') === false) {
 		echo '<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
 				xmlns:dc="http://purl.org/dc/elements/1.1/"
 				xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/">
@@ -285,7 +285,7 @@ function comments_template( $file = '/comments.php' ) {
 
 	$req = get_option('require_name_email');
 	$commenter = wp_get_current_commenter();
-	extract($commenter);
+	extract($commenter, EXTR_SKIP);
 
 	// TODO: Use API instead of SELECTs.
 	if ( $user_ID) {

wp-includes/comment.php

@@ -178,7 +178,7 @@ function sanitize_comment_cookies() {
 
 function wp_allow_comment($commentdata) {
 	global $wpdb;
-	extract($commentdata);
+	extract($commentdata, EXTR_SKIP);
 
 	// Simple duplicate check
 	$dupe = "SELECT comment_ID FROM $wpdb->comments WHERE comment_post_ID = '$comment_post_ID' AND ( comment_author = '$comment_author' ";
@@ -325,7 +325,7 @@ function wp_get_current_commenter() {
 
 function wp_insert_comment($commentdata) {
 	global $wpdb;
-	extract($commentdata);
+	extract($commentdata, EXTR_SKIP);
 
 	if ( ! isset($comment_author_IP) )
 		$comment_author_IP = preg_replace( '/[^0-9., ]/', '',$_SERVER['REMOTE_ADDR'] );
@@ -457,7 +457,7 @@ function wp_update_comment($commentarr) {
 	$commentarr = wp_filter_comment( $commentarr );
 
 	// Now extract the merged array.
-	extract($commentarr);
+	extract($commentarr, EXTR_SKIP);
 
 	$comment_content = apply_filters('comment_save_pre', $comment_content);
 
@@ -517,7 +517,7 @@ function discover_pingback_server_uri($url, $timeout_bytes = 2048) {
 	$x_pingback_str = 'x-pingback: ';
 	$pingback_href_original_pos = 27;
 
-	extract(parse_url($url));
+	extract(parse_url($url), EXTR_SKIP);
 
 	if ( !isset($host) ) // Not an URL. This should never happen.
 		return false;

wp-includes/default-filters.php

@@ -129,6 +129,8 @@ add_filter('get_the_excerpt', 'wp_trim_excerpt');
 
 add_filter('sanitize_title', 'sanitize_title_with_dashes');
 
+add_filter('wp_title', 'wp_specialchars');
+
 // RSS filters
 add_filter('the_title_rss', 'strip_tags');
 add_filter('the_title_rss', 'ent2ncr', 8);

wp-includes/feed-atom-comments.php

@@ -20,7 +20,7 @@ echo '<?xml version="1.0" encoding="' . get_option('blog_charset') . '" ?' . '>'
 	<updated><?php echo mysql2date('Y-m-d\TH:i:s\Z', get_lastcommentmodified('GMT')); ?></updated>
 	<generator uri="http://wordpress.org/" version="<?php bloginfo('version'); ?>">WordPress</generator>
 
-	<link rel="alternate" type="<?php bloginfo_rss('html_type'); ?>" content="<?php bloginfo_rss('home'); ?>" />
+	<link rel="alternate" type="<?php bloginfo_rss('html_type'); ?>" href="<?php bloginfo_rss('home'); ?>" />
 	<link rel="self" type="application/atom+xml" href="<?php bloginfo_rss('comments_atom_url'); ?>" />
 	<id><?php bloginfo_rss('comments_atom_url'); ?></id>
 
@@ -40,7 +40,7 @@ if ( have_comments() ) : while ( have_comments() ) : the_comment();
 				printf(__('By: %s'), get_comment_author_rss());
 			}
 		?></title>
-		<link rel="alternate" href="<?php comment_link(); ?>" type="<?php bloginfo_rss('content_type'); ?>" />
+		<link rel="alternate" href="<?php comment_link(); ?>" type="<?php bloginfo_rss('html_type'); ?>" />
 
 		<author>
 			<name><?php comment_author_rss(); ?></name>
@@ -49,8 +49,8 @@ if ( have_comments() ) : while ( have_comments() ) : the_comment();
 		</author>
 
 		<id><?php comment_link(); ?></id>
-		<updated><?php echo mysql2date('D, d M Y H:i:s +0000', get_comment_time('Y-m-d H:i:s', true), false); ?></updated>
-		<published><?php echo mysql2date('D, d M Y H:i:s +0000', get_comment_time('Y-m-d H:i:s', true), false); ?></published>
+		<updated><?php echo mysql2date('Y-m-d\TH:i:s\Z', get_comment_time('Y-m-d H:i:s', true), false); ?></updated>
+		<published><?php echo mysql2date('Y-m-d\TH:i:s\Z', get_comment_time('Y-m-d H:i:s', true), false); ?></published>
 <?php if (!empty($comment_post->post_password) && $_COOKIE['wp-postpass'] != $comment_post->post_password) : ?>
 		<content type="html" xml:base="<?php comment_link(); ?>"><![CDATA[<?php echo get_the_password_form(); ?>]]></content>
 <?php else : // post pass ?>

wp-includes/feed-rss2-comments.php

@@ -5,7 +5,9 @@ echo '<?xml version="1.0" encoding="'.get_option('blog_charset').'"?'.'>';
 ?>
 <!-- generator="wordpress/<?php echo $wp_version ?>" -->
 <rss version="2.0" 
-	xmlns:content="http://purl.org/rss/1.0/modules/content/">
+	xmlns:content="http://purl.org/rss/1.0/modules/content/"
+	xmlns:dc="http://purl.org/dc/elements/1.1/"
+	>
 <channel>
 	<title><?php
 		if ( is_singular() )
@@ -37,7 +39,7 @@ if ( have_comments() ) : while ( have_comments() ) : the_comment();
 			}
 		?></title>
 		<link><?php comment_link() ?></link>
-		<author><?php echo get_comment_author_rss() ?></author>
+		<dc:creator><?php echo get_comment_author_rss() ?></dc:creator>
 		<pubDate><?php echo mysql2date('D, d M Y H:i:s +0000', get_comment_time('Y-m-d H:i:s', true), false); ?></pubDate>
 		<guid><?php comment_link() ?></guid>
 <?php if (!empty($comment_post->post_password) && $_COOKIE['wp-postpass'] != $comment_post->post_password) : ?>

wp-includes/feed.php

@@ -151,13 +151,13 @@ function get_the_category_rss($type = 'rss') {
 	$home = get_bloginfo_rss('home');
 	$the_list = '';
 	foreach ( (array) $categories as $category ) {
-		$category->cat_name = convert_chars($category->cat_name);
+		$cat_name = convert_chars($category->cat_name);
 		if ( 'rdf' == $type )
-			$the_list .= "\n\t\t<dc:subject><![CDATA[$category->cat_name]]></dc:subject>\n";
+			$the_list .= "\n\t\t<dc:subject><![CDATA[$cat_name]]></dc:subject>\n";
 		if ( 'atom' == $type )
-			$the_list .= "<category scheme='$home' term='$category->cat_name' />";
+			$the_list .= sprintf( '<category scheme="%1$s" term="%2$s" />', attribute_escape( apply_filters( 'get_bloginfo_rss', get_bloginfo( 'url' ) ) ), attribute_escape( $category->cat_name ) );
 		else
-			$the_list .= "\n\t\t<category><![CDATA[$category->cat_name]]></category>\n";
+			$the_list .= "\n\t\t<category><![CDATA[$cat_name]]></category>\n";
 	}
 	return apply_filters('the_category_rss', $the_list, $type);
 }

wp-includes/formatting.php

@@ -11,7 +11,7 @@ function wptexturize($text) {
 	// if a plugin has provided an autocorrect array, use it
 	if ( isset($wp_cockneyreplace) ) {
 		$cockney = array_keys($wp_cockneyreplace);
-		$cockney_replace = array_values($wp_cockneyreplace);
+		$cockneyreplace = array_values($wp_cockneyreplace);
 	} else {
 		$cockney = array("'tain't","'twere","'twas","'tis","'twill","'til","'bout","'nuff","'round","'cause");
 		$cockneyreplace = array("’tain’t","’twere","’twas","’tis","’twill","’til","’bout","’nuff","’round","’cause");
@@ -1103,7 +1103,7 @@ function htmlentities2($myHTML) {
 // Escape single quotes, specialchar double quotes, and fix line endings.
 function js_escape($text) {
 	$safe_text = wp_specialchars($text, 'double');
-	$safe_text = str_replace(''', "'", $safe_text);
+	$safe_text = preg_replace('/&#(x)?0*(?(1)27|39);?/i', "'", stripslashes($safe_text));
 	$safe_text = preg_replace("/\r?\n/", "\\n", addslashes($safe_text));
 	return apply_filters('js_escape', $safe_text, $text);
 }
@@ -1118,4 +1118,84 @@ function wp_make_link_relative( $link ) {
 	return preg_replace('|https?://[^/]+(/.*)|i', '$1', $link );
 }
 
