| [ Index ] |
PHP Cross Reference of WordPress |
[Summary view] [Print] [Text view]
1 <?php 2 /** 3 * These functions can be replaced via plugins. If plugins do not redefine these 4 * functions, then these will be used instead. 5 * 6 * @package WordPress 7 */ 8 9 if ( ! function_exists( 'wp_set_current_user' ) ) : 10 /** 11 * Changes the current user by ID or name. 12 * 13 * Set $id to null and specify a name if you do not know a user's ID. 14 * 15 * Some WordPress functionality is based on the current user and not based on 16 * the signed in user. Therefore, it opens the ability to edit and perform 17 * actions on users who aren't signed in. 18 * 19 * @since 2.0.3 20 * 21 * @global WP_User $current_user The current user object which holds the user data. 22 * 23 * @param int $id User ID 24 * @param string $name User's username 25 * @return WP_User Current user User object 26 */ 27 function wp_set_current_user( $id, $name = '' ) { 28 global $current_user; 29 30 // If `$id` matches the current user, there is nothing to do. 31 if ( isset( $current_user ) 32 && ( $current_user instanceof WP_User ) 33 && ( $id == $current_user->ID ) 34 && ( null !== $id ) 35 ) { 36 return $current_user; 37 } 38 39 $current_user = new WP_User( $id, $name ); 40 41 setup_userdata( $current_user->ID ); 42 43 /** 44 * Fires after the current user is set. 45 * 46 * @since 2.0.1 47 */ 48 do_action( 'set_current_user' ); 49 50 return $current_user; 51 } 52 endif; 53 54 if ( ! function_exists( 'wp_get_current_user' ) ) : 55 /** 56 * Retrieve the current user object. 57 * 58 * Will set the current user, if the current user is not set. The current user 59 * will be set to the logged-in person. If no user is logged-in, then it will 60 * set the current user to 0, which is invalid and won't have any permissions. 61 * 62 * @since 2.0.3 63 * 64 * @see _wp_get_current_user() 65 * @global WP_User $current_user Checks if the current user is set. 66 * 67 * @return WP_User Current WP_User instance. 68 */ 69 function wp_get_current_user() { 70 return _wp_get_current_user(); 71 } 72 endif; 73 74 if ( ! function_exists( 'get_userdata' ) ) : 75 /** 76 * Retrieve user info by user ID. 77 * 78 * @since 0.71 79 * 80 * @param int $user_id User ID 81 * @return WP_User|false WP_User object on success, false on failure. 82 */ 83 function get_userdata( $user_id ) { 84 return get_user_by( 'id', $user_id ); 85 } 86 endif; 87 88 if ( ! function_exists( 'get_user_by' ) ) : 89 /** 90 * Retrieve user info by a given field 91 * 92 * @since 2.8.0 93 * @since 4.4.0 Added 'ID' as an alias of 'id' for the `$field` parameter. 94 * 95 * @param string $field The field to retrieve the user with. id | ID | slug | email | login. 96 * @param int|string $value A value for $field. A user ID, slug, email address, or login name. 97 * @return WP_User|false WP_User object on success, false on failure. 98 */ 99 function get_user_by( $field, $value ) { 100 $userdata = WP_User::get_data_by( $field, $value ); 101 102 if ( ! $userdata ) { 103 return false; 104 } 105 106 $user = new WP_User; 107 $user->init( $userdata ); 108 109 return $user; 110 } 111 endif; 112 113 if ( ! function_exists( 'cache_users' ) ) : 114 /** 115 * Retrieve info for user lists to prevent multiple queries by get_userdata() 116 * 117 * @since 3.0.0 118 * 119 * @global wpdb $wpdb WordPress database abstraction object. 120 * 121 * @param array $user_ids User ID numbers list 122 */ 123 function cache_users( $user_ids ) { 124 global $wpdb; 125 126 $clean = _get_non_cached_ids( $user_ids, 'users' ); 127 128 if ( empty( $clean ) ) { 129 return; 130 } 131 132 $list = implode( ',', $clean ); 133 134 $users = $wpdb->get_results( "SELECT * FROM $wpdb->users WHERE ID IN ($list)" ); 135 136 $ids = array(); 137 foreach ( $users as $user ) { 138 update_user_caches( $user ); 139 $ids[] = $user->ID; 140 } 141 update_meta_cache( 'user', $ids ); 142 } 143 endif; 144 145 if ( ! function_exists( 'wp_mail' ) ) : 146 /** 147 * Sends an email, similar to PHP's mail function. 148 * 149 * A true return value does not automatically mean that the user received the 150 * email successfully. It just only means that the method used was able to 151 * process the request without any errors. 152 * 153 * The default content type is `text/plain` which does not allow using HTML. 154 * However, you can set the content type of the email by using the 155 * {@see 'wp_mail_content_type'} filter. 156 * 157 * The default charset is based on the charset used on the blog. The charset can 158 * be set using the {@see 'wp_mail_charset'} filter. 159 * 160 * @since 1.2.1 161 * @since 5.5.0 is_email() is used for email validation, 162 * instead of PHPMailer's default validator. 163 * 164 * @global PHPMailer\PHPMailer\PHPMailer $phpmailer 165 * 166 * @param string|string[] $to Array or comma-separated list of email addresses to send message. 167 * @param string $subject Email subject. 168 * @param string $message Message contents. 169 * @param string|string[] $headers Optional. Additional headers. 170 * @param string|string[] $attachments Optional. Paths to files to attach. 171 * @return bool Whether the email was sent successfully. 172 */ 173 function wp_mail( $to, $subject, $message, $headers = '', $attachments = array() ) { 174 // Compact the input, apply the filters, and extract them back out. 175 176 /** 177 * Filters the wp_mail() arguments. 178 * 179 * @since 2.2.0 180 * 181 * @param array $args { 182 * Array of the `wp_mail()` arguments. 183 * 184 * @type string|string[] $to Array or comma-separated list of email addresses to send message. 185 * @type string $subject Email subject. 186 * @type string $message Message contents. 187 * @type string|string[] $headers Additional headers. 188 * @type string|string[] $attachments Paths to files to attach. 189 * } 190 */ 191 $atts = apply_filters( 'wp_mail', compact( 'to', 'subject', 'message', 'headers', 'attachments' ) ); 192 193 /** 194 * Filters whether to preempt sending an email. 195 * 196 * Returning a non-null value will short-circuit {@see wp_mail()}, returning 197 * that value instead. A boolean return value should be used to indicate whether 198 * the email was successfully sent. 199 * 200 * @since 5.7.0 201 * 202 * @param null|bool $return Short-circuit return value. 203 * @param array $atts { 204 * Array of the `wp_mail()` arguments. 205 * 206 * @type string|string[] $to Array or comma-separated list of email addresses to send message. 207 * @type string $subject Email subject. 208 * @type string $message Message contents. 209 * @type string|string[] $headers Additional headers. 210 * @type string|string[] $attachments Paths to files to attach. 211 * } 212 */ 213 $pre_wp_mail = apply_filters( 'pre_wp_mail', null, $atts ); 214 215 if ( null !== $pre_wp_mail ) { 216 return $pre_wp_mail; 217 } 218 219 if ( isset( $atts['to'] ) ) { 220 $to = $atts['to']; 221 } 222 223 if ( ! is_array( $to ) ) { 224 $to = explode( ',', $to ); 225 } 226 227 if ( isset( $atts['subject'] ) ) { 228 $subject = $atts['subject']; 229 } 230 231 if ( isset( $atts['message'] ) ) { 232 $message = $atts['message']; 233 } 234 235 if ( isset( $atts['headers'] ) ) { 236 $headers = $atts['headers']; 237 } 238 239 if ( isset( $atts['attachments'] ) ) { 240 $attachments = $atts['attachments']; 241 } 242 243 if ( ! is_array( $attachments ) ) { 244 $attachments = explode( "\n", str_replace( "\r\n", "\n", $attachments ) ); 245 } 246 global $phpmailer; 247 248 // (Re)create it, if it's gone missing. 249 if ( ! ( $phpmailer instanceof PHPMailer\PHPMailer\PHPMailer ) ) { 250 require_once ABSPATH . WPINC . '/PHPMailer/PHPMailer.php'; 251 require_once ABSPATH . WPINC . '/PHPMailer/SMTP.php'; 252 require_once ABSPATH . WPINC . '/PHPMailer/Exception.php'; 253 $phpmailer = new PHPMailer\PHPMailer\PHPMailer( true ); 254 255 $phpmailer::$validator = static function ( $email ) { 256 return (bool) is_email( $email ); 257 }; 258 } 259 260 // Headers. 261 $cc = array(); 262 $bcc = array(); 263 $reply_to = array(); 264 265 if ( empty( $headers ) ) { 266 $headers = array(); 267 } else { 268 if ( ! is_array( $headers ) ) { 269 // Explode the headers out, so this function can take 270 // both string headers and an array of headers. 271 $tempheaders = explode( "\n", str_replace( "\r\n", "\n", $headers ) ); 272 } else { 273 $tempheaders = $headers; 274 } 275 $headers = array(); 276 277 // If it's actually got contents. 278 if ( ! empty( $tempheaders ) ) { 279 // Iterate through the raw headers. 280 foreach ( (array) $tempheaders as $header ) { 281 if ( strpos( $header, ':' ) === false ) { 282 if ( false !== stripos( $header, 'boundary=' ) ) { 283 $parts = preg_split( '/boundary=/i', trim( $header ) ); 284 $boundary = trim( str_replace( array( "'", '"' ), '', $parts[1] ) ); 285 } 286 continue; 287 } 288 // Explode them out. 289 list( $name, $content ) = explode( ':', trim( $header ), 2 ); 290 291 // Cleanup crew. 292 $name = trim( $name ); 293 $content = trim( $content ); 294 295 switch ( strtolower( $name ) ) { 296 // Mainly for legacy -- process a "From:" header if it's there. 297 case 'from': 298 $bracket_pos = strpos( $content, '<' ); 299 if ( false !== $bracket_pos ) { 300 // Text before the bracketed email is the "From" name. 301 if ( $bracket_pos > 0 ) { 302 $from_name = substr( $content, 0, $bracket_pos - 1 ); 303 $from_name = str_replace( '"', '', $from_name ); 304 $from_name = trim( $from_name ); 305 } 306 307 $from_email = substr( $content, $bracket_pos + 1 ); 308 $from_email = str_replace( '>', '', $from_email ); 309 $from_email = trim( $from_email ); 310 311 // Avoid setting an empty $from_email. 312 } elseif ( '' !== trim( $content ) ) { 313 $from_email = trim( $content ); 314 } 315 break; 316 case 'content-type': 317 if ( strpos( $content, ';' ) !== false ) { 318 list( $type, $charset_content ) = explode( ';', $content ); 319 $content_type = trim( $type ); 320 if ( false !== stripos( $charset_content, 'charset=' ) ) { 321 $charset = trim( str_replace( array( 'charset=', '"' ), '', $charset_content ) ); 322 } elseif ( false !== stripos( $charset_content, 'boundary=' ) ) { 323 $boundary = trim( str_replace( array( 'BOUNDARY=', 'boundary=', '"' ), '', $charset_content ) ); 324 $charset = ''; 325 } 326 327 // Avoid setting an empty $content_type. 328 } elseif ( '' !== trim( $content ) ) { 329 $content_type = trim( $content ); 330 } 331 break; 332 case 'cc': 333 $cc = array_merge( (array) $cc, explode( ',', $content ) ); 334 break; 335 case 'bcc': 336 $bcc = array_merge( (array) $bcc, explode( ',', $content ) ); 337 break; 338 case 'reply-to': 339 $reply_to = array_merge( (array) $reply_to, explode( ',', $content ) ); 340 break; 341 default: 342 // Add it to our grand headers array. 343 $headers[ trim( $name ) ] = trim( $content ); 344 break; 345 } 346 } 347 } 348 } 349 350 // Empty out the values that may be set. 351 $phpmailer->clearAllRecipients(); 352 $phpmailer->clearAttachments(); 353 $phpmailer->clearCustomHeaders(); 354 $phpmailer->clearReplyTos(); 355 356 // Set "From" name and email. 357 358 // If we don't have a name from the input headers. 359 if ( ! isset( $from_name ) ) { 360 $from_name = 'WordPress'; 361 } 362 363 /* 364 * If we don't have an email from the input headers, default to wordpress@$sitename 365 * Some hosts will block outgoing mail from this address if it doesn't exist, 366 * but there's no easy alternative. Defaulting to admin_email might appear to be 367 * another option, but some hosts may refuse to relay mail from an unknown domain. 368 * See https://core.trac.wordpress.org/ticket/5007. 369 */ 370 if ( ! isset( $from_email ) ) { 371 // Get the site domain and get rid of www. 372 $sitename = wp_parse_url( network_home_url(), PHP_URL_HOST ); 373 if ( 'www.' === substr( $sitename, 0, 4 ) ) { 374 $sitename = substr( $sitename, 4 ); 375 } 376 377 $from_email = 'wordpress@' . $sitename; 378 } 379 380 /** 381 * Filters the email address to send from. 382 * 383 * @since 2.2.0 384 * 385 * @param string $from_email Email address to send from. 386 */ 387 $from_email = apply_filters( 'wp_mail_from', $from_email ); 388 389 /** 390 * Filters the name to associate with the "from" email address. 391 * 392 * @since 2.3.0 393 * 394 * @param string $from_name Name associated with the "from" email address. 395 */ 396 $from_name = apply_filters( 'wp_mail_from_name', $from_name ); 397 398 try { 399 $phpmailer->setFrom( $from_email, $from_name, false ); 400 } catch ( PHPMailer\PHPMailer\Exception $e ) { 401 $mail_error_data = compact( 'to', 'subject', 'message', 'headers', 'attachments' ); 402 $mail_error_data['phpmailer_exception_code'] = $e->getCode(); 403 404 /** This filter is documented in wp-includes/pluggable.php */ 405 do_action( 'wp_mail_failed', new WP_Error( 'wp_mail_failed', $e->getMessage(), $mail_error_data ) ); 406 407 return false; 408 } 409 410 // Set mail's subject and body. 411 $phpmailer->Subject = $subject; 412 $phpmailer->Body = $message; 413 414 // Set destination addresses, using appropriate methods for handling addresses. 415 $address_headers = compact( 'to', 'cc', 'bcc', 'reply_to' ); 416 417 foreach ( $address_headers as $address_header => $addresses ) { 418 if ( empty( $addresses ) ) { 419 continue; 420 } 421 422 foreach ( (array) $addresses as $address ) { 423 try { 424 // Break $recipient into name and address parts if in the format "Foo <bar@baz.com>". 