+function sanitize_option($option, $value) { // Remember to call stripslashes!
+
+	switch ($option) {
+		case 'admin_email':
+			$value = sanitize_email($value);
+			break;
+
+		case 'default_post_edit_rows':
+		case 'mailserver_port':
+		case 'comment_max_links':
+		case 'page_on_front':
+		case 'rss_excerpt_length':
+		case 'default_category':
+		case 'default_email_category':
+		case 'default_link_category':
+			$value = abs((int) $value);
+			break;
+
+		case 'posts_per_page':
+		case 'posts_per_rss':
+			$value = (int) $value;
+			if ( empty($value) ) $value = 1;
+			if ( $value < -1 ) $value = abs($value);
+			break;
+
+		case 'default_ping_status':
+		case 'default_comment_status':
+			// Options that if not there have 0 value but need to be something like "closed"
+			if ( $value == '0' || $value == '')
+				$value = 'closed';
+			break;
+
+		case 'blogdescription':
+		case 'blogname':
+			$value = addslashes($value);
+			$value = wp_filter_post_kses( $value ); // calls stripslashes then addslashes
+			$value = stripslashes($value);
+			$value = wp_specialchars( $value );
+			break;
+
+		case 'blog_charset':
+			$value = preg_replace('/[^a-zA-Z0-9_-]/', '', $value); // strips slashes
+			break;
+
+		case 'date_format':
+		case 'time_format':
+		case 'mailserver_url':
+		case 'mailserver_login':
+		case 'mailserver_pass':
+		case 'ping_sites':
+		case 'upload_path':
+			$value = strip_tags($value);
+			$value = addslashes($value);
+			$value = wp_filter_kses($value); // calls stripslashes then addslashes
+			$value = stripslashes($value);
+			break;
+
+		case 'gmt_offset':
+			$value = preg_replace('/[^0-9:.-]/', '', $value); // strips slashes
+			break;
+
+		case 'siteurl':
+		case 'home':
+			$value = stripslashes($value);
+			$value = clean_url($value);
+			break;
+		default :
+			break;
+	}
+
+	return $value;
+}
+
+function wp_parse_str( $string, &$array ) {
+	parse_str( $string, $array );
+	if ( get_magic_quotes_gpc() )
+		$array = stripslashes_deep( $array ); // parse_str() adds slashes if magicquotes is on.  See: http://php.net/parse_str
+	$array = apply_filters( 'wp_parse_str', $array );
+}
+
 ?>

wp-includes/functions.php

@@ -203,6 +203,7 @@ function is_serialized_string($data) {
 
 /* Options functions */
 
+// expects $setting to already be SQL-escaped
 function get_option($setting) {
 	global $wpdb;
 
@@ -302,16 +303,19 @@ function wp_load_alloptions() {
 	return $alloptions;
 }
 
+// expects $option_name to NOT be SQL-escaped
 function update_option($option_name, $newvalue) {
 	global $wpdb;
 
 	wp_protect_special_option($option_name);
 
+	$safe_option_name = $wpdb->escape($option_name);
+
 	if ( is_string($newvalue) )
 		$newvalue = trim($newvalue);
 
 	// If the new and old values are the same, no need to update.
-	$oldvalue = get_option($option_name);
+	$oldvalue = get_option($safe_option_name);
 	if ( $newvalue === $oldvalue ) {
 		return false;
 	}
@@ -322,7 +326,7 @@ function update_option($option_name, $newvalue) {
 	}
 
 	$notoptions = wp_cache_get('notoptions', 'options');
-	if ( isset($notoptions[$option_name]) ) {
+	if ( is_array($notoptions) && isset($notoptions[$option_name]) ) {
 		unset($notoptions[$option_name]);
 		wp_cache_set('notoptions', $notoptions, 'options');
 	}
@@ -349,21 +353,21 @@ function update_option($option_name, $newvalue) {
 }
 
 // thx Alex Stapleton, http://alex.vort-x.net/blog/
+// expects $name to NOT be SQL-escaped
 function add_option($name, $value = '', $description = '', $autoload = 'yes') {
 	global $wpdb;
 
 	wp_protect_special_option($name);
+	$safe_name = $wpdb->escape($name);
 
-	// Make sure the option doesn't already exist we can check the cache before we ask for a db query
+	// Make sure the option doesn't already exist. We can check the 'notoptions' cache before we ask for a db query
 	$notoptions = wp_cache_get('notoptions', 'options');
-	if ( isset($notoptions[$name]) ) {
-		unset($notoptions[$name]);
-		wp_cache_set('notoptions', $notoptions, 'options');
-	} elseif ( false !== get_option($name) ) {
+	if ( !is_array($notoptions) || !isset($notoptions[$name]) )
+		if ( false !== get_option($safe_name) )
 			return;
-	}
 
 	$value = maybe_serialize($value);
+	$autoload = ( 'no' === $autoload ) ? 'no' : 'yes';
 
 	if ( 'yes' == $autoload ) {
 		$alloptions = wp_load_alloptions();
@@ -373,6 +377,13 @@ function add_option($name, $value = '', $description = '', $autoload = 'yes') {
 		wp_cache_set($name, $value, 'options');
 	}
 
+	// This option exists now
+	$notoptions = wp_cache_get('notoptions', 'options'); // yes, again... we need it to be fresh
+	if ( is_array($notoptions) && isset($notoptions[$name]) ) {
+		unset($notoptions[$name]);
+		wp_cache_set('notoptions', $notoptions, 'options');
+	}
+
 	$name = $wpdb->escape($name);
 	$value = $wpdb->escape($value);
 	$description = $wpdb->escape($description);
@@ -761,12 +772,12 @@ add_query_arg(associative_array, oldquery_or_uri)
 function add_query_arg() {
 	$ret = '';
 	if ( is_array(func_get_arg(0)) ) {
-		if ( @func_num_args() < 2 || '' == @func_get_arg(1) )
+		if ( @func_num_args() < 2 || false === @func_get_arg(1) )
 			$uri = $_SERVER['REQUEST_URI'];
 		else
 			$uri = @func_get_arg(1);
 	} else {
-		if ( @func_num_args() < 3 || '' == @func_get_arg(2) )
+		if ( @func_num_args() < 3 || false === @func_get_arg(2) )
 			$uri = $_SERVER['REQUEST_URI'];
 		else
 			$uri = @func_get_arg(2);
@@ -801,9 +812,7 @@ function add_query_arg() {
 		$query = $uri;
 	}
 
-	parse_str($query, $qs);
-	if ( get_magic_quotes_gpc() )
-		$qs = stripslashes_deep($qs); // parse_str() adds slashes if magicquotes is on.  See: http://php.net/parse_str
+	wp_parse_str($query, $qs);
 	$qs = urlencode_deep($qs);
 	if ( is_array(func_get_arg(0)) ) {
 		$kayvees = func_get_arg(0);
@@ -824,7 +833,7 @@ function add_query_arg() {
 	}
 	$ret = trim($ret, '?');
 	$ret = $protocol . $base . $ret . $frag;
-	$ret = trim($ret, '?');
+	$ret = rtrim($ret, '?');
 	return $ret;
 }
 
@@ -838,7 +847,7 @@ remove_query_arg(removekey, [oldquery_or_uri]) or
 remove_query_arg(removekeyarray, [oldquery_or_uri])
 */
 
-function remove_query_arg($key, $query='') {
+function remove_query_arg($key, $query=FALSE) {
 	if ( is_array($key) ) { // removing multiple keys
 		foreach ( (array) $key as $k )
 			$query = add_query_arg($k, FALSE, $query);
@@ -1317,7 +1326,7 @@ function wp_nonce_ays($action) {
 function wp_die( $message, $title = '' ) {
 	global $wp_locale;
 
-	if ( is_wp_error( $message ) ) {
+	if ( function_exists( 'is_wp_error' ) && is_wp_error( $message ) ) {
 		if ( empty($title) ) {
 			$error_data = $message->get_error_data();
 			if ( is_array($error_data) && isset($error_data['title']) )
@@ -1481,21 +1490,15 @@ function smilies_init() {
 }
 
 function wp_parse_args( $args, $defaults = '' ) {
-	if ( is_array($args) ) :
+	if ( is_array( $args ) )
 		$r =& $args;
-	else :
-		parse_str( $args, $r );
-		if ( get_magic_quotes_gpc() )
-			$r = stripslashes_deep( $r );
-	endif;
+	else
+		wp_parse_str( $args, $r );
 
-	if ( is_array($defaults) ) :
-		extract($defaults);
-		extract($r);
-		return compact(array_keys($defaults)); // only those options defined in $defaults
-	else :
+	if ( is_array( $defaults ) )
+		return array_merge( $defaults, $r );
+	else
 		return $r;
-	endif;
 }
 
 function wp_maybe_load_widgets() {
@@ -1507,7 +1510,7 @@ function wp_maybe_load_widgets() {
 
 function wp_widgets_add_menu() {
 	global $submenu;
-	$submenu['themes.php'][7] = array( __( 'Widgets' ), 'edit_themes', 'widgets.php' );
+	$submenu['themes.php'][7] = array( __( 'Widgets' ), 'switch_themes', 'widgets.php' );
 	ksort($submenu['themes.php'], SORT_NUMERIC);
 }
 
@@ -1518,4 +1521,4 @@ function wp_ob_end_flush_all()
 	while ( @ob_end_flush() );
 }
 
-?>
+?>

wp-includes/general-template.php

@@ -63,8 +63,8 @@ function bloginfo($show='') {
 	$info = get_bloginfo($show);
 	
 	// Don't filter URL's.
-	if (strpos($show, 'url') === false || 
-		strpos($show, 'directory') === false || 
+	if (strpos($show, 'url') === false &&
+		strpos($show, 'directory') === false &&
 		strpos($show, 'home') === false) {
 		$info = apply_filters('bloginfo', $info, $show);
 		$info = convert_chars($info);
@@ -109,6 +109,7 @@ function get_bloginfo($show='') {
 			break;
 		case 'comments_atom_url':
 			$output = get_feed_link('comments_atom');
+			break;
 		case 'comments_rss2_url':
 			$output = get_feed_link('comments_rss2');
 			break;
@@ -217,8 +218,7 @@ function wp_title($sep = '»', $display = true) {
 	// If there is a post
 	if ( is_single() || is_page() ) {
 		$post = $wp_query->get_queried_object();
-		$title = apply_filters('single_post_title', $title);
-		$title = strip_tags($post->post_title);
+		$title = strip_tags( apply_filters( 'single_post_title', $post->post_title ) );
 	}
 
 	$prefix = '';
@@ -322,7 +322,7 @@ function wp_get_archives($args = '') {
 
 	$defaults = array('type' => 'monthly', 'limit' => '', 'format' => 'html', 'before' => '', 'after' => '', 'show_post_count' => false);
 	$r = array_merge($defaults, $r);
-	extract($r);
+	extract($r, EXTR_SKIP);
 
 	if ( '' == $type )
 		$type = 'monthly';
@@ -813,7 +813,8 @@ function user_can_richedit() {
 	if ( !isset( $wp_rich_edit) ) {
 		if ( get_user_option( 'rich_editing' ) == 'true' && 
 			( ( preg_match( '!AppleWebKit/(\d+)!', $_SERVER['HTTP_USER_AGENT'], $match ) && intval($match[1]) >= 420 ) || 
-				!preg_match( '!opera[ /][2-8]|konqueror|safari!i', $_SERVER['HTTP_USER_AGENT'] ) ) ) {
+				!preg_match( '!opera[ /][2-8]|konqueror|safari!i', $_SERVER['HTTP_USER_AGENT'] ) )
+				&& 'comment.php' != $pagenow ) {
 			$wp_rich_edit = true;
 		} else {
 			$wp_rich_edit = false;
@@ -899,10 +900,11 @@ function the_editor($content, $id = 'content', $prev_id = 'title') {
 	//<!--
 	edCanvas = document.getElementById('<?php echo $id; ?>');
 	<?php if ( $prev_id && user_can_richedit() ) : ?>
+	// If tinyMCE is defined.
+	if ( typeof tinyMCE != 'undefined' ) {
 	// This code is meant to allow tabbing from Title to Post (TinyMCE).
-	if ( tinyMCE.isMSIE )
-		document.getElementById('<?php echo $prev_id; ?>').onkeydown = function (e)
-			{
+		if ( tinyMCE.isMSIE ) {
+			document.getElementById('<?php echo $prev_id; ?>').onkeydown = function (e) {
 				e = e ? e : window.event;
 				if (e.keyCode == 9 && !e.shiftKey && !e.controlKey && !e.altKey) {
 					var i = tinyMCE.getInstanceById('<?php echo $id; ?>');
@@ -915,9 +917,8 @@ function the_editor($content, $id = 'content', $prev_id = 'title') {
 					return false;
 				}
 			}
-	else
-		document.getElementById('<?php echo $prev_id; ?>').onkeypress = function (e)
-			{
+		} else {
+			document.getElementById('<?php echo $prev_id; ?>').onkeypress = function (e) {
 				e = e ? e : window.event;
 				if (e.keyCode == 9 && !e.shiftKey && !e.controlKey && !e.altKey) {
 					var i = tinyMCE.getInstanceById('<?php echo $id; ?>');
@@ -930,6 +931,8 @@ function the_editor($content, $id = 'content', $prev_id = 'title') {
 					return false;
 				}
 			}
+		}
+	}
 	<?php endif; ?>
 	//-->
 	</script>
@@ -955,27 +958,24 @@ function language_attributes() {
 	echo $output;
 }
 
-function paginate_links( $arg = '' ) {
-	if ( is_array($arg) )
-		$a = &$arg;
-	else
-		parse_str($arg, $a);
+function paginate_links( $args = '' ) {
+	$defaults = array( 
+		'base' => '%_%', // http://example.com/all_posts.php%_% : %_% is replaced by format (below)
+		'format' => '?page=%#%', // ?page=%#% : %#% is replaced by the page number
+		'total' => 1,
+		'current' => 0,
+		'show_all' => false,
+		'prev_next' => true,
+		'prev_text' => __('&laquo; Previous'),
+		'next_text' => __('Next &raquo;'),
+		'end_size' => 1, // How many numbers on either end including the end
+		'mid_size' => 2, // How many numbers to either side of current not including current
+		'type' => 'plain',
+		'add_args' => false // array of query args to aadd
+	);
 
-	// Defaults
-	$base = '%_%'; // http://example.com/all_posts.php%_% : %_% is replaced by format (below)
-	$format = '?page=%#%'; // ?page=%#% : %#% is replaced by the page number
-	$total = 1;
-	$current = 0;
-	$show_all = false;
-	$prev_next = true;
-	$prev_text = __('&laquo; Previous');
-	$next_text = __('Next &raquo;');
-	$end_size = 1; // How many numbers on either end including the end
-	$mid_size = 2; // How many numbers to either side of current not including current
-	$type = 'plain';
-	$add_args = false; // array of query args to aadd
-
-	extract($a);
+	$args = wp_parse_args( $args, $defaults );
+	extract($args, EXTR_SKIP);
 
 	// Who knows what else people pass in $args
 	$total    = (int) $total;