425 $recipient_name = ''; 426 427 if ( preg_match( '/(.*)<(.+)>/', $address, $matches ) ) { 428 if ( count( $matches ) == 3 ) { 429 $recipient_name = $matches[1]; 430 $address = $matches[2]; 431 } 432 } 433 434 switch ( $address_header ) { 435 case 'to': 436 $phpmailer->addAddress( $address, $recipient_name ); 437 break; 438 case 'cc': 439 $phpmailer->addCc( $address, $recipient_name ); 440 break; 441 case 'bcc': 442 $phpmailer->addBcc( $address, $recipient_name ); 443 break; 444 case 'reply_to': 445 $phpmailer->addReplyTo( $address, $recipient_name ); 446 break; 447 } 448 } catch ( PHPMailer\PHPMailer\Exception $e ) { 449 continue; 450 } 451 } 452 } 453 454 // Set to use PHP's mail(). 455 $phpmailer->isMail(); 456 457 // Set Content-Type and charset. 458 459 // If we don't have a content-type from the input headers. 460 if ( ! isset( $content_type ) ) { 461 $content_type = 'text/plain'; 462 } 463 464 /** 465 * Filters the wp_mail() content type. 466 * 467 * @since 2.3.0 468 * 469 * @param string $content_type Default wp_mail() content type. 470 */ 471 $content_type = apply_filters( 'wp_mail_content_type', $content_type ); 472 473 $phpmailer->ContentType = $content_type; 474 475 // Set whether it's plaintext, depending on $content_type. 476 if ( 'text/html' === $content_type ) { 477 $phpmailer->isHTML( true ); 478 } 479 480 // If we don't have a charset from the input headers. 481 if ( ! isset( $charset ) ) { 482 $charset = get_bloginfo( 'charset' ); 483 } 484 485 /** 486 * Filters the default wp_mail() charset. 487 * 488 * @since 2.3.0 489 * 490 * @param string $charset Default email charset. 491 */ 492 $phpmailer->CharSet = apply_filters( 'wp_mail_charset', $charset ); 493 494 // Set custom headers. 495 if ( ! empty( $headers ) ) { 496 foreach ( (array) $headers as $name => $content ) { 497 // Only add custom headers not added automatically by PHPMailer. 498 if ( ! in_array( $name, array( 'MIME-Version', 'X-Mailer' ), true ) ) { 499 try { 500 $phpmailer->addCustomHeader( sprintf( '%1$s: %2$s', $name, $content ) ); 501 } catch ( PHPMailer\PHPMailer\Exception $e ) { 502 continue; 503 } 504 } 505 } 506 507 if ( false !== stripos( $content_type, 'multipart' ) && ! empty( $boundary ) ) { 508 $phpmailer->addCustomHeader( sprintf( 'Content-Type: %s; boundary="%s"', $content_type, $boundary ) ); 509 } 510 } 511 512 if ( ! empty( $attachments ) ) { 513 foreach ( $attachments as $attachment ) { 514 try { 515 $phpmailer->addAttachment( $attachment ); 516 } catch ( PHPMailer\PHPMailer\Exception $e ) { 517 continue; 518 } 519 } 520 } 521 522 /** 523 * Fires after PHPMailer is initialized. 524 * 525 * @since 2.2.0 526 * 527 * @param PHPMailer $phpmailer The PHPMailer instance (passed by reference). 528 */ 529 do_action_ref_array( 'phpmailer_init', array( &$phpmailer ) ); 530 531 // Send! 532 try { 533 return $phpmailer->send(); 534 } catch ( PHPMailer\PHPMailer\Exception $e ) { 535 536 $mail_error_data = compact( 'to', 'subject', 'message', 'headers', 'attachments' ); 537 $mail_error_data['phpmailer_exception_code'] = $e->getCode(); 538 539 /** 540 * Fires after a PHPMailer\PHPMailer\Exception is caught. 541 * 542 * @since 4.4.0 543 * 544 * @param WP_Error $error A WP_Error object with the PHPMailer\PHPMailer\Exception message, and an array 545 * containing the mail recipient, subject, message, headers, and attachments. 546 */ 547 do_action( 'wp_mail_failed', new WP_Error( 'wp_mail_failed', $e->getMessage(), $mail_error_data ) ); 548 549 return false; 550 } 551 } 552 endif; 553 554 if ( ! function_exists( 'wp_authenticate' ) ) : 555 /** 556 * Authenticate a user, confirming the login credentials are valid. 557 * 558 * @since 2.5.0 559 * @since 4.5.0 `$username` now accepts an email address. 560 * 561 * @param string $username User's username or email address. 562 * @param string $password User's password. 563 * @return WP_User|WP_Error WP_User object if the credentials are valid, 564 * otherwise WP_Error. 565 */ 566 function wp_authenticate( $username, $password ) { 567 $username = sanitize_user( $username ); 568 $password = trim( $password ); 569 570 /** 571 * Filters whether a set of user login credentials are valid. 572 * 573 * A WP_User object is returned if the credentials authenticate a user. 574 * WP_Error or null otherwise. 575 * 576 * @since 2.8.0 577 * @since 4.5.0 `$username` now accepts an email address. 578 * 579 * @param null|WP_User|WP_Error $user WP_User if the user is authenticated. 580 * WP_Error or null otherwise. 581 * @param string $username Username or email address. 582 * @param string $password User password 583 */ 584 $user = apply_filters( 'authenticate', null, $username, $password ); 585 586 if ( null == $user ) { 587 // TODO: What should the error message be? (Or would these even happen?) 588 // Only needed if all authentication handlers fail to return anything. 589 $user = new WP_Error( 'authentication_failed', __( '<strong>Error</strong>: Invalid username, email address or incorrect password.' ) ); 590 } 591 592 $ignore_codes = array( 'empty_username', 'empty_password' ); 593 594 if ( is_wp_error( $user ) && ! in_array( $user->get_error_code(), $ignore_codes, true ) ) { 595 $error = $user; 596 597 /** 598 * Fires after a user login has failed. 599 * 600 * @since 2.5.0 601 * @since 4.5.0 The value of `$username` can now be an email address. 602 * @since 5.4.0 The `$error` parameter was added. 603 * 604 * @param string $username Username or email address. 605 * @param WP_Error $error A WP_Error object with the authentication failure details. 606 */ 607 do_action( 'wp_login_failed', $username, $error ); 608 } 609 610 return $user; 611 } 612 endif; 613 614 if ( ! function_exists( 'wp_logout' ) ) : 615 /** 616 * Log the current user out. 617 * 618 * @since 2.5.0 619 */ 620 function wp_logout() { 621 $user_id = get_current_user_id(); 622 623 wp_destroy_current_session(); 624 wp_clear_auth_cookie(); 625 wp_set_current_user( 0 ); 626 627 /** 628 * Fires after a user is logged out. 629 * 630 * @since 1.5.0 631 * @since 5.5.0 Added the `$user_id` parameter. 632 * 633 * @param int $user_id ID of the user that was logged out. 634 */ 635 do_action( 'wp_logout', $user_id ); 636 } 637 endif; 638 639 if ( ! function_exists( 'wp_validate_auth_cookie' ) ) : 640 /** 641 * Validates authentication cookie. 642 * 643 * The checks include making sure that the authentication cookie is set and 644 * pulling in the contents (if $cookie is not used). 645 * 646 * Makes sure the cookie is not expired. Verifies the hash in cookie is what is 647 * should be and compares the two. 648 * 649 * @since 2.5.0 650 * 651 * @global int $login_grace_period 652 * 653 * @param string $cookie Optional. If used, will validate contents instead of cookie's. 654 * @param string $scheme Optional. The cookie scheme to use: 'auth', 'secure_auth', or 'logged_in'. 655 * @return int|false User ID if valid cookie, false if invalid. 656 */ 657 function wp_validate_auth_cookie( $cookie = '', $scheme = '' ) { 658 $cookie_elements = wp_parse_auth_cookie( $cookie, $scheme ); 659 if ( ! $cookie_elements ) { 660 /** 661 * Fires if an authentication cookie is malformed. 662 * 663 * @since 2.7.0 664 * 665 * @param string $cookie Malformed auth cookie. 666 * @param string $scheme Authentication scheme. Values include 'auth', 'secure_auth', 667 * or 'logged_in'. 668 */ 669 do_action( 'auth_cookie_malformed', $cookie, $scheme ); 670 return false; 671 } 672 673 $scheme = $cookie_elements['scheme']; 674 $username = $cookie_elements['username']; 675 $hmac = $cookie_elements['hmac']; 676 $token = $cookie_elements['token']; 677 $expired = $cookie_elements['expiration']; 678 $expiration = $cookie_elements['expiration']; 679 680 // Allow a grace period for POST and Ajax requests. 681 if ( wp_doing_ajax() || 'POST' === $_SERVER['REQUEST_METHOD'] ) { 682 $expired += HOUR_IN_SECONDS; 683 } 684 685 // Quick check to see if an honest cookie has expired. 686 if ( $expired < time() ) { 687 /** 688 * Fires once an authentication cookie has expired. 689 * 690 * @since 2.7.0 691 * 692 * @param string[] $cookie_elements An array of data for the authentication cookie. 693 */ 694 do_action( 'auth_cookie_expired', $cookie_elements ); 695 return false; 696 } 697 698 $user = get_user_by( 'login', $username ); 699 if ( ! $user ) { 700 /** 701 * Fires if a bad username is entered in the user authentication process. 702 * 703 * @since 2.7.0 704 * 705 * @param string[] $cookie_elements An array of data for the authentication cookie. 706 */ 707 do_action( 'auth_cookie_bad_username', $cookie_elements ); 708 return false; 709 } 710 711 $pass_frag = substr( $user->user_pass, 8, 4 ); 712 713 $key = wp_hash( $username . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme ); 714 715 // If ext/hash is not present, compat.php's hash_hmac() does not support sha256. 716 $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1'; 717 $hash = hash_hmac( $algo, $username . '|' . $expiration . '|' . $token, $key ); 718 719 if ( ! hash_equals( $hash, $hmac ) ) { 720 /** 721 * Fires if a bad authentication cookie hash is encountered. 722 * 723 * @since 2.7.0 724 * 725 * @param string[] $cookie_elements An array of data for the authentication cookie. 726 */ 727 do_action( 'auth_cookie_bad_hash', $cookie_elements ); 728 return false; 729 } 730 731 $manager = WP_Session_Tokens::get_instance( $user->ID ); 732 if ( ! $manager->verify( $token ) ) { 733 /** 734 * Fires if a bad session token is encountered. 735 * 736 * @since 4.0.0 737 * 738 * @param string[] $cookie_elements An array of data for the authentication cookie. 739 */ 740 do_action( 'auth_cookie_bad_session_token', $cookie_elements ); 741 return false; 742 } 743 744 // Ajax/POST grace period set above. 745 if ( $expiration < time() ) { 746 $GLOBALS['login_grace_period'] = 1; 747 } 748 749 /** 750 * Fires once an authentication cookie has been validated. 751 * 752 * @since 2.7.0 753 * 754 * @param string[] $cookie_elements An array of data for the authentication cookie. 755 * @param WP_User $user User object. 756 */ 757 do_action( 'auth_cookie_valid', $cookie_elements, $user ); 758 759 return $user->ID; 760 } 761 endif; 762 763 if ( ! function_exists( 'wp_generate_auth_cookie' ) ) : 764 /** 765 * Generates authentication cookie contents. 766 * 767 * @since 2.5.0 768 * @since 4.0.0 The `$token` parameter was added. 769 * 770 * @param int $user_id User ID. 771 * @param int $expiration The time the cookie expires as a UNIX timestamp. 772 * @param string $scheme Optional. The cookie scheme to use: 'auth', 'secure_auth', or 'logged_in'. 773 * Default 'auth'. 774 * @param string $token User's session token to use for this cookie. 775 * @return string Authentication cookie contents. Empty string if user does not exist. 776 */ 777 function wp_generate_auth_cookie( $user_id, $expiration, $scheme = 'auth', $token = '' ) { 778 $user = get_userdata( $user_id ); 779 if ( ! $user ) { 780 return ''; 781 } 782 783 if ( ! $token ) { 784 $manager = WP_Session_Tokens::get_instance( $user_id ); 785 $token = $manager->create( $expiration ); 786 } 787 788 $pass_frag = substr( $user->user_pass, 8, 4 ); 789 790 $key = wp_hash( $user->user_login . '|' . $pass_frag . '|' . $expiration . '|' . $token, $scheme ); 791 792 // If ext/hash is not present, compat.php's hash_hmac() does not support sha256. 793 $algo = function_exists( 'hash' ) ? 'sha256' : 'sha1'; 794 $hash = hash_hmac( $algo, $user->user_login . '|' . $expiration . '|' . $token, $key ); 795 796 $cookie = $user->user_login . '|' . $expiration . '|' . $token . '|' . $hash; 797 798 /** 799 * Filters the authentication cookie. 800 * 801 * @since 2.5.0 802 * @since 4.0.0 The `$token` parameter was added. 803 * 804 * @param string $cookie Authentication cookie. 805 * @param int $user_id User ID. 806 * @param int $expiration The time the cookie expires as a UNIX timestamp. 807 * @param string $scheme Cookie scheme used. Accepts 'auth', 'secure_auth', or 'logged_in'. 808 * @param string $token User's session token used. 809 */ 810 return apply_filters( 'auth_cookie', $cookie, $user_id, $expiration, $scheme, $token ); 811 } 812 endif; 813 814 if ( ! function_exists( 'wp_parse_auth_cookie' ) ) : 815 /** 816 * Parses a cookie into its components. 817 * 818 * @since 2.7.0 819 * 820 * @param string $cookie Authentication cookie. 821 * @param string $scheme Optional. The cookie scheme to use: 'auth', 'secure_auth', or 'logged_in'. 822 * @return string[]|false Authentication cookie components. 823 */ 824 function wp_parse_auth_cookie( $cookie = '', $scheme = '' ) { 825 if ( empty( $cookie ) ) { 826 switch ( $scheme ) { 827 case 'auth': 828 $cookie_name = AUTH_COOKIE; 829 break; 830 case 'secure_auth': 831 $cookie_name = SECURE_AUTH_COOKIE; 832 break; 833 case 'logged_in': 834 $cookie_name = LOGGED_IN_COOKIE; 835 break; 836 default: 837 if ( is_ssl() ) { 838 $cookie_name = SECURE_AUTH_COOKIE; 839 $scheme = 'secure_auth'; 840 } else { 841 $cookie_name = AUTH_COOKIE; 842 $scheme = 'auth'; 843 } 844 } 845 846 if ( empty( $_COOKIE[ $cookie_name ] ) ) { 847 return false; 848 } 849 $cookie = $_COOKIE[ $cookie_name ]; 850 } 851 852 $cookie_elements = explode( '|', $cookie ); 853 if ( count( $cookie_elements ) !