wp-includes/js/tinymce/themes/advanced/color_picker.htm

@@ -2,12 +2,73 @@
 <head>
 	<title>{$lang_theme_colorpicker_title}</title>
 	<script language="javascript" type="text/javascript" src="../../tiny_mce_popup.js"></script>
+	<script language="javascript" type="text/javascript" src="../../utils/mctabs.js"></script>
 	<script language="javascript" type="text/javascript" src="jscripts/color_picker.js"></script>
+	<link href="css/colorpicker.css" rel="stylesheet" type="text/css" />
 	<base target="_self" />
 </head>
-<body onload="tinyMCEPopup.executeOnLoad('init();');" style="margin: 3px; display: none">
-	<div align="center">
-	   <script language="javascript" type="text/javascript">renderColorMap();</script>
+<body onload="tinyMCEPopup.executeOnLoad('init();');" style="display: none">
+	<div class="tabs">
+		<ul>
+			<li id="picker_tab" class="current"><span><a href="javascript:mcTabs.displayTab('picker_tab','picker_panel');" onmousedown="return false;">{$lang_color_picker_tab}</a></span></li>
+			<li id="rgb_tab"><span><a href="#" onclick="generateWebColors();mcTabs.displayTab('rgb_tab','rgb_panel');" onmousedown="return false;">{$lang_web_colors_tab}</a></span></li>
+			<li id="named_tab"><span><a  href="#" onclick="generateNamedColors();javascript:mcTabs.displayTab('named_tab','named_panel');" onmousedown="return false;">{$lang_named_colors_tab}</a></span></li>
+		</ul>
+	</div>
+
+	<div class="panel_wrapper">
+		<div id="picker_panel" class="panel current">
+			<fieldset>
+				<legend>{$lang_color_picker}</legend>
+				<div id="picker">
+					<img id="colorpicker" src="images/colors.jpg" onclick="computeColor(event)" onmousedown="isMouseDown = true;return false;" onmouseup="isMouseDown = false;" onmousemove="if (isMouseDown && isMouseOver) computeColor(event); return false;" onmouseover="isMouseOver=true;" onmouseout="isMouseOver=false;" />
+
+					<div id="light">
+						<!-- Will be filled with divs -->
+					</div>
+
+					<br style="clear: both" />
+				</div>
+			</fieldset>
+		</div>
+
+		<div id="rgb_panel" class="panel">
+			<fieldset>
+				<legend>{$lang_web_colors}</legend>
+				<div id="webcolors">
+					<!-- Gets filled with web safe colors-->
+				</div>
+
+				<br style="clear: both" />
+			</fieldset>
+		</div>
+
+		<div id="named_panel" class="panel">
+			<fieldset>
+				<legend>{$lang_named_colors}</legend>
+				<div id="namedcolors">
+					<!-- Gets filled with named colors-->
+				</div>
+
+				<br style="clear: both" />
+
+				<div id="colornamecontainer">
+					{$lang_color_name} <span id="colorname"></span>
+				</div>
+			</fieldset>
+		</div>
+	</div>
+
+	<div class="mceActionPanel">
+		<div style="float: left">
+			<input type="button" id="insert" name="insert" value="{$lang_theme_colorpicker_apply}" onclick="insertAction();" />
+		</div>
+
+		<div id="preview"></div>
+
+		<div id="previewblock">
+			<label for="color">{$lang_color}</label> <input id="color" type="text" size="8" maxlength="8" class="text" />
+		</div>
 	</div>
 </body>
 </html>

wp-includes/js/tinymce/themes/advanced/css/colorpicker.css

@@ -0,0 +1,53 @@
+/* Colorpicker dialog specific CSS */
+
+#preview {
+	float: right;
+	width: 50px;
+	height: 14px;
+	line-height: 1px;
+	border: 1px solid black;
+	margin-left: 5px;
+}
+
+#colorpicker {
+	float: left;
+	cursor: crosshair;
+}
+
+#light {
+	border: 1px solid gray;
+	margin-left: 5px;
+	float: left;
+	width: 15px;
+	cursor: crosshair;
+}
+
+#light div {
+	overflow: hidden;
+}
+
+#previewblock {
+	float: right;
+	padding-left: 10px;
+	height: 20px;
+}
+
+.panel_wrapper div.current {
+	height: 175px;
+}
+
+#namedcolors {
+	width: 150px;
+}
+
+#namedcolors a {
+	display: block;
+	float: left;
+	width: 10px; height: 10px;
+	margin: 1px 1px 0 0;
+	overflow: hidden;
+}
+
+#colornamecontainer {
+	margin-top: 5px;
+}

wp-includes/js/wp-ajax.js

@@ -27,9 +27,9 @@ Object.extend(WPAjax.prototype, {
 		this.getResponseElement(responseEl);
 	},
 	addArg: function(key, value) {
-		var a = [];
+		var a = $H();
 		a[encodeURIComponent(key)] = encodeURIComponent(value);
-		this.options.parameters = $H(this.options.parameters).merge($H(a));
+		this.options.parameters = $H(this.options.parameters).merge(a);
 	},
 	getResponseElement: function(r) {
 		var p = $(r + '-p');

wp-includes/link-template.php

@@ -77,6 +77,8 @@ function get_permalink($id = 0) {
 		$category = '';
 		if (strpos($permalink, '%category%') !== false) {
 			$cats = get_the_category($post->ID);
+			if ( $cats )
+				usort($cats, '_get_the_category_usort_by_ID'); // order by ID
 			$category = $cats[0]->category_nicename;
 			if ( $parent=$cats[0]->category_parent )
 				$category = get_category_parents($parent, FALSE, '/', TRUE) . $category;
@@ -480,7 +482,6 @@ function get_pagenum_link($pagenum = 1) {
 	$qstr = preg_replace('|^/+|', '', $qstr);
 	if ( $permalink )
 		$qstr = user_trailingslashit($qstr, 'paged');
-	$qstr = preg_replace('/&([^#])(?![a-z]{1,8};)/', '&$1', trailingslashit( get_option('home') ) . $qstr );
 
 	// showing /page/1/ or ?paged=1 is redundant
 	if ( 1 === $pagenum ) {
@@ -488,6 +489,9 @@ function get_pagenum_link($pagenum = 1) {
 		$qstr = str_replace(user_trailingslashit('page/1', 'paged'), '', $qstr); // for mod_rewrite style
 		$qstr = remove_query_arg('paged', $qstr); // for query style
 	}
+
+	$qstr = preg_replace('/&([^#])(?![a-z]{1,8};)/', '&$1', trailingslashit( get_option('home') ) . $qstr );
+
 	return $qstr;
 }
 

wp-includes/pluggable.php

@@ -156,7 +156,7 @@ function get_userdatabylogin($user_login) {
 }
 endif;
 
-if ( !function_exists('wp_mail') ) :
+if ( !function_exists( 'wp_mail' ) ) :
 function wp_mail($to, $subject, $message, $headers = '') {
 	global $phpmailer;
 
@@ -168,7 +168,7 @@ function wp_mail($to, $subject, $message, $headers = '') {
 
 	$mail = compact('to', 'subject', 'message', 'headers');
 	$mail = apply_filters('wp_mail', $mail);
-	extract($mail);
+	extract($mail, EXTR_SKIP);
 
 	if ( $headers == '' ) {
 		$headers = "MIME-Version: 1.0\n" .
@@ -224,6 +224,8 @@ if ( !function_exists('wp_login') ) :
 function wp_login($username, $password, $already_md5 = false) {
 	global $wpdb, $error;
 
+	$username = sanitize_user($username);
+
 	if ( '' == $username )
 		return false;
 
@@ -318,8 +320,18 @@ function wp_redirect($location, $status = 302) {
 	$location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%]|i', '', $location);
 	$location = wp_kses_no_null($location);
 
+	// remove %0d and %0a from location
 	$strip = array('%0d', '%0a');
-	$location = str_replace($strip, '', $location);
+	$found = true;
+	while($found) {
+		$found = false;
+		foreach($strip as $val) {
+			while(strpos($location, $val) !== false) {
+				$found = true;
+				$location = str_replace($val, '', $location);
+			}
+		}
+	}
 
 	if ( $is_IIS ) {
 		header("Refresh: 0;url=$location");

wp-includes/plugin.php

@@ -19,7 +19,7 @@ function add_filter($tag, $function_to_add, $priority = 10, $accepted_args = 1)
 	global $wp_filter, $merged_filters;
 
 	// So the format is wp_filter['tag']['array of priorities']['array of functions serialized']['array of ['array (functions, accepted_args)]']
-	$wp_filter[$tag][$priority][serialize($function_to_add)] = array('function' => $function_to_add, 'accepted_args' => $accepted_args);
+	$wp_filter[$tag][$priority][_wp_filter_build_unique_id($tag, $function_to_add, $priority)] = array('function' => $function_to_add, 'accepted_args' => $accepted_args);
 	unset( $merged_filters[ $tag ] );
 	return true;
 }
@@ -98,8 +98,8 @@ function merge_filters($tag) {
  */
 function remove_filter($tag, $function_to_remove, $priority = 10, $accepted_args = 1) {
 	global $wp_filter, $merged_filters;
-
-	unset($GLOBALS['wp_filter'][$tag][$priority][serialize($function_to_remove)]);
+	
+	unset($GLOBALS['wp_filter'][$tag][$priority][_wp_filter_build_unique_id($tag, $function_to_remove, $priority)]);
 	unset( $merged_filters[ $tag ] );
 
 	return true;
@@ -235,8 +235,9 @@ function remove_action($tag, $function_to_remove, $priority = 10, $accepted_args
  * @return string The name of a plugin.
  */
 function plugin_basename($file) {
-	$file = preg_replace('|\\\\+|', '\\\\', $file);
-	$file = preg_replace('/^.*wp-content[\\\\\/]plugins[\\\\\/]/', '', $file);
+	$file = str_replace('\\','/',$file); // sanitize for Win32 installs
+	$file = preg_replace('|/+|','/', $file); // remove any duplicate slash
+	$file = preg_replace('|^.*/wp-content/plugins/|','',$file); // get relative path from plugins dir
 	return $file;
 }
 
@@ -278,4 +279,29 @@ function register_deactivation_hook($file, $function) {
 	add_action('deactivate_' . $file, $function);
 }
 
+function _wp_filter_build_unique_id($tag, $function, $priority = 10)
+{
+	global $wp_filter;
+	
+	// If function then just skip all of the tests and not overwrite the following.
+	if( is_string($function) )
+		return $function;
+	// Object Class Calling
+	else if(is_object($function[0]) )
+	{
+		$obj_idx = get_class($function[0]).$function[1];
+		if( is_null($function[0]->wp_filter_id) ) {
+			$count = count((array)$wp_filter[$tag][$priority]);
+			$function[0]->wp_filter_id = $count;
+			$obj_idx .= $count;
+			unset($count);
+		} else
+			$obj_idx .= $function[0]->wp_filter_id;
+		return $obj_idx;
+	}
+	// Static Calling
+	else if( is_string($function[0]) )
+		return $function[0].$function[1];
+}
+
 ?>

wp-includes/post-template.php

@@ -141,7 +141,7 @@ function wp_link_pages($args = '') {
 	$defaults = array('before' => '<p>' . __('Pages:'), 'after' => '</p>', 'next_or_number' => 'number', 'nextpagelink' => __('Next page'),
 			'previouspagelink' => __('Previous page'), 'pagelink' => '%', 'more_file' => '', 'echo' => 1);
 	$r = array_merge($defaults, $r);
-	extract($r);
+	extract($r, EXTR_SKIP);
 
 	global $id, $page, $numpages, $multipage, $more, $pagenow;
 	if ( $more_file != '' )
@@ -255,7 +255,7 @@ function wp_dropdown_pages($args = '') {
 	$defaults = array('depth' => 0, 'child_of' => 0, 'selected' => 0, 'echo' => 1,
 		'name' => 'page_id', 'show_option_none' => '');
 	$r = array_merge($defaults, $r);
-	extract($r);
+	extract($r, EXTR_SKIP);
 
 	$pages = get_pages($r);
 	$output = '';

wp-includes/post.php

@@ -182,7 +182,7 @@ function get_posts($args) {
 		'orderby' => 'post_date', 'order' => 'DESC', 'include' => '', 'exclude' => '',
 		'meta_key' => '', 'meta_value' =>'', 'post_type' => 'post', 'post_status' => 'publish', 'post_parent' => 0);
 	$r = array_merge($defaults, $r);
-	extract($r);
+	extract($r, EXTR_SKIP);
 	$numberposts = (int) $numberposts;
 	$offset = (int) $offset;
 	$category = (int) $category;
@@ -490,7 +490,7 @@ function wp_insert_post($postarr = array()) {
 		$postarr = get_object_vars($postarr);
 
 	// export array as variables
-	extract($postarr);
+	extract($postarr, EXTR_SKIP);
 
 	// Are we updating or creating?
 	$update = false;
@@ -881,7 +881,7 @@ function trackback_url_list($tb_list, $post_id) {
 		$postdata = wp_get_single_post($post_id, ARRAY_A);
 
 		// import postdata as variables
-		extract($postdata);
+		extract($postdata, EXTR_SKIP);
 
 		// form an excerpt
 		$excerpt = strip_tags($post_excerpt?$post_excerpt:$post_content);
@@ -1067,7 +1067,7 @@ function &get_pages($args = '') {
 	$defaults = array('child_of' => 0, 'sort_order' => 'ASC', 'sort_column' => 'post_title',
 				'hierarchical' => 1, 'exclude' => '', 'include' => '', 'meta_key' => '', 'meta_value' => '', 'authors' => '');
 	$r = array_merge($defaults, $r);
-	extract($r);
+	extract($r, EXTR_SKIP);
 
 	$key = md5( serialize( $r ) );
 	if ( $cache = wp_cache_get( 'get_pages', 'page' ) )
@@ -1221,7 +1221,7 @@ function wp_insert_attachment($object, $file = false, $post_parent = 0) {
 		$object = get_object_vars($object);
 
 	// Export array as variables
-	extract($object);
+	extract($object, EXTR_SKIP);
 
 	// Get the basics.
 	$post_content    = apply_filters('content_save_pre',   $post_content);

wp-includes/query.php

@@ -413,18 +413,8 @@ class WP_Query {
 		$this->query_vars = $this->fill_query_vars($this->query_vars);
 		$qv = &$this->query_vars;
 
-		if ( ! empty($qv['robots']) ) {
+		if ( ! empty($qv['robots']) )
 			$this->is_robots = true;
-			return;
-		}
-
-		if ('404' == $qv['error']) {
-			$this->is_404 = true;
-			if ( !empty($query) ) {
-				do_action_ref_array('parse_query', array(&$this));
-			}
-			return;
-		}
 
 		$qv['p'] =  (int) $qv['p'];
 		$qv['page_id'] =  (int) $qv['page_id'];
@@ -606,12 +596,21 @@ class WP_Query {
 			}
 		}
 
+		if ( !empty($qv['post_type']) )
+			$qv['post_type'] = sanitize_user($qv['post_type'], true);
+
+		if ( !empty($qv['post_status']) )
+			$qv['post_status'] = sanitize_user($qv['post_status'], true);
+
 		if ( $this->is_posts_page && !$qv['withcomments'] )
 			$this->is_comment_feed = false;
 
 		$this->is_singular = $this->is_single || $this->is_page || $this->is_attachment;
 		// Done correcting is_* for page_on_front and page_for_posts
 
+		if ('404' == $qv['error'])
+			$this->set_404();
+
 		if ( !empty($query) )
 			do_action_ref_array('parse_query', array(&$this));
 	}

wp-includes/registration.php

@@ -32,7 +32,7 @@ function validate_username( $username ) {
 function wp_insert_user($userdata) {
 	global $wpdb;
 
-	extract($userdata);
+	extract($userdata, EXTR_SKIP);
 
 	// Are we updating or creating?
 	if ( !empty($ID) ) {

wp-includes/rewrite.php

@@ -135,6 +135,15 @@ function url_to_postid($url) {
 
 			// Substitute the substring matches into the query.
 			eval("\$query = \"$query\";");
+			// Filter out non-public query vars
+			global $wp;
+			parse_str($query, $query_vars);
+			$query = array();
+			foreach ( $query_vars as $key => $value ) {
+				if ( in_array($key, $wp->public_query_vars) )
+					$query[$key] = $value;
+			}
+			// Do the query
 			$query = new WP_Query($query);
 			if ( $query->is_single || $query->is_page )
 				return $query->post->ID;

wp-includes/rss.php

@@ -9,7 +9,7 @@
 
 define('RSS', 'RSS');
 define('ATOM', 'Atom');
-define('MAGPIE_USER_AGENT', 'WordPress/' . $wp_version);
+define('MAGPIE_USER_AGENT', 'WordPress/' . $GLOBALS['wp_version']);
 
 class MagpieRSS {
 	var $parser;
@@ -591,7 +591,7 @@ function init () {
 	}
 
 	if ( !defined('MAGPIE_USER_AGENT') ) {
-		$ua = 'WordPress/' . $wp_version;
+		$ua = 'WordPress/' . $GLOBALS['wp_version'];
 
 		if ( MAGPIE_CACHE_ON ) {
 			$ua = $ua . ')';

wp-includes/theme.php

@@ -79,6 +79,7 @@ function get_theme_data( $theme_file ) {
 	$name = trim( $name );
 	$theme = $name;
 	$theme_uri = trim( $theme_uri[1] );
+	$template = trim( $template[1] );
 
 	if ( '' == $author_uri[1] ) {
 		$author = trim( $author_name[1] );
@@ -86,7 +87,7 @@ function get_theme_data( $theme_file ) {
 		$author = '<a href="' . trim( $author_uri[1] ) . '" title="' . __('Visit author homepage') . '">' . trim( $author_name[1] ) . '</a>';
 	}
 