== 4 ) { 854 return false; 855 } 856 857 list( $username, $expiration, $token, $hmac ) = $cookie_elements; 858 859 return compact( 'username', 'expiration', 'token', 'hmac', 'scheme' ); 860 } 861 endif; 862 863 if ( ! function_exists( 'wp_set_auth_cookie' ) ) : 864 /** 865 * Sets the authentication cookies based on user ID. 866 * 867 * The $remember parameter increases the time that the cookie will be kept. The 868 * default the cookie is kept without remembering is two days. When $remember is 869 * set, the cookies will be kept for 14 days or two weeks. 870 * 871 * @since 2.5.0 872 * @since 4.3.0 Added the `$token` parameter. 873 * 874 * @param int $user_id User ID. 875 * @param bool $remember Whether to remember the user. 876 * @param bool|string $secure Whether the auth cookie should only be sent over HTTPS. Default is an empty 877 * string which means the value of `is_ssl()` will be used. 878 * @param string $token Optional. User's session token to use for this cookie. 879 */ 880 function wp_set_auth_cookie( $user_id, $remember = false, $secure = '', $token = '' ) { 881 if ( $remember ) { 882 /** 883 * Filters the duration of the authentication cookie expiration period. 884 * 885 * @since 2.8.0 886 * 887 * @param int $length Duration of the expiration period in seconds. 888 * @param int $user_id User ID. 889 * @param bool $remember Whether to remember the user login. Default false. 890 */ 891 $expiration = time() + apply_filters( 'auth_cookie_expiration', 14 * DAY_IN_SECONDS, $user_id, $remember ); 892 893 /* 894 * Ensure the browser will continue to send the cookie after the expiration time is reached. 895 * Needed for the login grace period in wp_validate_auth_cookie(). 896 */ 897 $expire = $expiration + ( 12 * HOUR_IN_SECONDS ); 898 } else { 899 /** This filter is documented in wp-includes/pluggable.php */ 900 $expiration = time() + apply_filters( 'auth_cookie_expiration', 2 * DAY_IN_SECONDS, $user_id, $remember ); 901 $expire = 0; 902 } 903 904 if ( '' === $secure ) { 905 $secure = is_ssl(); 906 } 907 908 // Front-end cookie is secure when the auth cookie is secure and the site's home URL uses HTTPS. 909 $secure_logged_in_cookie = $secure && 'https' === parse_url( get_option( 'home' ), PHP_URL_SCHEME ); 910 911 /** 912 * Filters whether the auth cookie should only be sent over HTTPS. 913 * 914 * @since 3.1.0 915 * 916 * @param bool $secure Whether the cookie should only be sent over HTTPS. 917 * @param int $user_id User ID. 918 */ 919 $secure = apply_filters( 'secure_auth_cookie', $secure, $user_id ); 920 921 /** 922 * Filters whether the logged in cookie should only be sent over HTTPS. 923 * 924 * @since 3.1.0 925 * 926 * @param bool $secure_logged_in_cookie Whether the logged in cookie should only be sent over HTTPS. 927 * @param int $user_id User ID. 928 * @param bool $secure Whether the auth cookie should only be sent over HTTPS. 929 */ 930 $secure_logged_in_cookie = apply_filters( 'secure_logged_in_cookie', $secure_logged_in_cookie, $user_id, $secure ); 931 932 if ( $secure ) { 933 $auth_cookie_name = SECURE_AUTH_COOKIE; 934 $scheme = 'secure_auth'; 935 } else { 936 $auth_cookie_name = AUTH_COOKIE; 937 $scheme = 'auth'; 938 } 939 940 if ( '' === $token ) { 941 $manager = WP_Session_Tokens::get_instance( $user_id ); 942 $token = $manager->create( $expiration ); 943 } 944 945 $auth_cookie = wp_generate_auth_cookie( $user_id, $expiration, $scheme, $token ); 946 $logged_in_cookie = wp_generate_auth_cookie( $user_id, $expiration, 'logged_in', $token ); 947 948 /** 949 * Fires immediately before the authentication cookie is set. 950 * 951 * @since 2.5.0 952 * @since 4.9.0 The `$token` parameter was added. 953 * 954 * @param string $auth_cookie Authentication cookie value. 955 * @param int $expire The time the login grace period expires as a UNIX timestamp. 956 * Default is 12 hours past the cookie's expiration time. 957 * @param int $expiration The time when the authentication cookie expires as a UNIX timestamp. 958 * Default is 14 days from now. 959 * @param int $user_id User ID. 960 * @param string $scheme Authentication scheme. Values include 'auth' or 'secure_auth'. 961 * @param string $token User's session token to use for this cookie. 962 */ 963 do_action( 'set_auth_cookie', $auth_cookie, $expire, $expiration, $user_id, $scheme, $token ); 964 965 /** 966 * Fires immediately before the logged-in authentication cookie is set. 967 * 968 * @since 2.6.0 969 * @since 4.9.0 The `$token` parameter was added. 970 * 971 * @param string $logged_in_cookie The logged-in cookie value. 972 * @param int $expire The time the login grace period expires as a UNIX timestamp. 973 * Default is 12 hours past the cookie's expiration time. 974 * @param int $expiration The time when the logged-in authentication cookie expires as a UNIX timestamp. 975 * Default is 14 days from now. 976 * @param int $user_id User ID. 977 * @param string $scheme Authentication scheme. Default 'logged_in'. 978 * @param string $token User's session token to use for this cookie. 979 */ 980 do_action( 'set_logged_in_cookie', $logged_in_cookie, $expire, $expiration, $user_id, 'logged_in', $token ); 981 982 /** 983 * Allows preventing auth cookies from actually being sent to the client. 984 * 985 * @since 4.7.4 986 * 987 * @param bool $send Whether to send auth cookies to the client. 988 */ 989 if ( ! apply_filters( 'send_auth_cookies', true ) ) { 990 return; 991 } 992 993 setcookie( $auth_cookie_name, $auth_cookie, $expire, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN, $secure, true ); 994 setcookie( $auth_cookie_name, $auth_cookie, $expire, ADMIN_COOKIE_PATH, COOKIE_DOMAIN, $secure, true ); 995 setcookie( LOGGED_IN_COOKIE, $logged_in_cookie, $expire, COOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true ); 996 if ( COOKIEPATH != SITECOOKIEPATH ) { 997 setcookie( LOGGED_IN_COOKIE, $logged_in_cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN, $secure_logged_in_cookie, true ); 998 } 999 } 1000 endif; 1001 1002 if ( ! function_exists( 'wp_clear_auth_cookie' ) ) : 1003 /** 1004 * Removes all of the cookies associated with authentication. 1005 * 1006 * @since 2.5.0 1007 */ 1008 function wp_clear_auth_cookie() { 1009 /** 1010 * Fires just before the authentication cookies are cleared. 1011 * 1012 * @since 2.7.0 1013 */ 1014 do_action( 'clear_auth_cookie' ); 1015 1016 /** This filter is documented in wp-includes/pluggable.php */ 1017 if ( ! apply_filters( 'send_auth_cookies', true ) ) { 1018 return; 1019 } 1020 1021 // Auth cookies. 1022 setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, ADMIN_COOKIE_PATH, COOKIE_DOMAIN ); 1023 setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, ADMIN_COOKIE_PATH, COOKIE_DOMAIN ); 1024 setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN ); 1025 setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, PLUGINS_COOKIE_PATH, COOKIE_DOMAIN ); 1026 setcookie( LOGGED_IN_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN ); 1027 setcookie( LOGGED_IN_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN ); 1028 1029 // Settings cookies. 1030 setcookie( 'wp-settings-' . get_current_user_id(), ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH ); 1031 setcookie( 'wp-settings-time-' . get_current_user_id(), ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH ); 1032 1033 // Old cookies. 1034 setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN ); 1035 setcookie( AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN ); 1036 setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN ); 1037 setcookie( SECURE_AUTH_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN ); 1038 1039 // Even older cookies. 1040 setcookie( USER_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN ); 1041 setcookie( PASS_COOKIE, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN ); 1042 setcookie( USER_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN ); 1043 setcookie( PASS_COOKIE, ' ', time() - YEAR_IN_SECONDS, SITECOOKIEPATH, COOKIE_DOMAIN ); 1044 1045 // Post password cookie. 1046 setcookie( 'wp-postpass_' . COOKIEHASH, ' ', time() - YEAR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN ); 1047 } 1048 endif; 1049 1050 if ( ! function_exists( 'is_user_logged_in' ) ) : 1051 /** 1052 * Determines whether the current visitor is a logged in user. 1053 * 1054 * For more information on this and similar theme functions, check out 1055 * the {@link https://developer.wordpress.org/themes/basics/conditional-tags/ 1056 * Conditional Tags} article in the Theme Developer Handbook. 1057 * 1058 * @since 2.0.0 1059 * 1060 * @return bool True if user is logged in, false if not logged in. 1061 */ 1062 function is_user_logged_in() { 1063 $user = wp_get_current_user(); 1064 1065 return $user->exists(); 1066 } 1067 endif; 1068 1069 if ( ! function_exists( 'auth_redirect' ) ) : 1070 /** 1071 * Checks if a user is logged in, if not it redirects them to the login page. 1072 * 1073 * When this code is called from a page, it checks to see if the user viewing the page is logged in. 1074 * If the user is not logged in, they are redirected to the login page. The user is redirected 1075 * in such a way that, upon logging in, they will be sent directly to the page they were originally 1076 * trying to access. 1077 * 1078 * @since 1.5.0 1079 */ 1080 function auth_redirect() { 1081 $secure = ( is_ssl() || force_ssl_admin() ); 1082 1083 /** 1084 * Filters whether to use a secure authentication redirect. 1085 * 1086 * @since 3.1.0 1087 * 1088 * @param bool $secure Whether to use a secure authentication redirect. Default false. 1089 */ 1090 $secure = apply_filters( 'secure_auth_redirect', $secure ); 1091 1092 // If https is required and request is http, redirect. 1093 if ( $secure && ! is_ssl() && false !== strpos( $_SERVER['REQUEST_URI'], 'wp-admin' ) ) { 1094 if ( 0 === strpos( $_SERVER['REQUEST_URI'], 'http' ) ) { 1095 wp_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) ); 1096 exit; 1097 } else { 1098 wp_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] ); 1099 exit; 1100 } 1101 } 1102 1103 /** 1104 * Filters the authentication redirect scheme. 1105 * 1106 * @since 2.9.0 1107 * 1108 * @param string $scheme Authentication redirect scheme. Default empty. 1109 */ 1110 $scheme = apply_filters( 'auth_redirect_scheme', '' ); 1111 1112 $user_id = wp_validate_auth_cookie( '', $scheme ); 1113 if ( $user_id ) { 1114 /** 1115 * Fires before the authentication redirect. 1116 * 1117 * @since 2.8.0 1118 * 1119 * @param int $user_id User ID. 1120 */ 1121 do_action( 'auth_redirect', $user_id ); 1122 1123 // If the user wants ssl but the session is not ssl, redirect. 1124 if ( ! $secure && get_user_option( 'use_ssl', $user_id ) && false !== strpos( $_SERVER['REQUEST_URI'], 'wp-admin' ) ) { 1125 if ( 0 === strpos( $_SERVER['REQUEST_URI'], 'http' ) ) { 1126 wp_redirect( set_url_scheme( $_SERVER['REQUEST_URI'], 'https' ) ); 1127 exit; 1128 } else { 1129 wp_redirect( 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] ); 1130 exit; 1131 } 1132 } 1133 1134 return; // The cookie is good, so we're done. 1135 } 1136 1137 // The cookie is no good, so force login. 1138 nocache_headers(); 1139 1140 $redirect = ( strpos( $_SERVER['REQUEST_URI'], '/options.php' ) && wp_get_referer() ) ? wp_get_referer() : set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] ); 1141 1142 $login_url = wp_login_url( $redirect, true ); 1143 1144 wp_redirect( $login_url ); 1145 exit; 1146 } 1147 endif; 1148 1149 if ( ! function_exists( 'check_admin_referer' ) ) : 1150 /** 1151 * Ensures intent by verifying that a user was referred from another admin page with the correct security nonce. 1152 * 1153 * This function ensures the user intends to perform a given action, which helps protect against clickjacking style 1154 * attacks. It verifies intent, not authorisation, therefore it does not verify the user's capabilities. This should 1155 * be performed with `current_user_can()` or similar. 1156 * 1157 * If the nonce value is invalid, the function will exit with an "Are You Sure?" style message. 1158 * 1159 * @since 1.2.0 1160 * @since 2.5.0 The `$query_arg` parameter was added. 1161 * 1162 * @param int|string $action The nonce action. 1163 * @param string $query_arg Optional. Key to check for nonce in `$_REQUEST`. Default '_wpnonce'. 1164 * @return int|false 1 if the nonce is valid and generated between 0-12 hours ago, 1165 * 2 if the nonce is valid and generated between 12-24 hours ago. 1166 * False if the nonce is invalid. 1167 */ 1168 function check_admin_referer( $action = -1, $query_arg = '_wpnonce' ) { 1169 if ( -1 === $action ) { 1170 _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '3.2.0' ); 1171 } 1172 1173 $adminurl = strtolower( admin_url() ); 1174 $referer = strtolower( wp_get_referer() ); 1175 $result = isset( $_REQUEST[ $query_arg ] ) ? wp_verify_nonce( $_REQUEST[ $query_arg ], $action ) : false; 1176 1177 /** 1178 * Fires once the admin request has been validated or not. 1179 * 1180 * @since 1.5.1 1181 * 1182 * @param string $action The nonce action. 1183 * @param false|int $result False if the nonce is invalid, 1 if the nonce is valid and generated between 1184 * 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago. 1185 */ 1186 do_action( 'check_admin_referer', $action, $result ); 1187 1188 if ( ! $result && ! ( -1 === $action && strpos( $referer, $adminurl ) === 0 ) ) { 1189 wp_nonce_ays( $action ); 1190 die(); 1191 } 1192 1193 return $result; 1194 } 1195 endif; 1196 1197 if ( ! function_exists( 'check_ajax_referer' ) ) : 1198 /** 1199 * Verifies the Ajax request to prevent processing requests external of the blog. 1200 * 1201 * @since 2.0.3 1202 * 1203 * @param int|string $action Action nonce. 1204 * @param false|string $query_arg Optional. Key to check for the nonce in `$_REQUEST` (since 2.5). If false, 1205 * `$_REQUEST` values will be evaluated for '_ajax_nonce', and '_wpnonce' 1206 * (in that order). Default false. 1207 * @param bool $die Optional. Whether to die early when the nonce cannot be verified. 1208 * Default true. 1209 * @return int|false 1 if the nonce is valid and generated between 0-12 hours ago, 1210 * 2 if the nonce is valid and generated between 12-24 hours ago. 1211 * False if the nonce is invalid. 1212 */ 1213 function check_ajax_referer( $action = -1, $query_arg = false, $die = true ) { 1214 if ( -1 == $action ) { 1215 _doing_it_wrong( __FUNCTION__, __( 'You should specify a nonce action to be verified by using the first parameter.' ), '4.7' ); 1216 } 1217 1218 $nonce = ''; 1219 1220 if ( $query_arg && isset( $_REQUEST[ $query_arg ] ) ) { 1221 $nonce = $_REQUEST[ $query_arg ]; 1222 } elseif ( isset( $_REQUEST['_ajax_nonce'] ) ) { 1223 $nonce = $_REQUEST['_ajax_nonce']; 1224 } elseif ( isset( $_REQUEST['_wpnonce'] ) ) { 1225 $nonce = $_REQUEST['_wpnonce']; 1226 } 1227 1228 $result = wp_verify_nonce( $nonce, $action ); 1229 1230 /** 1231 * Fires once the Ajax request has been validated or not. 1232 * 1233 * @since 2.1.0 1234 * 1235 * @param string $action The Ajax nonce action. 1236 * @param false|int $result False if the nonce is invalid, 1 if the nonce is valid and generated between 1237 * 0-12 hours ago, 2 if the nonce is valid and generated between 12-24 hours ago. 1238 */ 1239 do_action( 'check_ajax_referer', $action, $result ); 1240 1241 if ( $die && false === $result ) { 1242 if ( wp_doing_ajax() ) { 1243 wp_die( -1, 403 ); 1244 } else { 1245 die( '-1' ); 1246 } 1247 } 1248 1249 return $result; 1250 } 1251 endif; 1252 1253 if ( ! function_exists( 'wp_redirect' ) ) : 1254 /** 1255 * Redirects to another page. 1256 * 1257 * Note: wp_redirect() does not exit automatically, and should almost always be 1258 * followed by a call to `exit;`: 1259 * 1260 * wp_redirect( $url ); 1261 * exit; 1262 * 1263 * Exiting can also be selectively manipulated by using wp_redirect() as a conditional 1264 * in conjunction with the {@see 'wp_redirect'} and {@see 'wp_redirect_location'} filters: 1265 * 1266 * if ( wp_redirect( $url ) ) { 1267 * exit; 1268 * } 1269 * 1270 * @since 1.5.1 1271 * @since 5.1.0 The `$x_redirect_by` parameter was added. 1272 * @since 5.4.0 On invalid status codes, wp_die() is called. 1273 * 1274 * @global bool $is_IIS 1275 * 1276 * @param string $location The path or URL to redirect to. 1277 * @param int $status Optional. HTTP response status code to use. Default '302' (Moved Temporarily). 1278 * @param string $x_redirect_by Optional. The application doing the redirect. Default 'WordPress'. 1279 * @return bool False if the redirect was cancelled, true otherwise. 1280 */ 1281 function wp_redirect( $location, $status = 302, $x_redirect_by = 'WordPress' ) { 1282 global $is_IIS; 1283 1284 /** 1285 * Filters the redirect location. 1286 * 1287 * @since 2.1.0 1288 * 1289 * @param string $location The path or URL to redirect to. 1290 * @param int $status The HTTP response status code to use. 1291 */ 1292 $location = apply_filters( 'wp_redirect', $location, $status ); 1293 1294 /** 1295 * Filters the redirect HTTP response status code to use. 1296 * 1297 * @since 2.3.0 1298 * 1299 * @param int $status The HTTP response status code to use. 1300 * @param string $location The path or URL to redirect to. 1301 */ 1302 $status = apply_filters( 'wp_redirect_status', $status, $location ); 1303 1304 if ( ! $location ) { 1305 return false; 1306 } 1307 1308 if ( $status < 300 || 399 < $status ) { 1309 wp_die( __( 'HTTP redirect status code must be a redirection code, 3xx.' ) ); 1310 } 1311 1312 $location = wp_sanitize_redirect( $location ); 1313 1314 if ( ! $is_IIS && 'cgi-fcgi' !== PHP_SAPI ) { 1315 status_header( $status ); // This causes problems on IIS and some FastCGI setups. 1316 } 1317 1318 /** 1319 * Filters the X-Redirect-By header. 1320 * 1321 * Allows applications to identify themselves when they're doing a redirect. 1322 * 1323 * @since 5.1.0 1324 * 1325 * @param string $x_redirect_by The application doing the redirect. 1326 * @param int $status Status code to use. 1327 * @param string $location The path to redirect to. 1328 */ 1329 $x_redirect_by = apply_filters( 'x_redirect_by', $x_redirect_by, $status, $location ); 1330 if ( is_string( $x_redirect_by ) ) { 1331 header( "X-Redirect-By: $x_redirect_by" ); 1332 } 1333 1334 header( "Location: $location", true, $status ); 1335 1336 return true; 1337 } 1338 endif; 1339 1340 if ( ! function_exists( 'wp_sanitize_redirect' ) ) : 1341 /** 1342 * Sanitizes a URL for use in a redirect. 1343 * 1344 * @since 2.3.0 1345 * 1346 * @param string $location The path to redirect to. 1347 * @return string Redirect-sanitized URL. 1348 */ 1349 function wp_sanitize_redirect( $location ) { 1350 // Encode spaces. 1351 $location = str_replace( ' ', '%20', $location ); 1352 1353 $regex = '/ 1354 ( 1355 (?: [\xC2-\xDF][\x80-\xBF] # double-byte sequences 110xxxxx 10xxxxxx 1356 | \xE0[\xA0-\xBF][\x80-\xBF] # triple-byte sequences 1110xxxx 10xxxxxx * 2 1357 | [\xE1-\xEC][\x80-\xBF]{2} 1358 | \xED[\x80-\x9F][\x80-\xBF] 1359 | [\xEE-\xEF][\x80-\xBF]{2} 1360 | \xF0[\x90-\xBF][\x80-\xBF]{2} # four-byte sequences 11110xxx 10xxxxxx * 3 1361 | [\xF1-\xF3][\x80-\xBF]{3} 1362 | \xF4[\x80-\x8F][\x80-\xBF]{2} 1363 ){1,40} # ...one or more times 1364 )/x'; 1365 $location = preg_replace_callback( $regex, '_wp_sanitize_utf8_in_redirect', $location ); 1366 $location = preg_replace( '|[^a-z0-9-~+_.?#=&;,/:%!*\[\]()@]|i', '', $location ); 1367 $location = wp_kses_no_null( $location ); 1368 1369 // Remove %0D and %0A from location. 1370 $strip = array( '%0d', '%0a', '%0D', '%0A' ); 1371 return _deep_replace( $strip, $location ); 1372 } 1373 1374 /** 1375 * URL encode UTF-8 characters in a URL. 1376 * 1377 * @ignore 1378 * @since 4.2.0 1379 * @access private 1380 * 1381 * @see wp_sanitize_redirect() 1382 * 1383 * @param array $matches RegEx matches against the redirect location. 1384 * @return string URL-encoded version of the first RegEx match. 1385 */ 1386 function _wp_sanitize_utf8_in_redirect( $matches ) { 1387 return urlencode( $matches[0] ); 1388 } 1389 endif; 1390 1391 if ( ! function_exists( 'wp_safe_redirect' ) ) : 1392 /** 1393 * Performs a safe (local) redirect, using wp_redirect(). 1394 * 1395 * Checks whether the $location is using an allowed host, if it has an absolute 1396 * path. A plugin can therefore set or remove allowed host(s) to or from the 1397 * list. 1398 * 1399 * If the host is not allowed, then the redirect defaults to wp-admin on the siteurl 1400 * instead. This prevents malicious redirects which redirect to another host, 1401 * but only used in a few places. 1402 * 1403 * Note: wp_safe_redirect() does not exit automatically, and should almost always be 1404 * followed by a call to `exit;`: 1405 * 1406 * wp_safe_redirect( $url ); 1407 * exit; 1408 * 1409 * Exiting can also be selectively manipulated by using wp_safe_redirect() as a conditional 1410 * in conjunction with the {@see 'wp_redirect'} and {@see 'wp_redirect_location'} filters: 1411 * 1412 * if ( wp_safe_redirect( $url ) ) { 1413 * exit; 1414 * } 1415 * 1416 * @since 2.3.0 1417 * @since 5.1.0 The return value from wp_redirect() is now passed on, and the `$x_redirect_by` parameter was added. 1418 * 1419 * @param string $location The path or URL to redirect to. 1420 * @param int $status Optional. HTTP response status code to use. Default '302' (Moved Temporarily). 1421 * @param string $x_redirect_by Optional. The application doing the redirect. Default 'WordPress'. 1422 * @return bool False if the redirect was cancelled, true otherwise. 1423 */ 1424 function wp_safe_redirect( $location, $status = 302, $x_redirect_by = 'WordPress' ) { 1425 1426 // Need to look at the URL the way it will end up in wp_redirect(). 1427 $location = wp_sanitize_redirect( $location ); 1428 1429 /** 1430 * Filters the redirect fallback URL for when the provided redirect is not safe (local). 1431 * 1432 * @since 4.3.0 1433 * 1434 * @param string $fallback_url The fallback URL to use by default. 1435 * @param int $status The HTTP response status code to use. 1436 */ 1437 $location = wp_validate_redirect( $location, apply_filters( 'wp_safe_redirect_fallback', admin_url(), $status ) ); 1438 1439 return wp_redirect( $location, $status, $x_redirect_by ); 1440 } 1441 endif; 1442 1443 if ( ! function_exists( 'wp_validate_redirect' ) ) : 1444 /** 1445 * Validates a URL for use in a redirect. 1446 * 1447 * Checks whether the $location is using an allowed host, if it has an absolute 1448 * path. A plugin can therefore set or remove allowed host(s) to or from the 1449 * list. 1450 * 1451 * If the host is not allowed, then the redirect is to $default supplied 1452 * 1453 * @since 2.8.1 1454 * 1455 * @param string $location The redirect to validate 1456 * @param string $default The value to return if $location is not allowed 1457 * @return string redirect-sanitized URL 1458 */ 1459 function wp_validate_redirect( $location, $default = '' ) { 1460 $location = wp_sanitize_redirect( trim( $location, " \t\n\r\0\x08\x0B" ) ); 1461 // Browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'. 1462 if ( '//' === substr( $location, 0, 2 ) ) { 1463 $location = 'http:' . $location; 1464 } 1465 1466 // In PHP 5 parse_url() may fail if the URL query part contains 'http://'. 1467 // See https://bugs.php.net/bug.php?id=38143 1468 $cut = strpos( $location, '?' ); 1469 $test = $cut ? substr( $location, 0, $cut ) : $location; 1470 1471 $lp = parse_url( $test ); 1472 1473 // Give up if malformed URL. 1474 if ( false === $lp ) { 1475 return $default; 1476 } 1477 1478 // Allow only 'http' and 'https' schemes. No 'data:', etc. 1479 if ( isset( $lp['scheme'] ) && ! ( 'http' === $lp['scheme'] || 'https' === $lp['scheme'] ) ) { 1480 return $default; 1481 } 1482 1483 if ( ! isset( $lp['host'] ) && ! empty( $lp['path'] ) && '/' !== $lp['path'][0] ) { 1484 $path = ''; 1485 if ( ! empty( $_SERVER['REQUEST_URI'] ) ) { 1486 $path = dirname( parse_url( 'http://placeholder' . $_SERVER['REQUEST_URI'], PHP_URL_PATH ) . '?' ); 1487 $path = wp_normalize_path( $path ); 1488 } 1489 $location = '/' . ltrim( $path . '/', '/' ) . $location; 1490 } 1491 1492 // Reject if certain components are set but host is not. 1493 // This catches URLs like https:host.com for which parse_url() does not set the host field. 1494 if ( ! isset( $lp['host'] ) && ( isset( $lp['scheme'] ) || isset( $lp['user'] ) || isset( $lp['pass'] ) || isset( $lp['port'] ) ) ) { 1495 return $default; 1496 } 1497 1498 // Reject malformed components parse_url() can return on odd inputs. 1499 foreach ( array( 'user', 'pass', 'host' ) as $component ) { 1500 if ( isset( $lp[ $component ] ) && strpbrk( $lp[ $component ], ':/?#@' ) ) { 1501 return $default; 1502 } 1503 } 1504 1505 $wpp = parse_url( home_url() ); 1506 1507 /** 1508 * Filters the list of allowed hosts to redirect to. 1509 * 1510 * @since 2.3.0 1511 * 1512 * @param string[] $hosts An array of allowed host names. 1513 * @param string $host The host name of the redirect destination; empty string if not set. 1514 */ 1515 $allowed_hosts = (array) apply_filters( 'allowed_redirect_hosts', array( $wpp['host'] ), isset( $lp['host'] ) ? $lp['host'] : '' ); 1516 1517 if ( isset( $lp['host'] ) && ( ! in_array( $lp['host'], $allowed_hosts, true ) && strtolower( $wpp['host'] ) !== $lp['host'] ) ) { 1518 $location = $default; 1519 } 1520 1521 return $location; 1522 } 1523 endif; 1524 1525 if ( ! function_exists( 'wp_notify_postauthor' ) ) : 1526 /** 1527 * Notify an author (and/or others) of a comment/trackback/pingback on a post. 1528 * 1529 * @since 1.0.0 1530 * 1531 * @param int|WP_Comment $comment_id Comment ID or WP_Comment object. 1532 * @param string $deprecated Not used 1533 * @return bool True on completion. False if no email addresses were specified. 1534 */ 1535 function wp_notify_postauthor( $comment_id, $deprecated = null ) { 1536 if ( null !== $deprecated ) { 1537 _deprecated_argument( __FUNCTION__, '3.8.0' ); 1538 } 1539 1540 $comment = get_comment( $comment_id ); 1541 if ( empty( $comment ) || empty( $comment->comment_post_ID ) ) { 1542 return false; 1543 } 1544 1545 $post = get_post( $comment->comment_post_ID ); 1546 $author = get_userdata( $post->post_author ); 1547 1548 // Who to notify? By default, just the post author, but others can be added. 1549 $emails = array(); 1550 if ( $author ) { 1551 $emails[] = $author->user_email; 1552 } 1553 1554 /** 1555 * Filters the list of email addresses to receive a comment notification. 1556 * 1557 * By default, only post authors are notified of comments. This filter allows 1558 * others to be added. 