-	return array( 'Name' => $name, 'Title' => $theme, 'URI' => $theme_uri, 'Description' => $description, 'Author' => $author, 'Version' => $version, 'Template' => $template[1], 'Status' => $status );
+	return array( 'Name' => $name, 'Title' => $theme, 'URI' => $theme_uri, 'Description' => $description, 'Author' => $author, 'Version' => $version, 'Template' => $template, 'Status' => $status );
 }
 
 function get_themes() {

wp-includes/vars.php

@@ -1,15 +1,24 @@
 <?php
 
 // On which page are we ?
-if ( preg_match('#([^/]+\.php)$#', $PHP_SELF, $self_matches) ) {
+if ( is_admin() ) {
+	// wp-admin pages are checked more carefully
+	preg_match('#/wp-admin/?(.*?)$#i', $PHP_SELF, $self_matches);
 	$pagenow = $self_matches[1];
-} elseif ( strpos($PHP_SELF, '?') !== false ) {
-	$pagenow = explode('/', $PHP_SELF);
-	$pagenow = trim($pagenow[(sizeof($pagenow)-1)]);
-	$pagenow = explode('?', $pagenow);
-	$pagenow = $pagenow[0];
+	$pagenow = preg_replace('#\?.*?$#', '', $pagenow);
+	if ( '' === $pagenow || 'index' === $pagenow || 'index.php' === $pagenow ) {
+		$pagenow = 'index.php';
+	} else {
+		preg_match('#(.*?)(/|$)#', $pagenow, $self_matches);
+		$pagenow = strtolower($self_matches[1]);
+		if ( '.php' !== substr($pagenow, -4, 4) )
+			$pagenow .= '.php'; // for Options +Multiviews: /wp-admin/themes/index.php (themes.php is queried)
+	}
 } else {
-	$pagenow = 'index.php';
+	if ( preg_match('#([^/]+\.php)([?/].*?)?$#i', $PHP_SELF, $self_matches) )
+		$pagenow = strtolower($self_matches[1]);
+	else
+		$pagenow = 'index.php';
 }
 
 // Simple browser detection

wp-includes/version.php

@@ -2,7 +2,7 @@
 
 // This holds the version number in a separate file so we can bump it without cluttering the SVN
 
-$wp_version = '2.2';
+$wp_version = '2.2.3';
 $wp_db_version = 5183;
 
 ?>

wp-includes/widgets.php

@@ -75,9 +75,9 @@ function register_sidebar_widget($name, $output_callback, $classname = '') {
 
 	$id = sanitize_title($name);
 	$options = array();
-	if ( !empty($classname) )
+	if ( !empty($classname) && is_string($classname) )
 		$options['classname'] = $classname;
-	$params = array_slice(func_get_args(), 3);
+	$params = array_slice(func_get_args(), 2);
 	$args = array($id, $name, $output_callback, $options);
 	if ( !empty($params) )
 		$args = array_merge($args, $params);
@@ -326,34 +326,70 @@ function wp_get_widget_defaults() {
 
 /* Default Widgets */
 
-function wp_widget_pages($args) {
-	extract($args);
-	$options = get_option('widget_pages');
-	$title = empty($options['title']) ? __('Pages') : $options['title'];
-	echo $before_widget . $before_title . $title . $after_title . "<ul>\n";
-	wp_list_pages("title_li=");
-	echo "</ul>\n" . $after_widget;
+function wp_widget_pages( $args ) {
+	extract( $args );
+	$options = get_option( 'widget_pages' );
+	
+	$title = empty( $options['title'] ) ? __( 'Pages' ) : $options['title'];
+	$sortby = empty( $options['sortby'] ) ? 'menu_order' : $options['sortby'];
+	$exclude = empty( $options['exclude'] ) ? '' : $options['exclude'];
+	
+	if ( $sortby == 'menu_order' ) {
+		$sortby = 'menu_order, post_title';
+	}
+	
+	$out = wp_list_pages( array('title_li' => '', 'echo' => 0, 'sort_column' => $sortby, 'exclude' => $exclude) );
+	
+	if ( !empty( $out ) ) {
+?>
+	<?php echo $before_widget; ?>
+		<?php echo $before_title . $title . $after_title; ?>
+		<ul>
+			<?php echo $out; ?>
+		</ul>
+	<?php echo $after_widget; ?>
+<?php
+	}
 }
 
 function wp_widget_pages_control() {
 	$options = $newoptions = get_option('widget_pages');
-	if ( $_POST["pages-submit"] ) {
-		$newoptions['title'] = strip_tags(stripslashes($_POST["pages-title"]));
+	if ( $_POST['pages-submit'] ) {
+		$newoptions['title'] = strip_tags(stripslashes($_POST['pages-title']));
+		
+		$sortby = stripslashes( $_POST['pages-sortby'] );
+		
+		if ( in_array( $sortby, array( 'post_title', 'menu_order', 'ID' ) ) ) {
+			$newoptions['sortby'] = $sortby;
+		} else {
+			$newoptions['sortby'] = 'menu_order';
+		}
+		
+		$newoptions['exclude'] = strip_tags( stripslashes( $_POST['pages-exclude'] ) );
 	}
 	if ( $options != $newoptions ) {
 		$options = $newoptions;
 		update_option('widget_pages', $options);
 	}
 	$title = attribute_escape($options['title']);
+	$exclude = attribute_escape( $options['exclude'] );
 ?>
 			<p><label for="pages-title"><?php _e('Title:'); ?> <input style="width: 250px;" id="pages-title" name="pages-title" type="text" value="<?php echo $title; ?>" /></label></p>
+			<p><label for="pages-sortby"><?php _e( 'Sort by:' ); ?> 
+				<select name="pages-sortby" id="pages-sortby">
+					<option value="post_title"<?php selected( $options['sortby'], 'post_title' ); ?>><?php _e('Page title'); ?></option>
+					<option value="menu_order"<?php selected( $options['sortby'], 'menu_order' ); ?>><?php _e('Page order'); ?></option>
+					<option value="ID"<?php selected( $options['sortby'], 'ID' ); ?>><?php _e( 'Page ID' ); ?></option>
+				</select></label></p>
+			<p><label for="pages-exclude"><?php _e( 'Exclude:' ); ?> <input type="text" value="<?php echo $exclude; ?>" name="pages-exclude" id="pages-exclude" style="width: 180px;" /></label><br />
+			<small><?php _e( 'Page IDs, separated by commas.' ); ?></small></p>
 			<input type="hidden" id="pages-submit" name="pages-submit" value="1" />
 <?php
 }
 
 function wp_widget_links($args) {
 	global $wp_db_version;
-	extract($args);
+	extract($args, EXTR_SKIP);
 	if ( $wp_db_version < 3582 ) {
 		// This ONLY works with li/h2 sidebars.
 		get_links_list();
@@ -493,12 +529,10 @@ function wp_widget_text($args, $number = 1) {
 	extract($args);
 	$options = get_option('widget_text');
 	$title = $options[$number]['title'];
-	if ( empty($title) )
-		$title = '&nbsp;';
-	$text = $options[$number]['text'];
+	$text = apply_filters( 'widget_text', $options[$number]['text'] );
 ?>
 		<?php echo $before_widget; ?>
-			<?php $title ? print($before_title . $title . $after_title) : null; ?>
+			<?php if ( !empty( $title ) ) { echo $before_title . $title . $after_title; } ?>
 			<div class="textwidget"><?php echo $text; ?></div>
 		<?php echo $after_widget; ?>
 <?php
@@ -519,10 +553,10 @@ function wp_widget_text_control($number) {
 		update_option('widget_text', $options);
 	}
 	$title = attribute_escape($options[$number]['title']);
-	$text = attribute_escape($options[$number]['text']);
+	$text = format_to_edit($options[$number]['text']);
 ?>
-			<input style="width: 450px;" id="text-title-<?php echo "$number"; ?>" name="text-title-<?php echo "$number"; ?>" type="text" value="<?php echo $title; ?>" />
-			<textarea style="width: 450px; height: 280px;" id="text-text-<?php echo "$number"; ?>" name="text-text-<?php echo "$number"; ?>"><?php echo $text; ?></textarea>
+			<input style="width: 450px;" id="text-title-<?php echo $number; ?>" name="text-title-<?php echo $number; ?>" type="text" value="<?php echo $title; ?>" />
+			<textarea style="width: 450px; height: 280px;" id="text-text-<?php echo $number; ?>" name="text-text-<?php echo $number; ?>"><?php echo $text; ?></textarea>
 			<input type="hidden" id="text-submit-<?php echo "$number"; ?>" name="text-submit-<?php echo "$number"; ?>" value="1" />
 <?php
 }
@@ -596,7 +630,7 @@ function wp_widget_categories($args) {
     var dropdown = document.getElementById("cat");
     function onCatChange() {
 		if ( dropdown.options[dropdown.selectedIndex].value > 0 ) {
-	        location.href = "<?php echo get_option('siteurl'); ?>/?cat="+dropdown.options[dropdown.selectedIndex].value;
+			location.href = "<?php echo get_option('home'); ?>/?cat="+dropdown.options[dropdown.selectedIndex].value;
 		}
     }
     dropdown.onchange = onCatChange;
@@ -771,7 +805,7 @@ function wp_widget_recent_comments_register() {
 