1559 * 1560 * @since 3.7.0 1561 * 1562 * @param string[] $emails An array of email addresses to receive a comment notification. 1563 * @param int $comment_id The comment ID. 1564 */ 1565 $emails = apply_filters( 'comment_notification_recipients', $emails, $comment->comment_ID ); 1566 $emails = array_filter( $emails ); 1567 1568 // If there are no addresses to send the comment to, bail. 1569 if ( ! count( $emails ) ) { 1570 return false; 1571 } 1572 1573 // Facilitate unsetting below without knowing the keys. 1574 $emails = array_flip( $emails ); 1575 1576 /** 1577 * Filters whether to notify comment authors of their comments on their own posts. 1578 * 1579 * By default, comment authors aren't notified of their comments on their own 1580 * posts. This filter allows you to override that. 1581 * 1582 * @since 3.8.0 1583 * 1584 * @param bool $notify Whether to notify the post author of their own comment. 1585 * Default false. 1586 * @param int $comment_id The comment ID. 1587 */ 1588 $notify_author = apply_filters( 'comment_notification_notify_author', false, $comment->comment_ID ); 1589 1590 // The comment was left by the author. 1591 if ( $author && ! $notify_author && $comment->user_id == $post->post_author ) { 1592 unset( $emails[ $author->user_email ] ); 1593 } 1594 1595 // The author moderated a comment on their own post. 1596 if ( $author && ! $notify_author && get_current_user_id() == $post->post_author ) { 1597 unset( $emails[ $author->user_email ] ); 1598 } 1599 1600 // The post author is no longer a member of the blog. 1601 if ( $author && ! $notify_author && ! user_can( $post->post_author, 'read_post', $post->ID ) ) { 1602 unset( $emails[ $author->user_email ] ); 1603 } 1604 1605 // If there's no email to send the comment to, bail, otherwise flip array back around for use below. 1606 if ( ! count( $emails ) ) { 1607 return false; 1608 } else { 1609 $emails = array_flip( $emails ); 1610 } 1611 1612 $switched_locale = switch_to_locale( get_locale() ); 1613 1614 $comment_author_domain = ''; 1615 if ( WP_Http::is_ip_address( $comment->comment_author_IP ) ) { 1616 $comment_author_domain = gethostbyaddr( $comment->comment_author_IP ); 1617 } 1618 1619 // The blogname option is escaped with esc_html() on the way into the database in sanitize_option(). 1620 // We want to reverse this for the plain text arena of emails. 1621 $blogname = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ); 1622 $comment_content = wp_specialchars_decode( $comment->comment_content ); 1623 1624 switch ( $comment->comment_type ) { 1625 case 'trackback': 1626 /* translators: %s: Post title. */ 1627 $notify_message = sprintf( __( 'New trackback on your post "%s"' ), $post->post_title ) . "\r\n"; 1628 /* translators: 1: Trackback/pingback website name, 2: Website IP address, 3: Website hostname. */ 1629 $notify_message .= sprintf( __( 'Website: %1$s (IP address: %2$s, %3$s)' ), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n"; 1630 /* translators: %s: Trackback/pingback/comment author URL. */ 1631 $notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n"; 1632 /* translators: %s: Comment text. */ 1633 $notify_message .= sprintf( __( 'Comment: %s' ), "\r\n" . $comment_content ) . "\r\n\r\n"; 1634 $notify_message .= __( 'You can see all trackbacks on this post here:' ) . "\r\n"; 1635 /* translators: Trackback notification email subject. 1: Site title, 2: Post title. */ 1636 $subject = sprintf( __( '[%1$s] Trackback: "%2$s"' ), $blogname, $post->post_title ); 1637 break; 1638 1639 case 'pingback': 1640 /* translators: %s: Post title. */ 1641 $notify_message = sprintf( __( 'New pingback on your post "%s"' ), $post->post_title ) . "\r\n"; 1642 /* translators: 1: Trackback/pingback website name, 2: Website IP address, 3: Website hostname. */ 1643 $notify_message .= sprintf( __( 'Website: %1$s (IP address: %2$s, %3$s)' ), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n"; 1644 /* translators: %s: Trackback/pingback/comment author URL. */ 1645 $notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n"; 1646 /* translators: %s: Comment text. */ 1647 $notify_message .= sprintf( __( 'Comment: %s' ), "\r\n" . $comment_content ) . "\r\n\r\n"; 1648 $notify_message .= __( 'You can see all pingbacks on this post here:' ) . "\r\n"; 1649 /* translators: Pingback notification email subject. 1: Site title, 2: Post title. */ 1650 $subject = sprintf( __( '[%1$s] Pingback: "%2$s"' ), $blogname, $post->post_title ); 1651 break; 1652 1653 default: // Comments. 1654 /* translators: %s: Post title. */ 1655 $notify_message = sprintf( __( 'New comment on your post "%s"' ), $post->post_title ) . "\r\n"; 1656 /* translators: 1: Comment author's name, 2: Comment author's IP address, 3: Comment author's hostname. */ 1657 $notify_message .= sprintf( __( 'Author: %1$s (IP address: %2$s, %3$s)' ), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n"; 1658 /* translators: %s: Comment author email. */ 1659 $notify_message .= sprintf( __( 'Email: %s' ), $comment->comment_author_email ) . "\r\n"; 1660 /* translators: %s: Trackback/pingback/comment author URL. */ 1661 $notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n"; 1662 1663 if ( $comment->comment_parent && user_can( $post->post_author, 'edit_comment', $comment->comment_parent ) ) { 1664 /* translators: Comment moderation. %s: Parent comment edit URL. */ 1665 $notify_message .= sprintf( __( 'In reply to: %s' ), admin_url( "comment.php?action=editcomment&c={$comment->comment_parent}#wpbody-content" ) ) . "\r\n"; 1666 } 1667 1668 /* translators: %s: Comment text. */ 1669 $notify_message .= sprintf( __( 'Comment: %s' ), "\r\n" . $comment_content ) . "\r\n\r\n"; 1670 $notify_message .= __( 'You can see all comments on this post here:' ) . "\r\n"; 1671 /* translators: Comment notification email subject. 1: Site title, 2: Post title. */ 1672 $subject = sprintf( __( '[%1$s] Comment: "%2$s"' ), $blogname, $post->post_title ); 1673 break; 1674 } 1675 1676 $notify_message .= get_permalink( $comment->comment_post_ID ) . "#comments\r\n\r\n"; 1677 /* translators: %s: Comment URL. */ 1678 $notify_message .= sprintf( __( 'Permalink: %s' ), get_comment_link( $comment ) ) . "\r\n"; 1679 1680 if ( user_can( $post->post_author, 'edit_comment', $comment->comment_ID ) ) { 1681 if ( EMPTY_TRASH_DAYS ) { 1682 /* translators: Comment moderation. %s: Comment action URL. */ 1683 $notify_message .= sprintf( __( 'Trash it: %s' ), admin_url( "comment.php?action=trash&c={$comment->comment_ID}#wpbody-content" ) ) . "\r\n"; 1684 } else { 1685 /* translators: Comment moderation. %s: Comment action URL. */ 1686 $notify_message .= sprintf( __( 'Delete it: %s' ), admin_url( "comment.php?action=delete&c={$comment->comment_ID}#wpbody-content" ) ) . "\r\n"; 1687 } 1688 /* translators: Comment moderation. %s: Comment action URL. */ 1689 $notify_message .= sprintf( __( 'Spam it: %s' ), admin_url( "comment.php?action=spam&c={$comment->comment_ID}#wpbody-content" ) ) . "\r\n"; 1690 } 1691 1692 $wp_email = 'wordpress@' . preg_replace( '#^www\.#', '', wp_parse_url( network_home_url(), PHP_URL_HOST ) ); 1693 1694 if ( '' === $comment->comment_author ) { 1695 $from = "From: \"$blogname\" <$wp_email>"; 1696 if ( '' !== $comment->comment_author_email ) { 1697 $reply_to = "Reply-To: $comment->comment_author_email"; 1698 } 1699 } else { 1700 $from = "From: \"$comment->comment_author\" <$wp_email>"; 1701 if ( '' !== $comment->comment_author_email ) { 1702 $reply_to = "Reply-To: \"$comment->comment_author_email\" <$comment->comment_author_email>"; 1703 } 1704 } 1705 1706 $message_headers = "$from\n" 1707 . 'Content-Type: text/plain; charset="' . get_option( 'blog_charset' ) . "\"\n"; 1708 1709 if ( isset( $reply_to ) ) { 1710 $message_headers .= $reply_to . "\n"; 1711 } 1712 1713 /** 1714 * Filters the comment notification email text. 1715 * 1716 * @since 1.5.2 1717 * 1718 * @param string $notify_message The comment notification email text. 1719 * @param int $comment_id Comment ID. 1720 */ 1721 $notify_message = apply_filters( 'comment_notification_text', $notify_message, $comment->comment_ID ); 1722 1723 /** 1724 * Filters the comment notification email subject. 1725 * 1726 * @since 1.5.2 1727 * 1728 * @param string $subject The comment notification email subject. 1729 * @param int $comment_id Comment ID. 1730 */ 1731 $subject = apply_filters( 'comment_notification_subject', $subject, $comment->comment_ID ); 1732 1733 /** 1734 * Filters the comment notification email headers. 1735 * 1736 * @since 1.5.2 1737 * 1738 * @param string $message_headers Headers for the comment notification email. 1739 * @param int $comment_id Comment ID. 1740 */ 1741 $message_headers = apply_filters( 'comment_notification_headers', $message_headers, $comment->comment_ID ); 1742 1743 foreach ( $emails as $email ) { 1744 wp_mail( $email, wp_specialchars_decode( $subject ), $notify_message, $message_headers ); 1745 } 1746 1747 if ( $switched_locale ) { 1748 restore_previous_locale(); 1749 } 1750 1751 return true; 1752 } 1753 endif; 1754 1755 if ( ! function_exists( 'wp_notify_moderator' ) ) : 1756 /** 1757 * Notifies the moderator of the site about a new comment that is awaiting approval. 1758 * 1759 * @since 1.0.0 1760 * 1761 * @global wpdb $wpdb WordPress database abstraction object. 1762 * 1763 * Uses the {@see 'notify_moderator'} filter to determine whether the site moderator 1764 * should be notified, overriding the site setting. 1765 * 1766 * @param int $comment_id Comment ID. 1767 * @return true Always returns true. 1768 */ 1769 function wp_notify_moderator( $comment_id ) { 1770 global $wpdb; 1771 1772 $maybe_notify = get_option( 'moderation_notify' ); 1773 1774 /** 1775 * Filters whether to send the site moderator email notifications, overriding the site setting. 1776 * 1777 * @since 4.4.0 1778 * 1779 * @param bool $maybe_notify Whether to notify blog moderator. 1780 * @param int $comment_ID The id of the comment for the notification. 1781 */ 1782 $maybe_notify = apply_filters( 'notify_moderator', $maybe_notify, $comment_id ); 1783 1784 if ( ! $maybe_notify ) { 1785 return true; 1786 } 1787 1788 $comment = get_comment( $comment_id ); 1789 $post = get_post( $comment->comment_post_ID ); 1790 $user = get_userdata( $post->post_author ); 1791 // Send to the administration and to the post author if the author can modify the comment. 1792 $emails = array( get_option( 'admin_email' ) ); 1793 if ( $user && user_can( $user->ID, 'edit_comment', $comment_id ) && ! empty( $user->user_email ) ) { 1794 if ( 0 !== strcasecmp( $user->user_email, get_option( 'admin_email' ) ) ) { 1795 $emails[] = $user->user_email; 1796 } 1797 } 1798 1799 $switched_locale = switch_to_locale( get_locale() ); 1800 1801 $comment_author_domain = ''; 1802 if ( WP_Http::is_ip_address( $comment->comment_author_IP ) ) { 1803 $comment_author_domain = gethostbyaddr( $comment->comment_author_IP ); 1804 } 1805 1806 $comments_waiting = $wpdb->get_var( "SELECT COUNT(*) FROM $wpdb->comments WHERE comment_approved = '0'" ); 1807 1808 // The blogname option is escaped with esc_html() on the way into the database in sanitize_option(). 1809 // We want to reverse this for the plain text arena of emails. 1810 $blogname = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ); 1811 $comment_content = wp_specialchars_decode( $comment->comment_content ); 1812 1813 switch ( $comment->comment_type ) { 1814 case 'trackback': 1815 /* translators: %s: Post title. */ 1816 $notify_message = sprintf( __( 'A new trackback on the post "%s" is waiting for your approval' ), $post->post_title ) . "\r\n"; 1817 $notify_message .= get_permalink( $comment->comment_post_ID ) . "\r\n\r\n"; 1818 /* translators: 1: Trackback/pingback website name, 2: Website IP address, 3: Website hostname. */ 1819 $notify_message .= sprintf( __( 'Website: %1$s (IP address: %2$s, %3$s)' ), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n"; 1820 /* translators: %s: Trackback/pingback/comment author URL. */ 1821 $notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n"; 1822 $notify_message .= __( 'Trackback excerpt: ' ) . "\r\n" . $comment_content . "\r\n\r\n"; 1823 break; 1824 1825 case 'pingback': 1826 /* translators: %s: Post title. */ 1827 $notify_message = sprintf( __( 'A new pingback on the post "%s" is waiting for your approval' ), $post->post_title ) . "\r\n"; 1828 $notify_message .= get_permalink( $comment->comment_post_ID ) . "\r\n\r\n"; 1829 /* translators: 1: Trackback/pingback website name, 2: Website IP address, 3: Website hostname. */ 1830 $notify_message .= sprintf( __( 'Website: %1$s (IP address: %2$s, %3$s)' ), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n"; 1831 /* translators: %s: Trackback/pingback/comment author URL. */ 1832 $notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n"; 1833 $notify_message .= __( 'Pingback excerpt: ' ) . "\r\n" . $comment_content . "\r\n\r\n"; 1834 break; 1835 1836 default: // Comments. 1837 /* translators: %s: Post title. */ 1838 $notify_message = sprintf( __( 'A new comment on the post "%s" is waiting for your approval' ), $post->post_title ) . "\r\n"; 1839 $notify_message .= get_permalink( $comment->comment_post_ID ) . "\r\n\r\n"; 1840 /* translators: 1: Comment author's name, 2: Comment author's IP address, 3: Comment author's hostname. */ 1841 $notify_message .