 function wp_widget_rss($args, $number = 1) {
 	require_once(ABSPATH . WPINC . '/rss.php');
-	extract($args);
+	extract($args, EXTR_SKIP);
 	$options = get_option('widget_rss');
 	if ( isset($options['error']) && $options['error'] )
 		return;
@@ -826,7 +860,7 @@ function wp_widget_rss($args, $number = 1) {
 			echo "<li><a class='rsswidget' href='$link' title='$desc'>$title</a>$summary</li>";
 		}
 	} else {
-		echo __('<li>An error has occured; the feed is probably down. Try again later.</li>');
+		echo '<li>' . __( 'An error has occurred; the feed is probably down. Try again later.' ) . '</li>';
 	}
 ?>
 			</ul>
@@ -928,7 +962,7 @@ function wp_widgets_init() {
 	$dims150 = array('height' => 150, 'width' => 300);
 	$class = array('classname' => 'widget_pages');
 	wp_register_sidebar_widget('pages', __('Pages'), 'wp_widget_pages', $class);
-	wp_register_widget_control('pages', __('Pages'), 'wp_widget_pages_control', $dims90);
+	wp_register_widget_control('pages', __('Pages'), 'wp_widget_pages_control', $dims150);
 	$class['classname'] = 'widget_calendar';
 	wp_register_sidebar_widget('calendar', __('Calendar'), 'wp_widget_calendar', $class);
 	wp_register_widget_control('calendar', __('Calendar'), 'wp_widget_calendar_control', $dims90);

wp-mail.php

@@ -64,17 +64,17 @@ for ($i=1; $i <= $count; $i++) :
 			// otherwise use the site admin
 			if (preg_match('/From: /', $line) | preg_match('/Reply-To: /', $line))  {
 				$author=trim($line);
-			if ( ereg("([a-zA-Z0-9\_\-\.]+@[\a-zA-z0-9\_\-\.]+)", $author , $regs) ) {
-				$author = $regs[1];
-				echo "Author = {$author} <p>";
-				$author = $wpdb->escape($author);
-				$result = $wpdb->get_row("SELECT ID FROM $wpdb->users WHERE user_email='$author' LIMIT 1");
-				if (!$result)
+				if ( ereg("([a-zA-Z0-9\_\-\.]+@[\a-zA-z0-9\_\-\.]+)", $author , $regs) ) {
+					$author = $regs[1];
+					echo "Author = {$author} <p>";
+					$author = $wpdb->escape($author);
+					$result = $wpdb->get_row("SELECT ID FROM $wpdb->users WHERE user_email='$author' LIMIT 1");
+					if (!$result)
+						$post_author = 1;
+					else
+						$post_author = $result->ID;
+				} else
 					$post_author = 1;
-				else
-					$post_author = $result->ID;
-			} else
-				$post_author = 1;
 			}
 
 			if (preg_match('/Date: /i', $line)) { // of the form '20 Mar 2002 20:32:37'

wp-settings.php

@@ -48,8 +48,8 @@ $PHP_SELF = $_SERVER['PHP_SELF'];
 if ( empty($PHP_SELF) )
 	$_SERVER['PHP_SELF'] = $PHP_SELF = preg_replace("/(\?.*)?$/",'',$_SERVER["REQUEST_URI"]);
 
-if ( !(phpversion() >= '4.1') )
-	die( 'Your server is running PHP version ' . phpversion() . ' but WordPress requires at least 4.1' );
+if ( !(phpversion() >= '4.2') )
+	die( 'Your server is running PHP version ' . phpversion() . ' but WordPress requires at least 4.2.' );
 
 if ( !extension_loaded('mysql') && !file_exists(ABSPATH . 'wp-content/db.php') )
 	die( 'Your PHP installation appears to be missing the MySQL which is required for WordPress.' );
@@ -81,7 +81,7 @@ error_reporting(E_ALL ^ E_NOTICE);
 
 // For an advanced caching plugin to use, static because you would only want one
 if ( defined('WP_CACHE') )
-	require (ABSPATH . 'wp-content/advanced-cache.php');
+	@include ABSPATH . 'wp-content/advanced-cache.php';
 
 define('WPINC', 'wp-includes');
 
@@ -263,4 +263,4 @@ register_shutdown_function('shutdown_action_hook');
 // Everything is loaded and initialized.
 do_action('init');
 
-?>
+?>

xmlrpc.php

@@ -28,10 +28,10 @@ header('Content-type: text/xml; charset=' . get_option('blog_charset'), true);
     <engineLink>http://wordpress.org/</engineLink>
     <homePageLink><?php bloginfo_rss('url') ?></homePageLink>
     <apis>
-      <api name="WordPress" blogID="1" preferred="false" apiLink="<?php bloginfo_rss('url') ?>/xmlrpc.php" />
-      <api name="Movable Type" blogID="1" preferred="true" apiLink="<?php bloginfo_rss('url') ?>/xmlrpc.php" />
-      <api name="MetaWeblog" blogID="1" preferred="false" apiLink="<?php bloginfo_rss('url') ?>/xmlrpc.php" />
-      <api name="Blogger" blogID="1" preferred="false" apiLink="<?php bloginfo_rss('url') ?>/xmlrpc.php" />
+      <api name="WordPress" blogID="1" preferred="false" apiLink="<?php bloginfo_rss('wpurl') ?>/xmlrpc.php" />
+      <api name="Movable Type" blogID="1" preferred="true" apiLink="<?php bloginfo_rss('wpurl') ?>/xmlrpc.php" />
+      <api name="MetaWeblog" blogID="1" preferred="false" apiLink="<?php bloginfo_rss('wpurl') ?>/xmlrpc.php" />
+      <api name="Blogger" blogID="1" preferred="false" apiLink="<?php bloginfo_rss('wpurl') ?>/xmlrpc.php" />
     </apis>
   </service>
 </rsd>
@@ -208,7 +208,7 @@ class wp_xmlrpc_server extends IXR_Server {
 			$allow_pings = ("open" == $page->ping_status) ? 1 : 0;
 
 			// Format page date.
-			$page_date = mysql2date("Ymd\TH:i:s", $page->post_date_gmt);
+			$page_date = mysql2date("Ymd\TH:i:s\Z", $page->post_date_gmt);
 
 			// Pull the categories info together.
 			$categories = array();
@@ -438,7 +438,7 @@ class wp_xmlrpc_server extends IXR_Server {
 		// The date needs to be formated properly.
 		$num_pages = count($page_list);
 		for($i = 0; $i < $num_pages; $i++) {
-			$post_date = mysql2date("Ymd\TH:i:s", $page_list[$i]->post_date_gmt);
+			$post_date = mysql2date("Ymd\TH:i:s\Z", $page_list[$i]->post_date_gmt);
 			$page_list[$i]->dateCreated = new IXR_Date($post_date);
 
 			unset($page_list[$i]->post_date_gmt);
@@ -538,7 +538,7 @@ class wp_xmlrpc_server extends IXR_Server {
 		$username				= $args[1];
 		$password				= $args[2];
 		$category				= $args[3];
-		$max_results			= $args[4];
+		$max_results			= (int) $args[4];
 
 		if(!$this->login_pass_ok($username, $password)) {
 			return($this->error);
@@ -849,7 +849,7 @@ class wp_xmlrpc_server extends IXR_Server {
 	  if ( !current_user_can('edit_post', $post_ID) )
 	    return new IXR_Error(401, __('Sorry, you do not have the right to edit this post.'));
 
-	  extract($actual_post);
+	  extract($actual_post, EXTR_SKIP);
 
 	  if ( ('publish' == $post_status) && !current_user_can('publish_posts') )
 	  	return new IXR_Error(401, __('Sorry, you do not have the right to publish this post.'));
@@ -929,8 +929,9 @@ class wp_xmlrpc_server extends IXR_Server {
 	    return $this->error;
 	  }
 
+      $cap = ($publish) ? 'publish_posts' : 'edit_posts';
 	  $user = set_current_user(0, $user_login);
-	  if ( !current_user_can('publish_posts') )
+	  if ( !current_user_can($cap) )
 	    return new IXR_Error(401, __('Sorry, you can not post on this weblog or category.'));
 