= sprintf( __( 'Author: %1$s (IP address: %2$s, %3$s)' ), $comment->comment_author, $comment->comment_author_IP, $comment_author_domain ) . "\r\n"; 1842 /* translators: %s: Comment author email. */ 1843 $notify_message .= sprintf( __( 'Email: %s' ), $comment->comment_author_email ) . "\r\n"; 1844 /* translators: %s: Trackback/pingback/comment author URL. */ 1845 $notify_message .= sprintf( __( 'URL: %s' ), $comment->comment_author_url ) . "\r\n"; 1846 1847 if ( $comment->comment_parent ) { 1848 /* translators: Comment moderation. %s: Parent comment edit URL. */ 1849 $notify_message .= sprintf( __( 'In reply to: %s' ), admin_url( "comment.php?action=editcomment&c={$comment->comment_parent}#wpbody-content" ) ) . "\r\n"; 1850 } 1851 1852 /* translators: %s: Comment text. */ 1853 $notify_message .= sprintf( __( 'Comment: %s' ), "\r\n" . $comment_content ) . "\r\n\r\n"; 1854 break; 1855 } 1856 1857 /* translators: Comment moderation. %s: Comment action URL. */ 1858 $notify_message .= sprintf( __( 'Approve it: %s' ), admin_url( "comment.php?action=approve&c={$comment_id}#wpbody-content" ) ) . "\r\n"; 1859 1860 if ( EMPTY_TRASH_DAYS ) { 1861 /* translators: Comment moderation. %s: Comment action URL. */ 1862 $notify_message .= sprintf( __( 'Trash it: %s' ), admin_url( "comment.php?action=trash&c={$comment_id}#wpbody-content" ) ) . "\r\n"; 1863 } else { 1864 /* translators: Comment moderation. %s: Comment action URL. */ 1865 $notify_message .= sprintf( __( 'Delete it: %s' ), admin_url( "comment.php?action=delete&c={$comment_id}#wpbody-content" ) ) . "\r\n"; 1866 } 1867 1868 /* translators: Comment moderation. %s: Comment action URL. */ 1869 $notify_message .= sprintf( __( 'Spam it: %s' ), admin_url( "comment.php?action=spam&c={$comment_id}#wpbody-content" ) ) . "\r\n"; 1870 1871 $notify_message .= sprintf( 1872 /* translators: Comment moderation. %s: Number of comments awaiting approval. */ 1873 _n( 1874 'Currently %s comment is waiting for approval. Please visit the moderation panel:', 1875 'Currently %s comments are waiting for approval. Please visit the moderation panel:', 1876 $comments_waiting 1877 ), 1878 number_format_i18n( $comments_waiting ) 1879 ) . "\r\n"; 1880 $notify_message .= admin_url( 'edit-comments.php?comment_status=moderated#wpbody-content' ) . "\r\n"; 1881 1882 /* translators: Comment moderation notification email subject. 1: Site title, 2: Post title. */ 1883 $subject = sprintf( __( '[%1$s] Please moderate: "%2$s"' ), $blogname, $post->post_title ); 1884 $message_headers = ''; 1885 1886 /** 1887 * Filters the list of recipients for comment moderation emails. 1888 * 1889 * @since 3.7.0 1890 * 1891 * @param string[] $emails List of email addresses to notify for comment moderation. 1892 * @param int $comment_id Comment ID. 1893 */ 1894 $emails = apply_filters( 'comment_moderation_recipients', $emails, $comment_id ); 1895 1896 /** 1897 * Filters the comment moderation email text. 1898 * 1899 * @since 1.5.2 1900 * 1901 * @param string $notify_message Text of the comment moderation email. 1902 * @param int $comment_id Comment ID. 1903 */ 1904 $notify_message = apply_filters( 'comment_moderation_text', $notify_message, $comment_id ); 1905 1906 /** 1907 * Filters the comment moderation email subject. 1908 * 1909 * @since 1.5.2 1910 * 1911 * @param string $subject Subject of the comment moderation email. 1912 * @param int $comment_id Comment ID. 1913 */ 1914 $subject = apply_filters( 'comment_moderation_subject', $subject, $comment_id ); 1915 1916 /** 1917 * Filters the comment moderation email headers. 1918 * 1919 * @since 2.8.0 1920 * 1921 * @param string $message_headers Headers for the comment moderation email. 1922 * @param int $comment_id Comment ID. 1923 */ 1924 $message_headers = apply_filters( 'comment_moderation_headers', $message_headers, $comment_id ); 1925 1926 foreach ( $emails as $email ) { 1927 wp_mail( $email, wp_specialchars_decode( $subject ), $notify_message, $message_headers ); 1928 } 1929 1930 if ( $switched_locale ) { 1931 restore_previous_locale(); 1932 } 1933 1934 return true; 1935 } 1936 endif; 1937 1938 if ( ! function_exists( 'wp_password_change_notification' ) ) : 1939 /** 1940 * Notify the blog admin of a user changing password, normally via email. 1941 * 1942 * @since 2.7.0 1943 * 1944 * @param WP_User $user User object. 1945 */ 1946 function wp_password_change_notification( $user ) { 1947 // Send a copy of password change notification to the admin, 1948 // but check to see if it's the admin whose password we're changing, and skip this. 1949 if ( 0 !== strcasecmp( $user->user_email, get_option( 'admin_email' ) ) ) { 1950 /* translators: %s: User name. */ 1951 $message = sprintf( __( 'Password changed for user: %s' ), $user->user_login ) . "\r\n"; 1952 // The blogname option is escaped with esc_html() on the way into the database in sanitize_option(). 1953 // We want to reverse this for the plain text arena of emails. 1954 $blogname = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ); 1955 1956 $wp_password_change_notification_email = array( 1957 'to' => get_option( 'admin_email' ), 1958 /* translators: Password change notification email subject. %s: Site title. */ 1959 'subject' => __( '[%s] Password Changed' ), 1960 'message' => $message, 1961 'headers' => '', 1962 ); 1963 1964 /** 1965 * Filters the contents of the password change notification email sent to the site admin. 1966 * 1967 * @since 4.9.0 1968 * 1969 * @param array $wp_password_change_notification_email { 1970 * Used to build wp_mail(). 1971 * 1972 * @type string $to The intended recipient - site admin email address. 1973 * @type string $subject The subject of the email. 1974 * @type string $message The body of the email. 1975 * @type string $headers The headers of the email. 1976 * } 1977 * @param WP_User $user User object for user whose password was changed. 1978 * @param string $blogname The site title. 1979 */ 1980 $wp_password_change_notification_email = apply_filters( 'wp_password_change_notification_email', $wp_password_change_notification_email, $user, $blogname ); 1981 1982 wp_mail( 1983 $wp_password_change_notification_email['to'], 1984 wp_specialchars_decode( sprintf( $wp_password_change_notification_email['subject'], $blogname ) ), 1985 $wp_password_change_notification_email['message'], 1986 $wp_password_change_notification_email['headers'] 1987 ); 1988 } 1989 } 1990 endif; 1991 1992 if ( ! function_exists( 'wp_new_user_notification' ) ) : 1993 /** 1994 * Email login credentials to a newly-registered user. 1995 * 1996 * A new user registration notification is also sent to admin email. 1997 * 1998 * @since 2.0.0 1999 * @since 4.3.0 The `$plaintext_pass` parameter was changed to `$notify`. 2000 * @since 4.3.1 The `$plaintext_pass` parameter was deprecated. `$notify` added as a third parameter. 2001 * @since 4.6.0 The `$notify` parameter accepts 'user' for sending notification only to the user created. 2002 * 2003 * @param int $user_id User ID. 2004 * @param null $deprecated Not used (argument deprecated). 2005 * @param string $notify Optional. Type of notification that should happen. Accepts 'admin' or an empty 2006 * string (admin only), 'user', or 'both' (admin and user). Default empty. 2007 */ 2008 function wp_new_user_notification( $user_id, $deprecated = null, $notify = '' ) { 2009 if ( null !== $deprecated ) { 2010 _deprecated_argument( __FUNCTION__, '4.3.1' ); 2011 } 2012 2013 // Accepts only 'user', 'admin' , 'both' or default '' as $notify. 2014 if ( ! in_array( $notify, array( 'user', 'admin', 'both', '' ), true ) ) { 2015 return; 2016 } 2017 2018 $user = get_userdata( $user_id ); 2019 2020 // The blogname option is escaped with esc_html() on the way into the database in sanitize_option(). 2021 // We want to reverse this for the plain text arena of emails. 2022 $blogname = wp_specialchars_decode( get_option( 'blogname' ), ENT_QUOTES ); 2023 2024 if ( 'user' !== $notify ) { 2025 $switched_locale = switch_to_locale( get_locale() ); 2026 2027 /* translators: %s: Site title. */ 2028 $message = sprintf( __( 'New user registration on your site %s:' ), $blogname ) . "\r\n\r\n"; 2029 /* translators: %s: User login. */ 2030 $message .= sprintf( __( 'Username: %s' ), $user->user_login ) . "\r\n\r\n"; 2031 /* translators: %s: User email address. */ 2032 $message .= sprintf( __( 'Email: %s' ), $user->user_email ) . "\r\n"; 2033 2034 $wp_new_user_notification_email_admin = array( 2035 'to' => get_option( 'admin_email' ), 2036 /* translators: New user registration notification email subject. %s: Site title. */ 2037 'subject' => __( '[%s] New User Registration' ), 2038 'message' => $message, 2039 'headers' => '', 2040 ); 2041 2042 /** 2043 * Filters the contents of the new user notification email sent to the site admin. 2044 * 2045 * @since 4.9.0 2046 * 2047 * @param array $wp_new_user_notification_email_admin { 2048 * Used to build wp_mail(). 2049 * 2050 * @type string $to The intended recipient - site admin email address. 2051 * @type string $subject The subject of the email. 2052 * @type string $message The body of the email. 2053 * @type string $headers The headers of the email. 2054 * } 2055 * @param WP_User $user User object for new user. 2056 * @param string $blogname The site title. 2057 */ 2058 $wp_new_user_notification_email_admin = apply_filters( 'wp_new_user_notification_email_admin', $wp_new_user_notification_email_admin, $user, $blogname ); 2059 2060 wp_mail( 2061 $wp_new_user_notification_email_admin['to'], 2062 wp_specialchars_decode( sprintf( $wp_new_user_notification_email_admin['subject'], $blogname ) ), 2063 $wp_new_user_notification_email_admin['message'], 2064 $wp_new_user_notification_email_admin['headers'] 2065 ); 2066 2067 if ( $switched_locale ) { 2068 restore_previous_locale(); 2069 } 2070 } 2071 2072 // `$deprecated` was pre-4.3 `$plaintext_pass`. An empty `$plaintext_pass` didn't sent a user notification. 2073 if ( 'admin' === $notify || ( empty( $deprecated ) && empty( $notify ) ) ) { 2074 return; 2075 } 2076 2077 $key = get_password_reset_key( $user ); 2078 if ( is_wp_error( $key ) ) { 2079 return; 2080 } 2081 2082 $switched_locale = switch_to_locale( get_user_locale( $user ) ); 2083 2084 /* translators: %s: User login. */ 2085 $message = sprintf( __( 'Username: %s' ), $user->user_login ) . "\r\n\r\n"; 2086 $message .= __( 'To set your password, visit the following address:' ) . "\r\n\r\n"; 2087 $message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user->user_login ), 'login' ) . "\r\n\r\n"; 2088 2089 $message .= wp_login_url() . "\r\n"; 2090 2091 $wp_new_user_notification_email = array( 2092 'to' => $user->user_email, 2093 /* translators: Login details notification email subject. %s: Site title. */ 2094 'subject' => __( '[%s] Login Details' ), 2095 'message' => $message, 2096 'headers' => '', 2097 ); 2098 2099 /** 2100 * Filters the contents of the new user notification email sent to the new user. 2101 * 2102 * @since 4.9.0 2103 * 2104 * @param array $wp_new_user_notification_email { 2105 * Used to build wp_mail(). 2106 * 2107 * @type string $to The intended recipient - New user email address. 2108 * @type string $subject The subject of the email. 2109 * @type string $message The body of the email. 2110 * @type string $headers The headers of the email. 2111 * } 2112 * @param WP_User $user User object for new user. 2113 * @param string $blogname The site title. 2114 */ 2115 $wp_new_user_notification_email = apply_filters( 'wp_new_user_notification_email', $wp_new_user_notification_email, $user, $blogname ); 2116 2117 wp_mail( 2118 $wp_new_user_notification_email['to'], 2119 wp_specialchars_decode( sprintf( $wp_new_user_notification_email['subject'], $blogname ) ), 2120 $wp_new_user_notification_email['message'], 2121 $wp_new_user_notification_email['headers'] 2122 ); 2123 2124 if ( $switched_locale ) { 2125 restore_previous_locale(); 2126 } 2127 } 2128 endif; 2129 2130 if ( ! function_exists( 'wp_nonce_tick' ) ) : 2131 /** 2132 * Returns the time-dependent variable for nonce creation. 2133 * 2134 * A nonce has a lifespan of two ticks. Nonces in their second tick may be 2135 * updated, e.g. by autosave. 2136 * 2137 * @since 2.5.0 2138 * 2139 * @return float Float value rounded up to the next highest integer. 2140 */ 2141 function wp_nonce_tick() { 2142 /** 2143 * Filters the lifespan of nonces in seconds. 2144 * 2145 * @since 2.5.0 2146 * 2147 * @param int $lifespan Lifespan of nonces in seconds. Default 86,400 seconds, or one day. 2148 */ 2149 $nonce_life = apply_filters( 'nonce_life', DAY_IN_SECONDS ); 2150 2151 return ceil( time() / ( $nonce_life / 2 ) ); 2152 } 2153 endif; 2154 2155 if ( ! function_exists( 'wp_verify_nonce' ) ) : 2156 /** 2157 * Verifies that a correct security nonce was used with time limit. 2158 * 2159 * A nonce is valid for 24 hours (by default). 2160 * 2161 * @since 2.0.3 2162 * 2163 * @param string $nonce Nonce value that was used for verification, usually via a form field. 2164 * @param string|int $action Should give context to what is taking place and be the same when nonce was created. 2165 * @return int|false 1 if the nonce is valid and generated between 0-12 hours ago, 2166 * 2 if the nonce is valid and generated between 12-24 hours ago. 2167 * False if the nonce is invalid. 2168 */ 2169 function wp_verify_nonce( $nonce, $action = -1 ) { 2170 $nonce = (string) $nonce; 2171 $user = wp_get_current_user(); 2172 $uid = (int) $user->ID; 2173 if ( ! $uid ) { 2174 /** 2175 * Filters whether the user who generated the nonce is logged out. 2176 * 2177 * @since 3.5.0 2178 * 2179 * @param int $uid ID of the nonce-owning user. 2180 * @param string $action The nonce action. 2181 */ 2182 $uid = apply_filters( 'nonce_user_logged_out', $uid, $action ); 2183 } 2184 2185 if ( empty( $nonce ) ) { 2186 return false; 2187 } 2188 2189 $token = wp_get_session_token(); 2190 $i = wp_nonce_tick(); 2191 2192 // Nonce generated 0-12 hours ago. 2193 $expected = substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 ); 2194 if ( hash_equals( $expected, $nonce ) ) { 2195 return 1; 2196 } 2197 2198 // Nonce generated 12-24 hours ago. 2199 $expected = substr( wp_hash( ( $i - 1 ) . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 ); 2200 if ( hash_equals( $expected, $nonce ) ) { 2201 return 2; 2202 } 2203 2204 /** 2205 * Fires when nonce verification fails. 2206 * 2207 * @since 4.4.0 2208 * 2209 * @param string $nonce The invalid nonce. 2210 * @param string|int $action The nonce action. 2211 * @param WP_User $user The current user object. 2212 * @param string $token The user's session token. 2213 */ 2214 do_action( 'wp_verify_nonce_failed', $nonce, $action, $user, $token ); 2215 2216 // Invalid nonce. 2217 return false; 2218 } 2219 endif; 2220 2221 if ( ! function_exists( 'wp_create_nonce' ) ) : 2222 /** 2223 * Creates a cryptographic token tied to a specific action, user, user session, 2224 * and window of time. 2225 * 2226 * @since 2.0.3 2227 * @since 4.0.0 Session tokens were integrated with nonce creation 2228 * 2229 * @param string|int $action Scalar value to add context to the nonce. 2230 * @return string The token. 2231 */ 2232 function wp_create_nonce( $action = -1 ) { 2233 $user = wp_get_current_user(); 2234 $uid = (int) $user->ID; 2235 if ( ! $uid ) { 2236 /** This filter is documented in wp-includes/pluggable.php */ 2237 $uid = apply_filters( 'nonce_user_logged_out', $uid, $action ); 2238 } 2239 2240 $token = wp_get_session_token(); 2241 $i = wp_nonce_tick(); 2242 2243 return substr( wp_hash( $i . '|' . $action . '|' . $uid . '|' . $token, 'nonce' ), -12, 10 ); 2244 } 2245 endif; 2246 2247 if ( ! function_exists( 'wp_salt' ) ) : 2248 /** 2249 * Returns a salt to add to hashes. 2250 * 2251 * Salts are created using secret keys. Secret keys are located in two places: 2252 * in the database and in the wp-config.php file. The secret key in the database 2253 * is randomly generated and will be appended to the secret keys in wp-config.php. 2254 * 2255 * The secret keys in wp-config.php should be updated to strong, random keys to maximize 2256 * security. Below is an example of how the secret key constants are defined. 2257 * Do not paste this example directly into wp-config.php. Instead, have a 2258 * {@link https://api.wordpress.org/secret-key/1.1/salt/ secret key created} just 2259 * for you. 2260 * 2261 * define('AUTH_KEY', ' Xakm<o xQy rw4EMsLKM-?!T+,PFF})H4lzcW57AF0U@N@< >M%G4Yt>f`z]MON'); 2262 * define('SECURE_AUTH_KEY', 'LzJ}op]mr|6+![P}Ak:uNdJCJZd>(Hx.-Mh#Tz)pCIU#uGEnfFz|f ;;eU%/U^O~'); 2263 * define('LOGGED_IN_KEY', '|i|Ux`9<p-h$aFf(qnT:sDO:D1P^wZ$$/Ra@miTJi9G;ddp_<q}6H1)o|a +&JCM'); 2264 * define('NONCE_KEY', '%:R{[P|,s.KuMltH5}cI;/k<Gx~j!f0I)m_sIyu+&NJZ)-iO>z7X>QYR0Z_XnZ@|'); 2265 * define('AUTH_SALT', 'eZyT)-Naw]F8CwA*VaW#q*|.)g@o}||wf~@C-YSt}(dh_r6EbI#A,y|nU2{B#JBW'); 2266 * define('SECURE_AUTH_SALT', '!=oLUTXh,QW=H `}`L|9/^4-3 STz},T(w}W<I`.JjPi)<Bmf1v,HpGe}T1:Xt7n'); 2267 * define('LOGGED_IN_SALT', '+XSqHc;@Q*K_b|Z?NC[3H!!EONbh.n<+=uKR:>*c(u`g~EJBf#8u#R{mUEZrozmm'); 2268 * define('NONCE_SALT', 'h`GXHhD>SLWVfg1(1(N{;.V!MoE(SfbA_ksP@&`+AycHcAV$+?@3q+rxV{%^VyKT'); 2269 * 2270 * Salting passwords helps against tools which has stored hashed values of 2271 * common dictionary strings. The added values makes it harder to crack. 2272 * 2273 * @since 2.5.0 2274 * 2275 * @link https://api.wordpress.org/secret-key/1.1/salt/ Create secrets for wp-config.php 2276 * 2277 * @param string $scheme Authentication scheme (auth, secure_auth, logged_in, nonce) 2278 * @return string Salt value 2279 */ 2280 function wp_salt( $scheme = 'auth' ) { 2281 static $cached_salts = array(); 2282 if ( isset( $cached_salts[ $scheme ] ) ) { 2283 /** 2284 * Filters the WordPress salt. 2285 * 2286 * @since 2.5.0 2287 * 2288 * @param string $cached_salt Cached salt for the given scheme. 2289 * @param string $scheme Authentication scheme. Values include 'auth', 2290 * 'secure_auth', 'logged_in', and 'nonce'. 2291 */ 2292 return apply_filters( 'salt', $cached_salts[ $scheme ], $scheme ); 2293 } 2294 2295 static $duplicated_keys; 2296 if ( null === $duplicated_keys ) { 2297 $duplicated_keys = array( 'put your unique phrase here' => true ); 2298 foreach ( array( 'AUTH', 'SECURE_AUTH', 'LOGGED_IN', 'NONCE', 'SECRET' ) as $first ) { 2299 foreach ( array( 'KEY', 'SALT' ) as $second ) { 2300 if ( ! defined( "{$first}_{$second}" ) ) { 2301 continue; 2302 } 2303 $value = constant( "{$first}_{$second}" ); 2304 $duplicated_keys[ $value ] = isset( $duplicated_keys[ $value ] ); 2305 } 2306 } 2307 } 2308 2309 $values = array( 2310 'key' => '', 2311 'salt' => '', 2312 ); 2313 if ( defined( 'SECRET_KEY' ) && SECRET_KEY && empty( $duplicated_keys[ SECRET_KEY ] ) ) { 2314 $values['key'] = SECRET_KEY; 2315 } 2316 if ( 'auth' === $scheme && defined( 'SECRET_SALT' ) && SECRET_SALT && empty( $duplicated_keys[ SECRET_SALT ] ) ) { 2317 $values['salt'] = SECRET_SALT; 2318 } 2319 2320 if ( in_array( $scheme, array( 'auth', 'secure_auth', 'logged_in', 'nonce' ), true ) ) { 2321 foreach ( array( 'key', 'salt' ) as $type ) { 2322 $const = strtoupper( "{$scheme}_{$type}" ); 2323 if ( defined( $const ) && constant( $const ) && empty( $duplicated_keys[ constant( $const ) ] ) ) { 2324 $values[ $type ] = constant( $const ); 2325 } elseif ( ! $values[ $type ] ) { 2326 $values[ $type ] = get_site_option( "{$scheme}_{$type}" ); 2327 if ( ! $values[ $type ] ) { 2328 $values[ $type ] = wp_generate_password( 64, true, true ); 2329 update_site_option( "{$scheme}_{$type}", $values[ $type ] ); 2330 } 2331 } 2332 } 2333 } else { 2334 if ( ! $values['key'] ) { 2335 $values['key'] = get_site_option( 'secret_key' ); 2336 if ( ! $values['key'] ) { 2337 $values['key'] = wp_generate_password( 64, true, true ); 2338 update_site_option( 'secret_key', $values['key'] ); 2339 } 2340 } 2341 $values['salt'] = hash_hmac( 'md5', $scheme, $values['key'] ); 2342 } 2343 2344 $cached_salts[ $scheme ] = $values['key'] . $values['salt']; 2345 2346 /** This filter is documented in wp-includes/pluggable.php */ 2347 return apply_filters( 'salt', $cached_salts[ $scheme ], $scheme ); 2348 } 2349 endif; 2350 2351 if ( ! function_exists( 'wp_hash' ) ) : 2352 /** 2353 * Get hash of given string. 2354 * 2355 * @since 2.0.3 2356 * 2357 * @param string $data Plain text to hash 2358 * @param string $scheme Authentication scheme (auth, secure_auth, logged_in, nonce) 2359 * @return string Hash of $data 2360 */ 2361 function wp_hash( $data, $scheme = 'auth' ) { 2362 $salt = wp_salt( $scheme ); 2363 2364 return hash_hmac( 'md5', $data, $salt ); 2365 } 2366 endif; 2367 2368 if ( ! function_exists( 'wp_hash_password' ) ) : 2369 /** 2370 * Create a hash (encrypt) of a plain text password. 2371 * 2372 * For integration with other applications, this function can be overwritten to 2373 * instead use the other package password checking algorithm. 2374 * 2375 * @since 2.5.0 2376 * 2377 * @global PasswordHash $wp_hasher PHPass object 2378 * 2379 * @param string $password Plain text user password to hash 2380 * @return string The hash string of the password 2381 */ 2382 function wp_hash_password( $password ) { 2383 global $wp_hasher; 2384 2385 if ( empty( $wp_hasher ) ) { 2386 require_once ABSPATH . WPINC . '/class-phpass.php'; 2387 // By default, use the portable hash from phpass. 2388 $wp_hasher = new PasswordHash( 8, true ); 2389 } 2390 2391 return $wp_hasher->HashPassword( trim( $password ) ); 2392 } 2393 endif; 2394 2395 if ( ! function_exists( 'wp_check_password' ) ) : 2396 /** 2397 * Checks the plaintext password against the encrypted Password. 2398 * 2399 * Maintains compatibility between old version and the new cookie authentication 2400 * protocol using PHPass library. The $hash parameter is the encrypted password 2401 * and the function compares the plain text password when encrypted similarly 2402 * against the already encrypted password to see if they match. 2403 * 2404 * For integration with other applications, this function can be overwritten to 2405 * instead use the other package password checking algorithm. 2406 * 2407 * @since 2.5.0 2408 * 2409 * @global PasswordHash $wp_hasher PHPass object used for checking the password 2410 * against the $hash + $password 2411 * @uses PasswordHash::CheckPassword 2412 * 2413 * @param string $password Plaintext user's password 2414 * @param string $hash Hash of the user's password to check against. 2415 * @param string|int $user_id Optional. User ID. 2416 * @return bool False, if the $password does not match the hashed password 2417 */ 2418 function wp_check_password( $password, $hash, $user_id = '' ) { 2419 global $wp_hasher; 2420 2421 // If the hash is still md5... 2422 if ( strlen( $hash ) <= 32 ) { 2423 $check = hash_equals( $hash, md5( $password ) ); 2424 if ( $check && $user_id ) { 2425 // Rehash using new hash. 2426 wp_set_password( $password, $user_id ); 2427 $hash = wp_hash_password( $password ); 2428 } 2429 2430 /** 2431 * Filters whether the plaintext password matches the encrypted password. 2432 * 2433 * @since 2.5.0 2434 * 2435 * @param bool $check Whether the passwords match. 2436 * @param string $password The plaintext password. 2437 * @param string $hash The hashed password. 2438 * @param string|int $user_id User ID. Can be empty. 2439 */ 2440 return apply_filters( 'check_password', $check, $password, $hash, $user_id ); 2441 } 2442 2443 // If the stored hash is longer than an MD5, 2444 // presume the new style phpass portable hash. 2445 if ( empty( $wp_hasher ) ) { 2446 require_once ABSPATH . WPINC . '/class-phpass.php'; 2447 // By default, use the portable hash from phpass. 2448 $wp_hasher = new PasswordHash( 8, true ); 2449 } 2450 2451 $check = $wp_hasher->CheckPassword( $password, $hash ); 2452 2453 /** This filter is documented in wp-includes/pluggable.php */ 2454 return apply_filters( 'check_password', $check, $password, $hash, $user_id ); 2455 } 2456 endif; 2457 2458 if ( ! function_exists( 'wp_generate_password' ) ) : 2459 /** 2460 * Generates a random password drawn from the defined set of characters. 2461 * 2462 * Uses wp_rand() is used to create passwords with far less predictability 2463 * than similar native PHP functions like `rand()` or `mt_rand()`. 2464 * 2465 * @since 2.5.0 2466 * 2467 * @param int $length Optional. The length of password to generate. Default 12. 2468 * @param bool $special_chars Optional. Whether to include standard special characters. 2469 * Default true. 2470 * @param bool $extra_special_chars Optional. Whether to include other special characters. 2471 * Used when generating secret keys and salts. Default false. 2472 * @return string The random password. 2473 */ 2474 function wp_generate_password( $length = 12, $special_chars = true, $extra_special_chars = false ) { 2475 $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'; 2476 if ( $special_chars ) { 2477 $chars .= '!@#$%^&*()'; 2478 } 2479 if ( $extra_special_chars ) { 2480 $chars .= '-_ []{}<>~`+=,.;:/?|'; 2481 } 2482 2483 $password = ''; 2484 for ( $i = 0; $i < $length; $i++ ) { 2485 $password .= substr( $chars, wp_rand( 0, strlen( $chars ) - 1 ), 1 ); 2486 } 2487 2488 /** 2489 * Filters the randomly-generated password. 2490 * 2491 * @since 3.0.0 2492 * @since 5.3.0 Added the `$length`, `$special_chars`, and `$extra_special_chars` parameters. 2493 * 2494 * @param string $password The generated password. 2495 * @param int $length The length of password to generate. 2496 * @param bool $special_chars Whether to include standard special characters. 2497 * @param bool $extra_special_chars Whether to include other special characters. 2498 */ 2499 return apply_filters( 'random_password', $password, $length, $special_chars, $extra_special_chars ); 2500 } 2501 endif; 2502 2503 if ( ! function_exists( 'wp_rand' ) ) : 2504 /** 2505 * Generates a random number. 2506 * 2507 * @since 2.6.2 2508 * @since 4.4.0 Uses PHP7 random_int() or the random_compat library if available. 2509 * 2510 * @global string $rnd_value 2511 * 2512 * @param int $min Lower limit for the generated number 2513 * @param int $max Upper limit for the generated number 2514 * @return int A random number between min and max 2515 */ 2516 function wp_rand( $min = 0, $max = 0 ) { 2517 global $rnd_value; 2518 2519 // Some misconfigured 32-bit environments (Entropy PHP, for example) 2520 // truncate integers larger than PHP_INT_MAX to PHP_INT_MAX rather than overflowing them to floats. 2521 $max_random_number = 3000000000 === 2147483647 ? (float) '4294967295' : 4294967295; // 4294967295 = 0xffffffff 2522 2523 // We only handle ints, floats are truncated to their integer value. 