 		// The post_type defaults to post, but could also be page.
@@ -999,31 +1000,67 @@ class wp_xmlrpc_server extends IXR_Server {
 	  $post_more = $content_struct['mt_text_more'];
 
 		if(isset($content_struct["mt_allow_comments"])) {
-			switch((int) $content_struct["mt_allow_comments"]) {
-				case 0:
-					$comment_status = "closed";
-					break;
-				case 1:
-					$comment_status = "open";
-					break;
-				default:
-					$comment_status = get_option("default_comment_status");
-					break;
+			if(!is_numeric($content_struct["mt_allow_comments"])) {
+				switch($content_struct["mt_allow_comments"]) {
+					case "closed":
+						$comment_status = "closed";
+						break;
+					case "open":
+						$comment_status = "open";
+						break;
+					default:
+						$comment_status = get_option("default_comment_status");
+						break;
+				}
 			}
+			else {
+				switch((int) $content_struct["mt_allow_comments"]) {
+					case 0:
+						$comment_status = "closed";
+						break;
+					case 1:
+						$comment_status = "open";
+						break;
+					default:
+						$comment_status = get_option("default_comment_status");
+						break;
+				}
+			}
+		}
+		else {
+			$comment_status = get_option("default_comment_status");
 		}
 
 		if(isset($content_struct["mt_allow_pings"])) {
-			switch((int) $content_struct["mt_allow_pings"]) {
-				case 0:
-					$ping_status = "closed";
-					break;
-				case 1:
-					$ping_status = "open";
-					break;
-				default:
-					$ping_status = get_option("default_ping_status");
-					break;
+			if(!is_numeric($content_struct["mt_allow_pings"])) {
+				switch($content_struct["mt_allow_pings"]) {
+					case "closed":
+						$ping_status = "closed";
+						break;
+					case "open":
+						$ping_status = "open";
+						break;
+					default:
+						$ping_status = get_option("default_ping_status");
+						break;
+				}
 			}
+			else {
+				switch((int) $content_struct["mt_allow_pings"]) {
+					case 0:
+						$ping_status = "closed";
+						break;
+					case 1:
+						$ping_status = "open";
+						break;
+					default:
+						$ping_status = get_option("default_ping_status");
+						break;
+				}
+			}
+		}
+		else {
+			$ping_status = get_option("default_ping_status");
 		}
 
 	  if ($post_more) {
@@ -1126,8 +1163,8 @@ class wp_xmlrpc_server extends IXR_Server {
 			return(new IXR_Error(404, __("Invalid post id.")));
 		}
 
-	  extract($postdata);
 		$this->escape($postdata);
+		extract($postdata, EXTR_SKIP);
 
 		// Let WordPress manage slug if none was provided.
 		$post_name = "";
@@ -1150,7 +1187,7 @@ class wp_xmlrpc_server extends IXR_Server {
 			$menu_order = $content_struct["wp_page_order"];
 		}
 
-		$post_author = $user->ID;
+		$post_author = $postdata["post_author"];
 
 		// Only set the post_author if one is set.
 		if(
@@ -1177,15 +1214,61 @@ class wp_xmlrpc_server extends IXR_Server {
 			$post_author = $content_struct["wp_author_id"];
 		}
 
-		// Only set ping_status if it was provided.
+		if(isset($content_struct["mt_allow_comments"])) {
+			if(!is_numeric($content_struct["mt_allow_comments"])) {
+				switch($content_struct["mt_allow_comments"]) {
+					case "closed":
+						$comment_status = "closed";
+						break;
+					case "open":
+						$comment_status = "open";
+						break;
+					default:
+						$comment_status = get_option("default_comment_status");
+						break;
+				}
+			}
+			else {
+				switch((int) $content_struct["mt_allow_comments"]) {
+					case 0:
+						$comment_status = "closed";
+						break;
+					case 1:
+						$comment_status = "open";
+						break;
+					default:
+						$comment_status = get_option("default_comment_status");
+						break;
+				}
+			}
+		}
+
 		if(isset($content_struct["mt_allow_pings"])) {
-			switch((int) $content_struct["mt_allow_pings"]) {
-				case 0:
-					$ping_status = "closed";
-					break;
-				case 1:
-					$ping_status = "open";
-					break;
+			if(!is_numeric($content_struct["mt_allow_pings"])) {
+				switch($content_struct["mt_allow_pings"]) {
+					case "closed":
+						$ping_status = "closed";
+						break;
+					case "open":
+						$ping_status = "open";
+						break;
+					default:
+						$ping_status = get_option("default_ping_status");
+						break;
+				}
+			}
+			else {
+				switch((int) $content_struct["mt_allow_pings"]) {
+					case 0:
+						$ping_status = "closed";
+						break;
+					case 1:
+						$ping_status = "open";
+						break;
+					default:
+						$ping_status = get_option("default_ping_status");
+						break;
+				}
 			}
 		}
 
@@ -1220,10 +1303,6 @@ class wp_xmlrpc_server extends IXR_Server {
 	  if ( is_array($to_ping) )
 	  	$to_ping = implode(' ', $to_ping);
 
-      if(isset($content_struct["mt_allow_comments"])) {
-		$comment_status = (int) $content_struct["mt_allow_comments"];
-      }
-	  
 	  // Do some timestamp voodoo
 	  $dateCreatedd = $content_struct['dateCreated'];
 	  if (!empty($dateCreatedd)) {
@@ -1269,7 +1348,7 @@ class wp_xmlrpc_server extends IXR_Server {
 
 	  if ($postdata['post_date'] != '') {
 
-	    $post_date = mysql2date('Ymd\TH:i:s', $postdata['post_date_gmt']);
+	    $post_date = mysql2date('Ymd\TH:i:s\Z', $postdata['post_date_gmt']);
 
 	    $categories = array();
 	    $catids = wp_get_post_categories($post_ID);
@@ -1337,7 +1416,7 @@ class wp_xmlrpc_server extends IXR_Server {
 
 		foreach ($posts_list as $entry) {
 
-			$post_date = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt']);
+			$post_date = mysql2date('Ymd\TH:i:s\Z', $entry['post_date_gmt']);
 			$categories = array();
 			$catids = wp_get_post_categories($entry['ID']);
 			foreach($catids as $catid) {
@@ -1436,6 +1515,21 @@ class wp_xmlrpc_server extends IXR_Server {
 		$type = $data['type'];
 		$bits = $data['bits'];
 
+		logIO('O', '(MW) Received '.strlen($bits).' bytes');
+
+		if ( !$this->login_pass_ok($user_login, $user_pass) )
+			return $this->error;
+
+		set_current_user(0, $user_login);
+		if ( !current_user_can('upload_files') ) {
+			logIO('O', '(MW) User does not have upload_files capability');
+			$this->error = new IXR_Error(401, __('You are not allowed to upload files to this site.'));
+			return $this->error;
+		}
+
+		if ( $upload_err = apply_filters( "pre_upload_error", false ) )
+			return new IXR_Error(500, $upload_err);
+
 		if(!empty($data["overwrite"]) && ($data["overwrite"] == true)) {
 			// Get postmeta info on the object.
 			$old_file = $wpdb->get_row("
@@ -1454,21 +1548,6 @@ class wp_xmlrpc_server extends IXR_Server {
 			$name = "wpid{$old_file->ID}-{$filename}";
 		}
 
-		logIO('O', '(MW) Received '.strlen($bits).' bytes');
-
-		if ( !$this->login_pass_ok($user_login, $user_pass) )
-			return $this->error;
-
-		set_current_user(0, $user_login);
-		if ( !current_user_can('upload_files') ) {
-			logIO('O', '(MW) User does not have upload_files capability');
-			$this->error = new IXR_Error(401, __('You are not allowed to upload files to this site.'));
-			return $this->error;
-		}
-
-		if ( $upload_err = apply_filters( "pre_upload_error", false ) )
-			return new IXR_Error(500, $upload_err);
-
 		$upload = wp_upload_bits($name, $type, $bits, $overwrite);
 		if ( ! empty($upload['error']) ) {
 			$errorString = 'Could not write file ' . $name . ' (' . $upload['error'] . ')';
@@ -1522,7 +1601,7 @@ class wp_xmlrpc_server extends IXR_Server {
 
 		foreach ($posts_list as $entry) {
 
-			$post_date = mysql2date('Ymd\TH:i:s', $entry['post_date_gmt']);
+			$post_date = mysql2date('Ymd\TH:i:s\Z', $entry['post_date_gmt']);
 
 			$struct[] = array(
 				'dateCreated' => new IXR_Date($post_date),