2524 $min = (int) $min; 2525 $max = (int) $max; 2526 2527 // Use PHP's CSPRNG, or a compatible method. 2528 static $use_random_int_functionality = true; 2529 if ( $use_random_int_functionality ) { 2530 try { 2531 $_max = ( 0 != $max ) ? $max : $max_random_number; 2532 // wp_rand() can accept arguments in either order, PHP cannot. 2533 $_max = max( $min, $_max ); 2534 $_min = min( $min, $_max ); 2535 $val = random_int( $_min, $_max ); 2536 if ( false !== $val ) { 2537 return absint( $val ); 2538 } else { 2539 $use_random_int_functionality = false; 2540 } 2541 } catch ( Error $e ) { 2542 $use_random_int_functionality = false; 2543 } catch ( Exception $e ) { 2544 $use_random_int_functionality = false; 2545 } 2546 } 2547 2548 // Reset $rnd_value after 14 uses. 2549 // 32 (md5) + 40 (sha1) + 40 (sha1) / 8 = 14 random numbers from $rnd_value. 2550 if ( strlen( $rnd_value ) < 8 ) { 2551 if ( defined( 'WP_SETUP_CONFIG' ) ) { 2552 static $seed = ''; 2553 } else { 2554 $seed = get_transient( 'random_seed' ); 2555 } 2556 $rnd_value = md5( uniqid( microtime() . mt_rand(), true ) . $seed ); 2557 $rnd_value .= sha1( $rnd_value ); 2558 $rnd_value .= sha1( $rnd_value . $seed ); 2559 $seed = md5( $seed . $rnd_value ); 2560 if ( ! defined( 'WP_SETUP_CONFIG' ) && ! defined( 'WP_INSTALLING' ) ) { 2561 set_transient( 'random_seed', $seed ); 2562 } 2563 } 2564 2565 // Take the first 8 digits for our value. 2566 $value = substr( $rnd_value, 0, 8 ); 2567 2568 // Strip the first eight, leaving the remainder for the next call to wp_rand(). 2569 $rnd_value = substr( $rnd_value, 8 ); 2570 2571 $value = abs( hexdec( $value ) ); 2572 2573 // Reduce the value to be within the min - max range. 2574 if ( 0 != $max ) { 2575 $value = $min + ( $max - $min + 1 ) * $value / ( $max_random_number + 1 ); 2576 } 2577 2578 return abs( (int) $value ); 2579 } 2580 endif; 2581 2582 if ( ! function_exists( 'wp_set_password' ) ) : 2583 /** 2584 * Updates the user's password with a new encrypted one. 2585 * 2586 * For integration with other applications, this function can be overwritten to 2587 * instead use the other package password checking algorithm. 2588 * 2589 * Please note: This function should be used sparingly and is really only meant for single-time 2590 * application. Leveraging this improperly in a plugin or theme could result in an endless loop 2591 * of password resets if precautions are not taken to ensure it does not execute on every page load. 2592 * 2593 * @since 2.5.0 2594 * 2595 * @global wpdb $wpdb WordPress database abstraction object. 2596 * 2597 * @param string $password The plaintext new user password 2598 * @param int $user_id User ID 2599 */ 2600 function wp_set_password( $password, $user_id ) { 2601 global $wpdb; 2602 2603 $hash = wp_hash_password( $password ); 2604 $wpdb->update( 2605 $wpdb->users, 2606 array( 2607 'user_pass' => $hash, 2608 'user_activation_key' => '', 2609 ), 2610 array( 'ID' => $user_id ) 2611 ); 2612 2613 clean_user_cache( $user_id ); 2614 } 2615 endif; 2616 2617 if ( ! function_exists( 'get_avatar' ) ) : 2618 /** 2619 * Retrieve the avatar `<img>` tag for a user, email address, MD5 hash, comment, or post. 2620 * 2621 * @since 2.5.0 2622 * @since 4.2.0 Optional `$args` parameter added. 2623 * 2624 * @param mixed $id_or_email The Gravatar to retrieve. Accepts a user_id, gravatar md5 hash, 2625 * user email, WP_User object, WP_Post object, or WP_Comment object. 2626 * @param int $size Optional. Height and width of the avatar image file in pixels. Default 96. 2627 * @param string $default Optional. URL for the default image or a default type. Accepts '404' 2628 * (return a 404 instead of a default image), 'retro' (8bit), 'monsterid' 2629 * (monster), 'wavatar' (cartoon face), 'indenticon' (the "quilt"), 2630 * 'mystery', 'mm', or 'mysteryman' (The Oyster Man), 'blank' (transparent GIF), 2631 * or 'gravatar_default' (the Gravatar logo). Default is the value of the 2632 * 'avatar_default' option, with a fallback of 'mystery'. 2633 * @param string $alt Optional. Alternative text to use in img tag. Default empty. 2634 * @param array $args { 2635 * Optional. Extra arguments to retrieve the avatar. 2636 * 2637 * @type int $height Display height of the avatar in pixels. Defaults to $size. 2638 * @type int $width Display width of the avatar in pixels. Defaults to $size. 2639 * @type bool $force_default Whether to always show the default image, never the Gravatar. Default false. 2640 * @type string $rating What rating to display avatars up to. Accepts 'G', 'PG', 'R', 'X', and are 2641 * judged in that order. Default is the value of the 'avatar_rating' option. 2642 * @type string $scheme URL scheme to use. See set_url_scheme() for accepted values. 2643 * Default null. 2644 * @type array|string $class Array or string of additional classes to add to the img element. 2645 * Default null. 2646 * @type bool $force_display Whether to always show the avatar - ignores the show_avatars option. 2647 * Default false. 2648 * @type string $loading Value for the `loading` attribute. 2649 * Default null. 2650 * @type string $extra_attr HTML attributes to insert in the IMG element. Is not sanitized. Default empty. 2651 * } 2652 * @return string|false `<img>` tag for the user's avatar. False on failure. 2653 */ 2654 function get_avatar( $id_or_email, $size = 96, $default = '', $alt = '', $args = null ) { 2655 $defaults = array( 2656 // get_avatar_data() args. 2657 'size' => 96, 2658 'height' => null, 2659 'width' => null, 2660 'default' => get_option( 'avatar_default', 'mystery' ), 2661 'force_default' => false, 2662 'rating' => get_option( 'avatar_rating' ), 2663 'scheme' => null, 2664 'alt' => '', 2665 'class' => null, 2666 'force_display' => false, 2667 'loading' => null, 2668 'extra_attr' => '', 2669 ); 2670 2671 if ( wp_lazy_loading_enabled( 'img', 'get_avatar' ) ) { 2672 $defaults['loading'] = 'lazy'; 2673 } 2674 2675 if ( empty( $args ) ) { 2676 $args = array(); 2677 } 2678 2679 $args['size'] = (int) $size; 2680 $args['default'] = $default; 2681 $args['alt'] = $alt; 2682 2683 $args = wp_parse_args( $args, $defaults ); 2684 2685 if ( empty( $args['height'] ) ) { 2686 $args['height'] = $args['size']; 2687 } 2688 if ( empty( $args['width'] ) ) { 2689 $args['width'] = $args['size']; 2690 } 2691 2692 if ( is_object( $id_or_email ) && isset( $id_or_email->comment_ID ) ) { 2693 $id_or_email = get_comment( $id_or_email ); 2694 } 2695 2696 /** 2697 * Allows the HTML for a user's avatar to be returned early. 2698 * 2699 * Passing a non-null value will effectively short-circuit get_avatar(), passing 2700 * the value through the {@see 'get_avatar'} filter and returning early. 2701 * 2702 * @since 4.2.0 2703 * 2704 * @param string|null $avatar HTML for the user's avatar. Default null. 2705 * @param mixed $id_or_email The avatar to retrieve. Accepts a user_id, Gravatar MD5 hash, 2706 * user email, WP_User object, WP_Post object, or WP_Comment object. 2707 * @param array $args Arguments passed to get_avatar_url(), after processing. 2708 */ 2709 $avatar = apply_filters( 'pre_get_avatar', null, $id_or_email, $args ); 2710 2711 if ( ! is_null( $avatar ) ) { 2712 /** This filter is documented in wp-includes/pluggable.php */ 2713 return apply_filters( 'get_avatar', $avatar, $id_or_email, $args['size'], $args['default'], $args['alt'], $args ); 2714 } 2715 2716 if ( ! $args['force_display'] && ! get_option( 'show_avatars' ) ) { 2717 return false; 2718 } 2719 2720 $url2x = get_avatar_url( $id_or_email, array_merge( $args, array( 'size' => $args['size'] * 2 ) ) ); 2721 2722 $args = get_avatar_data( $id_or_email, $args ); 2723 2724 $url = $args['url']; 2725 2726 if ( ! $url || is_wp_error( $url ) ) { 2727 return false; 2728 } 2729 2730 $class = array( 'avatar', 'avatar-' . (int) $args['size'], 'photo' ); 2731 2732 if ( ! $args['found_avatar'] || $args['force_default'] ) { 2733 $class[] = 'avatar-default'; 2734 } 2735 2736 if ( $args['class'] ) { 2737 if ( is_array( $args['class'] ) ) { 2738 $class = array_merge( $class, $args['class'] ); 2739 } else { 2740 $class[] = $args['class']; 2741 } 2742 } 2743 2744 // Add `loading` attribute. 2745 $extra_attr = $args['extra_attr']; 2746 $loading = $args['loading']; 2747 2748 if ( in_array( $loading, array( 'lazy', 'eager' ), true ) && ! preg_match( '/\bloading\s*=/', $extra_attr ) ) { 2749 if ( ! empty( $extra_attr ) ) { 2750 $extra_attr .= ' '; 2751 } 2752 2753 $extra_attr .= "loading='{$loading}'"; 2754 } 2755 2756 $avatar = sprintf( 2757 "<img alt='%s' src='%s' srcset='%s' class='%s' height='%d' width='%d' %s/>", 2758 esc_attr( $args['alt'] ), 2759 esc_url( $url ), 2760 esc_url( $url2x ) . ' 2x', 2761 esc_attr( implode( ' ', $class ) ), 2762 (int) $args['height'], 2763 (int) $args['width'], 2764 $extra_attr 2765 ); 2766 2767 /** 2768 * Filters the HTML for a user's avatar. 2769 * 2770 * @since 2.5.0 2771 * @since 4.2.0 The `$args` parameter was added. 2772 * 2773 * @param string $avatar HTML for the user's avatar. 2774 * @param mixed $id_or_email The avatar to retrieve. Accepts a user_id, Gravatar MD5 hash, 2775 * user email, WP_User object, WP_Post object, or WP_Comment object. 2776 * @param int $size Square avatar width and height in pixels to retrieve. 2777 * @param string $default URL for the default image or a default type. Accepts '404', 'retro', 'monsterid', 2778 * 'wavatar', 'indenticon', 'mystery', 'mm', 'mysteryman', 'blank', or 'gravatar_default'. 2779 * Default is the value of the 'avatar_default' option, with a fallback of 'mystery'. 2780 * @param string $alt Alternative text to use in the avatar image tag. Default empty. 2781 * @param array $args Arguments passed to get_avatar_data(), after processing. 2782 */ 2783 return apply_filters( 'get_avatar', $avatar, $id_or_email, $args['size'], $args['default'], $args['alt'], $args ); 2784 } 2785 endif; 2786 2787 if ( ! function_exists( 'wp_text_diff' ) ) : 2788 /** 2789 * Displays a human readable HTML representation of the difference between two strings. 2790 * 2791 * The Diff is available for getting the changes between versions. The output is 2792 * HTML, so the primary use is for displaying the changes. If the two strings 2793 * are equivalent, then an empty string will be returned. 2794 * 2795 * @since 2.6.0 2796 * 2797 * @see wp_parse_args() Used to change defaults to user defined settings. 2798 * @uses Text_Diff 2799 * @uses WP_Text_Diff_Renderer_Table 2800 * 2801 * @param string $left_string "old" (left) version of string 2802 * @param string $right_string "new" (right) version of string 2803 * @param string|array $args { 2804 * Associative array of options to pass to WP_Text_Diff_Renderer_Table(). 2805 * 2806 * @type string $title Titles the diff in a manner compatible 2807 * with the output. Default empty. 2808 * @type string $title_left Change the HTML to the left of the title. 2809 * Default empty. 2810 * @type string $title_right Change the HTML to the right of the title. 2811 * Default empty. 2812 * @type bool $show_split_view True for split view (two columns), false for 2813 * un-split view (single column). Default true. 2814 * } 2815 * @return string Empty string if strings are equivalent or HTML with differences. 2816 */ 2817 function wp_text_diff( $left_string, $right_string, $args = null ) { 2818 $defaults = array( 2819 'title' => '', 2820 'title_left' => '', 2821 'title_right' => '', 2822 'show_split_view' => true, 2823 ); 2824 $args = wp_parse_args( $args, $defaults ); 2825 2826 if ( ! class_exists( 'WP_Text_Diff_Renderer_Table', false ) ) { 2827 require ABSPATH . WPINC . '/wp-diff.php'; 2828 } 2829 2830 $left_string = normalize_whitespace( $left_string ); 2831 $right_string = normalize_whitespace( $right_string ); 2832 2833 $left_lines = explode( "\n", $left_string ); 2834 $right_lines = explode( "\n", $right_string ); 2835 $text_diff = new Text_Diff( $left_lines, $right_lines ); 2836 $renderer = new WP_Text_Diff_Renderer_Table( $args ); 2837 $diff = $renderer->render( $text_diff ); 2838 2839 if ( ! $diff ) { 2840 return ''; 2841 } 2842 2843 $is_split_view = ! empty( $args['show_split_view'] ); 2844 $is_split_view_class = $is_split_view ? ' is-split-view' : ''; 2845 2846 $r = "<table class='diff$is_split_view_class'>\n"; 2847 2848 if ( $args['title'] ) { 2849 $r .= "<caption class='diff-title'>$args[title]</caption>\n"; 2850 } 2851 2852 if ( $args['title_left'] || $args['title_right'] ) { 2853 $r .= '<thead>'; 2854 } 2855 2856 if ( $args['title_left'] || $args['title_right'] ) { 2857 $th_or_td_left = empty( $args['title_left'] ) ? 'td' : 'th'; 2858 $th_or_td_right = empty( $args['title_right'] ) ? 'td' : 'th'; 2859 2860 $r .= "<tr class='diff-sub-title'>\n"; 2861 $r .= "\t<$th_or_td_left>$args[title_left]</$th_or_td_left>\n"; 2862 if ( $is_split_view ) { 2863 $r .= "\t<$th_or_td_right>$args[title_right]</$th_or_td_right>\n"; 2864 } 2865 $r .= "</tr>\n"; 2866 } 2867 2868 if ( $args['title_left'] || $args['title_right'] ) { 2869 $r .= "</thead>\n"; 2870 } 2871 2872 $r .= "<tbody>\n$diff\n</tbody>\n"; 2873 $r .= '</table>'; 2874 2875 return $r; 2876 } 2877 endif;
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
| Generated: Fri Apr 23 01:00:05 2021 | Cross-referenced by PHPXref 0.7.1 |