s/attribute_escape/attr/. see #9650

git-svn-id: http://svn.automattic.com/wordpress/trunk@11109 1a063a9b-81f0-0310-95a4-ce76da25c4cd
ryan 2009-04-28 05:58:45 +00:00
parent 430a8cb2cf
commit 2d489767bb
84 changed files with 391 additions and 391 deletions


@ -474,7 +474,7 @@ case 'add-cat' : // From Manage->Categories
$cat_full_name = $_cat->name . ' — ' . $cat_full_name;
$level++;
}
$cat_full_name = attribute_escape($cat_full_name);
$cat_full_name = attr($cat_full_name);
$x = new WP_Ajax_Response( array(
'what' => 'cat',
@ -552,7 +552,7 @@ case 'add-tag' : // From Manage->Tags
die('0');
$tag_full_name = $tag->name;
$tag_full_name = attribute_escape($tag_full_name);
$tag_full_name = attr($tag_full_name);
$x = new WP_Ajax_Response( array(
'what' => 'tag',


@ -287,7 +287,7 @@ class Custom_Image_Header {
<input type="button" class="button" value="<?php _ea('Hide Text'); ?>" onclick="hide_text()" id="hidetext" />
<input type="button" class="button" value="<?php _ea('Select a Text Color'); ?>" id="pickcolor" /><input type="button" class="button" value="<?php _ea('Use Original Color'); ?>" onclick="colorDefault()" id="defaultcolor" />
<?php wp_nonce_field('custom-header') ?>
<input type="hidden" name="textcolor" id="textcolor" value="#<?php attribute_escape(header_textcolor()) ?>" /><input name="submit" type="submit" class="button" value="<?php _ea('Save Changes'); ?>" /></form>
<input type="hidden" name="textcolor" id="textcolor" value="#<?php attr(header_textcolor()) ?>" /><input name="submit" type="submit" class="button" value="<?php _ea('Save Changes'); ?>" /></form>
<?php } ?>
<div id="colorPickerDiv" style="z-index: 100;background:#eee;border:1px solid #ccc;position:absolute;display:none;"> </div>
@ -296,7 +296,7 @@ class Custom_Image_Header {
<h2><?php _e('Upload New Header Image'); ?></h2><p><?php _e('Here you can upload a custom header image to be shown at the top of your blog instead of the default one. On the next screen you will be able to crop the image.'); ?></p>
<p><?php printf(__('Images of exactly <strong>%1$d x %2$d pixels</strong> will be used as-is.'), HEADER_IMAGE_WIDTH, HEADER_IMAGE_HEIGHT); ?></p>
<form enctype="multipart/form-data" id="uploadForm" method="POST" action="<?php echo attribute_escape(add_query_arg('step', 2)) ?>" style="margin: auto; width: 50%;">
<form enctype="multipart/form-data" id="uploadForm" method="POST" action="<?php echo attr(add_query_arg('step', 2)) ?>" style="margin: auto; width: 50%;">
<label for="upload"><?php _e('Choose an image from your computer:'); ?></label><br /><input type="file" id="upload" name="import" />
<input type="hidden" name="action" value="save" />
<?php wp_nonce_field('custom-header') ?>
@ -311,7 +311,7 @@ class Custom_Image_Header {
<div class="wrap">
<h2><?php _e('Reset Header Image and Color'); ?></h2>
<p><?php _e('This will restore the original header image and color. You will not be able to retrieve any customizations.') ?></p>
<form method="post" action="<?php echo attribute_escape(add_query_arg('step', 1)) ?>">
<form method="post" action="<?php echo attr(add_query_arg('step', 1)) ?>">
<?php wp_nonce_field('custom-header'); ?>
<input type="submit" class="button" name="resetheader" value="<?php _ea('Restore Original Header'); ?>" />
</form>
@ -372,7 +372,7 @@ class Custom_Image_Header {
<div class="wrap">
<form method="POST" action="<?php echo attribute_escape(add_query_arg('step', 3)) ?>">
<form method="POST" action="<?php echo attr(add_query_arg('step', 3)) ?>">
<p><?php _e('Choose the part of the image you want to use as your header.'); ?></p>
<div id="testWrap" style="position: relative">


@ -62,7 +62,7 @@ foreach ($posts_columns as $column_name => $column_display_name ) {
if ( $thumb = wp_get_attachment_image( $post->ID, array(80, 60), true ) ) {
?>
<a href="media.php?action=edit&amp;attachment_id=<?php the_ID(); ?>" title="<?php echo attribute_escape(sprintf(__('Edit "%s"'), $att_title)); ?>">
<a href="media.php?action=edit&amp;attachment_id=<?php the_ID(); ?>" title="<?php echo attr(sprintf(__('Edit "%s"'), $att_title)); ?>">
<?php echo $thumb; ?>
</a>
@ -74,7 +74,7 @@ foreach ($posts_columns as $column_name => $column_display_name ) {
case 'media':
?>
<td <?php echo $attributes ?>><strong><a href="<?php echo get_edit_post_link( $post->ID ); ?>" title="<?php echo attribute_escape(sprintf(__('Edit "%s"'), $att_title)); ?>"><?php echo $att_title; ?></a></strong><br />
<td <?php echo $attributes ?>><strong><a href="<?php echo get_edit_post_link( $post->ID ); ?>" title="<?php echo attr(sprintf(__('Edit "%s"'), $att_title)); ?>"><?php echo $att_title; ?></a></strong><br />
<?php echo strtoupper(preg_replace('/^.*?\.(\w+)$/', '$1', get_attached_file($post->ID))); ?>
<p>
<?php
@ -83,7 +83,7 @@ foreach ($posts_columns as $column_name => $column_display_name ) {
$actions['edit'] = '<a href="' . get_edit_post_link($post->ID, true) . '">' . __('Edit') . '</a>';
if ( current_user_can('delete_post', $post->ID) )
$actions['delete'] = "<a class='submitdelete' href='" . wp_nonce_url("post.php?action=delete&amp;post=$post->ID", 'delete-post_' . $post->ID) . "' onclick=\"if ( confirm('" . js_escape(sprintf( ('draft' == $post->post_status) ? __("You are about to delete this attachment '%s'\n 'Cancel' to stop, 'OK' to delete.") : __("You are about to delete this attachment '%s'\n 'Cancel' to stop, 'OK' to delete."), $post->post_title )) . "') ) { return true;}return false;\">" . __('Delete') . "</a>";
$actions['view'] = '<a href="' . get_permalink($post->ID) . '" title="' . attribute_escape(sprintf(__('View "%s"'), $title)) . '" rel="permalink">' . __('View') . '</a>';
$actions['view'] = '<a href="' . get_permalink($post->ID) . '" title="' . attr(sprintf(__('View "%s"'), $title)) . '" rel="permalink">' . __('View') . '</a>';
$action_count = count($actions);
$i = 0;
echo '<div class="row-actions">';
@ -182,7 +182,7 @@ foreach ($posts_columns as $column_name => $column_display_name ) {
case 'actions':
?>
<td <?php echo $attributes ?>>
<a href="media.php?action=edit&amp;attachment_id=<?php the_ID(); ?>" title="<?php echo attribute_escape(sprintf(__('Edit "%s"'), $att_title)); ?>"><?php _e('Edit'); ?></a> |
<a href="media.php?action=edit&amp;attachment_id=<?php the_ID(); ?>" title="<?php echo attr(sprintf(__('Edit "%s"'), $att_title)); ?>"><?php _e('Edit'); ?></a> |
<a href="<?php the_permalink(); ?>"><?php _e('Get permalink'); ?></a>
</td>
<?php


@ -49,12 +49,12 @@ _fill_empty_category($category);
<table class="form-table">
<tr class="form-field form-required">
<th scope="row" valign="top"><label for="cat_name"><?php _e('Category Name') ?></label></th>
<td><input name="cat_name" id="cat_name" type="text" value="<?php echo attribute_escape($category->name); ?>" size="40" aria-required="true" /><br />
<td><input name="cat_name" id="cat_name" type="text" value="<?php echo attr($category->name); ?>" size="40" aria-required="true" /><br />
<?php _e('The name is used to identify the category almost everywhere, for example under the post or in the category widget.'); ?></td>
</tr>
<tr class="form-field">
<th scope="row" valign="top"><label for="category_nicename"><?php _e('Category Slug') ?></label></th>
<td><input name="category_nicename" id="category_nicename" type="text" value="<?php echo attribute_escape(apply_filters('editable_slug', $category->slug)); ?>" size="40" /><br />
<td><input name="category_nicename" id="category_nicename" type="text" value="<?php echo attr(apply_filters('editable_slug', $category->slug)); ?>" size="40" /><br />
<?php _e('The &#8220;slug&#8221; is the URL-friendly version of the name. It is usually all lowercase and contains only letters, numbers, and hyphens.'); ?></td>
</tr>
<tr class="form-field">


@ -83,7 +83,7 @@ else
require_once('admin-header.php');
$mode = ( ! isset($_GET['mode']) || empty($_GET['mode']) ) ? 'detail' : attribute_escape($_GET['mode']);
$mode = ( ! isset($_GET['mode']) || empty($_GET['mode']) ) ? 'detail' : attr($_GET['mode']);
$default_status = get_user_option('edit_comments_last_view');
if ( empty($default_status) )
@ -94,10 +94,10 @@ if ( !in_array($comment_status, array('all', 'moderated', 'approved', 'spam')) )
if ( $comment_status != $default_status )
update_usermeta($current_user->ID, 'edit_comments_last_view', $comment_status);
$comment_type = !empty($_GET['comment_type']) ? attribute_escape($_GET['comment_type']) : '';
$comment_type = !empty($_GET['comment_type']) ? attr($_GET['comment_type']) : '';
$search_dirty = ( isset($_GET['s']) ) ? $_GET['s'] : '';
$search = attribute_escape( $search_dirty ); ?>
$search = attr( $search_dirty ); ?>
<div class="wrap">
<?php screen_icon(); ?>
@ -164,7 +164,7 @@ foreach ( $stati as $status => $label ) {
/*
// I toyed with this, but decided against it. Leaving it in here in case anyone thinks it is a good idea. ~ Mark
if ( !empty( $_GET['s'] ) )
$link = add_query_arg( 's', attribute_escape( stripslashes( $_GET['s'] ) ), $link );
$link = add_query_arg( 's', attr( stripslashes( $_GET['s'] ) ), $link );
*/
$status_links[] = "<li class='$status'><a href='$link'$class>" . sprintf(
_n( $label[0], $label[1], $num_comments->$status ),
@ -364,8 +364,8 @@ if ( $page_links )
<input type="hidden" name="mode" value="<?php echo attr($mode); ?>" />
<input type="hidden" name="comment_status" value="<?php echo attr($comment_status); ?>" />
<input type="hidden" name="page" value="<?php echo isset($_REQUEST['page']) ? absint( $_REQUEST['page'] ) : 1; ?>" />
<input type="hidden" name="p" value="<?php echo attribute_escape( $post_id ); ?>" />
<input type="hidden" name="comment_type" value="<?php echo attribute_escape( $comment_type ); ?>" />
<input type="hidden" name="p" value="<?php echo attr( $post_id ); ?>" />
<input type="hidden" name="comment_type" value="<?php echo attr( $comment_type ); ?>" />
<?php wp_nonce_field( 'add-comment', '_ajax_nonce', false ); ?>
</form>


@ -16,7 +16,7 @@ $post_ID = isset($post_ID) ? (int) $post_ID : 0;
$action = isset($action) ? $action : '';
if ( isset($_GET['message']) )
$_GET['message'] = absint( $_GET['message'] );
$messages[1] = sprintf( __( 'Post updated. Continue editing below or <a href="%s">go back</a>.' ), attribute_escape( stripslashes( ( isset( $_GET['_wp_original_http_referer'] ) ? $_GET['_wp_original_http_referer'] : '') ) ) );
$messages[1] = sprintf( __( 'Post updated. Continue editing below or <a href="%s">go back</a>.' ), attr( stripslashes( ( isset( $_GET['_wp_original_http_referer'] ) ? $_GET['_wp_original_http_referer'] : '') ) ) );
$messages[2] = __('Custom field updated.');
$messages[3] = __('Custom field deleted.');
$messages[4] = __('Post updated.');
@ -169,15 +169,15 @@ if ( 'private' == $post->post_status ) {
?><?php echo wp_specialchars( $visibility_trans ); ?></span></b> <?php if ( $can_publish ) { ?> <a href="#visibility" class="edit-visibility hide-if-no-js"><?php _e('Edit'); ?></a>
<div id="post-visibility-select" class="hide-if-js">
<input type="hidden" name="hidden_post_password" id="hidden-post-password" value="<?php echo attribute_escape($post->post_password); ?>" />
<input type="hidden" name="hidden_post_password" id="hidden-post-password" value="<?php echo attr($post->post_password); ?>" />
<input type="checkbox" style="display:none" name="hidden_post_sticky" id="hidden-post-sticky" value="sticky" <?php checked(is_sticky($post->ID)); ?> />
<input type="hidden" name="hidden_post_visibility" id="hidden-post-visibility" value="<?php echo attribute_escape( $visibility ); ?>" />
<input type="hidden" name="hidden_post_visibility" id="hidden-post-visibility" value="<?php echo attr( $visibility ); ?>" />
<input type="radio" name="visibility" id="visibility-radio-public" value="public" <?php checked( $visibility, 'public' ); ?> /> <label for="visibility-radio-public" class="selectit"><?php _e('Public'); ?></label><br />
<span id="sticky-span"><input id="sticky" name="sticky" type="checkbox" value="sticky" <?php checked(is_sticky($post->ID)); ?> tabindex="4" /> <label for="sticky" class="selectit"><?php _e('Stick this post to the front page') ?></label><br /></span>
<input type="radio" name="visibility" id="visibility-radio-password" value="password" <?php checked( $visibility, 'password' ); ?> /> <label for="visibility-radio-password" class="selectit"><?php _e('Password protected'); ?></label><br />
<span id="password-span"><label for="post_password"><?php _e('Password:'); ?></label> <input type="text" name="post_password" id="post_password" value="<?php echo attribute_escape($post->post_password); ?>" /><br /></span>
<span id="password-span"><label for="post_password"><?php _e('Password:'); ?></label> <input type="text" name="post_password" id="post_password" value="<?php echo attr($post->post_password); ?>" /><br /></span>
<input type="radio" name="visibility" id="visibility-radio-private" value="private" <?php checked( $visibility, 'private' ); ?> /> <label for="visibility-radio-private" class="selectit"><?php _e('Private'); ?></label><br />
<p>
@ -271,7 +271,7 @@ add_meta_box('submitdiv', __('Publish'), 'post_submit_meta_box', 'post', 'side',
function post_tags_meta_box($post, $box) {
$tax_name = substr($box['id'], 8);
$taxonomy = get_taxonomy($tax_name);
$helps = isset($taxonomy->helps) ? attribute_escape($taxonomy->helps) : __('Separate tags with commas.');
$helps = isset($taxonomy->helps) ? attr($taxonomy->helps) : __('Separate tags with commas.');
?>
<div class="tagsdiv" id="<?php echo $tax_name; ?>">
<p class="jaxtag">
@ -293,7 +293,7 @@ function post_tags_meta_box($post, $box) {
foreach ( get_object_taxonomies('post') as $tax_name ) {
if ( !is_taxonomy_hierarchical($tax_name) ) {
$taxonomy = get_taxonomy($tax_name);
$label = isset($taxonomy->label) ? attribute_escape($taxonomy->label) : $tax_name;
$label = isset($taxonomy->label) ? attr($taxonomy->label) : $tax_name;
add_meta_box('tagsdiv-' . $tax_name, $label, 'post_tags_meta_box', 'post', 'side', 'core');
}
@ -384,7 +384,7 @@ add_meta_box('postexcerpt', __('Excerpt'), 'post_excerpt_meta_box', 'post', 'nor
* @param object $post
*/
function post_trackback_meta_box($post) {
$form_trackback = '<input type="text" name="trackback_url" id="trackback_url" class="code" tabindex="7" value="'. attribute_escape( str_replace("\n", ' ', $post->to_ping) ) .'" />';
$form_trackback = '<input type="text" name="trackback_url" id="trackback_url" class="code" tabindex="7" value="'. attr( str_replace("\n", ' ', $post->to_ping) ) .'" />';
if ('' != $post->pinged) {
$pings = '<p>'. __('Already pinged:') . '</p><ul>';
$already_pinged = explode("\n", trim($post->pinged));
@ -497,7 +497,7 @@ if ( 'publish' == $post->post_status || 'private' == $post->post_status )
*/
function post_slug_meta_box($post) {
?>
<label class="hidden" for="post_name"><?php _e('Post Slug') ?></label><input name="post_name" type="text" size="13" id="post_name" value="<?php echo attribute_escape( $post->post_name ); ?>" />
<label class="hidden" for="post_name"><?php _e('Post Slug') ?></label><input name="post_name" type="text" size="13" id="post_name" value="<?php echo attr( $post->post_name ); ?>" />
<?php
}
if ( !( 'pending' == $post->post_status && !current_user_can( 'publish_posts' ) ) )
@ -574,7 +574,7 @@ else
<input type="hidden" id="user-id" name="user_ID" value="<?php echo (int) $user_ID ?>" />
<input type="hidden" id="hiddenaction" name="action" value="<?php echo attr($form_action) ?>" />
<input type="hidden" id="originalaction" name="originalaction" value="<?php echo attr($form_action) ?>" />
<input type="hidden" id="post_author" name="post_author" value="<?php echo attribute_escape( $post->post_author ); ?>" />
<input type="hidden" id="post_author" name="post_author" value="<?php echo attr( $post->post_author ); ?>" />
<input type="hidden" id="post_type" name="post_type" value="<?php echo attr($post->post_type) ?>" />
<input type="hidden" id="original_post_status" name="original_post_status" value="<?php echo attr($post->post_status) ?>" />
<input name="referredby" type="hidden" id="referredby" value="<?php echo clean_url(stripslashes(wp_get_referer())); ?>" />
@ -595,7 +595,7 @@ else
<div id="post-body-content">
<div id="titlediv">
<div id="titlewrap">
<input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape( htmlspecialchars( $post->post_title ) ); ?>" id="title" autocomplete="off" />
<input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attr( htmlspecialchars( $post->post_title ) ); ?>" id="title" autocomplete="off" />
</div>
<div class="inside">
<?php $sample_permalink_html = get_sample_permalink_html($post->ID); ?>


@ -26,8 +26,8 @@ $form_extra = "' />\n<input type='hidden' name='comment_ID' value='" . attr($com
<input type="hidden" name="action" value='<?php echo $form_action . $form_extra ?>' />
<?php
$email = attribute_escape( $comment->comment_author_email );
$url = attribute_escape( $comment->comment_author_url );
$email = attr( $comment->comment_author_email );
$url = attr( $comment->comment_author_url );
// add_meta_box('submitdiv', __('Save'), 'comment_submit_meta_box', 'comment', 'side', 'core');
?>
@ -90,7 +90,7 @@ $date = date_i18n( $datef, strtotime( $comment->comment_date ) );
<tbody>
<tr valign="top">
<td class="first"><?php _e( 'Name:' ); ?></td>
<td><input type="text" name="newcomment_author" size="30" value="<?php echo attribute_escape( $comment->comment_author ); ?>" tabindex="1" id="name" /></td>
<td><input type="text" name="newcomment_author" size="30" value="<?php echo attr( $comment->comment_author ); ?>" tabindex="1" id="name" /></td>
</tr>
<tr valign="top">
<td class="first">


@ -67,7 +67,7 @@ _fill_empty_link_category($category);
</tr>
<tr class="form-field">
<th scope="row" valign="top"><label for="slug"><?php _e('Link Category slug') ?></label></th>
<td><input name="slug" id="slug" type="text" value="<?php echo attribute_escape(apply_filters('editable_slug', $category->slug)); ?>" size="40" /><br />
<td><input name="slug" id="slug" type="text" value="<?php echo attr(apply_filters('editable_slug', $category->slug)); ?>" size="40" /><br />
<?php _e('The &#8220;slug&#8221; is the URL-friendly version of the name. It is usually all lowercase and contains only letters, numbers, and hyphens.'); ?></td>
</tr>
<tr class="form-field">


@ -404,7 +404,7 @@ do_meta_boxes('link', 'advanced', $link);
if ( $link_id ) : ?>
<input type="hidden" name="action" value="save" />
<input type="hidden" name="link_id" value="<?php echo (int) $link_id; ?>" />
<input type="hidden" name="order_by" value="<?php echo attribute_escape($order_by); ?>" />
<input type="hidden" name="order_by" value="<?php echo attr($order_by); ?>" />
<input type="hidden" name="cat_id" value="<?php echo (int) $cat_id ?>" />
<?php else: ?>
<input type="hidden" name="action" value="add" />


@ -18,7 +18,7 @@ if ( ! isset( $temp_ID ) )
if ( isset($_GET['message']) )
$_GET['message'] = absint( $_GET['message'] );
$messages[1] = sprintf( __( 'Page updated. Continue editing below or <a href="%s">go back</a>.' ), attribute_escape( stripslashes( ( isset( $_GET['_wp_original_http_referer'] ) ? $_GET['_wp_original_http_referer'] : '') ) ) );
$messages[1] = sprintf( __( 'Page updated. Continue editing below or <a href="%s">go back</a>.' ), attr( stripslashes( ( isset( $_GET['_wp_original_http_referer'] ) ? $_GET['_wp_original_http_referer'] : '') ) ) );
$messages[2] = __('Custom field updated.');
$messages[3] = __('Custom field deleted.');
$messages[4] = sprintf(__('Page updated. <a href="%s">View page</a>'), get_permalink($post_ID));
@ -73,9 +73,9 @@ function page_submit_meta_box($post) {
<div id="minor-publishing-actions">
<div id="save-action">
<?php if ( 'publish' != $post->post_status && 'future' != $post->post_status && 'pending' != $post->post_status ) { ?>
<input <?php if ( 'private' == $post->post_status ) { ?>style="display:none"<?php } ?> type="submit" name="save" id="save-post" value="<?php echo attribute_escape( __('Save Draft') ); ?>" tabindex="4" class="button button-highlighted" />
<input <?php if ( 'private' == $post->post_status ) { ?>style="display:none"<?php } ?> type="submit" name="save" id="save-post" value="<?php echo attr( __('Save Draft') ); ?>" tabindex="4" class="button button-highlighted" />
<?php } elseif ( 'pending' == $post->post_status && $can_publish ) { ?>
<input type="submit" name="save" id="save-post" value="<?php echo attribute_escape( __('Save as Pending') ); ?>" tabindex="4" class="button button-highlighted" />
<input type="submit" name="save" id="save-post" value="<?php echo attr( __('Save as Pending') ); ?>" tabindex="4" class="button button-highlighted" />
<?php } ?>
</div>
@ -162,13 +162,13 @@ if ( 'private' == $post->post_status ) {
?><?php echo wp_specialchars( $visibility_trans ); ?></span></b> <?php if ( $can_publish ) { ?> <a href="#visibility" class="edit-visibility hide-if-no-js"><?php _e('Edit'); ?></a>
<div id="post-visibility-select" class="hide-if-js">
<input type="hidden" name="hidden_post_password" id="hidden-post-password" value="<?php echo attribute_escape($post->post_password); ?>" />
<input type="hidden" name="hidden_post_visibility" id="hidden-post-visibility" value="<?php echo attribute_escape( $visibility ); ?>" />
<input type="hidden" name="hidden_post_password" id="hidden-post-password" value="<?php echo attr($post->post_password); ?>" />
<input type="hidden" name="hidden_post_visibility" id="hidden-post-visibility" value="<?php echo attr( $visibility ); ?>" />
<input type="radio" name="visibility" id="visibility-radio-public" value="public" <?php checked( $visibility, 'public' ); ?> /> <label for="visibility-radio-public" class="selectit"><?php _e('Public'); ?></label><br />
<input type="radio" name="visibility" id="visibility-radio-password" value="password" <?php checked( $visibility, 'password' ); ?> /> <label for="visibility-radio-password" class="selectit"><?php _e('Password protected'); ?></label><br />
<span id="password-span"><label for="post_password"><?php _e('Password:'); ?></label> <input type="text" name="post_password" id="post_password" value="<?php echo attribute_escape($post->post_password); ?>" /><br /></span>
<span id="password-span"><label for="post_password"><?php _e('Password:'); ?></label> <input type="text" name="post_password" id="post_password" value="<?php echo attr($post->post_password); ?>" /><br /></span>
<input type="radio" name="visibility" id="visibility-radio-private" value="private" <?php checked( $visibility, 'private' ); ?> /> <label for="visibility-radio-private" class="selectit"><?php _e('Private'); ?></label><br />
<p>
@ -349,7 +349,7 @@ add_meta_box('pagecommentstatusdiv', __('Discussion'), 'page_comments_status_met
*/
function page_slug_meta_box($post){
?>
<label class="hidden" for="post_name"><?php _e('Page Slug') ?></label><input name="post_name" type="text" size="13" id="post_name" value="<?php echo attribute_escape( $post->post_name ); ?>" />
<label class="hidden" for="post_name"><?php _e('Page Slug') ?></label><input name="post_name" type="text" size="13" id="post_name" value="<?php echo attr( $post->post_name ); ?>" />
<?php
}
add_meta_box('pageslugdiv', __('Page Slug'), 'page_slug_meta_box', 'page', 'normal', 'core');
@ -419,7 +419,7 @@ if (isset($mode) && 'bookmarklet' == $mode)
<input type="hidden" id="user-id" name="user_ID" value="<?php echo $user_ID ?>" />
<input type="hidden" id="hiddenaction" name="action" value='<?php echo $form_action ?>' />
<input type="hidden" id="originalaction" name="originalaction" value="<?php echo $form_action ?>" />
<input type="hidden" id="post_author" name="post_author" value="<?php echo attribute_escape( $post->post_author ); ?>" />
<input type="hidden" id="post_author" name="post_author" value="<?php echo attr( $post->post_author ); ?>" />
<?php echo $form_extra ?>
<input type="hidden" id="post_type" name="post_type" value="<?php echo $post->post_type ?>" />
<input type="hidden" id="original_post_status" name="original_post_status" value="<?php echo $post->post_status ?>" />
@ -442,7 +442,7 @@ $side_meta_boxes = do_meta_boxes('page', 'side', $post);
<div id="post-body-content">
<div id="titlediv">
<div id="titlewrap">
<input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape( htmlspecialchars( $post->post_title ) ); ?>" id="title" autocomplete="off" />
<input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attr( htmlspecialchars( $post->post_title ) ); ?>" id="title" autocomplete="off" />
</div>
<div class="inside">
<?php $sample_permalink_html = get_sample_permalink_html($post->ID); ?>


@ -175,7 +175,7 @@ endif;
</p>
<?php if ( isset($_GET['post_status'] ) ) : ?>
<input type="hidden" name="post_status" value="<?php echo attribute_escape($_GET['post_status']) ?>" />
<input type="hidden" name="post_status" value="<?php echo attr($_GET['post_status']) ?>" />
<?php endif; ?>
<?php if ($posts) { ?>


@ -21,17 +21,17 @@ do_action('edit_tag_form_pre', $tag); ?>
<form name="edittag" id="edittag" method="post" action="edit-tags.php" class="validate">
<input type="hidden" name="action" value="editedtag" />
<input type="hidden" name="tag_ID" value="<?php echo $tag->term_id ?>" />
<input type="hidden" name="taxonomy" value="<?php echo attribute_escape($taxonomy) ?>" />
<input type="hidden" name="taxonomy" value="<?php echo attr($taxonomy) ?>" />
<?php wp_original_referer_field(true, 'previous'); wp_nonce_field('update-tag_' . $tag_ID); ?>
<table class="form-table">
<tr class="form-field form-required">
<th scope="row" valign="top"><label for="name"><?php _e('Tag name') ?></label></th>
<td><input name="name" id="name" type="text" value="<?php if ( isset( $tag->name ) ) echo attribute_escape($tag->name); ?>" size="40" aria-required="true" />
<td><input name="name" id="name" type="text" value="<?php if ( isset( $tag->name ) ) echo attr($tag->name); ?>" size="40" aria-required="true" />
<p><?php _e('The name is how the tag appears on your site.'); ?></p></td>
</tr>
<tr class="form-field">
<th scope="row" valign="top"><label for="slug"><?php _e('Tag slug') ?></label></th>
<td><input name="slug" id="slug" type="text" value="<?php if ( isset( $tag->slug ) ) echo attribute_escape(apply_filters('editable_slug', $tag->slug)); ?>" size="40" />
<td><input name="slug" id="slug" type="text" value="<?php if ( isset( $tag->slug ) ) echo attr(apply_filters('editable_slug', $tag->slug)); ?>" size="40" />
<p><?php _e('The &#8220;slug&#8221; is the URL-friendly version of the name. It is usually all lowercase and contains only letters, numbers, and hyphens.'); ?></p></td>
</tr>
<tr class="form-field">


@ -170,7 +170,7 @@ endif; ?>
<div id="col-right">
<div class="col-wrap">
<form id="posts-filter" action="" method="get">
<input type="hidden" name="taxonomy" value="<?php echo attribute_escape($taxonomy); ?>" />
<input type="hidden" name="taxonomy" value="<?php echo attr($taxonomy); ?>" />
<div class="tablenav">
<?php
$pagenum = isset( $_GET['pagenum'] ) ? absint( $_GET['pagenum'] ) : 0;
@ -276,7 +276,7 @@ else
<div id="ajax-response"></div>
<form name="addtag" id="addtag" method="post" action="edit-tags.php" class="add:the-list: validate">
<input type="hidden" name="action" value="addtag" />
<input type="hidden" name="taxonomy" value="<?php echo attribute_escape($taxonomy); ?>" />
<input type="hidden" name="taxonomy" value="<?php echo attr($taxonomy); ?>" />
<?php wp_original_referer_field(true, 'previous'); wp_nonce_field('add-tag'); ?>
<div class="form-field form-required">


@ -92,7 +92,7 @@ if ( !isset( $_GET['paged'] ) )
if ( empty($_GET['mode']) )
$mode = 'list';
else
$mode = attribute_escape($_GET['mode']); ?>
$mode = attr($_GET['mode']); ?>
<div class="wrap">
<?php screen_icon(); ?>
@ -170,7 +170,7 @@ endif;
</p>
<?php if ( isset($_GET['post_status'] ) ) : ?>
<input type="hidden" name="post_status" value="<?php echo attribute_escape($_GET['post_status']) ?>" />
<input type="hidden" name="post_status" value="<?php echo attr($_GET['post_status']) ?>" />
<?php endif; ?>
<input type="hidden" name="mode" value="<?php echo $mode; ?>" />


@ -215,7 +215,7 @@ class Dotclear_Import {
echo '<form action="admin.php?import=dotclear&amp;step=1" method="post">';
wp_nonce_field('import-dotclear');
$this->db_form();
echo '<p class="submit"><input type="submit" name="submit" class="button" value="'.attribute_escape(__('Import Categories')).'" /></p>';
echo '<p class="submit"><input type="submit" name="submit" class="button" value="'.attr(__('Import Categories')).'" /></p>';
echo '</form></div>';
}
@ -632,7 +632,7 @@ class Dotclear_Import {
echo '<form action="admin.php?import=dotclear&amp;step=2" method="post">';
wp_nonce_field('import-dotclear');
printf('<p class="submit"><input type="submit" name="submit" class="button" value="%s" /></p>', attribute_escape(__('Import Users')));
printf('<p class="submit"><input type="submit" name="submit" class="button" value="%s" /></p>', attr(__('Import Users')));
echo '</form>';
}
@ -645,7 +645,7 @@ class Dotclear_Import {
echo '<form action="admin.php?import=dotclear&amp;step=3" method="post">';
wp_nonce_field('import-dotclear');
printf('<p class="submit"><input type="submit" name="submit" class="button" value="%s" /></p>', attribute_escape(__('Import Posts')));
printf('<p class="submit"><input type="submit" name="submit" class="button" value="%s" /></p>', attr(__('Import Posts')));
echo '</form>';
}
@ -659,7 +659,7 @@ class Dotclear_Import {
echo '<form action="admin.php?import=dotclear&amp;step=4" method="post">';
wp_nonce_field('import-dotclear');
printf('<p class="submit"><input type="submit" name="submit" class="button" value="%s" /></p>', attribute_escape(__('Import Comments')));
printf('<p class="submit"><input type="submit" name="submit" class="button" value="%s" /></p>', attr(__('Import Comments')));
echo '</form>';
}
@ -671,7 +671,7 @@ class Dotclear_Import {
echo '<form action="admin.php?import=dotclear&amp;step=5" method="post">';
wp_nonce_field('import-dotclear');
printf('<p class="submit"><input type="submit" name="submit" class="button" value="%s" /></p>', attribute_escape(__('Import Links')));
printf('<p class="submit"><input type="submit" name="submit" class="button" value="%s" /></p>', attr(__('Import Links')));
echo '</form>';
}
@ -684,7 +684,7 @@ class Dotclear_Import {
echo '<form action="admin.php?import=dotclear&amp;step=6" method="post">';
wp_nonce_field('import-dotclear');
printf('<p class="submit"><input type="submit" name="submit" class="button" value="%s" /></p>', attribute_escape(__('Finish')));
printf('<p class="submit"><input type="submit" name="submit" class="button" value="%s" /></p>', attr(__('Finish')));
echo '</form>';
}


@ -184,9 +184,9 @@ class LJ_API_Import {
<input type="hidden" name="step" value="<?php echo get_option( 'ljapi_step' ) ?>" />
<p><?php _e( 'It looks like you attempted to import your LiveJournal posts previously and got interrupted.' ) ?></p>
<p class="submit">
<input type="submit" class="button-primary" value="<?php echo attribute_escape( __( 'Continue previous import' ) ) ?>" />
<input type="submit" class="button-primary" value="<?php echo attr( __( 'Continue previous import' ) ) ?>" />
</p>
<p class="submitbox"><a href="<?php echo clean_url($_SERVER['PHP_SELF'] . '?import=livejournal&amp;step=-1&amp;_wpnonce=' . wp_create_nonce( 'lj-api-import' ) . '&amp;_wp_http_referer=' . attribute_escape( $_SERVER['REQUEST_URI'] )) ?>" class="deletion submitdelete"><?php _e( 'Cancel &amp; start a new import' ) ?></a></p>
<p class="submitbox"><a href="<?php echo clean_url($_SERVER['PHP_SELF'] . '?import=livejournal&amp;step=-1&amp;_wpnonce=' . wp_create_nonce( 'lj-api-import' ) . '&amp;_wp_http_referer=' . attr( $_SERVER['REQUEST_URI'] )) ?>" class="deletion submitdelete"><?php _e( 'Cancel &amp; start a new import' ) ?></a></p>
<p>
<?php else : ?>
<input type="hidden" name="step" value="1" />
@ -223,7 +223,7 @@ class LJ_API_Import {
<p><?php _e( "<strong>WARNING:</strong> This can take a really long time if you have a lot of entries in your LiveJournal, or a lot of comments. Ideally, you should only start this process if you can leave your computer alone while it finishes the import." ) ?></p>
<p class="submit">
<input type="submit" class="button-primary" value="<?php echo attribute_escape( __( 'Connect to LiveJournal and Import' ) ) ?>" />
<input type="submit" class="button-primary" value="<?php echo attr( __( 'Connect to LiveJournal and Import' ) ) ?>" />
</p>
<p><?php _e( '<strong>NOTE:</strong> If the import process is interrupted for <em>any</em> reason, come back to this page and it will continue from where it stopped automatically.' ) ?></p>
@ -724,7 +724,7 @@ class LJ_API_Import {
if ( empty( $this->username ) || empty( $this->password ) ) {
?>
<p><?php _e( 'Please enter your LiveJournal username <em>and</em> password so we can download your posts and comments.' ) ?></p>
<p><a href="<?php echo clean_url($_SERVER['PHP_SELF'] . '?import=livejournal&amp;step=-1&amp;_wpnonce=' . wp_create_nonce( 'lj-api-import' ) . '&amp;_wp_http_referer=' . attribute_escape( str_replace( '&step=1', '', $_SERVER['REQUEST_URI'] ) ) ) ?>"><?php _e( 'Start again' ) ?></a></p>
<p><a href="<?php echo clean_url($_SERVER['PHP_SELF'] . '?import=livejournal&amp;step=-1&amp;_wpnonce=' . wp_create_nonce( 'lj-api-import' ) . '&amp;_wp_http_referer=' . attr( str_replace( '&step=1', '', $_SERVER['REQUEST_URI'] ) ) ) ?>"><?php _e( 'Start again' ) ?></a></p>
<?php
return false;
}
@ -736,7 +736,7 @@ class LJ_API_Import {
delete_option( 'ljapi_protected_password' );
?>
<p><?php _e( 'Logging in to LiveJournal failed. Check your username and password and try again.' ) ?></p>
<p><a href="<?php echo clean_url($_SERVER['PHP_SELF'] . '?import=livejournal&amp;step=-1&amp;_wpnonce=' . wp_create_nonce( 'lj-api-import' ) . '&amp;_wp_http_referer=' . attribute_escape( str_replace( '&step=1', '', $_SERVER['REQUEST_URI'] ) ) ) ?>"><?php _e( 'Start again' ) ?></a></p>
<p><a href="<?php echo clean_url($_SERVER['PHP_SELF'] . '?import=livejournal&amp;step=-1&amp;_wpnonce=' . wp_create_nonce( 'lj-api-import' ) . '&amp;_wp_http_referer=' . attr( str_replace( '&step=1', '', $_SERVER['REQUEST_URI'] ) ) ) ?>"><?php _e( 'Start again' ) ?></a></p>
<?php
return false;
} else {
@ -816,7 +816,7 @@ class LJ_API_Import {
<form action="admin.php?import=livejournal" method="post" id="ljapi-auto-repost">
<?php wp_nonce_field( 'lj-api-import' ) ?>
<input type="hidden" name="step" id="step" value="1" />
<p><input type="submit" class="button-primary" value="<?php echo attribute_escape( __( 'Import the next batch' ) ) ?>" /> <span id="auto-message"></span></p>
<p><input type="submit" class="button-primary" value="<?php echo attr( __( 'Import the next batch' ) ) ?>" /> <span id="auto-message"></span></p>
</form>
<?php $this->auto_ajax( 'ljapi-auto-repost', 'auto-message', 0 ); ?>
<?php
@ -866,7 +866,7 @@ class LJ_API_Import {
<p><strong><?php printf( __( 'Imported comment batch %d of <strong>approximately</strong> %d' ), get_option( 'ljapi_comment_batch' ), $batch ) ?></strong></p>
<?php wp_nonce_field( 'lj-api-import' ) ?>
<input type="hidden" name="step" id="step" value="2" />
<p><input type="submit" class="button-primary" value="<?php echo attribute_escape( __( 'Import the next batch' ) ) ?>" /> <span id="auto-message"></span></p>
<p><input type="submit" class="button-primary" value="<?php echo attr( __( 'Import the next batch' ) ) ?>" /> <span id="auto-message"></span></p>
</form>
<?php $this->auto_ajax( 'ljapi-auto-repost', 'auto-message', 0 ); ?>
<?php
@ -942,7 +942,7 @@ class LJ_API_Import {
$str .= wp_nonce_field( 'lj-api-import', '_wpnonce', true, false );
$str .= wp_referer_field( false );
$str .= '<input type="hidden" name="step" id="step" value="' . $next_step . '" />';
$str .= '<p><input type="submit" class="button-primary" value="' . attribute_escape( $label ) . '" /> <span id="auto-message"></span></p>';
$str .= '<p><input type="submit" class="button-primary" value="' . attr( $label ) . '" /> <span id="auto-message"></span></p>';
$str .= '</form>';
return $str;
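Review bot: attr() is the wrong escaper for the `_wp_http_referer` value in the "Cancel &amp; start a new import" link (`attr( $_SERVER['REQUEST_URI'] )`) and in the two "Start again" links of the later hunks: the value is concatenated into a query string, where `&` and `=` inside the referer are not neutralised by HTML-attribute escaping, so a referer that itself carries parameters is split into separate parameters when the link is followed. The `str_replace( '&step=1', '', … )` wrapped around the same expression in the later hunks reads like a workaround for exactly that symptom. The position-correct escape is `urlencode( $_SERVER['REQUEST_URI'] )` before concatenation, leaving clean_url() to handle the finished href; this is pre-existing and not introduced by the rename. The enclosing methods start and end outside these hunks.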


@ -39,14 +39,14 @@ class MT_Import {
<p><?php _e('Howdy! We&#8217;re about to begin importing all of your Movable Type or Typepad entries into WordPress. To begin, either choose a file to upload and click "Upload file and import," or use FTP to upload your MT export file as <code>mt-export.txt</code> in your <code>/wp-content/</code> directory and then click "Import mt-export.txt"'); ?></p>
<?php wp_import_upload_form( add_query_arg('step', 1) ); ?>
<form method="post" action="<?php echo attribute_escape(add_query_arg('step', 1)); ?>" class="import-upload-form">
<form method="post" action="<?php echo attr(add_query_arg('step', 1)); ?>" class="import-upload-form">
<?php wp_nonce_field('import-upload'); ?>
<p>
<input type="hidden" name="upload_type" value="ftp" />
<?php _e('Or use <code>mt-export.txt</code> in your <code>/wp-content/</code> directory'); ?></p>
<p class="submit">
<input type="submit" class="button" value="<?php echo attribute_escape(__('Import mt-export.txt')); ?>" />
<input type="submit" class="button" value="<?php echo attr(__('Import mt-export.txt')); ?>" />
</p>
</form>
<p><?php _e('The importer is smart enough not to import duplicates, so you can run this multiple times without worry if&#8212;for whatever reason&#8212;it doesn\'t finish. If you get an <strong>out of memory</strong> error try splitting up the import file into pieces.'); ?> </p>


@ -70,7 +70,7 @@ class Textpattern_Import {
echo '<form action="admin.php?import=textpattern&amp;step=1" method="post">';
wp_nonce_field('import-textpattern');
$this->db_form();
echo '<p class="submit"><input type="submit" name="submit" class="button" value="'.attribute_escape(__('Import')).'" /></p>';
echo '<p class="submit"><input type="submit" name="submit" class="button" value="'.attr(__('Import')).'" /></p>';
echo '</form>';
echo '</div>';
}
@ -505,7 +505,7 @@ class Textpattern_Import {
echo '<form action="admin.php?import=textpattern&amp;step=2" method="post">';
wp_nonce_field('import-textpattern');
printf('<p class="submit"><input type="submit" name="submit" class="button" value="%s" /></p>', attribute_escape(__('Import Users')));
printf('<p class="submit"><input type="submit" name="submit" class="button" value="%s" /></p>', attr(__('Import Users')));
echo '</form>';
}
@ -518,7 +518,7 @@ class Textpattern_Import {
echo '<form action="admin.php?import=textpattern&amp;step=3" method="post">';
wp_nonce_field('import-textpattern');
printf('<p class="submit"><input type="submit" name="submit" class="button" value="%s" /></p>', attribute_escape(__('Import Posts')));
printf('<p class="submit"><input type="submit" name="submit" class="button" value="%s" /></p>', attr(__('Import Posts')));
echo '</form>';
}
@ -532,7 +532,7 @@ class Textpattern_Import {
echo '<form action="admin.php?import=textpattern&amp;step=4" method="post">';
wp_nonce_field('import-textpattern');
printf('<p class="submit"><input type="submit" name="submit" class="button" value="%s" /></p>', attribute_escape(__('Import Comments')));
printf('<p class="submit"><input type="submit" name="submit" class="button" value="%s" /></p>', attr(__('Import Comments')));
echo '</form>';
}
@ -544,7 +544,7 @@ class Textpattern_Import {
echo '<form action="admin.php?import=textpattern&amp;step=5" method="post">';
wp_nonce_field('import-textpattern');
printf('<p class="submit"><input type="submit" name="submit" class="button" value="%s" /></p>', attribute_escape(__('Import Links')));
printf('<p class="submit"><input type="submit" name="submit" class="button" value="%s" /></p>', attr(__('Import Links')));
echo '</form>';
}
@ -557,7 +557,7 @@ class Textpattern_Import {
echo '<form action="admin.php?import=textpattern&amp;step=6" method="post">';
wp_nonce_field('import-textpattern');
printf('<p class="submit"><input type="submit" name="submit" class="button" value="%s" /></p>', attribute_escape(__('Finish')));
printf('<p class="submit"><input type="submit" name="submit" class="button" value="%s" /></p>', attr(__('Finish')));
echo '</form>';
}


@ -233,7 +233,7 @@ class WP_Import {
}
echo '<p class="submit">';
echo '<input type="submit" class="button" value="'.attribute_escape( __('Submit') ).'" />'.'<br />';
echo '<input type="submit" class="button" value="'.attr( __('Submit') ).'" />'.'<br />';
echo '</p>';
echo '</form>';


@ -184,7 +184,7 @@ function check_all_tagrows() {
<ul style="list-style:none">
<?php foreach ( $this->all_tags as $tag ) { ?>
<li><label><input type="checkbox" name="tags_to_convert[]" value="<?php echo intval($tag->term_id); ?>" /> <?php echo attribute_escape($tag->name) . ' (' . $tag->count . ')'; ?></label><?php if ( in_array( intval($tag->term_id), $this->hybrids_ids ) ) echo ' <a href="#note"> * </a>'; ?></li>
<li><label><input type="checkbox" name="tags_to_convert[]" value="<?php echo intval($tag->term_id); ?>" /> <?php echo attr($tag->name) . ' (' . $tag->count . ')'; ?></label><?php if ( in_array( intval($tag->term_id), $this->hybrids_ids ) ) echo ' <a href="#note"> * </a>'; ?></li>
<?php } ?>
</ul>


@ -59,7 +59,7 @@ function get_default_link_to_edit() {
$link->link_url = '';
if ( isset( $_GET['name'] ) )
$link->link_name = attribute_escape( $_GET['name']);
$link->link_name = attr( $_GET['name']);
else
$link->link_name = '';
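Review bot: `$link->link_name = attr( $_GET['name'] );` stores an HTML-escaped string on the model object instead of escaping at output; whichever template later prints `link_name` either escapes again (yielding `&amp;amp;` for a name containing `&`) or silently depends on this storage-time escaping, which is fragile. If the consuming view escapes the attribute itself, the line can become `$link->link_name = $_GET['name'];` with escaping left to the point of output — the consumer is not visible in this hunk, so confirm how link_name is rendered before changing it. This is pre-existing behaviour, not introduced by the rename; get_default_link_to_edit() starts outside the hunk.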


@ -820,8 +820,8 @@ class Plugin_Upgrader_Skin extends WP_Upgrader_Skin {
echo '<iframe style="border:0;overflow:hidden" width="100%" height="170px" src="' . wp_nonce_url('update.php?action=activate-plugin&plugin=' . $this->plugin, 'activate-plugin_' . $this->plugin) .'"></iframe>';
}
$update_actions = array(
'activate_plugin' => '<a href="' . wp_nonce_url('plugins.php?action=activate&amp;plugin=' . $this->plugin, 'activate-plugin_' . $this->plugin) . '" title="' . attribute_escape(__('Activate this plugin')) . '" target="_parent">' . __('Activate Plugin') . '</a>',
'plugins_page' => '<a href="' . admin_url('plugins.php') . '" title="' . attribute_escape(__('Goto plugins page')) . '" target="_parent">' . __('Return to Plugins page') . '</a>'
'activate_plugin' => '<a href="' . wp_nonce_url('plugins.php?action=activate&amp;plugin=' . $this->plugin, 'activate-plugin_' . $this->plugin) . '" title="' . attr(__('Activate this plugin')) . '" target="_parent">' . __('Activate Plugin') . '</a>',
'plugins_page' => '<a href="' . admin_url('plugins.php') . '" title="' . attr(__('Goto plugins page')) . '" target="_parent">' . __('Return to Plugins page') . '</a>'
);
if ( $this->plugin_active )
unset( $update_actions['activate_plugin'] );
@ -871,13 +871,13 @@ class Plugin_Installer_Skin extends WP_Upgrader_Skin {
$plugin_file = $this->upgrader->plugin_info();
$install_actions = array(
'activate_plugin' => '<a href="' . wp_nonce_url('plugins.php?action=activate&amp;plugin=' . $plugin_file, 'activate-plugin_' . $plugin_file) . '" title="' . attribute_escape(__('Activate this plugin')) . '" target="_parent">' . __('Activate Plugin') . '</a>',
'activate_plugin' => '<a href="' . wp_nonce_url('plugins.php?action=activate&amp;plugin=' . $plugin_file, 'activate-plugin_' . $plugin_file) . '" title="' . attr(__('Activate this plugin')) . '" target="_parent">' . __('Activate Plugin') . '</a>',
);
if ( $this->type == 'web' )
$install_actions['plugins_page'] = '<a href="' . admin_url('plugin-install.php') . '" title="' . attribute_escape(__('Return to Plugin Installer')) . '" target="_parent">' . __('Return to Plugin Installer') . '</a>';
$install_actions['plugins_page'] = '<a href="' . admin_url('plugin-install.php') . '" title="' . attr(__('Return to Plugin Installer')) . '" target="_parent">' . __('Return to Plugin Installer') . '</a>';
else
$install_actions['plugins_page'] = '<a href="' . admin_url('plugins.php') . '" title="' . attribute_escape(__('Return to Plugins page')) . '" target="_parent">' . __('Return to Plugins page') . '</a>';
$install_actions['plugins_page'] = '<a href="' . admin_url('plugins.php') . '" title="' . attr(__('Return to Plugins page')) . '" target="_parent">' . __('Return to Plugins page') . '</a>';
if ( ! $this->result || is_wp_error($this->result) )
@ -936,14 +936,14 @@ class Theme_Installer_Skin extends WP_Upgrader_Skin {
$activate_link = wp_nonce_url("themes.php?action=activate&amp;template=" . urlencode($template) . "&amp;stylesheet=" . urlencode($stylesheet), 'switch-theme_' . $template);
$install_actions = array(
'preview' => '<a href="' . $preview_link . '" class="thickbox thickbox-preview" title="' . attribute_escape(sprintf(__('Preview "%s"'), $name)) . '">' . __('Preview') . '</a>',
'activate' => '<a href="' . $activate_link . '" class="activatelink" title="' . attribute_escape( sprintf( __('Activate "%s"'), $name ) ) . '">' . __('Activate') . '</a>'
'preview' => '<a href="' . $preview_link . '" class="thickbox thickbox-preview" title="' . attr(sprintf(__('Preview "%s"'), $name)) . '">' . __('Preview') . '</a>',
'activate' => '<a href="' . $activate_link . '" class="activatelink" title="' . attr( sprintf( __('Activate "%s"'), $name ) ) . '">' . __('Activate') . '</a>'
);
if ( $this->type == 'web' )
$install_actions['themes_page'] = '<a href="' . admin_url('theme-install.php') . '" title="' . attribute_escape(__('Back to Theme Installer')) . '" target="_parent">' . __('Return to Theme Installer.') . '</a>';
$install_actions['themes_page'] = '<a href="' . admin_url('theme-install.php') . '" title="' . attr(__('Back to Theme Installer')) . '" target="_parent">' . __('Return to Theme Installer.') . '</a>';
else
$install_actions['themes_page'] = '<a href="' . admin_url('themes.php') . '" title="' . attribute_escape(__('Themes page')) . '" target="_parent">' . __('Return to Themes page') . '</a>';
$install_actions['themes_page'] = '<a href="' . admin_url('themes.php') . '" title="' . attr(__('Themes page')) . '" target="_parent">' . __('Return to Themes page') . '</a>';
if ( ! $this->result || is_wp_error($this->result) )
unset( $install_actions['activate'], $install_actions['preview'] );
@ -995,9 +995,9 @@ class Theme_Upgrader_Skin extends WP_Upgrader_Skin {
$activate_link = wp_nonce_url("themes.php?action=activate&amp;template=" . urlencode($template) . "&amp;stylesheet=" . urlencode($stylesheet), 'switch-theme_' . $template);
$update_actions = array(
'preview' => '<a href="' . $preview_link . '" class="thickbox thickbox-preview" title="' . attribute_escape(sprintf(__('Preview "%s"'), $name)) . '">' . __('Preview') . '</a>',
'activate' => '<a href="' . $activate_link . '" class="activatelink" title="' . attribute_escape( sprintf( __('Activate "%s"'), $name ) ) . '">' . __('Activate') . '</a>',
'themes_page' => '<a href="' . admin_url('themes.php') . '" title="' . attribute_escape(__('Return to Themes page')) . '" target="_parent">' . __('Return to Themes page') . '</a>',
'preview' => '<a href="' . $preview_link . '" class="thickbox thickbox-preview" title="' . attr(sprintf(__('Preview "%s"'), $name)) . '">' . __('Preview') . '</a>',
'activate' => '<a href="' . $activate_link . '" class="activatelink" title="' . attr( sprintf( __('Activate "%s"'), $name ) ) . '">' . __('Activate') . '</a>',
'themes_page' => '<a href="' . admin_url('themes.php') . '" title="' . attr(__('Return to Themes page')) . '" target="_parent">' . __('Return to Themes page') . '</a>',
);
if ( ( ! $this->result || is_wp_error($this->result) ) || $stylesheet == get_stylesheet() )
unset($update_actions['preview'], $update_actions['activate']);


@ -371,7 +371,7 @@ function wp_dashboard_quick_press() {
<form name="post" action="<?php echo clean_url( admin_url( 'post.php' ) ); ?>" method="post" id="quick-press">
<h4 id="quick-post-title"><label for="title"><?php _e('Title') ?></label></h4>
<div class="input-text-wrap">
<input type="text" name="post_title" id="title" tabindex="1" autocomplete="off" value="<?php echo attribute_escape( $post->post_title ); ?>" />
<input type="text" name="post_title" id="title" tabindex="1" autocomplete="off" value="<?php echo attr( $post->post_title ); ?>" />
</div>
<?php if ( current_user_can( 'upload_files' ) ) : ?>
@ -432,7 +432,7 @@ function wp_dashboard_recent_drafts( $drafts = false ) {
foreach ( $drafts as $draft ) {
$url = get_edit_post_link( $draft->ID );
$title = _draft_or_post_title( $draft->ID );
$item = "<h4><a href='$url' title='" . sprintf( __( 'Edit "%s"' ), attribute_escape( $title ) ) . "'>$title</a> <abbr title='" . get_the_time(__('Y/m/d g:i:s A'), $draft) . "'>" . get_the_time( get_option( 'date_format' ), $draft ) . '</abbr></h4>';
$item = "<h4><a href='$url' title='" . sprintf( __( 'Edit "%s"' ), attr( $title ) ) . "'>$title</a> <abbr title='" . get_the_time(__('Y/m/d g:i:s A'), $draft) . "'>" . get_the_time( get_option( 'date_format' ), $draft ) . '</abbr></h4>';
if ( $the_content = preg_split( '#\s#', strip_tags( $draft->post_content ), 11, PREG_SPLIT_NO_EMPTY ) )
$item .= '<p>' . join( ' ', array_slice( $the_content, 0, 10 ) ) . ( 10 < count( $the_content ) ? '&hellip;' : '' ) . '</p>';
$list[] = $item;
@ -579,9 +579,9 @@ function _wp_dashboard_recent_comments_row( &$comment, $show_date = true ) {
<div id="inline-<?php echo $comment->comment_ID; ?>" class="hidden">
<textarea class="comment" rows="3" cols="10"><?php echo $comment->comment_content; ?></textarea>
<div class="author-email"><?php echo attribute_escape( $comment->comment_author_email ); ?></div>
<div class="author"><?php echo attribute_escape( $comment->comment_author ); ?></div>
<div class="author-url"><?php echo attribute_escape( $comment->comment_author_url ); ?></div>
<div class="author-email"><?php echo attr( $comment->comment_author_email ); ?></div>
<div class="author"><?php echo attr( $comment->comment_author ); ?></div>
<div class="author-url"><?php echo attr( $comment->comment_author_url ); ?></div>
<div class="comment_status"><?php echo $comment->comment_approved; ?></div>
</div>
</div>


@ -731,12 +731,12 @@ jQuery(function($){
<table class="form-table">
<tr valign="top">
<th scope="row"><label for="hostname"><?php _e('Hostname') ?></label></th>
<td><input name="hostname" type="text" id="hostname" value="<?php echo attribute_escape($hostname); if ( !empty($port) ) echo ":$port"; ?>"<?php if( defined('FTP_HOST') ) echo ' disabled="disabled"' ?> size="40" /></td>
<td><input name="hostname" type="text" id="hostname" value="<?php echo attr($hostname); if ( !empty($port) ) echo ":$port"; ?>"<?php if( defined('FTP_HOST') ) echo ' disabled="disabled"' ?> size="40" /></td>
</tr>
<tr valign="top">
<th scope="row"><label for="username"><?php _e('Username') ?></label></th>
<td><input name="username" type="text" id="username" value="<?php echo attribute_escape($username) ?>"<?php if( defined('FTP_USER') ) echo ' disabled="disabled"' ?> size="40" /></td>
<td><input name="username" type="text" id="username" value="<?php echo attr($username) ?>"<?php if( defined('FTP_USER') ) echo ' disabled="disabled"' ?> size="40" /></td>
</tr>
<tr valign="top">
@ -750,7 +750,7 @@ jQuery(function($){
<label for="public_key"><?php _e('Public Key:') ?></label ><br />
<label for="private_key"><?php _e('Private Key:') ?></label>
</div></th>
<td><br /><input name="public_key" type="text" id="public_key" value="<?php echo attribute_escape($public_key) ?>"<?php if( defined('FTP_PUBKEY') ) echo ' disabled="disabled"' ?> size="40" /><br /><input name="private_key" type="text" id="private_key" value="<?php echo attribute_escape($private_key) ?>"<?php if( defined('FTP_PRIKEY') ) echo ' disabled="disabled"' ?> size="40" />
<td><br /><input name="public_key" type="text" id="public_key" value="<?php echo attr($public_key) ?>"<?php if( defined('FTP_PUBKEY') ) echo ' disabled="disabled"' ?> size="40" /><br /><input name="private_key" type="text" id="private_key" value="<?php echo attr($private_key) ?>"<?php if( defined('FTP_PRIKEY') ) echo ' disabled="disabled"' ?> size="40" />
<div><?php _e('Enter the location on the server where the keys are located. If a passphrase is needed, enter that in the password field above.') ?></div></td>
</tr>
@ -767,10 +767,10 @@ jQuery(function($){
</table>
<?php if ( isset( $_POST['version'] ) ) : ?>
<input type="hidden" name="version" value="<?php echo attribute_escape($_POST['version']) ?>" />
<input type="hidden" name="version" value="<?php echo attr($_POST['version']) ?>" />
<?php endif; ?>
<?php if ( isset( $_POST['locale'] ) ) : ?>
<input type="hidden" name="locale" value="<?php echo attribute_escape($_POST['locale']) ?>" />
<input type="hidden" name="locale" value="<?php echo attr($_POST['locale']) ?>" />
<?php endif; ?>
<p class="submit">
<input id="upgrade" name="upgrade" type="submit" class="button" value="<?php _e('Proceed'); ?>" />


@ -26,7 +26,7 @@ function add_filter() {}
/**
* @ignore
*/
function attribute_escape() {}
function attr() {}
/**
* @ignore


@ -78,7 +78,7 @@ function the_media_upload_tabs() {
$class = " class='current'";
$href = add_query_arg(array('tab'=>$callback, 's'=>false, 'paged'=>false, 'post_mime_type'=>false, 'm'=>false));
$link = "<a href='" . clean_url($href) . "'$class>$text</a>";
echo "\t<li id='" . attribute_escape("tab-$callback") . "'>$link</li>\n";
echo "\t<li id='" . attr("tab-$callback") . "'>$link</li>\n";
}
echo "</ul>\n";
}
@ -104,7 +104,7 @@ function get_image_send_to_editor($id, $alt, $title, $align, $url='', $rel = fal
$html = get_image_tag($id, $htmlalt, $title, $align, $size);
$rel = $rel ? ' rel="attachment wp-att-'.attribute_escape($id).'"' : '';
$rel = $rel ? ' rel="attachment wp-att-'.attr($id).'"' : '';
if ( $url )
$html = '<a href="' . clean_url($url) . "\"$rel>$html</a>";
@ -424,7 +424,7 @@ function media_upload_form_handler() {
$html = $attachment['post_title'];
if ( !empty($attachment['url']) ) {
if ( strpos($attachment['url'], 'attachment_id') || false !== strpos($attachment['url'], get_permalink($_POST['post_id'])) )
$rel = " rel='attachment wp-att-".attribute_escape($send_id)."'";
$rel = " rel='attachment wp-att-".attr($send_id)."'";
$html = "<a href='{$attachment['url']}'$rel>$html</a>";
}
$html = apply_filters('media_send_to_editor', $html, $send_id, $attachment);
@ -459,9 +459,9 @@ function media_upload_image() {
$src = $_POST['insertonly']['src'];
if ( !empty($src) && !strpos($src, '://') )
$src = "http://$src";
$alt = attribute_escape($_POST['insertonly']['alt']);
$alt = attr($_POST['insertonly']['alt']);
if ( isset($_POST['insertonly']['align']) ) {
$align = attribute_escape($_POST['insertonly']['align']);
$align = attr($_POST['insertonly']['align']);
$class = " class='align$align'";
}
if ( !empty($src) )
@ -553,7 +553,7 @@ function media_upload_audio() {
$href = $_POST['insertonly']['href'];
if ( !empty($href) && !strpos($href, '://') )
$href = "http://$href";
$title = attribute_escape($_POST['insertonly']['title']);
$title = attr($_POST['insertonly']['title']);
if ( empty($title) )
$title = basename($href);
if ( !empty($title) && !empty($href) )
@ -607,7 +607,7 @@ function media_upload_video() {
$href = $_POST['insertonly']['href'];
if ( !empty($href) && !strpos($href, '://') )
$href = "http://$href";
$title = attribute_escape($_POST['insertonly']['title']);
$title = attr($_POST['insertonly']['title']);
if ( empty($title) )
$title = basename($href);
if ( !empty($title) && !empty($href) )
@ -661,7 +661,7 @@ function media_upload_file() {
$href = $_POST['insertonly']['href'];
if ( !empty($href) && !strpos($href, '://') )
$href = "http://$href";
$title = attribute_escape($_POST['insertonly']['title']);
$title = attr($_POST['insertonly']['title']);
if ( empty($title) )
$title = basename($href);
if ( !empty($title) && !empty($href) )
@ -825,10 +825,10 @@ function image_link_input_fields($post, $url_type='') {
elseif ( $url_type == 'post' )
$url = $link;
return "<input type='text' class='urlfield' name='attachments[$post->ID][url]' value='" . attribute_escape($url) . "' /><br />
return "<input type='text' class='urlfield' name='attachments[$post->ID][url]' value='" . attr($url) . "' /><br />
<button type='button' class='button urlnone' title=''>" . __('None') . "</button>
<button type='button' class='button urlfile' title='" . attribute_escape($file) . "'>" . __('File URL') . "</button>
<button type='button' class='button urlpost' title='" . attribute_escape($link) . "'>" . __('Post URL') . "</button>
<button type='button' class='button urlfile' title='" . attr($file) . "'>" . __('File URL') . "</button>
<button type='button' class='button urlpost' title='" . attr($link) . "'>" . __('Post URL') . "</button>
";
}
@ -988,7 +988,7 @@ function get_attachment_fields_to_edit($post, $errors = null) {
'image_url' => array(
'label' => __('File URL'),
'input' => 'html',
'html' => "<input type='text' class='urlfield' readonly='readonly' name='attachments[$post->ID][url]' value='" . attribute_escape($image_url) . "' /><br />",
'html' => "<input type='text' class='urlfield' readonly='readonly' name='attachments[$post->ID][url]' value='" . attr($image_url) . "' /><br />",
'value' => isset($edit_post->post_url) ? $edit_post->post_url : '',
'helps' => __('Location of the uploaded file.'),
)
@ -1085,19 +1085,19 @@ function get_media_item( $attachment_id, $args = null ) {
$post = get_post($attachment_id);
$filename = basename($post->guid);
$title = attribute_escape($post->post_title);
$title = attr($post->post_title);
if ( $_tags = get_the_tags($attachment_id) ) {
foreach ( $_tags as $tag )
$tags[] = $tag->name;
$tags = attribute_escape(join(', ', $tags));
$tags = attr(join(', ', $tags));
}
$type = '';
if ( isset($post_mime_types) ) {
$keys = array_keys(wp_match_mime_types(array_keys($post_mime_types), $post->post_mime_type));
$type = array_shift($keys);
$type = "<input type='hidden' id='type-of-$attachment_id' value='" . attribute_escape( $type ) . "' />";
$type = "<input type='hidden' id='type-of-$attachment_id' value='" . attr( $type ) . "' />";
}
$form_fields = get_attachment_fields_to_edit($post, $errors);
@ -1156,7 +1156,7 @@ function get_media_item( $attachment_id, $args = null ) {
$delete_href = wp_nonce_url("post.php?action=delete-post&amp;post=$attachment_id", 'delete-post_' . $attachment_id);
if ( $send )
$send = "<input type='submit' class='button' name='send[$attachment_id]' value='" . attribute_escape( __( 'Insert into Post' ) ) . "' />";
$send = "<input type='submit' class='button' name='send[$attachment_id]' value='" . attr( __( 'Insert into Post' ) ) . "' />";
if ( $delete )
$delete = "<a href=\"#\" class=\"del-link\" onclick=\"document.getElementById('del_attachment_$attachment_id').style.display='block';return false;\">" . __('Delete') . "</a>";
if ( ( $send || $delete ) && !isset($form_fields['buttons']) )
@ -1194,7 +1194,7 @@ function get_media_item( $attachment_id, $args = null ) {
elseif ( $field['input'] == 'textarea' ) {
$item .= "<textarea type='text' id='$name' name='$name'" . $aria_required . ">" . wp_specialchars( $field['value'] ) . "</textarea>";
} else {
$item .= "<input type='text' id='$name' name='$name' value='" . attribute_escape( $field['value'] ) . "'" . $aria_required . "/>";
$item .= "<input type='text' id='$name' name='$name' value='" . attr( $field['value'] ) . "'" . $aria_required . "/>";
}
if ( !empty($field['helps']) )
$item .= "<p class='help'>" . join( "</p>\n<p class='help'>", array_unique((array) $field['helps']) ) . '</p>';
@ -1222,7 +1222,7 @@ function get_media_item( $attachment_id, $args = null ) {
$item .= "\t</table>\n";
foreach ( $hidden_fields as $name => $value )
$item .= "\t<input type='hidden' name='$name' id='$name' value='" . attribute_escape( $value ) . "' />\n";
$item .= "\t<input type='hidden' name='$name' id='$name' value='" . attr( $value ) . "' />\n";
if ( $post->post_parent < 1 && isset($_REQUEST['post_id']) ) {
$parent = (int) $_REQUEST['post_id'];
@ -1303,7 +1303,7 @@ SWFUpload.onload = function() {
button_width: "132",
button_image_url: '<?php echo includes_url('images/upload.png'); ?>',
button_placeholder_id: "flash-browse-button",
upload_url : "<?php echo attribute_escape( $flash_action_url ); ?>",
upload_url : "<?php echo attr( $flash_action_url ); ?>",
flash_url : "<?php echo includes_url('js/swfupload/swfupload.swf'); ?>",
file_post_name: "async-upload",
file_types: "<?php echo apply_filters('upload_file_glob', '*.*'); ?>",
@ -1350,7 +1350,7 @@ SWFUpload.onload = function() {
<div id="html-upload-ui">
<?php do_action('pre-html-upload-ui'); ?>
<p id="async-upload-wrap">
<input type="file" name="async-upload" id="async-upload" /> <input type="submit" class="button" name="html-upload" value="<?php echo attribute_escape(__('Upload')); ?>" /> <a href="#" onclick="return top.tb_remove();"><?php _e('Cancel'); ?></a>
<input type="file" name="async-upload" id="async-upload" /> <input type="submit" class="button" name="html-upload" value="<?php echo attr(__('Upload')); ?>" /> <a href="#" onclick="return top.tb_remove();"><?php _e('Cancel'); ?></a>
</p>
<div class="clear"></div>
<?php if ( is_lighttpd_before_150() ): ?>
@ -1380,7 +1380,7 @@ function media_upload_type_form($type = 'file', $errors = null, $id = null) {
$form_action_url = apply_filters('media_upload_form_url', $form_action_url, $type);
?>
<form enctype="multipart/form-data" method="post" action="<?php echo attribute_escape($form_action_url); ?>" class="media-upload-form type-form validate" id="<?php echo $type; ?>-form">
<form enctype="multipart/form-data" method="post" action="<?php echo attr($form_action_url); ?>" class="media-upload-form type-form validate" id="<?php echo $type; ?>-form">
<input type="hidden" name="post_id" id="post_id" value="<?php echo (int) $post_id; ?>" />
<?php wp_nonce_field('media-form'); ?>
@ -1412,7 +1412,7 @@ if ( $id ) {
}
?>
</div>
<input type="submit" class="button savebutton" name="save" value="<?php echo attribute_escape( __( 'Save all changes' ) ); ?>" />
<input type="submit" class="button savebutton" name="save" value="<?php echo attr( __( 'Save all changes' ) ); ?>" />
<?php
}
@ -1436,7 +1436,7 @@ function media_upload_type_url_form($type = 'file', $errors = null, $id = null)
$callback = "type_url_form_$type";
?>
<form enctype="multipart/form-data" method="post" action="<?php echo attribute_escape($form_action_url); ?>" class="media-upload-form type-form validate" id="<?php echo $type; ?>-form">
<form enctype="multipart/form-data" method="post" action="<?php echo attr($form_action_url); ?>" class="media-upload-form type-form validate" id="<?php echo $type; ?>-form">
<input type="hidden" name="post_id" id="post_id" value="<?php echo (int) $post_id; ?>" />
<?php wp_nonce_field('media-form'); ?>
@ -1570,7 +1570,7 @@ jQuery(function($){
<a href="#" id="desc"><?php _e('Descending'); ?></a> |
<a href="#" id="clear"><?php _e('Clear'); ?></a>
</div>
<form enctype="multipart/form-data" method="post" action="<?php echo attribute_escape($form_action_url); ?>" class="media-upload-form validate" id="gallery-form">
<form enctype="multipart/form-data" method="post" action="<?php echo attr($form_action_url); ?>" class="media-upload-form validate" id="gallery-form">
<?php wp_nonce_field('media-form'); ?>
<?php //media_upload_form( $errors ); ?>
<table class="widefat" cellspacing="0">
@ -1585,10 +1585,10 @@ jQuery(function($){
</div>
<p class="ml-submit">
<input type="submit" class="button savebutton" style="display:none;" name="save" id="save-all" value="<?php echo attribute_escape( __( 'Save all changes' ) ); ?>" />
<input type="submit" class="button savebutton" style="display:none;" name="save" id="save-all" value="<?php echo attr( __( 'Save all changes' ) ); ?>" />
<input type="hidden" name="post_id" id="post_id" value="<?php echo (int) $post_id; ?>" />
<input type="hidden" name="type" value="<?php echo attribute_escape( $GLOBALS['type'] ); ?>" />
<input type="hidden" name="tab" value="<?php echo attribute_escape( $GLOBALS['tab'] ); ?>" />
<input type="hidden" name="type" value="<?php echo attr( $GLOBALS['type'] ); ?>" />
<input type="hidden" name="tab" value="<?php echo attr( $GLOBALS['tab'] ); ?>" />
</p>
<div id="gallery-settings" style="display:none;">
@ -1662,8 +1662,8 @@ jQuery(function($){
</tbody></table>
<p class="ml-submit">
<input type="button" class="button" style="display:none;" onmousedown="wpgallery.update();" name="insert-gallery" id="insert-gallery" value="<?php echo attribute_escape( __( 'Insert gallery' ) ); ?>" />
<input type="button" class="button" style="display:none;" onmousedown="wpgallery.update();" name="update-gallery" id="update-gallery" value="<?php echo attribute_escape( __( 'Update gallery settings' ) ); ?>" />
<input type="button" class="button" style="display:none;" onmousedown="wpgallery.update();" name="insert-gallery" id="insert-gallery" value="<?php echo attr( __( 'Insert gallery' ) ); ?>" />
<input type="button" class="button" style="display:none;" onmousedown="wpgallery.update();" name="update-gallery" id="update-gallery" value="<?php echo attr( __( 'Update gallery settings' ) ); ?>" />
</p>
</div>
</form>
@ -1699,15 +1699,15 @@ function media_upload_library_form($errors) {
?>
<form id="filter" action="" method="get">
<input type="hidden" name="type" value="<?php echo attribute_escape( $type ); ?>" />
<input type="hidden" name="tab" value="<?php echo attribute_escape( $tab ); ?>" />
<input type="hidden" name="type" value="<?php echo attr( $type ); ?>" />
<input type="hidden" name="tab" value="<?php echo attr( $tab ); ?>" />
<input type="hidden" name="post_id" value="<?php echo (int) $post_id; ?>" />
<input type="hidden" name="post_mime_type" value="<?php echo isset( $_GET['post_mime_type'] ) ? attribute_escape( $_GET['post_mime_type'] ) : ''; ?>" />
<input type="hidden" name="post_mime_type" value="<?php echo isset( $_GET['post_mime_type'] ) ? attr( $_GET['post_mime_type'] ) : ''; ?>" />
<p id="media-search" class="search-box">
<label class="hidden" for="media-search-input"><?php _e('Search Media');?>:</label>
<input type="text" id="media-search-input" name="s" value="<?php the_search_query(); ?>" />
<input type="submit" value="<?php echo attribute_escape( __( 'Search Media' ) ); ?>" class="button" />
<input type="submit" value="<?php echo attr( __( 'Search Media' ) ); ?>" class="button" />
</p>
<ul class="subsubsub">
@ -1786,7 +1786,7 @@ foreach ($arc_result as $arc_row) {
else
$default = '';
echo "<option$default value='" . attribute_escape( $arc_row->yyear . $arc_row->mmonth ) . "'>";
echo "<option$default value='" . attr( $arc_row->yyear . $arc_row->mmonth ) . "'>";
echo wp_specialchars( $wp_locale->get_month($arc_row->mmonth) . " $arc_row->yyear" );
echo "</option>\n";
}
@ -1794,7 +1794,7 @@ foreach ($arc_result as $arc_row) {
</select>
<?php } ?>
<input type="submit" id="post-query-submit" value="<?php echo attribute_escape( __( 'Filter &#187;' ) ); ?>" class="button-secondary" />
<input type="submit" id="post-query-submit" value="<?php echo attr( __( 'Filter &#187;' ) ); ?>" class="button-secondary" />
</div>
@ -1802,7 +1802,7 @@ foreach ($arc_result as $arc_row) {
</div>
</form>
<form enctype="multipart/form-data" method="post" action="<?php echo attribute_escape($form_action_url); ?>" class="media-upload-form validate" id="library-form">
<form enctype="multipart/form-data" method="post" action="<?php echo attr($form_action_url); ?>" class="media-upload-form validate" id="library-form">
<?php wp_nonce_field('media-form'); ?>
<?php //media_upload_form( $errors ); ?>
@ -1824,7 +1824,7 @@ jQuery(function($){
<?php echo get_media_items(null, $errors); ?>
</div>
<p class="ml-submit">
<input type="submit" class="button savebutton" name="save" value="<?php echo attribute_escape( __( 'Save all changes' ) ); ?>" />
<input type="submit" class="button savebutton" name="save" value="<?php echo attr( __( 'Save all changes' ) ); ?>" />
<input type="hidden" name="post_id" id="post_id" value="<?php echo (int) $post_id; ?>" />
</p>
</form>
@ -1906,7 +1906,7 @@ function type_url_form_image() {
<tr>
<td></td>
<td>
<input type="button" class="button" id="go_button" style="color:#bbb;" onclick="addExtImage.insert()" value="' . attribute_escape(__('Insert into Post')) . '" />
<input type="button" class="button" id="go_button" style="color:#bbb;" onclick="addExtImage.insert()" value="' . attr(__('Insert into Post')) . '" />
</td>
</tr>
</tbody></table>
@ -1942,7 +1942,7 @@ function type_url_form_audio() {
<tr>
<td></td>
<td>
<input type="submit" class="button" name="insertonlybutton" value="' . attribute_escape(__('Insert into Post')) . '" />
<input type="submit" class="button" name="insertonlybutton" value="' . attr(__('Insert into Post')) . '" />
</td>
</tr>
</tbody></table>
@ -1977,7 +1977,7 @@ function type_url_form_video() {
<tr>
<td></td>
<td>
<input type="submit" class="button" name="insertonlybutton" value="' . attribute_escape(__('Insert into Post')) . '" />
<input type="submit" class="button" name="insertonlybutton" value="' . attr(__('Insert into Post')) . '" />
</td>
</tr>
</tbody></table>
@ -2012,7 +2012,7 @@ function type_url_form_file() {
<tr>
<td></td>
<td>
<input type="submit" class="button" name="insertonlybutton" value="' . attribute_escape(__('Insert into Post')) . '" />
<input type="submit" class="button" name="insertonlybutton" value="' . attr(__('Insert into Post')) . '" />
</td>
</tr>
</tbody></table>


@ -162,8 +162,8 @@ function install_search_form(){
<option value="author"<?php selected('author', $type) ?>><?php _e('Author') ?></option>
<option value="tag"<?php selected('tag', $type) ?>><?php _x('Tag', 'Plugin Installer') ?></option>
</select>
<input type="text" name="s" value="<?php echo attribute_escape($term) ?>" />
<input type="submit" name="search" value="<?php echo attribute_escape(__('Search')) ?>" class="button" />
<input type="text" name="s" value="<?php echo attr($term) ?>" />
<input type="submit" name="search" value="<?php echo attr(__('Search')) ?>" class="button" />
</form><?php
}
@ -334,12 +334,12 @@ function display_plugins_table($plugins, $page = 1, $totalpages = 1){
$author = wp_kses($author, $plugins_allowedtags);
if( isset($plugin['homepage']) )
$title = '<a target="_blank" href="' . attribute_escape($plugin['homepage']) . '">' . $title . '</a>';
$title = '<a target="_blank" href="' . attr($plugin['homepage']) . '">' . $title . '</a>';
$action_links = array();
$action_links[] = '<a href="' . admin_url('plugin-install.php?tab=plugin-information&amp;plugin=' . $plugin['slug'] .
'&amp;TB_iframe=true&amp;width=600&amp;height=800') . '" class="thickbox onclick" title="' .
attribute_escape($name) . '">' . __('Install') . '</a>';
attr($name) . '">' . __('Install') . '</a>';
$action_links = apply_filters('plugin_install_action_links', $action_links, $plugin);
?>
@ -348,7 +348,7 @@ function display_plugins_table($plugins, $page = 1, $totalpages = 1){
<td class="vers"><?php echo $version; ?></td>
<td class="vers">
<div class="star-holder" title="<?php printf(_n('(based on %s rating)', '(based on %s ratings)', $plugin['num_ratings']), number_format_i18n($plugin['num_ratings'])) ?>">
<div class="star star-rating" style="width: <?php echo attribute_escape($plugin['rating']) ?>px"></div>
<div class="star star-rating" style="width: <?php echo attr($plugin['rating']) ?>px"></div>
<div class="star star5"><img src="<?php echo admin_url('images/star.gif'); ?>" alt="<?php _e('5 stars') ?>" /></div>
<div class="star star4"><img src="<?php echo admin_url('images/star.gif'); ?>" alt="<?php _e('4 stars') ?>" /></div>
<div class="star star3"><img src="<?php echo admin_url('images/star.gif'); ?>" alt="<?php _e('3 stars') ?>" /></div>
@ -416,7 +416,7 @@ function install_plugin_information() {
$class = ( $section_name == $section ) ? ' class="current"' : '';
$href = add_query_arg( array('tab' => $tab, 'section' => $section_name) );
$href = clean_url($href);
$san_title = attribute_escape(sanitize_title_with_dashes($title));
$san_title = attr(sanitize_title_with_dashes($title));
echo "\t<li><a name='$san_title' target='' href='$href'$class>$title</a></li>\n";
}
echo "</ul>\n";
@ -505,7 +505,7 @@ function install_plugin_information() {
</ul>
<h2><?php _e('Average Rating') ?></h2>
<div class="star-holder" title="<?php printf(_n('(based on %s rating)', '(based on %s ratings)', $api->num_ratings), number_format_i18n($api->num_ratings)); ?>">
<div class="star star-rating" style="width: <?php echo attribute_escape($api->rating) ?>px"></div>
<div class="star star-rating" style="width: <?php echo attr($api->rating) ?>px"></div>
<div class="star star5"><img src="<?php echo admin_url('images/star.gif'); ?>" alt="<?php _e('5 stars') ?>" /></div>
<div class="star star4"><img src="<?php echo admin_url('images/star.gif'); ?>" alt="<?php _e('4 stars') ?>" /></div>
<div class="star star3"><img src="<?php echo admin_url('images/star.gif'); ?>" alt="<?php _e('3 stars') ?>" /></div>
@ -530,7 +530,7 @@ function install_plugin_information() {
$content = links_add_base_url($content, 'http://wordpress.org/extend/plugins/' . $api->slug . '/');
$content = links_add_target($content, '_blank');
$san_title = attribute_escape(sanitize_title_with_dashes($title));
$san_title = attr(sanitize_title_with_dashes($title));
$display = ( $section_name == $section ) ? 'block' : 'none';


@ -222,7 +222,7 @@ function get_terms_to_edit( $post_id, $taxonomy = 'post_tag' ) {
foreach ( $tags as $tag )
$tag_names[] = $tag->name;
$tags_to_edit = join( ',', $tag_names );
$tags_to_edit = attribute_escape( $tags_to_edit );
$tags_to_edit = attr( $tags_to_edit );
$tags_to_edit = apply_filters( 'terms_to_edit', $tags_to_edit, $taxonomy );
return $tags_to_edit;


@ -118,7 +118,7 @@ function _cat_row( $category, $level, $name_override = false ) {
$name = ( $name_override ? $name_override : $pad . ' ' . $category->name );
$edit_link = "categories.php?action=edit&amp;cat_ID=$category->term_id";
if ( current_user_can( 'manage_categories' ) ) {
$edit = "<a class='row-title' href='$edit_link' title='" . attribute_escape(sprintf(__('Edit "%s"'), $category->name)) . "'>" . attribute_escape( $name ) . '</a><br />';
$edit = "<a class='row-title' href='$edit_link' title='" . attr(sprintf(__('Edit "%s"'), $category->name)) . "'>" . attr( $name ) . '</a><br />';
$actions = array();
$actions['edit'] = '<a href="' . $edit_link . '">' . __('Edit') . '</a>';
$actions['inline hide-if-no-js'] = '<a href="#" class="editinline">' . __('Quick&nbsp;Edit') . '</a>';
@ -257,7 +257,7 @@ function inline_edit_term_row($type) {
<p class="inline-edit-save submit">
<a accesskey="c" href="#inline-edit" title="<?php _e('Cancel'); ?>" class="cancel button-secondary alignleft"><?php _e('Cancel'); ?></a>
<?php $update_text = ( $is_tag ) ? __( 'Update Tag' ) : __( 'Update Category' ); ?>
<a accesskey="s" href="#inline-edit" title="<?php echo attribute_escape( $update_text ); ?>" class="save button-primary alignright"><?php echo $update_text; ?></a>
<a accesskey="s" href="#inline-edit" title="<?php echo attr( $update_text ); ?>" class="save button-primary alignright"><?php echo $update_text; ?></a>
<img class="waiting" style="display:none;" src="images/loading.gif" alt="" />
<span class="error" style="display:none;"></span>
<?php wp_nonce_field( 'taxinlineeditnonce', '_inline_edit', false ); ?>
@ -289,7 +289,7 @@ function link_cat_row( $category, $name_override = false ) {
$name = ( $name_override ? $name_override : $category->name );
$edit_link = "link-category.php?action=edit&amp;cat_ID=$category->term_id";
if ( current_user_can( 'manage_categories' ) ) {
$edit = "<a class='row-title' href='$edit_link' title='" . attribute_escape(sprintf(__('Edit "%s"'), $category->name)) . "'>$name</a><br />";
$edit = "<a class='row-title' href='$edit_link' title='" . attr(sprintf(__('Edit "%s"'), $category->name)) . "'>$name</a><br />";
$actions = array();
$actions['edit'] = '<a href="' . $edit_link . '">' . __('Edit') . '</a>';
$actions['inline hide-if-no-js'] = '<a href="#" class="editinline">' . __('Quick&nbsp;Edit') . '</a>';
@ -649,7 +649,7 @@ function _tag_row( $tag, $class = '', $taxonomy = 'post_tag' ) {
$out .= '<th scope="row" class="check-column"> <input type="checkbox" name="delete_tags[]" value="' . $tag->term_id . '" /></th>';
break;
case 'name':
$out .= '<td ' . $attributes . '><strong><a class="row-title" href="' . $edit_link . '" title="' . attribute_escape(sprintf(__('Edit "%s"'), $name)) . '">' . $name . '</a></strong><br />';
$out .= '<td ' . $attributes . '><strong><a class="row-title" href="' . $edit_link . '" title="' . attr(sprintf(__('Edit "%s"'), $name)) . '">' . $name . '</a></strong><br />';
$actions = array();
$actions['edit'] = '<a href="' . $edit_link . '">' . __('Edit') . '</a>';
$actions['inline hide-if-no-js'] = '<a href="#" class="editinline">' . __('Quick&nbsp;Edit') . '</a>';
@ -1247,12 +1247,12 @@ function inline_edit_row( $type ) {
wp_nonce_field( 'inlineeditnonce', '_inline_edit', false );
$update_text = ( $is_page ) ? __( 'Update Page' ) : __( 'Update Post' );
?>
<a accesskey="s" href="#inline-edit" title="<?php _e('Update'); ?>" class="button-primary save alignright"><?php echo attribute_escape( $update_text ); ?></a>
<a accesskey="s" href="#inline-edit" title="<?php _e('Update'); ?>" class="button-primary save alignright"><?php echo attr( $update_text ); ?></a>
<img class="waiting" style="display:none;" src="images/loading.gif" alt="" />
<?php } else {
$update_text = ( $is_page ) ? __( 'Update Pages' ) : __( 'Update Posts' );
?>
<input accesskey="s" class="button-primary alignright" type="submit" name="bulk_edit" value="<?php echo attribute_escape( $update_text ); ?>" />
<input accesskey="s" class="button-primary alignright" type="submit" name="bulk_edit" value="<?php echo attr( $update_text ); ?>" />
<?php } ?>
<input type="hidden" name="post_view" value="<?php echo $m; ?>" />
<br class="clear" />
@ -1278,7 +1278,7 @@ function get_inline_data($post) {
if ( ! current_user_can('edit_' . $post->post_type, $post->ID) )
return;
$title = attribute_escape($post->post_title);
$title = attr($post->post_title);
echo '
<div class="hidden" id="inline_' . $post->ID . '">
@ -1427,22 +1427,22 @@ function _post_row($a_post, $pending_comments, $mode) {
case 'title':
$attributes = 'class="post-title column-title"' . $style;
?>
<td <?php echo $attributes ?>><strong><?php if ( current_user_can( 'edit_post', $post->ID ) ) { ?><a class="row-title" href="<?php echo $edit_link; ?>" title="<?php echo attribute_escape(sprintf(__('Edit "%s"'), $title)); ?>"><?php echo $title ?></a><?php } else { echo $title; }; _post_states($post); ?></strong>
<td <?php echo $attributes ?>><strong><?php if ( current_user_can( 'edit_post', $post->ID ) ) { ?><a class="row-title" href="<?php echo $edit_link; ?>" title="<?php echo attr(sprintf(__('Edit "%s"'), $title)); ?>"><?php echo $title ?></a><?php } else { echo $title; }; _post_states($post); ?></strong>
<?php
if ( 'excerpt' == $mode )
the_excerpt();
$actions = array();
if ( current_user_can('edit_post', $post->ID) ) {
$actions['edit'] = '<a href="' . get_edit_post_link($post->ID, true) . '" title="' . attribute_escape(__('Edit this post')) . '">' . __('Edit') . '</a>';
$actions['inline hide-if-no-js'] = '<a href="#" class="editinline" title="' . attribute_escape(__('Edit this post inline')) . '">' . __('Quick&nbsp;Edit') . '</a>';
$actions['delete'] = "<a class='submitdelete' title='" . attribute_escape(__('Delete this post')) . "' href='" . wp_nonce_url("post.php?action=delete&amp;post=$post->ID", 'delete-post_' . $post->ID) . "' onclick=\"if ( confirm('" . js_escape(sprintf( ('draft' == $post->post_status) ? __("You are about to delete this draft '%s'\n 'Cancel' to stop, 'OK' to delete.") : __("You are about to delete this post '%s'\n 'Cancel' to stop, 'OK' to delete."), $post->post_title )) . "') ) { return true;}return false;\">" . __('Delete') . "</a>";
$actions['edit'] = '<a href="' . get_edit_post_link($post->ID, true) . '" title="' . attr(__('Edit this post')) . '">' . __('Edit') . '</a>';
$actions['inline hide-if-no-js'] = '<a href="#" class="editinline" title="' . attr(__('Edit this post inline')) . '">' . __('Quick&nbsp;Edit') . '</a>';
$actions['delete'] = "<a class='submitdelete' title='" . attr(__('Delete this post')) . "' href='" . wp_nonce_url("post.php?action=delete&amp;post=$post->ID", 'delete-post_' . $post->ID) . "' onclick=\"if ( confirm('" . js_escape(sprintf( ('draft' == $post->post_status) ? __("You are about to delete this draft '%s'\n 'Cancel' to stop, 'OK' to delete.") : __("You are about to delete this post '%s'\n 'Cancel' to stop, 'OK' to delete."), $post->post_title )) . "') ) { return true;}return false;\">" . __('Delete') . "</a>";
}
if ( in_array($post->post_status, array('pending', 'draft')) ) {
if ( current_user_can('edit_post', $post->ID) )
$actions['view'] = '<a href="' . get_permalink($post->ID) . '" title="' . attribute_escape(sprintf(__('Preview "%s"'), $title)) . '" rel="permalink">' . __('Preview') . '</a>';
$actions['view'] = '<a href="' . get_permalink($post->ID) . '" title="' . attr(sprintf(__('Preview "%s"'), $title)) . '" rel="permalink">' . __('Preview') . '</a>';
} else {
$actions['view'] = '<a href="' . get_permalink($post->ID) . '" title="' . attribute_escape(sprintf(__('View "%s"'), $title)) . '" rel="permalink">' . __('View') . '</a>';
$actions['view'] = '<a href="' . get_permalink($post->ID) . '" title="' . attr(sprintf(__('View "%s"'), $title)) . '" rel="permalink">' . __('View') . '</a>';
}
$actions = apply_filters('post_row_actions', $actions, $post);
$action_count = count($actions);
@ -1643,19 +1643,19 @@ foreach ($posts_columns as $column_name=>$column_display_name) {
$attributes = 'class="post-title page-title column-title"' . $style;
$edit_link = get_edit_post_link( $page->ID );
?>
<td <?php echo $attributes ?>><strong><?php if ( current_user_can( 'edit_post', $page->ID ) ) { ?><a class="row-title" href="<?php echo $edit_link; ?>" title="<?php echo attribute_escape(sprintf(__('Edit "%s"'), $title)); ?>"><?php echo $pad; echo $title ?></a><?php } else { echo $pad; echo $title; }; _post_states($page); echo isset($parent_name) ? ' | ' . __('Parent Page: ') . wp_specialchars($parent_name) : ''; ?></strong>
<td <?php echo $attributes ?>><strong><?php if ( current_user_can( 'edit_post', $page->ID ) ) { ?><a class="row-title" href="<?php echo $edit_link; ?>" title="<?php echo attr(sprintf(__('Edit "%s"'), $title)); ?>"><?php echo $pad; echo $title ?></a><?php } else { echo $pad; echo $title; }; _post_states($page); echo isset($parent_name) ? ' | ' . __('Parent Page: ') . wp_specialchars($parent_name) : ''; ?></strong>
<?php
$actions = array();
if ( current_user_can('edit_page', $page->ID) ) {
$actions['edit'] = '<a href="' . $edit_link . '" title="' . attribute_escape(__('Edit this page')) . '">' . __('Edit') . '</a>';
$actions['edit'] = '<a href="' . $edit_link . '" title="' . attr(__('Edit this page')) . '">' . __('Edit') . '</a>';
$actions['inline'] = '<a href="#" class="editinline">' . __('Quick&nbsp;Edit') . '</a>';
$actions['delete'] = "<a class='submitdelete' title='" . attribute_escape(__('Delete this page')) . "' href='" . wp_nonce_url("page.php?action=delete&amp;post=$page->ID", 'delete-page_' . $page->ID) . "' onclick=\"if ( confirm('" . js_escape(sprintf( ('draft' == $page->post_status) ? __("You are about to delete this draft '%s'\n 'Cancel' to stop, 'OK' to delete.") : __("You are about to delete this page '%s'\n 'Cancel' to stop, 'OK' to delete."), $page->post_title )) . "') ) { return true;}return false;\">" . __('Delete') . "</a>";
$actions['delete'] = "<a class='submitdelete' title='" . attr(__('Delete this page')) . "' href='" . wp_nonce_url("page.php?action=delete&amp;post=$page->ID", 'delete-page_' . $page->ID) . "' onclick=\"if ( confirm('" . js_escape(sprintf( ('draft' == $page->post_status) ? __("You are about to delete this draft '%s'\n 'Cancel' to stop, 'OK' to delete.") : __("You are about to delete this page '%s'\n 'Cancel' to stop, 'OK' to delete."), $page->post_title )) . "') ) { return true;}return false;\">" . __('Delete') . "</a>";
}
if ( in_array($post->post_status, array('pending', 'draft')) ) {
if ( current_user_can('edit_page', $page->ID) )
$actions['view'] = '<a href="' . get_permalink($page->ID) . '" title="' . attribute_escape(sprintf(__('Preview "%s"'), $title)) . '" rel="permalink">' . __('Preview') . '</a>';
$actions['view'] = '<a href="' . get_permalink($page->ID) . '" title="' . attr(sprintf(__('Preview "%s"'), $title)) . '" rel="permalink">' . __('Preview') . '</a>';
} else {
$actions['view'] = '<a href="' . get_permalink($page->ID) . '" title="' . attribute_escape(sprintf(__('View "%s"'), $title)) . '" rel="permalink">' . __('View') . '</a>';
$actions['view'] = '<a href="' . get_permalink($page->ID) . '" title="' . attr(sprintf(__('View "%s"'), $title)) . '" rel="permalink">' . __('View') . '</a>';
}
$actions = apply_filters('page_row_actions', $actions, $page);
$action_count = count($actions);
@ -2114,9 +2114,9 @@ function _wp_comment_row( $comment_id, $mode, $comment_status, $checkbox = true,
comment_text(); ?>
<div id="inline-<?php echo $comment->comment_ID; ?>" class="hidden">
<textarea class="comment" rows="3" cols="10"><?php echo $comment->comment_content; ?></textarea>
<div class="author-email"><?php if ( $user_can ) echo attribute_escape( $comment->comment_author_email ); ?></div>
<div class="author"><?php if ( $user_can ) echo attribute_escape( $comment->comment_author ); ?></div>
<div class="author-url"><?php echo attribute_escape( $comment->comment_author_url ); ?></div>
<div class="author-email"><?php if ( $user_can ) echo attr( $comment->comment_author_email ); ?></div>
<div class="author"><?php if ( $user_can ) echo attr( $comment->comment_author ); ?></div>
<div class="author-url"><?php echo attr( $comment->comment_author_url ); ?></div>
<div class="comment_status"><?php echo $comment->comment_approved; ?></div>
</div>
<?php
@ -2417,7 +2417,7 @@ function _list_meta_row( $entry, &$count ) {
}
}
$entry['meta_key'] = attribute_escape($entry['meta_key']);
$entry['meta_key'] = attr($entry['meta_key']);
$entry['meta_value'] = htmlspecialchars($entry['meta_value']); // using a <textarea />
$entry['meta_id'] = (int) $entry['meta_id'];
@ -2427,8 +2427,8 @@ function _list_meta_row( $entry, &$count ) {
$r .= "\n\t\t<td class='left'><label class='hidden' for='meta[{$entry['meta_id']}][key]'>" . __( 'Key' ) . "</label><input name='meta[{$entry['meta_id']}][key]' id='meta[{$entry['meta_id']}][key]' tabindex='6' type='text' size='20' value='{$entry['meta_key']}' />";
$r .= "\n\t\t<div class='submit'><input name='deletemeta[{$entry['meta_id']}]' type='submit' ";
$r .= "class='delete:the-list:meta-{$entry['meta_id']}::_ajax_nonce=$delete_nonce deletemeta' tabindex='6' value='".attribute_escape(__( 'Delete' ))."' />";
$r .= "\n\t\t<input name='updatemeta' type='submit' tabindex='6' value='".attribute_escape(__( 'Update' ))."' class='add:the-list:meta-{$entry['meta_id']}::_ajax_nonce=$update_nonce updatemeta' /></div>";
$r .= "class='delete:the-list:meta-{$entry['meta_id']}::_ajax_nonce=$delete_nonce deletemeta' tabindex='6' value='".attr(__( 'Delete' ))."' />";
$r .= "\n\t\t<input name='updatemeta' type='submit' tabindex='6' value='".attr(__( 'Update' ))."' class='add:the-list:meta-{$entry['meta_id']}::_ajax_nonce=$update_nonce updatemeta' /></div>";
$r .= wp_nonce_field( 'change-meta', '_ajax_nonce', false, false );
$r .= "</td>";
@ -2472,7 +2472,7 @@ function meta_form() {
<?php
foreach ( $keys as $key ) {
$key = attribute_escape( $key );
$key = attr( $key );
echo "\n<option value='$key'>$key</option>";
}
?>
@ -2782,7 +2782,7 @@ function wp_import_upload_form( $action ) {
<p><strong><?php echo $upload_dir['error']; ?></strong></p></div><?php
else :
?>
<form enctype="multipart/form-data" id="import-upload-form" method="post" action="<?php echo attribute_escape($action) ?>">
<form enctype="multipart/form-data" id="import-upload-form" method="post" action="<?php echo attr($action) ?>">
<p>
<?php wp_nonce_field('import-upload'); ?>
<label for="upload"><?php _e( 'Choose a file from your computer:' ); ?></label> (<?php printf( __('Maximum size: %s' ), $size ); ?>)
@ -2805,7 +2805,7 @@ function wp_import_upload_form( $action ) {
*/
function wp_remember_old_slug() {
global $post;
$name = attribute_escape($post->post_name); // just in case
$name = attr($post->post_name); // just in case
if ( strlen($name) )
echo '<input type="hidden" id="wp-old-slug" name="wp-old-slug" value="' . $name . '" />';
}
@ -3171,15 +3171,15 @@ function find_posts_div($found_action = '') {
/**
* Display the post password.
*
* The password is passed through {@link attribute_escape()} to ensure that it
* The password is passed through {@link attr()} to ensure that it
* is safe for placing in an html attribute.
*
* @uses attribute_escape
* @uses attr
* @since 2.7.0
*/
function the_post_password() {
global $post;
if ( isset( $post->post_password ) ) echo attribute_escape( $post->post_password );
if ( isset( $post->post_password ) ) echo attr( $post->post_password );
}
/**
@ -3297,12 +3297,12 @@ function _draft_or_post_title($post_id = 0)
* A simple wrapper to display the "s" parameter in a GET URI. This function
* should only be used when {@link the_search_query()} cannot.
*
* @uses attribute_escape
* @uses attr
* @since 2.7.0
*
*/
function _admin_search_query() {
echo isset($_GET['s']) ? attribute_escape( stripslashes( $_GET['s'] ) ) : '';
echo isset($_GET['s']) ? attr( stripslashes( $_GET['s'] ) ) : '';
}
/**


@ -158,8 +158,8 @@ function install_theme_search_form() {
<option value="author" <?php selected('author', $type) ?>><?php _e('Author'); ?></option>
<option value="tag" <?php selected('tag', $type) ?>><?php _e('Tag'); ?></option>
</select>
<input type="text" name="s" size="30" value="<?php echo attribute_escape($term) ?>" />
<input type="submit" name="search" value="<?php echo attribute_escape(__('Search')); ?>" class="button" />
<input type="text" name="s" size="30" value="<?php echo attr($term) ?>" />
<input type="submit" name="search" value="<?php echo attr(__('Search')); ?>" class="button" />
</form>
<?php
}
@ -202,7 +202,7 @@ function install_themes_dashboard() {
if ( isset($trans[$feature]) )
$feature_name = $trans[$feature];
$feature_name = wp_specialchars( $feature_name );
$feature = attribute_escape($feature);
$feature = attr($feature);
?>
<li>
@ -218,7 +218,7 @@ function install_themes_dashboard() {
</div>
<br class="clear" />
<input type="submit" name="search" value="<?php echo attribute_escape(__('Find Themes')); ?>" class="button" />
<input type="submit" name="search" value="<?php echo attr(__('Find Themes')); ?>" class="button" />
</form>
<?php
}
@ -301,8 +301,8 @@ function display_theme($theme, $actions = null, $show_details = true) {
if ( !is_array($actions) ) {
$actions = array();
$actions[] = '<a href="' . admin_url('theme-install.php?tab=theme-information&amp;theme=' . $theme->slug .
'&amp;TB_iframe=true&amp;tbWidth=500&amp;tbHeight=350') . '" class="thickbox thickbox-preview onclick" title="' . attribute_escape(sprintf(__('Install "%s"'), $name)) . '">' . __('Install') . '</a>';
$actions[] = '<a href="' . $preview_link . '" class="thickbox thickbox-preview onclick previewlink" title="' . attribute_escape(sprintf(__('Preview "%s"'), $name)) . '">' . __('Preview') . '</a>';
'&amp;TB_iframe=true&amp;tbWidth=500&amp;tbHeight=350') . '" class="thickbox thickbox-preview onclick" title="' . attr(sprintf(__('Install "%s"'), $name)) . '">' . __('Install') . '</a>';
$actions[] = '<a href="' . $preview_link . '" class="thickbox thickbox-preview onclick previewlink" title="' . attr(sprintf(__('Preview "%s"'), $name)) . '">' . __('Preview') . '</a>';
$actions = apply_filters('theme_install_action_links', $actions, $theme);
}
@ -310,7 +310,7 @@ function display_theme($theme, $actions = null, $show_details = true) {
?>
<a class='thickbox thickbox-preview screenshot'
href='<? echo clean_url($preview_link); ?>'
title='<?php echo attribute_escape(sprintf(__('Preview "%s"'), $name)); ?>'>
title='<?php echo attr(sprintf(__('Preview "%s"'), $name)); ?>'>
<img src='<?php echo clean_url($theme->screenshot_url); ?>' width='150' />
</a>
<h3><?php echo $name ?></h3>
@ -331,7 +331,7 @@ function display_theme($theme, $actions = null, $show_details = true) {
<p><strong><?php _e('Downloaded:') ?></strong> <?php printf(_n('%s time', '%s times', $theme->downloaded), number_format_i18n($theme->downloaded)) ?></p>
<?php endif; ?>
<div class="star-holder" title="<?php printf(_n('(based on %s rating)', '(based on %s ratings)', $theme->num_ratings), number_format_i18n($theme->num_ratings)) ?>">
<div class="star star-rating" style="width: <?php echo attribute_escape($theme->rating) ?>px"></div>
<div class="star star-rating" style="width: <?php echo attr($theme->rating) ?>px"></div>
<div class="star star5"><img src="<?php echo admin_url('images/star.gif'); ?>" alt="<?php _e('5 stars') ?>" /></div>
<div class="star star4"><img src="<?php echo admin_url('images/star.gif'); ?>" alt="<?php _e('4 stars') ?>" /></div>
<div class="star star3"><img src="<?php echo admin_url('images/star.gif'); ?>" alt="<?php _e('3 stars') ?>" /></div>


@ -366,16 +366,16 @@ function get_others_pending($user_id) {
*/
function get_user_to_edit( $user_id ) {
$user = new WP_User( $user_id );
$user->user_login = attribute_escape($user->user_login);
$user->user_email = attribute_escape($user->user_email);
$user->user_login = attr($user->user_login);
$user->user_email = attr($user->user_email);
$user->user_url = clean_url($user->user_url);
$user->first_name = attribute_escape($user->first_name);
$user->last_name = attribute_escape($user->last_name);
$user->display_name = attribute_escape($user->display_name);
$user->nickname = attribute_escape($user->nickname);
$user->aim = isset( $user->aim ) && !empty( $user->aim ) ? attribute_escape($user->aim) : '';
$user->yim = isset( $user->yim ) && !empty( $user->yim ) ? attribute_escape($user->yim) : '';
$user->jabber = isset( $user->jabber ) && !empty( $user->jabber ) ? attribute_escape($user->jabber) : '';
$user->first_name = attr($user->first_name);
$user->last_name = attr($user->last_name);
$user->display_name = attr($user->display_name);
$user->nickname = attr($user->nickname);
$user->aim = isset( $user->aim ) && !empty( $user->aim ) ? attr($user->aim) : '';
$user->yim = isset( $user->yim ) && !empty( $user->yim ) ? attr($user->yim) : '';
$user->jabber = isset( $user->jabber ) && !empty( $user->jabber ) ? attr($user->jabber) : '';
$user->description = isset( $user->description ) && !empty( $user->description ) ? wp_specialchars($user->description) : '';
return $user;


@ -165,7 +165,7 @@ if ( $links ) {
foreach ($links as $link) {
$link = sanitize_bookmark($link);
$link->link_name = attribute_escape($link->link_name);
$link->link_name = attr($link->link_name);
$link->link_category = wp_get_link_cats($link->link_id);
$short_url = str_replace('http://', '', $link->link_url);
$short_url = preg_replace('/^www\./i', '', $short_url);
@ -194,7 +194,7 @@ if ( $links ) {
break;
case 'name':
echo "<td $attributes><strong><a class='row-title' href='$edit_link' title='" . attribute_escape(sprintf(__('Edit "%s"'), $link->link_name)) . "'>$link->link_name</a></strong><br />";
echo "<td $attributes><strong><a class='row-title' href='$edit_link' title='" . attr(sprintf(__('Edit "%s"'), $link->link_name)) . "'>$link->link_name</a></strong><br />";
$actions = array();
$actions['edit'] = '<a href="' . $edit_link . '">' . __('Edit') . '</a>';
$actions['delete'] = "<a class='submitdelete' href='" . wp_nonce_url("link.php?action=delete&amp;link_id=$link->link_id", 'delete-bookmark_' . $link->link_id) . "' onclick=\"if ( confirm('" . js_escape(sprintf( __("You are about to delete this link '%s'\n 'Cancel' to stop, 'OK' to delete."), $link->link_name )) . "') ) { return true;}return false;\">" . __('Delete') . "</a>";


@ -35,7 +35,7 @@ function add_filter() {}
/**
* @ignore
*/
function attribute_escape() {}
function attr() {}
/**
* @ignore


@ -35,7 +35,7 @@ function add_filter() {}
/**
* @ignore
*/
function attribute_escape() {}
function attr() {}
/**
* @ignore


@ -78,7 +78,7 @@ if ( isset($_GET['inline']) ) {
<?php wp_nonce_field('media-form'); ?>
<div id="media-items"> </div>
<p>
<input type="submit" class="button savebutton" name="save" value="<?php echo attribute_escape( __( 'Save all changes' ) ); ?>" />
<input type="submit" class="button savebutton" name="save" value="<?php echo attr( __( 'Save all changes' ) ); ?>" />
</p>
</form>
</div>


@ -39,7 +39,7 @@ $menu[5] = array( __('Posts'), 'edit_posts', 'edit.php', '', 'open-if-no-js menu
if ( $tax->hierarchical || ! in_array('post', (array) $tax->object_type, true) )
continue;
$submenu['edit.php'][$i] = array( attribute_escape($tax->label), 'manage_categories', 'edit-tags.php?taxonomy=' . $tax->name );
$submenu['edit.php'][$i] = array( attr($tax->label), 'manage_categories', 'edit-tags.php?taxonomy=' . $tax->name );
++$i;
}


@ -54,7 +54,7 @@ include('admin-header.php');
<label for="close_comments_for_old_posts">
<input name="close_comments_for_old_posts" type="checkbox" id="close_comments_for_old_posts" value="1" <?php checked('1', get_option('close_comments_for_old_posts')); ?> />
<?php printf( __('Automatically close comments on articles older than %s days'), '</label><input name="close_comments_days_old" type="text" id="close_comments_days_old" value="' . attribute_escape(get_option('close_comments_days_old')) . '" class="small-text" />') ?>
<?php printf( __('Automatically close comments on articles older than %s days'), '</label><input name="close_comments_days_old" type="text" id="close_comments_days_old" value="' . attr(get_option('close_comments_days_old')) . '" class="small-text" />') ?>
<br />
<label for="thread_comments">
<input name="thread_comments" type="checkbox" id="thread_comments" value="1" <?php checked('1', get_option('thread_comments')); ?> />
@ -83,7 +83,7 @@ $default_comments_page .= '>' . __('last') . '</option><option value="oldest"';
if ( 'oldest' == get_option('default_comments_page') ) $default_comments_page .= ' selected="selected"';
$default_comments_page .= '>' . __('first') . '</option></select>';
printf( __('Break comments into pages with %1$s comments per page and the %2$s page displayed by default'), '</label><label for="comments_per_page"><input name="comments_per_page" type="text" id="comments_per_page" value="' . attribute_escape(get_option('comments_per_page')) . '" class="small-text" />', $default_comments_page );
printf( __('Break comments into pages with %1$s comments per page and the %2$s page displayed by default'), '</label><label for="comments_per_page"><input name="comments_per_page" type="text" id="comments_per_page" value="' . attr(get_option('comments_per_page')) . '" class="small-text" />', $default_comments_page );
?></label>
<br />


@ -210,7 +210,7 @@ if (empty($tzstring)) { // set the Etc zone if no timezone string exists
$custom = TRUE;
foreach ( $date_formats as $format ) {
echo "\t<label title='" . attribute_escape($format) . "'><input type='radio' name='date_format' value='" . attribute_escape($format) . "'";
echo "\t<label title='" . attr($format) . "'><input type='radio' name='date_format' value='" . attr($format) . "'";
if ( get_option('date_format') === $format ) { // checked() uses "==" rather than "==="
echo " checked='checked'";
$custom = FALSE;
@ -220,7 +220,7 @@ if (empty($tzstring)) { // set the Etc zone if no timezone string exists
echo ' <label><input type="radio" name="date_format" id="date_format_custom_radio" value="\c\u\s\t\o\m"';
checked( $custom );
echo '/> ' . __('Custom:') . ' </label><input type="text" name="date_format_custom" value="' . attribute_escape( get_option('date_format') ) . '" class="small-text" /> ' . date_i18n( get_option('date_format') ) . "\n";
echo '/> ' . __('Custom:') . ' </label><input type="text" name="date_format_custom" value="' . attr( get_option('date_format') ) . '" class="small-text" /> ' . date_i18n( get_option('date_format') ) . "\n";
echo "\t<p>" . __('<a href="http://codex.wordpress.org/Formatting_Date_and_Time">Documentation on date formatting</a>. Click &quot;Save Changes&quot; to update sample output.') . "</p>\n";
?>
@ -242,7 +242,7 @@ if (empty($tzstring)) { // set the Etc zone if no timezone string exists
$custom = TRUE;
foreach ( $time_formats as $format ) {
echo "\t<label title='" . attribute_escape($format) . "'><input type='radio' name='time_format' value='" . attribute_escape($format) . "'";
echo "\t<label title='" . attr($format) . "'><input type='radio' name='time_format' value='" . attr($format) . "'";
if ( get_option('time_format') === $format ) { // checked() uses "==" rather than "==="
echo " checked='checked'";
$custom = FALSE;
@ -252,7 +252,7 @@ if (empty($tzstring)) { // set the Etc zone if no timezone string exists
echo ' <label><input type="radio" name="time_format" id="time_format_custom_radio" value="\c\u\s\t\o\m"';
checked( $custom );
echo '/> ' . __('Custom:') . ' </label><input type="text" name="time_format_custom" value="' . attribute_escape( get_option('time_format') ) . '" class="small-text" /> ' . date_i18n( get_option('time_format') ) . "\n";
echo '/> ' . __('Custom:') . ' </label><input type="text" name="time_format_custom" value="' . attr( get_option('time_format') ) . '" class="small-text" /> ' . date_i18n( get_option('time_format') ) . "\n";
?>
</fieldset>
</td>


@ -27,14 +27,14 @@ include('admin-header.php');
<table class="form-table">
<tr valign="top">
<th scope="row"><label for="upload_path"><?php _e('Store uploads in this folder'); ?></label></th>
<td><input name="upload_path" type="text" id="upload_path" value="<?php echo attribute_escape(str_replace(ABSPATH, '', get_option('upload_path'))); ?>" class="regular-text code" />
<td><input name="upload_path" type="text" id="upload_path" value="<?php echo attr(str_replace(ABSPATH, '', get_option('upload_path'))); ?>" class="regular-text code" />
<span class="setting-description"><?php _e('Default is <code>wp-content/uploads</code>'); ?></span>
</td>
</tr>
<tr valign="top">
<th scope="row"><label for="upload_url_path"><?php _e('Full URL path to files'); ?></label></th>
<td><input name="upload_url_path" type="text" id="upload_url_path" value="<?php echo attribute_escape( get_option('upload_url_path')); ?>" class="regular-text code" />
<td><input name="upload_url_path" type="text" id="upload_url_path" value="<?php echo attr( get_option('upload_url_path')); ?>" class="regular-text code" />
<span class="setting-description"><?php _e('Configuring this is optional. By default, it should be blank.'); ?></span>
</td>
</tr>


@ -173,7 +173,7 @@ $structures = array(
</label>
</th>
<td>
<input name="permalink_structure" id="permalink_structure" type="text" value="<?php echo attribute_escape($permalink_structure); ?>" class="regular-text code" />
<input name="permalink_structure" id="permalink_structure" type="text" value="<?php echo attr($permalink_structure); ?>" class="regular-text code" />
</td>
</tr>
</table>
@ -188,11 +188,11 @@ $structures = array(
<table class="form-table">
<tr>
<th><label for="category_base"><?php _e('Category base'); ?></label></th>
<td><input name="category_base" id="category_base" type="text" value="<?php echo attribute_escape($category_base); ?>" class="regular-text code" /></td>
<td><input name="category_base" id="category_base" type="text" value="<?php echo attr($category_base); ?>" class="regular-text code" /></td>
</tr>
<tr>
<th><label for="tag_base"><?php _e('Tag base'); ?></label></th>
<td><input name="tag_base" id="tag_base" type="text" value="<?php echo attribute_escape($tag_base); ?>" class="regular-text code" /></td>
<td><input name="tag_base" id="tag_base" type="text" value="<?php echo attr($tag_base); ?>" class="regular-text code" /></td>
</tr>
<?php do_settings_fields('permalink', 'optional'); ?>
</table>


@ -99,7 +99,7 @@ $options = $wpdb->get_results("SELECT * FROM $wpdb->options ORDER BY option_name
foreach ( (array) $options as $option) :
$disabled = '';
$option->option_name = attribute_escape($option->option_name);
$option->option_name = attr($option->option_name);
if ( is_serialized($option->option_value) ) {
if ( is_serialized_string($option->option_value) ) {
// this is a serialized string, so we should display it
@ -122,7 +122,7 @@ foreach ( (array) $options as $option) :
<td>";
if (strpos($value, "\n") !== false) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>" . wp_specialchars($value) . "</textarea>";
else echo "<input class='regular-text $class' type='text' name='$option->option_name' id='$option->option_name' value='" . attribute_escape($value) . "'$disabled />";
else echo "<input class='regular-text $class' type='text' name='$option->option_name' id='$option->option_name' value='" . attr($value) . "'$disabled />";
echo "</td>
</tr>";


@ -116,7 +116,7 @@ default:
$docs_select = '<select name="docs-list" id="docs-list">';
$docs_select .= '<option value="">' . __( 'Function Name...' ) . '</option>';
foreach ( $functions as $function) {
$docs_select .= '<option value="' . attribute_escape( $function ) . '">' . htmlspecialchars( $function ) . '()</option>';
$docs_select .= '<option value="' . attr( $function ) . '">' . htmlspecialchars( $function ) . '()</option>';
}
$docs_select .= '</select>';
}
@ -132,7 +132,7 @@ default:
<div id="message" class="updated fade"><p><?php _e('This plugin has been deactivated because your changes resulted in a <strong>fatal error</strong>.') ?></p>
<?php
if ( wp_verify_nonce($_GET['_error_nonce'], 'plugin-activation-error_' . $file) ) { ?>
<iframe style="border:0" width="100%" height="70px" src="<?php bloginfo('wpurl'); ?>/wp-admin/plugins.php?action=error_scrape&amp;plugin=<?php echo attribute_escape($file); ?>&amp;_wpnonce=<?php echo attribute_escape($_GET['_error_nonce']); ?>"></iframe>
<iframe style="border:0" width="100%" height="70px" src="<?php bloginfo('wpurl'); ?>/wp-admin/plugins.php?action=error_scrape&amp;plugin=<?php echo attr($file); ?>&amp;_wpnonce=<?php echo attr($_GET['_error_nonce']); ?>"></iframe>
<?php } ?>
</div>
<?php endif; ?>
@ -150,8 +150,8 @@ default:
$selected = " selected='selected'";
else
$selected = '';
$plugin_name = attribute_escape($plugin_name);
$plugin_key = attribute_escape($plugin_key);
$plugin_name = attr($plugin_name);
$plugin_key = attr($plugin_key);
echo "\n\t<option value=\"$plugin_key\" $selected>$plugin_name</option>";
}
?>
@ -208,7 +208,7 @@ foreach ( $plugin_files as $plugin_file ) :
<input type="hidden" name="plugin" value="<?php echo $plugin ?>" />
</div>
<?php if ( count( $functions ) ) : ?>
<div id="documentation"><label for="docs-list"><?php _e('Documentation:') ?></label> <?php echo $docs_select ?> <input type="button" class="button" value=" <?php echo attribute_escape(__( 'Lookup' )) ?> " onclick="if ( '' != jQuery('#docs-list').val() ) { window.open( 'http://api.wordpress.org/core/handbook/1.0/?function=' + escape( jQuery( '#docs-list' ).val() ) + '&locale=<?php echo urlencode( get_locale() ) ?>&version=<?php echo urlencode( $wp_version ) ?>&redirect=true'); }" /></div>
<div id="documentation"><label for="docs-list"><?php _e('Documentation:') ?></label> <?php echo $docs_select ?> <input type="button" class="button" value=" <?php echo attr(__( 'Lookup' )) ?> " onclick="if ( '' != jQuery('#docs-list').val() ) { window.open( 'http://api.wordpress.org/core/handbook/1.0/?function=' + escape( jQuery( '#docs-list' ).val() ) + '&locale=<?php echo urlencode( get_locale() ) ?>&version=<?php echo urlencode( $wp_version ) ?>&redirect=true'); }" /></div>
<?php endif; ?>
<?php if ( is_writeable($real_file) ) : ?>
<?php if ( in_array($file, (array) get_option('active_plugins')) ) { ?>


@ -139,7 +139,7 @@ if ( !empty($action) ) {
<input type="hidden" name="action" value="delete-selected" />
<?php
foreach ( (array)$plugins as $plugin )
echo '<input type="hidden" name="checked[]" value="' . attribute_escape($plugin) . '" />';
echo '<input type="hidden" name="checked[]" value="' . attr($plugin) . '" />';
?>
<?php wp_nonce_field('bulk-manage-plugins') ?>
<input type="submit" name="submit" value="<?php _e('Yes, Delete these files') ?>" class="button" />
@ -194,7 +194,7 @@ if ( !empty($invalid) )
<div id="message" class="updated fade"><p><?php _e('Plugin could not be activated because it triggered a <strong>fatal error</strong>.') ?></p>
<?php
if ( wp_verify_nonce($_GET['_error_nonce'], 'plugin-activation-error_' . $plugin) ) { ?>
<iframe style="border:0" width="100%" height="70px" src="<?php echo admin_url('plugins.php?action=error_scrape&amp;plugin=' . attribute_escape($plugin) . '&amp;_wpnonce=' . attribute_escape($_GET['_error_nonce'])); ?>"></iframe>
<iframe style="border:0" width="100%" height="70px" src="<?php echo admin_url('plugins.php?action=error_scrape&amp;plugin=' . attr($plugin) . '&amp;_wpnonce=' . attr($_GET['_error_nonce'])); ?>"></iframe>
<?php
}
?>
@ -369,7 +369,7 @@ function print_plugins_table($plugins, $context = '') {
$class = $is_active ? 'active' : 'inactive';
echo "
<tr class='$class'>
<th scope='row' class='check-column'><input type='checkbox' name='checked[]' value='" . attribute_escape($plugin_file) . "' /></th>
<th scope='row' class='check-column'><input type='checkbox' name='checked[]' value='" . attr($plugin_file) . "' /></th>
<td class='plugin-title'><strong>{$plugin_data['Title']}</strong>";
$i = 0;
echo '<div class="row-actions">';
@ -432,8 +432,8 @@ function print_plugin_actions($context) {
<form method="post" action="<?php echo admin_url('plugins.php') ?>">
<?php wp_nonce_field('bulk-manage-plugins') ?>
<input type="hidden" name="plugin_status" value="<?php echo attribute_escape($status) ?>" />
<input type="hidden" name="paged" value="<?php echo attribute_escape($page) ?>" />
<input type="hidden" name="plugin_status" value="<?php echo attr($status) ?>" />
<input type="hidden" name="paged" value="<?php echo attr($page) ?>" />
<ul class="subsubsub">
<?php


@ -135,12 +135,12 @@ switch ($_REQUEST['ajax']) {
<h3 class="tb"><label for="this_photo_description"><?php _e('Description') ?></label></h3>
<div class="titlediv">
<div class="titlewrap">
<input id="this_photo_description" name="photo_description" class="tbtitle text" onkeypress="if(event.keyCode==13) image_selector();" value="<?php echo attribute_escape($title);?>"/>
<input id="this_photo_description" name="photo_description" class="tbtitle text" onkeypress="if(event.keyCode==13) image_selector();" value="<?php echo attr($title);?>"/>
</div>
</div>
<p class="centered"><input type="hidden" name="this_photo" value="<?php echo attribute_escape($image); ?>" id="this_photo" />
<a href="#" class="select"><img src="<?php echo clean_url($image); ?>" alt="<?php echo attribute_escape(__('Click to insert.')); ?>" title="<?php echo attribute_escape(__('Click to insert.')); ?>" /></a></p>
<p class="centered"><input type="hidden" name="this_photo" value="<?php echo attr($image); ?>" id="this_photo" />
<a href="#" class="select"><img src="<?php echo clean_url($image); ?>" alt="<?php echo attr(__('Click to insert.')); ?>" title="<?php echo attr(__('Click to insert.')); ?>" /></a></p>
<p id="options"><a href="#" class="select button"><?php _e('Insert Image'); ?></a> <a href="#" class="cancel button"><?php _e('Cancel'); ?></a></p>
@ -168,7 +168,7 @@ switch ($_REQUEST['ajax']) {
<h3 class="tb"><label for="photo_description"><?php _e('Description') ?></label></h3>
<div id="titlediv">
<div class="titlewrap">
<input id="this_photo_description" name="photo_description" class="tbtitle text" onkeypress="if(event.keyCode==13) image_selector();" value="<?php echo attribute_escape($title);?>"/>
<input id="this_photo_description" name="photo_description" class="tbtitle text" onkeypress="if(event.keyCode==13) image_selector();" value="<?php echo attr($title);?>"/>
</div>
</div>
@ -377,7 +377,7 @@ var ajaxurl = '<?php echo admin_url('admin-ajax.php'); ?>';
jQuery('#extra_fields').show();
switch(tab_name) {
case 'video' :
jQuery('#extra_fields').load('<?php echo clean_url($_SERVER['PHP_SELF']); ?>', { ajax: 'video', s: '<?php echo attribute_escape($selection); ?>'}, function() {
jQuery('#extra_fields').load('<?php echo clean_url($_SERVER['PHP_SELF']); ?>', { ajax: 'video', s: '<?php echo attr($selection); ?>'}, function() {
<?php
$content = '';
if ( preg_match("/youtube\.com\/watch/i", $url) ) {
@ -516,7 +516,7 @@ var ajaxurl = '<?php echo admin_url('admin-ajax.php'); ?>';
<div id="titlediv">
<div class="titlewrap">
<input name="title" id="title" class="text" value="<?php echo attribute_escape($title);?>"/>
<input name="title" id="title" class="text" value="<?php echo attr($title);?>"/>
</div>
</div>
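Review bot: On the new `jQuery('#extra_fields').load(...)` line, `attr($selection)` is an HTML-attribute escaper, but the value is emitted inside a single-quoted JavaScript string literal in an inline script, where entity encoding is not decoded and a backslash in `$selection` (for example a trailing `\`) would escape the closing quote and break out of the literal. The escaper for that context is the one this page already applies to the `confirm()` strings in the delete links, so the line should read `s: '<?php echo js_escape($selection); ?>'`. Where `$selection` is assigned lies outside the hunk, so whether it is request-controlled is inferred rather than seen; the enclosing script block and `switch` also continue outside the hunk.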


@ -125,7 +125,7 @@ $desc_header = ( $description != $file_show ) ? "<strong>$description</strong> (
$theme_name = $a_theme['Name'];
if ($theme_name == $theme) $selected = " selected='selected'";
else $selected = '';
$theme_name = attribute_escape($theme_name);
$theme_name = attr($theme_name);
echo "\n\t<option value=\"$theme_name\" $selected>$theme_name</option>";
}
?>


@ -188,14 +188,14 @@ foreach ( $cols as $col => $theme_name ) {
$parent_theme = $themes[$theme_name]['Parent Theme'];
$preview_link = clean_url( get_option('home') . '/');
$preview_link = htmlspecialchars( add_query_arg( array('preview' => 1, 'template' => $template, 'stylesheet' => $stylesheet, 'TB_iframe' => 'true' ), $preview_link ) );
$preview_text = attribute_escape( sprintf( __('Preview of "%s"'), $title ) );
$preview_text = attr( sprintf( __('Preview of "%s"'), $title ) );
$tags = $themes[$theme_name]['Tags'];
$thickbox_class = 'thickbox thickbox-preview';
$activate_link = wp_nonce_url("themes.php?action=activate&amp;template=".urlencode($template)."&amp;stylesheet=".urlencode($stylesheet), 'switch-theme_' . $template);
$activate_text = attribute_escape( sprintf( __('Activate "%s"'), $title ) );
$activate_text = attr( sprintf( __('Activate "%s"'), $title ) );
$actions = array();
$actions[] = '<a href="' . $activate_link . '" class="activatelink" title="' . $activate_text . '">' . __('Activate') . '</a>';
$actions[] = '<a href="' . $preview_link . '" class="thickbox thickbox-preview" title="' . attribute_escape(sprintf(__('Preview "%s"'), $theme_name)) . '">' . __('Preview') . '</a>';
$actions[] = '<a href="' . $preview_link . '" class="thickbox thickbox-preview" title="' . attr(sprintf(__('Preview "%s"'), $theme_name)) . '">' . __('Preview') . '</a>';
if ( current_user_can('update_themes') )
$actions[] = '<a class="submitdelete deletion" href="' . wp_nonce_url("themes.php?action=delete&amp;template=$stylesheet", 'delete-theme_' . $stylesheet) . '" onclick="' . "if ( confirm('" . js_escape(sprintf( __("You are about to delete this theme '%s'\n 'Cancel' to stop, 'OK' to delete."), $theme_name )) . "') ) {return true;}return false;" . '">' . __('Delete') . '</a>';
$actions = apply_filters('theme_action_links', $actions, $themes[$theme_name]);


@ -84,7 +84,7 @@ if ( ! $is_opera ) {
<p><?php _e('Use Press This to clip text, images and videos from any web page. Then edit and add more straight from Press This before you save or publish it in a post on your blog.'); ?></p>
<p><?php _e('Drag-and-drop the following link to your bookmarks bar or right click it and add it to your favorites for a posting shortcut.') ?></p>
<p class="pressthis"><a href="<?php echo htmlspecialchars( get_shortcut_link() ); ?>" title="<?php echo attribute_escape(__('Press This')) ?>"><?php _e('Press This') ?></a></p>
<p class="pressthis"><a href="<?php echo htmlspecialchars( get_shortcut_link() ); ?>" title="<?php echo attr(__('Press This')) ?>"><?php _e('Press This') ?></a></p>
</div>
<?php endif; ?>
</div>


@ -46,9 +46,9 @@ function list_core_update( $update ) {
echo '<a href="' . $update->package . '" class="button">' . $download . '</a>&nbsp;';
if ( 'en_US' != $update->locale )
if ( !isset( $update->dismissed ) || !$update->dismissed )
echo '<input id="dismiss" class="button" type="submit" value="' . attribute_escape(__('Hide this update')) . '" name="dismiss" />';
echo '<input id="dismiss" class="button" type="submit" value="' . attr(__('Hide this update')) . '" name="dismiss" />';
else
echo '<input id="undismiss" class="button" type="submit" value="' . attribute_escape(__('Bring back this update')) . '" name="undismiss" />';
echo '<input id="undismiss" class="button" type="submit" value="' . attr(__('Bring back this update')) . '" name="undismiss" />';
echo '</p>';
echo '</form>';


@ -329,10 +329,10 @@ foreach ($arc_result as $arc_row) {
<td class="media-icon"><?php
if ( $thumb = wp_get_attachment_image( $post->ID, array(80, 60), true ) ) { ?>
<a href="media.php?action=edit&amp;attachment_id=<?php echo $post->ID; ?>" title="<?php echo attribute_escape(sprintf(__('Edit "%s"'), $att_title)); ?>"><?php echo $thumb; ?></a>
<a href="media.php?action=edit&amp;attachment_id=<?php echo $post->ID; ?>" title="<?php echo attr(sprintf(__('Edit "%s"'), $att_title)); ?>"><?php echo $thumb; ?></a>
<?php } ?></td>
<td class="media column-media"><strong><a href="<?php echo get_edit_post_link( $post->ID ); ?>" title="<?php echo attribute_escape(sprintf(__('Edit "%s"'), $att_title)); ?>"><?php echo $att_title; ?></a></strong><br />
<td class="media column-media"><strong><a href="<?php echo get_edit_post_link( $post->ID ); ?>" title="<?php echo attr(sprintf(__('Edit "%s"'), $att_title)); ?>"><?php echo $att_title; ?></a></strong><br />
<?php echo strtoupper(preg_replace('/^.*?\.(\w+)$/', '$1', get_attached_file($post->ID))); ?>
<div class="row-actions">
@ -342,7 +342,7 @@ foreach ($arc_result as $arc_row) {
$actions['edit'] = '<a href="' . get_edit_post_link($post->ID, true) . '">' . __('Edit') . '</a>';
if ( current_user_can('delete_post', $post->ID) )
$actions['delete'] = "<a class='submitdelete' href='" . wp_nonce_url("post.php?action=delete&amp;post=$post->ID", 'delete-post_' . $post->ID) . "' onclick=\"if ( confirm('" . js_escape(sprintf( ('draft' == $post->post_status) ? __("You are about to delete this attachment '%s'\n 'Cancel' to stop, 'OK' to delete.") : __("You are about to delete this attachment '%s'\n 'Cancel' to stop, 'OK' to delete."), $post->post_title )) . "') ) { return true;}return false;\">" . __('Delete') . "</a>";
$actions['view'] = '<a href="' . get_permalink($post->ID) . '" title="' . attribute_escape(sprintf(__('View "%s"'), $title)) . '" rel="permalink">' . __('View') . '</a>';
$actions['view'] = '<a href="' . get_permalink($post->ID) . '" title="' . attr(sprintf(__('View "%s"'), $title)) . '" rel="permalink">' . __('View') . '</a>';
if ( current_user_can('edit_post', $post->ID) )
$actions['attach'] = '<a href="#the-list" onclick="findPosts.open(\'media[]\',\''.$post->ID.'\');return false;">'.__('Attach').'</a>';
$actions = apply_filters( 'media_row_actions', $actions, $post );


@ -28,10 +28,10 @@ if ( empty($doaction) ) {
}
if ( empty($_REQUEST) ) {
$referer = '<input type="hidden" name="wp_http_referer" value="'. attribute_escape(stripslashes($_SERVER['REQUEST_URI'])) . '" />';
$referer = '<input type="hidden" name="wp_http_referer" value="'. attr(stripslashes($_SERVER['REQUEST_URI'])) . '" />';
} elseif ( isset($_REQUEST['wp_http_referer']) ) {
$redirect = remove_query_arg(array('wp_http_referer', 'updated', 'delete_count'), stripslashes($_REQUEST['wp_http_referer']));
$referer = '<input type="hidden" name="wp_http_referer" value="' . attribute_escape($redirect) . '" />';
$referer = '<input type="hidden" name="wp_http_referer" value="' . attr($redirect) . '" />';
} else {
$redirect = 'users.php';
$referer = '';
@ -291,7 +291,7 @@ unset($role_links);
<form class="search-form" action="" method="get">
<p class="search-box">
<label class="hidden" for="user-search-input"><?php _e( 'Search Users' ); ?>:</label>
<input type="text" id="user-search-input" name="usersearch" value="<?php echo attribute_escape($wp_user_search->search_term); ?>" />
<input type="text" id="user-search-input" name="usersearch" value="<?php echo attr($wp_user_search->search_term); ?>" />
<input type="submit" value="<?php _e( 'Search Users' ); ?>" class="button" />
</p>
</form>
@ -388,7 +388,7 @@ foreach ( $wp_user_search->get_results() as $userid ) {
<?php
foreach ( array('user_login' => 'user_login', 'first_name' => 'user_firstname', 'last_name' => 'user_lastname', 'email' => 'user_email', 'url' => 'user_uri', 'role' => 'user_role') as $formpost => $var ) {
$var = 'new_' . $var;
$$var = isset($_REQUEST[$formpost]) ? attribute_escape(stripslashes($_REQUEST[$formpost])) : '';
$$var = isset($_REQUEST[$formpost]) ? attr(stripslashes($_REQUEST[$formpost])) : '';
}
unset($name);
?>


@ -356,7 +356,7 @@ $i = 0;
foreach ( $wp_registered_sidebars as $sidebar => $registered_sidebar ) {
if ( 'wp_inactive_widgets' == $sidebar )
continue; ?>
<div id="<?php echo attribute_escape( $sidebar ); ?>" class="widgets-holder-wrap">
<div id="<?php echo attr( $sidebar ); ?>" class="widgets-holder-wrap">
<h3 class="sidebar-name"><?php echo wp_specialchars( $registered_sidebar['name'] ); ?>
<span><img src="images/loading-publish.gif" class="ajax-feedback" title="" alt="" /></span></h3>
<?php wp_list_widget_controls( $sidebar, $i ); // Show the control forms for each of the widgets in this sidebar ?>


@ -352,9 +352,9 @@ class AtomServer {
if( !current_user_can( 'edit_posts' ) )
$this->auth_required( __( 'Sorry, you do not have the right to access this blog.' ) );
$entries_url = attribute_escape($this->get_entries_url());
$categories_url = attribute_escape($this->get_categories_url());
$media_url = attribute_escape($this->get_attachments_url());
$entries_url = attr($this->get_entries_url());
$categories_url = attr($this->get_categories_url());
$media_url = attr($this->get_attachments_url());
foreach ($this->media_content_types as $med) {
$accepted_media_types = $accepted_media_types . "<accept>" . $med . "</accept>";
}
@ -392,12 +392,12 @@ EOD;
if( !current_user_can( 'edit_posts' ) )
$this->auth_required( __( 'Sorry, you do not have the right to access this blog.' ) );
$home = attribute_escape(get_bloginfo_rss('home'));
$home = attr(get_bloginfo_rss('home'));
$categories = "";
$cats = get_categories("hierarchical=0&hide_empty=0");
foreach ((array) $cats as $cat) {
$categories .= " <category term=\"" . attribute_escape($cat->name) . "\" />\n";
$categories .= " <category term=\"" . attr($cat->name) . "\" />\n";
}
$output = <<<EOD
<app:categories xmlns:app="$this->ATOMPUB_NS"
@ -1332,7 +1332,7 @@ list($content_type, $content) = prep_atom_text_construct(get_the_content()); ?>
function redirect($url) {
log_app('Status','302: Redirect');
$escaped_url = attribute_escape($url);
$escaped_url = attr($url);
$content = <<<EOD
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>


@ -64,7 +64,7 @@ if ( post_password_required($commentstatus) ) { // and it doesn't match the coo
<form action="<?php echo get_option('siteurl'); ?>/wp-comments-post.php" method="post" id="commentform">
<?php if ( is_user_logged_in() ) : ?>
<p><?php printf(__('Logged in as %s.'), '<a href="'.get_option('siteurl').'/wp-admin/profile.php">'.$user_identity.'</a>'); ?> <a href="<?php echo wp_logout_url(); ?>" title="<?php echo attribute_escape(__('Log out of this account')); ?>"><?php _e('Log out &raquo;'); ?></a></p>
<p><?php printf(__('Logged in as %s.'), '<a href="'.get_option('siteurl').'/wp-admin/profile.php">'.$user_identity.'</a>'); ?> <a href="<?php echo wp_logout_url(); ?>" title="<?php echo attr(__('Log out of this account')); ?>"><?php _e('Log out &raquo;'); ?></a></p>
<?php else : ?>
<p>
<input type="text" name="author" id="author" class="textarea" value="<?php echo $comment_author; ?>" size="28" tabindex="1" />
@ -90,7 +90,7 @@ if ( post_password_required($commentstatus) ) { // and it doesn't match the coo
<p>
<input type="hidden" name="comment_post_ID" value="<?php echo $id; ?>" />
<input type="hidden" name="redirect_to" value="<?php echo attribute_escape($_SERVER["REQUEST_URI"]); ?>" />
<input type="hidden" name="redirect_to" value="<?php echo attr($_SERVER["REQUEST_URI"]); ?>" />
<input name="submit" type="submit" tabindex="5" value="<?php _e("Say It!"); ?>" />
</p>
<?php do_action('comment_form', $post->ID); ?>


@ -68,7 +68,7 @@ if ( post_password_required() ) : ?>
<p><textarea name="comment" id="comment" cols="100%" rows="10" tabindex="4"></textarea></p>
<p><input name="submit" type="submit" id="submit" tabindex="5" value="<?php echo attribute_escape(__('Submit Comment')); ?>" />
<p><input name="submit" type="submit" id="submit" tabindex="5" value="<?php echo attr(__('Submit Comment')); ?>" />
<input type="hidden" name="comment_post_ID" value="<?php echo $id; ?>" />
</p>
<?php do_action('comment_form', $post->ID); ?>


@ -89,7 +89,7 @@ if ( post_password_required($post) ) { // and it doesn't match the cookie
<p>
<input type="hidden" name="comment_post_ID" value="<?php echo $id; ?>" />
<input type="hidden" name="redirect_to" value="<?php echo attribute_escape($_SERVER["REQUEST_URI"]); ?>" />
<input type="hidden" name="redirect_to" value="<?php echo attr($_SERVER["REQUEST_URI"]); ?>" />
<input name="submit" type="submit" tabindex="5" value="Say It!" />
</p>
<?php do_action('comment_form', $post->ID); ?>


@ -166,7 +166,7 @@ function kubrick_theme_page_head() {
kUpdate(ColorPicker_targetInput.id);
}
function PopupWindow_populate(contents) {
contents += '<br /><p style="text-align:center;margin-top:0px;"><input type="button" class="button-secondary" value="<?php echo attribute_escape(__('Close Color Picker')); ?>" onclick="cp.hidePopup(\'prettyplease\')"></input></p>';
contents += '<br /><p style="text-align:center;margin-top:0px;"><input type="button" class="button-secondary" value="<?php echo attr(__('Close Color Picker')); ?>" onclick="cp.hidePopup(\'prettyplease\')"></input></p>';
this.contents = contents;
this.populated = false;
}
@ -380,43 +380,43 @@ function kubrick_theme_page() {
<div id="nonJsForm">
<form method="post" action="">
<?php wp_nonce_field('kubrick-header'); ?>
<div class="zerosize"><input type="submit" name="defaultsubmit" value="<?php echo attribute_escape(__('Save')); ?>" /></div>
<label for="njfontcolor"><?php _e('Font Color:'); ?></label><input type="text" name="njfontcolor" id="njfontcolor" value="<?php echo attribute_escape(kubrick_header_color()); ?>" /> <?php printf(__('Any CSS color (%s or %s or %s)'), '<code>red</code>', '<code>#FF0000</code>', '<code>rgb(255, 0, 0)</code>'); ?><br />
<label for="njuppercolor"><?php _e('Upper Color:'); ?></label><input type="text" name="njuppercolor" id="njuppercolor" value="#<?php echo attribute_escape(kubrick_upper_color()); ?>" /> <?php printf(__('HEX only (%s or %s)'), '<code>#FF0000</code>', '<code>#F00</code>'); ?><br />
<label for="njlowercolor"><?php _e('Lower Color:'); ?></label><input type="text" name="njlowercolor" id="njlowercolor" value="#<?php echo attribute_escape(kubrick_lower_color()); ?>" /> <?php printf(__('HEX only (%s or %s)'), '<code>#FF0000</code>', '<code>#F00</code>'); ?><br />
<input type="hidden" name="hi" id="hi" value="<?php echo attribute_escape(kubrick_header_image()); ?>" />
<input type="submit" name="toggledisplay" id="toggledisplay" value="<?php echo attribute_escape(__('Toggle Text')); ?>" />
<input type="submit" name="defaults" value="<?php echo attribute_escape(__('Use Defaults')); ?>" />
<div class="zerosize"><input type="submit" name="defaultsubmit" value="<?php echo attr(__('Save')); ?>" /></div>
<label for="njfontcolor"><?php _e('Font Color:'); ?></label><input type="text" name="njfontcolor" id="njfontcolor" value="<?php echo attr(kubrick_header_color()); ?>" /> <?php printf(__('Any CSS color (%s or %s or %s)'), '<code>red</code>', '<code>#FF0000</code>', '<code>rgb(255, 0, 0)</code>'); ?><br />
<label for="njuppercolor"><?php _e('Upper Color:'); ?></label><input type="text" name="njuppercolor" id="njuppercolor" value="#<?php echo attr(kubrick_upper_color()); ?>" /> <?php printf(__('HEX only (%s or %s)'), '<code>#FF0000</code>', '<code>#F00</code>'); ?><br />
<label for="njlowercolor"><?php _e('Lower Color:'); ?></label><input type="text" name="njlowercolor" id="njlowercolor" value="#<?php echo attr(kubrick_lower_color()); ?>" /> <?php printf(__('HEX only (%s or %s)'), '<code>#FF0000</code>', '<code>#F00</code>'); ?><br />
<input type="hidden" name="hi" id="hi" value="<?php echo attr(kubrick_header_image()); ?>" />
<input type="submit" name="toggledisplay" id="toggledisplay" value="<?php echo attr(__('Toggle Text')); ?>" />
<input type="submit" name="defaults" value="<?php echo attr(__('Use Defaults')); ?>" />
<input type="submit" class="defbutton" name="submitform" value="&nbsp;&nbsp;<?php _e('Save'); ?>&nbsp;&nbsp;" />
<input type="hidden" name="action" value="save" />
<input type="hidden" name="njform" value="true" />
</form>
</div>
<div id="jsForm">
<form style="display:inline;" method="post" name="hicolor" id="hicolor" action="<?php echo attribute_escape($_SERVER['REQUEST_URI']); ?>">
<form style="display:inline;" method="post" name="hicolor" id="hicolor" action="<?php echo attr($_SERVER['REQUEST_URI']); ?>">
<?php wp_nonce_field('kubrick-header'); ?>
<input type="button" class="button-secondary" onclick="tgt=document.getElementById('fontcolor');colorSelect(tgt,'pick1');return false;" name="pick1" id="pick1" value="<?php echo attribute_escape(__('Font Color')); ?>"></input>
<input type="button" class="button-secondary" onclick="tgt=document.getElementById('uppercolor');colorSelect(tgt,'pick2');return false;" name="pick2" id="pick2" value="<?php echo attribute_escape(__('Upper Color')); ?>"></input>
<input type="button" class="button-secondary" onclick="tgt=document.getElementById('lowercolor');colorSelect(tgt,'pick3');return false;" name="pick3" id="pick3" value="<?php echo attribute_escape(__('Lower Color')); ?>"></input>
<input type="button" class="button-secondary" name="revert" value="<?php echo attribute_escape(__('Revert')); ?>" onclick="kRevert()" />
<input type="button" class="button-secondary" value="<?php echo attribute_escape(__('Advanced')); ?>" onclick="toggleAdvanced()" />
<input type="button" class="button-secondary" onclick="tgt=document.getElementById('fontcolor');colorSelect(tgt,'pick1');return false;" name="pick1" id="pick1" value="<?php echo attr(__('Font Color')); ?>"></input>
<input type="button" class="button-secondary" onclick="tgt=document.getElementById('uppercolor');colorSelect(tgt,'pick2');return false;" name="pick2" id="pick2" value="<?php echo attr(__('Upper Color')); ?>"></input>
<input type="button" class="button-secondary" onclick="tgt=document.getElementById('lowercolor');colorSelect(tgt,'pick3');return false;" name="pick3" id="pick3" value="<?php echo attr(__('Lower Color')); ?>"></input>
<input type="button" class="button-secondary" name="revert" value="<?php echo attr(__('Revert')); ?>" onclick="kRevert()" />
<input type="button" class="button-secondary" value="<?php echo attr(__('Advanced')); ?>" onclick="toggleAdvanced()" />
<input type="hidden" name="action" value="save" />
<input type="hidden" name="fontdisplay" id="fontdisplay" value="<?php echo attribute_escape(kubrick_header_display()); ?>" />
<input type="hidden" name="fontcolor" id="fontcolor" value="<?php echo attribute_escape(kubrick_header_color()); ?>" />
<input type="hidden" name="uppercolor" id="uppercolor" value="<?php echo attribute_escape(kubrick_upper_color()); ?>" />
<input type="hidden" name="lowercolor" id="lowercolor" value="<?php echo attribute_escape(kubrick_lower_color()); ?>" />
<input type="hidden" name="headerimage" id="headerimage" value="<?php echo attribute_escape(kubrick_header_image()); ?>" />
<p class="submit"><input type="submit" name="submitform" class="button-primary" value="<?php echo attribute_escape(__('Update Header')); ?>" onclick="cp.hidePopup('prettyplease')" /></p>
<input type="hidden" name="fontdisplay" id="fontdisplay" value="<?php echo attr(kubrick_header_display()); ?>" />
<input type="hidden" name="fontcolor" id="fontcolor" value="<?php echo attr(kubrick_header_color()); ?>" />
<input type="hidden" name="uppercolor" id="uppercolor" value="<?php echo attr(kubrick_upper_color()); ?>" />
<input type="hidden" name="lowercolor" id="lowercolor" value="<?php echo attr(kubrick_lower_color()); ?>" />
<input type="hidden" name="headerimage" id="headerimage" value="<?php echo attr(kubrick_header_image()); ?>" />
<p class="submit"><input type="submit" name="submitform" class="button-primary" value="<?php echo attr(__('Update Header')); ?>" onclick="cp.hidePopup('prettyplease')" /></p>
</form>
<div id="colorPickerDiv" style="z-index: 100;background:#eee;border:1px solid #ccc;position:absolute;visibility:hidden;"> </div>
<div id="advanced">
<form id="jsAdvanced" style="display:none;" action="">
<?php wp_nonce_field('kubrick-header'); ?>
<label for="advfontcolor"><?php _e('Font Color (CSS):'); ?> </label><input type="text" id="advfontcolor" onchange="advUpdate(this.value, 'fontcolor')" value="<?php echo attribute_escape(kubrick_header_color()); ?>" /><br />
<label for="advuppercolor"><?php _e('Upper Color (HEX):');?> </label><input type="text" id="advuppercolor" onchange="advUpdate(this.value, 'uppercolor')" value="#<?php echo attribute_escape(kubrick_upper_color()); ?>" /><br />
<label for="advlowercolor"><?php _e('Lower Color (HEX):'); ?> </label><input type="text" id="advlowercolor" onchange="advUpdate(this.value, 'lowercolor')" value="#<?php echo attribute_escape(kubrick_lower_color()); ?>" /><br />
<input type="button" class="button-secondary" name="default" value="<?php echo attribute_escape(__('Select Default Colors')); ?>" onclick="kDefaults()" /><br />
<input type="button" class="button-secondary" onclick="toggleDisplay();return false;" name="pick" id="pick" value="<?php echo attribute_escape(__('Toggle Text Display')); ?>"></input><br />
<label for="advfontcolor"><?php _e('Font Color (CSS):'); ?> </label><input type="text" id="advfontcolor" onchange="advUpdate(this.value, 'fontcolor')" value="<?php echo attr(kubrick_header_color()); ?>" /><br />
<label for="advuppercolor"><?php _e('Upper Color (HEX):');?> </label><input type="text" id="advuppercolor" onchange="advUpdate(this.value, 'uppercolor')" value="#<?php echo attr(kubrick_upper_color()); ?>" /><br />
<label for="advlowercolor"><?php _e('Lower Color (HEX):'); ?> </label><input type="text" id="advlowercolor" onchange="advUpdate(this.value, 'lowercolor')" value="#<?php echo attr(kubrick_lower_color()); ?>" /><br />
<input type="button" class="button-secondary" name="default" value="<?php echo attr(__('Select Default Colors')); ?>" onclick="kDefaults()" /><br />
<input type="button" class="button-secondary" onclick="toggleDisplay();return false;" name="pick" id="pick" value="<?php echo attr(__('Toggle Text Display')); ?>"></input><br />
</form>
</div>
</div>


@ -421,7 +421,7 @@ function the_author_posts_link($deprecated = '') {
printf(
'<a href="%1$s" title="%2$s">%3$s</a>',
get_author_posts_url( $authordata->ID, $authordata->user_nicename ),
sprintf( __( 'Posts by %s' ), attribute_escape( get_the_author() ) ),
sprintf( __( 'Posts by %s' ), attr( get_the_author() ) ),
get_the_author()
);
}
@ -544,7 +544,7 @@ function wp_list_authors($args = '') {
if ( ! $hide_empty )
$link = $name;
} else {
$link = '<a href="' . get_author_posts_url($author->ID, $author->user_nicename) . '" title="' . sprintf(__("Posts by %s"), attribute_escape($author->display_name)) . '">' . $name . '</a>';
$link = '<a href="' . get_author_posts_url($author->ID, $author->user_nicename) . '" title="' . sprintf(__("Posts by %s"), attr($author->display_name)) . '">' . $name . '</a>';
if ( (! empty($feed_image)) || (! empty($feed)) ) {
$link .= ' ';


@ -72,8 +72,8 @@ function _walk_bookmarks($bookmarks, $args = '' ) {
if ( !empty($bookmark->link_url) )
$the_link = clean_url($bookmark->link_url);
$desc = attribute_escape(sanitize_bookmark_field('link_description', $bookmark->link_description, $bookmark->link_id, 'display'));
$name = attribute_escape(sanitize_bookmark_field('link_name', $bookmark->link_name, $bookmark->link_id, 'display'));
$desc = attr(sanitize_bookmark_field('link_description', $bookmark->link_description, $bookmark->link_id, 'display'));
$name = attr(sanitize_bookmark_field('link_name', $bookmark->link_name, $bookmark->link_id, 'display'));
$title = $desc;
if ( $show_updated )


@ -345,7 +345,7 @@ function sanitize_bookmark_field($field, $value, $bookmark_id, $context) {
if ( in_array($field, $format_to_edit) ) {
$value = format_to_edit($value);
} else {
$value = attribute_escape($value);
$value = attr($value);
}
} else if ( 'db' == $context ) {
$value = apply_filters("pre_$field", $value);
@ -355,7 +355,7 @@ function sanitize_bookmark_field($field, $value, $bookmark_id, $context) {
}
if ( 'attribute' == $context )
$value = attribute_escape($value);
$value = attr($value);
else if ( 'js' == $context )
$value = js_escape($value);


@ -661,7 +661,7 @@ function wp_generate_tag_cloud( $tags, $args = '' ) {
$tag_link = '#' != $tag->link ? clean_url( $tag->link ) : '#';
$tag_id = isset($tags[ $key ]->id) ? $tags[ $key ]->id : $key;
$tag_name = $tags[ $key ]->name;
$a[] = "<a href='$tag_link' class='tag-link-$tag_id' title='" . attribute_escape( $topic_count_text_callback( $count ) ) . "'$rel style='font-size: " .
$a[] = "<a href='$tag_link' class='tag-link-$tag_id' title='" . attr( $topic_count_text_callback( $count ) ) . "'$rel style='font-size: " .
( $smallest + ( ( $count - $min_count ) * $font_step ) )
. "$unit;'>$tag_name</a>";
}


@ -48,13 +48,13 @@ class WP_Styles extends WP_Dependencies {
}
if ( isset($this->registered[$handle]->args) )
$media = attribute_escape( $this->registered[$handle]->args );
$media = attr( $this->registered[$handle]->args );
else
$media = 'all';
$href = $this->_css_href( $this->registered[$handle]->src, $ver, $handle );
$rel = isset($this->registered[$handle]->extra['alt']) && $this->registered[$handle]->extra['alt'] ? 'alternate stylesheet' : 'stylesheet';
$title = isset($this->registered[$handle]->extra['title']) ? "title='" . attribute_escape( $this->registered[$handle]->extra['title'] ) . "'" : '';
$title = isset($this->registered[$handle]->extra['title']) ? "title='" . attr( $this->registered[$handle]->extra['title'] ) . "'" : '';
$end_cond = $tag = '';
if ( isset($this->registered[$handle]->extra['conditional']) && $this->registered[$handle]->extra['conditional'] ) {


@ -1187,7 +1187,7 @@ class Walker_Page extends Walker {
$css_class = implode(' ', apply_filters('page_css_class', $css_class, $page));
$output .= $indent . '<li class="' . $css_class . '"><a href="' . get_page_link($page->ID) . '" title="' . attribute_escape(apply_filters('the_title', $page->post_title)) . '">' . $link_before . apply_filters('the_title', $page->post_title) . $link_after . '</a>';
$output .= $indent . '<li class="' . $css_class . '"><a href="' . get_page_link($page->ID) . '" title="' . attr(apply_filters('the_title', $page->post_title)) . '">' . $link_before . apply_filters('the_title', $page->post_title) . $link_after . '</a>';
if ( !empty($show_date) ) {
if ( 'modified' == $show_date )
@ -1325,13 +1325,13 @@ class Walker_Category extends Walker {
function start_el(&$output, $category, $depth, $args) {
extract($args);
$cat_name = attribute_escape( $category->name);
$cat_name = attr( $category->name);
$cat_name = apply_filters( 'list_cats', $cat_name, $category );
$link = '<a href="' . get_category_link( $category->term_id ) . '" ';
if ( $use_desc_for_title == 0 || empty($category->description) )
$link .= 'title="' . sprintf(__( 'View all posts filed under %s' ), $cat_name) . '"';
else
$link .= 'title="' . attribute_escape( apply_filters( 'category_description', $category->description, $category )) . '"';
$link .= 'title="' . attr( apply_filters( 'category_description', $category->description, $category )) . '"';
$link .= '>';
$link .= $cat_name . '</a>';


@ -945,7 +945,7 @@ function comments_popup_link( $zero = false, $one = false, $more = false, $css_c
if ( !empty( $css_class ) ) {
echo ' class="'.$css_class.'" ';
}
$title = attribute_escape( get_the_title() );
$title = attr( get_the_title() );
echo apply_filters( 'comments_popup_link_attributes', '' );


@ -369,14 +369,14 @@ function sanitize_comment_cookies() {
if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) {
$comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]);
$comment_author = stripslashes($comment_author);
$comment_author = attribute_escape($comment_author);
$comment_author = attr($comment_author);
$_COOKIE['comment_author_'.COOKIEHASH] = $comment_author;
}
if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) {
$comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]);
$comment_author_email = stripslashes($comment_author_email);
$comment_author_email = attribute_escape($comment_author_email);
$comment_author_email = attr($comment_author_email);
$_COOKIE['comment_author_email_'.COOKIEHASH] = $comment_author_email;
}


@ -60,8 +60,8 @@ class WP_Widget_Pages extends WP_Widget {
function form( $instance ) {
//Defaults
$instance = wp_parse_args( (array) $instance, array( 'sortby' => 'post_title', 'title' => '', 'exclude' => '') );
$title = attribute_escape( $instance['title'] );
$exclude = attribute_escape( $instance['exclude'] );
$title = attr( $instance['title'] );
$exclude = attr( $instance['exclude'] );
?>
<p><label for="<?php echo $this->get_field_id('title'); ?>"><?php _e('Title:'); ?> <input class="widefat" id="<?php echo $this->get_field_id('title'); ?>" name="<?php echo $this->get_field_name('title'); ?>" type="text" value="<?php echo $title; ?>" /></label></p>
<p>
@ -210,7 +210,7 @@ class WP_Widget_Archives extends WP_Widget {
if ( $d ) {
?>
<select name="archive-dropdown" onchange='document.location.href=this.options[this.selectedIndex].value;'> <option value=""><?php echo attribute_escape(__('Select Month')); ?></option> <?php wp_get_archives("type=monthly&format=option&show_post_count=$c"); ?> </select>
<select name="archive-dropdown" onchange='document.location.href=this.options[this.selectedIndex].value;'> <option value=""><?php echo attr(__('Select Month')); ?></option> <?php wp_get_archives("type=monthly&format=option&show_post_count=$c"); ?> </select>
<?php
} else {
?>
@ -239,7 +239,7 @@ class WP_Widget_Archives extends WP_Widget {
$count = $instance['count'] ? 'checked="checked"' : '';
$dropdown = $instance['dropdown'] ? 'checked="checked"' : '';
?>
<p><label for="<?php echo $this->get_field_id('title'); ?>"><?php _e('Title:'); ?> <input class="widefat" id="<?php echo $this->get_field_id('title'); ?>" name="<?php echo $this->get_field_name('title'); ?>" type="text" value="<?php echo attribute_escape($title); ?>" /></label></p>
<p><label for="<?php echo $this->get_field_id('title'); ?>"><?php _e('Title:'); ?> <input class="widefat" id="<?php echo $this->get_field_id('title'); ?>" name="<?php echo $this->get_field_name('title'); ?>" type="text" value="<?php echo attr($title); ?>" /></label></p>
<p>
<label for="<?php echo $this->get_field_id('count'); ?>"><input class="checkbox" type="checkbox" <?php echo $count; ?> id="<?php echo $this->get_field_id('count'); ?>" name="<?php echo $this->get_field_name('count'); ?>" /> <?php _e('Show post counts'); ?></label>
<br />
@ -273,9 +273,9 @@ class WP_Widget_Meta extends WP_Widget {
<ul>
<?php wp_register(); ?>
<li><?php wp_loginout(); ?></li>
<li><a href="<?php bloginfo('rss2_url'); ?>" title="<?php echo attribute_escape(__('Syndicate this site using RSS 2.0')); ?>"><?php _e('Entries <abbr title="Really Simple Syndication">RSS</abbr>'); ?></a></li>
<li><a href="<?php bloginfo('comments_rss2_url'); ?>" title="<?php echo attribute_escape(__('The latest comments to all posts in RSS')); ?>"><?php _e('Comments <abbr title="Really Simple Syndication">RSS</abbr>'); ?></a></li>
<li><a href="http://wordpress.org/" title="<?php echo attribute_escape(__('Powered by WordPress, state-of-the-art semantic personal publishing platform.')); ?>">WordPress.org</a></li>
<li><a href="<?php bloginfo('rss2_url'); ?>" title="<?php echo attr(__('Syndicate this site using RSS 2.0')); ?>"><?php _e('Entries <abbr title="Really Simple Syndication">RSS</abbr>'); ?></a></li>
<li><a href="<?php bloginfo('comments_rss2_url'); ?>" title="<?php echo attr(__('The latest comments to all posts in RSS')); ?>"><?php _e('Comments <abbr title="Really Simple Syndication">RSS</abbr>'); ?></a></li>
<li><a href="http://wordpress.org/" title="<?php echo attr(__('Powered by WordPress, state-of-the-art semantic personal publishing platform.')); ?>">WordPress.org</a></li>
<?php wp_meta(); ?>
</ul>
<?php
@ -293,7 +293,7 @@ class WP_Widget_Meta extends WP_Widget {
$instance = wp_parse_args( (array) $instance, array( 'title' => '' ) );
$title = strip_tags($instance['title']);
?>
<p><label for="<?php echo $this->get_field_id('title'); ?>"><?php _e('Title:'); ?> <input class="widefat" id="<?php echo $this->get_field_id('title'); ?>" name="<?php echo $this->get_field_name('title'); ?>" type="text" value="<?php echo attribute_escape($title); ?>" /></label></p>
<p><label for="<?php echo $this->get_field_id('title'); ?>"><?php _e('Title:'); ?> <input class="widefat" id="<?php echo $this->get_field_id('title'); ?>" name="<?php echo $this->get_field_name('title'); ?>" type="text" value="<?php echo attr($title); ?>" /></label></p>
<?php
}
}
@ -333,7 +333,7 @@ class WP_Widget_Calendar extends WP_Widget {
?>
<p><label for="<?php echo $this->get_field_id('title'); ?>">
<?php _e('Title:'); ?>
<input class="widefat" id="<?php echo $this->get_field_id('title'); ?>" name="<?php echo $this->get_field_name('title'); ?>" type="text" value="<?php echo attribute_escape($title); ?>" />
<input class="widefat" id="<?php echo $this->get_field_id('title'); ?>" name="<?php echo $this->get_field_name('title'); ?>" type="text" value="<?php echo attr($title); ?>" />
</label></p>
<?php
}
@ -381,7 +381,7 @@ class WP_Widget_Text extends WP_Widget {
?>
<p><label for="<?php echo $this->get_field_id('title'); ?>">
<?php _e('Title:'); ?>
<input class="widefat" id="<?php echo $this->get_field_id('title'); ?>" name="<?php echo $this->get_field_name('title'); ?>" type="text" value="<?php echo attribute_escape($title); ?>" />
<input class="widefat" id="<?php echo $this->get_field_id('title'); ?>" name="<?php echo $this->get_field_name('title'); ?>" type="text" value="<?php echo attr($title); ?>" />
</label></p>
<textarea class="widefat" rows="16" cols="20" id="<?php echo $this->get_field_id('text'); ?>" name="<?php echo $this->get_field_name('text'); ?>"><?php echo $text; ?></textarea>
@ -463,7 +463,7 @@ class WP_Widget_Categories extends WP_Widget {
function form( $instance ) {
//Defaults
$instance = wp_parse_args( (array) $instance, array( 'title' => '') );
$title = attribute_escape( $instance['title'] );
$title = attr( $instance['title'] );
$count = (bool) $instance['count'];
$hierarchical = (bool) $instance['hierarchical'];
$dropdown = (bool) $instance['dropdown'];
@ -566,7 +566,7 @@ class WP_Widget_Recent_Posts extends WP_Widget {
}
function form( $instance ) {
$title = attribute_escape($instance['title']);
$title = attr($instance['title']);
if ( !$number = (int) $instance['number'] )
$number = 5;
?>
@ -653,7 +653,7 @@ class WP_Widget_Recent_Comments extends WP_Widget {
}
function form( $instance ) {
$title = attribute_escape($instance['title']);
$title = attr($instance['title']);
if ( !$number = (int) $instance['number'] )
$number = 5;
?>
@ -702,7 +702,7 @@ class WP_Widget_RSS extends WP_Widget {
$link = '';
if ( ! is_wp_error($rss) ) {
$desc = attribute_escape(strip_tags(@html_entity_decode($rss->get_description(), ENT_QUOTES, get_option('blog_charset'))));
$desc = attr(strip_tags(@html_entity_decode($rss->get_description(), ENT_QUOTES, get_option('blog_charset'))));
if ( empty($title) )
$title = htmlentities(strip_tags($rss->get_title()));
$link = clean_url(strip_tags($rss->get_permalink()));
@ -716,7 +716,7 @@ class WP_Widget_RSS extends WP_Widget {
$title = apply_filters('widget_title', $title );
$url = clean_url(strip_tags($url));
$icon = includes_url('images/rss.png');
$title = "<a class='rsswidget' href='$url' title='" . attribute_escape(__('Syndicate this content')) ."'><img style='background:orange;color:white;border:none;' width='14' height='14' src='$icon' alt='RSS' /></a> <a class='rsswidget' href='$link' title='$desc'>$title</a>";
$title = "<a class='rsswidget' href='$url' title='" . attr(__('Syndicate this content')) ."'><img style='background:orange;color:white;border:none;' width='14' height='14' src='$icon' alt='RSS' /></a> <a class='rsswidget' href='$link' title='$desc'>$title</a>";
echo $before_widget;
echo $before_title . $title . $after_title;
@ -787,11 +787,11 @@ function wp_widget_rss_output( $rss, $args = array() ) {
while ( stristr($link, 'http') != $link )
$link = substr($link, 1);
$link = clean_url(strip_tags($link));
$title = attribute_escape(strip_tags($item->get_title()));
$title = attr(strip_tags($item->get_title()));
if ( empty($title) )
$title = __('Untitled');
$desc = str_replace(array("\n", "\r"), ' ', attribute_escape(strip_tags(@html_entity_decode($item->get_description(), ENT_QUOTES, get_option('blog_charset')))));
$desc = str_replace(array("\n", "\r"), ' ', attr(strip_tags(@html_entity_decode($item->get_description(), ENT_QUOTES, get_option('blog_charset')))));
$desc = wp_html_excerpt( $desc, 360 ) . ' [&hellip;]';
$desc = wp_specialchars( $desc );
@ -850,9 +850,9 @@ function wp_widget_rss_form( $args, $inputs = null ) {
extract( $args );
extract( $inputs, EXTR_SKIP);
$number = attribute_escape( $number );
$title = attribute_escape( $title );
$url = attribute_escape( $url );
$number = attr( $number );
$title = attr( $title );
$url = attr( $url );
$items = (int) $items;
if ( $items < 1 || 20 < $items )
$items = 10;
@ -984,7 +984,7 @@ class WP_Widget_Tag_Cloud extends WP_Widget {
?>
<p><label for="<?php echo $this->get_field_id('title'); ?>">
<?php _e('Title:') ?>
<input type="text" class="widefat" id="<?php echo $this->get_field_id('title'); ?>" name="<?php echo $this->get_field_name('title'); ?>" value="<?php echo attribute_escape( $instance['title'] ); ?>" />
<input type="text" class="widefat" id="<?php echo $this->get_field_id('title'); ?>" name="<?php echo $this->get_field_name('title'); ?>" value="<?php echo attr( $instance['title'] ); ?>" />
</label></p>
<?php
}


@ -1006,8 +1006,8 @@ function get_links($category = -1, $before = '', $after = '<br />', $between = '
if ( '' != $rel )
$rel = ' rel="' . $rel . '"';
$desc = attribute_escape(sanitize_bookmark_field('link_description', $row->link_description, $row->link_id, 'display'));
$name = attribute_escape(sanitize_bookmark_field('link_name', $row->link_name, $row->link_id, 'display'));
$desc = attr(sanitize_bookmark_field('link_description', $row->link_description, $row->link_id, 'display'));
$name = attr(sanitize_bookmark_field('link_name', $row->link_name, $row->link_id, 'display'));
$title = $desc;
if ( $show_updated )


@ -18,7 +18,7 @@ echo '<?xml version="1.0" encoding="' . get_option('blog_charset') . '" ?' . '>'
if ( is_singular() )
printf(ent2ncr(__('Comments on: %s')), get_the_title_rss());
elseif ( is_search() )
printf(ent2ncr(__('Comments for %1$s searching on %2$s')), get_bloginfo_rss( 'name' ), attribute_escape(get_search_query()));
printf(ent2ncr(__('Comments for %1$s searching on %2$s')), get_bloginfo_rss( 'name' ), attr(get_search_query()));
else
printf(ent2ncr(__('Comments for %s')), get_bloginfo_rss( 'name' ) . get_wp_title_rss());
?></title>
@ -32,7 +32,7 @@ echo '<?xml version="1.0" encoding="' . get_option('blog_charset') . '" ?' . '>'
<link rel="self" type="application/atom+xml" href="<?php echo get_post_comments_feed_link('', 'atom'); ?>" />
<id><?php echo get_post_comments_feed_link('', 'atom'); ?></id>
<?php } elseif(is_search()) { ?>
<link rel="alternate" type="<?php bloginfo_rss('html_type'); ?>" href="<?php echo get_option('home') . '?s=' . attribute_escape(get_search_query()); ?>" />
<link rel="alternate" type="<?php bloginfo_rss('html_type'); ?>" href="<?php echo get_option('home') . '?s=' . attr(get_search_query()); ?>" />
<link rel="self" type="application/atom+xml" href="<?php echo get_search_comments_feed_link('', 'atom'); ?>" />
<id><?php echo get_search_comments_feed_link('', 'atom'); ?></id>
<?php } else { ?>


@ -20,7 +20,7 @@ echo '<?xml version="1.0" encoding="'.get_option('blog_charset').'"?'.'>';
if ( is_singular() )
printf(ent2ncr(__('Comments on: %s')), get_the_title_rss());
elseif ( is_search() )
printf(ent2ncr(__('Comments for %s searching on %s')), get_bloginfo_rss( 'name' ), attribute_escape($wp_query->query_vars['s']));
printf(ent2ncr(__('Comments for %s searching on %s')), get_bloginfo_rss( 'name' ), attr($wp_query->query_vars['s']));
else
printf(ent2ncr(__('Comments for %s')), get_bloginfo_rss( 'name' ) . get_wp_title_rss());
?></title>


@ -338,7 +338,7 @@ function get_the_category_rss($type = 'rss') {
if ( 'rdf' == $type )
$the_list .= "\t\t<dc:subject><![CDATA[$cat_name]]></dc:subject>\n";
elseif ( 'atom' == $type )
$the_list .= sprintf( '<category scheme="%1$s" term="%2$s" />', attribute_escape( apply_filters( 'get_bloginfo_rss', get_bloginfo( 'url' ) ) ), attribute_escape( $cat_name ) );
$the_list .= sprintf( '<category scheme="%1$s" term="%2$s" />', attr( apply_filters( 'get_bloginfo_rss', get_bloginfo( 'url' ) ) ), attr( $cat_name ) );
else
$the_list .= "\t\t<category><![CDATA[" . @html_entity_decode( $cat_name, ENT_COMPAT, get_option('blog_charset') ) . "]]></category>\n";
}


@ -1270,7 +1270,7 @@ function translate_smiley($smiley) {
$smiley = trim(reset($smiley));
$img = $wpsmiliestrans[$smiley];
$smiley_masked = attribute_escape($smiley);
$smiley_masked = attr($smiley);
return " <img src='$siteurl/wp-includes/images/smilies/$img' alt='$smiley_masked' class='wp-smiley' /> ";
}


@ -385,7 +385,7 @@ function wp_protect_special_option( $option ) {
/**
* Print option value after sanitizing for forms.
*
* @uses attribute_escape Sanitizes value.
* @uses attr Sanitizes value.
* @since 1.5.0
* @package WordPress
* @subpackage Option
@ -393,7 +393,7 @@ function wp_protect_special_option( $option ) {
* @param string $option Option name.
*/
function form_option( $option ) {
echo attribute_escape (get_option( $option ) );
echo attr (get_option( $option ) );
}
/**
@ -1741,7 +1741,7 @@ function wp_nonce_url( $actionurl, $action = -1 ) {
* @return string Nonce field.
*/
function wp_nonce_field( $action = -1, $name = "_wpnonce", $referer = true , $echo = true ) {
$name = attribute_escape( $name );
$name = attr( $name );
$nonce_field = '<input type="hidden" id="' . $name . '" name="' . $name . '" value="' . wp_create_nonce( $action ) . '" />';
if ( $echo )
echo $nonce_field;
@ -1766,7 +1766,7 @@ function wp_nonce_field( $action = -1, $name = "_wpnonce", $referer = true , $ec
* @return string Referer field.
*/
function wp_referer_field( $echo = true) {
$ref = attribute_escape( $_SERVER['REQUEST_URI'] );
$ref = attr( $_SERVER['REQUEST_URI'] );
$referer_field = '<input type="hidden" name="_wp_http_referer" value="'. $ref . '" />';
if ( $echo )
@ -1792,7 +1792,7 @@ function wp_referer_field( $echo = true) {
function wp_original_referer_field( $echo = true, $jump_back_to = 'current' ) {
$jump_back_to = ( 'previous' == $jump_back_to ) ? wp_get_referer() : $_SERVER['REQUEST_URI'];
$ref = ( wp_get_original_referer() ) ? wp_get_original_referer() : $jump_back_to;
$orig_referer_field = '<input type="hidden" name="_wp_original_http_referer" value="' . attribute_escape( stripslashes( $ref ) ) . '" />';
$orig_referer_field = '<input type="hidden" name="_wp_original_http_referer" value="' . attr( stripslashes( $ref ) ) . '" />';
if ( $echo )
echo $orig_referer_field;
return $orig_referer_field;


@ -120,8 +120,8 @@ function get_search_form() {
$form = '<form role="search" method="get" id="searchform" action="' . get_option('home') . '/" >
<div><label class="hidden" for="s">' . __('Search for:') . '</label>
<input type="text" value="' . attribute_escape(apply_filters('the_search_query', get_search_query())) . '" name="s" id="s" />
<input type="submit" id="searchsubmit" value="'.attribute_escape(__('Search')).'" />
<input type="text" value="' . attr(apply_filters('the_search_query', get_search_query())) . '" name="s" id="s" />
<input type="submit" id="searchsubmit" value="'.attr(__('Search')).'" />
</div>
</form>';
@ -688,7 +688,7 @@ function single_month_title($prefix = '', $display = true ) {
*/
function get_archives_link($url, $text, $format = 'html', $before = '', $after = '') {
$text = wptexturize($text);
$title_text = attribute_escape($text);
$title_text = attr($text);
$url = clean_url($url);
if ('link' == $format)
@ -1434,8 +1434,8 @@ function feed_links( $args ) {
$args = wp_parse_args( $args, $defaults );
echo '<link rel="alternate" type="' . feed_content_type() . '" title="' . attribute_escape(sprintf( $args['feedtitle'], get_bloginfo('name') )) . '" href="' . get_feed_link() . "\" />\n";
echo '<link rel="alternate" type="' . feed_content_type() . '" title="' . attribute_escape(sprintf( $args['comstitle'], get_bloginfo('name') )) . '" href="' . get_feed_link( 'comments_' . get_default_feed() ) . "\" />\n";
echo '<link rel="alternate" type="' . feed_content_type() . '" title="' . attr(sprintf( $args['feedtitle'], get_bloginfo('name') )) . '" href="' . get_feed_link() . "\" />\n";
echo '<link rel="alternate" type="' . feed_content_type() . '" title="' . attr(sprintf( $args['comstitle'], get_bloginfo('name') )) . '" href="' . get_feed_link( 'comments_' . get_default_feed() ) . "\" />\n";
}
/**
@ -1467,27 +1467,27 @@ function feed_links_extra( $args ) {
$post = &get_post( $id = 0 );
if ( comments_open() || pings_open() || $post->comment_count > 0 ) {
$title = attribute_escape(sprintf( $args['singletitle'], get_bloginfo('name'), $args['separator'], wp_specialchars( get_the_title() ) ));
$title = attr(sprintf( $args['singletitle'], get_bloginfo('name'), $args['separator'], wp_specialchars( get_the_title() ) ));
$href = get_post_comments_feed_link( $post->ID );
}
} elseif ( is_category() ) {
$cat_id = intval( get_query_var('cat') );
$title = attribute_escape(sprintf( $args['cattitle'], get_bloginfo('name'), $args['separator'], get_cat_name( $cat_id ) ));
$title = attr(sprintf( $args['cattitle'], get_bloginfo('name'), $args['separator'], get_cat_name( $cat_id ) ));
$href = get_category_feed_link( $cat_id );
} elseif ( is_tag() ) {
$tag_id = intval( get_query_var('tag_id') );
$tag = get_tag( $tag_id );
$title = attribute_escape(sprintf( $args['tagtitle'], get_bloginfo('name'), $args['separator'], $tag->name ));
$title = attr(sprintf( $args['tagtitle'], get_bloginfo('name'), $args['separator'], $tag->name ));
$href = get_tag_feed_link( $tag_id );
} elseif ( is_author() ) {
$author_id = intval( get_query_var('author') );
$title = attribute_escape(sprintf( $args['authortitle'], get_bloginfo('name'), $args['separator'], get_author_name( $author_id ) ));
$title = attr(sprintf( $args['authortitle'], get_bloginfo('name'), $args['separator'], get_author_name( $author_id ) ));
$href = get_author_feed_link( $author_id );
} elseif ( is_search() ) {
$title = attribute_escape(sprintf( $args['searchtitle'], get_bloginfo('name'), $args['separator'], get_search_query() ));
$title = attr(sprintf( $args['searchtitle'], get_bloginfo('name'), $args['separator'], get_search_query() ));
$href = get_search_feed_link();
}
@ -1678,14 +1678,14 @@ function get_search_query() {
/**
* Display the contents of the search query variable.
*
* The search query string is passed through {@link attribute_escape()}
* The search query string is passed through {@link attr()}
* to ensure that it is safe for placing in an html attribute.
*
* @uses attribute_escape
* @uses attr
* @since 2.1.0
*/
function the_search_query() {
echo attribute_escape( apply_filters( 'the_search_query', get_search_query() ) );
echo attr( apply_filters( 'the_search_query', get_search_query() ) );
}
/**
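Review bot: `attr` is a very generic name for a new global function, and this section (get_search_form, get_archives_link, feed_links, feed_links_extra, the_search_query) together with every later file section on this page (link-template, media, get_avatar, post-template, sanitize_post_field, wp_rss, script-loader, sanitize_term_field, preview_theme, wp_version_check, the OPML output and wp-login) now routes attribute escaping through it, so a theme or plugin that already declares its own `attr()` will either fatal on redeclaration or, if the core definition is guarded with `function_exists`, silently replace the escaper with code that may not escape at all. A prefixed name such as `esc_attr()` keeps the call sites nearly as short while making a collision unlikely, consistent with the `wp_`/`_e`/`_ea` prefixes visible in the same hunks. If `attribute_escape()` is removed rather than kept as a deprecated wrapper, third-party code that still calls it will break instead of continuing to escape, so keeping the old name as a thin alias for one release is worth considering. The definition of `attr()` itself is not within this page, so the guard behaviour is inferred.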


@ -619,9 +619,9 @@ function edit_tag_link( $link = '', $before = '', $after = '', $tag = null ) {
*/
function get_search_feed_link($search_query = '', $feed = '') {
if ( empty($search_query) )
$search = attribute_escape(get_search_query());
$search = attr(get_search_query());
else
$search = attribute_escape(stripslashes($search_query));
$search = attr(stripslashes($search_query));
if ( empty($feed) )
$feed = get_default_feed();
@ -644,9 +644,9 @@ function get_search_feed_link($search_query = '', $feed = '') {
*/
function get_search_comments_feed_link($search_query = '', $feed = '') {
if ( empty($search_query) )
$search = attribute_escape(get_search_query());
$search = attr(get_search_query());
else
$search = attribute_escape(stripslashes($search_query));
$search = attr(stripslashes($search_query));
if ( empty($feed) )
$feed = get_default_feed();
@ -730,7 +730,7 @@ function edit_post_link( $link = 'Edit This', $before = '', $after = '' ) {
return;
}
$link = '<a class="post-edit-link" href="' . get_edit_post_link( $post->ID ) . '" title="' . attribute_escape( __( 'Edit post' ) ) . '">' . $link . '</a>';
$link = '<a class="post-edit-link" href="' . get_edit_post_link( $post->ID ) . '" title="' . attr( __( 'Edit post' ) ) . '">' . $link . '</a>';
echo $before . apply_filters( 'edit_post_link', $link, $post->ID ) . $after;
}
@ -940,7 +940,7 @@ function get_adjacent_post_rel_link($title = '%title', $in_same_cat = false, $ex
$title = apply_filters('the_title', $title, $post);
$link = $previous ? "<link rel='prev' title='" : "<link rel='next' title='";
$link .= attribute_escape( $title );
$link .= attr( $title );
$link .= "' href='" . get_permalink($post) . "' />\n";
$adjacent = $previous ? 'previous' : 'next';
@ -1064,7 +1064,7 @@ function get_boundary_post_rel_link($title = '%title', $in_same_cat = false, $ex
$title = apply_filters('the_title', $title, $post);
$link = $start ? "<link rel='start' title='" : "<link rel='end' title='";
$link .= attribute_escape($title);
$link .= attr($title);
$link .= "' href='" . get_permalink($post) . "' />\n";
$boundary = $start ? 'start' : 'end';
@ -1092,7 +1092,7 @@ function start_post_rel_link($title = '%title', $in_same_cat = false, $excluded_
* @return string
*/
function get_index_rel_link() {
$link = "<link rel='index' title='" . attribute_escape(get_bloginfo('name')) . "' href='" . get_bloginfo('siteurl') . "' />\n";
$link = "<link rel='index' title='" . attr(get_bloginfo('name')) . "' href='" . get_bloginfo('siteurl') . "' />\n";
return apply_filters( "index_rel_link", $link );
}
@ -1127,7 +1127,7 @@ function get_parent_post_rel_link($title = '%title') {
$title = apply_filters('the_title', $title, $post);
$link = "<link rel='up' title='";
$link .= attribute_escape( $title );
$link .= attr( $title );
$link .= "' href='" . get_permalink($post) . "' />\n";
return apply_filters( "parent_post_rel_link", $link );


@ -200,10 +200,10 @@ function get_image_tag($id, $alt, $title, $align, $size='medium') {
list( $img_src, $width, $height ) = image_downsize($id, $size);
$hwstring = image_hwstring($width, $height);
$class = 'align'.attribute_escape($align).' size-'.attribute_escape($size).' wp-image-'.$id;
$class = 'align'.attr($align).' size-'.attr($size).' wp-image-'.$id;
$class = apply_filters('get_image_tag_class', $class, $id, $align, $size);
$html = '<img src="'.attribute_escape($img_src).'" alt="'.attribute_escape($alt).'" title="'.attribute_escape($title).'" '.$hwstring.'class="'.$class.'" />';
$html = '<img src="'.attr($img_src).'" alt="'.attr($alt).'" title="'.attr($title).'" '.$hwstring.'class="'.$class.'" />';
$html = apply_filters( 'get_image_tag', $html, $id, $alt, $title, $align, $size );
@ -542,7 +542,7 @@ function wp_get_attachment_image($attachment_id, $size = 'thumbnail', $icon = fa
'title' => trim(strip_tags( $attachment->post_title )),
);
$attr = apply_filters( 'wp_get_attachment_image_attributes', $attr, $attachment );
$attr = array_map( 'attribute_escape', $attr );
$attr = array_map( 'attr', $attr );
$html = rtrim("<img $hwstring");
foreach ( $attr as $name => $value ) {
$html .= " $name=" . '"' . $value . '"';


@ -1499,7 +1499,7 @@ function get_avatar( $id_or_email, $size = '96', $default = '', $alt = false ) {
if ( false === $alt)
$safe_alt = '';
else
$safe_alt = attribute_escape( $alt );
$safe_alt = attr( $alt );
if ( !is_numeric($size) )
$size = '96';


@ -63,7 +63,7 @@ function the_title($before = '', $after = '', $echo = true) {
* an array. See the function for what can be override in the $args parameter.
*
* The title before it is displayed will have the tags stripped and {@link
* attribute_escape()} before it is passed to the user or displayed. The default
* attr()} before it is passed to the user or displayed. The default
* as with {@link the_title()}, is to display the title.
*
* @since 2.3.0
@ -83,7 +83,7 @@ function the_title_attribute( $args = '' ) {
$title = $before . $title . $after;
$title = attribute_escape(strip_tags($title));
$title = attr(strip_tags($title));
if ( $echo )
echo $title;
@ -924,10 +924,10 @@ function wp_get_attachment_link($id = 0, $size = 'thumbnail', $permalink = false
if ( $permalink )
$url = get_attachment_link($_post->ID);
$post_title = attribute_escape($_post->post_title);
$post_title = attr($_post->post_title);
if ( $text ) {
$link_text = attribute_escape($text);
$link_text = attr($text);
} elseif ( ( is_int($size) && $size != 0 ) or ( is_string($size) && $size != 'none' ) or $size != false ) {
$link_text = wp_get_attachment_image($id, $size, $icon);
}
@ -961,7 +961,7 @@ function get_the_attachment_link($id = 0, $fullsize = false, $max_dims = false,
if ( $permalink )
$url = get_attachment_link($_post->ID);
$post_title = attribute_escape($_post->post_title);
$post_title = attr($_post->post_title);
$innerHTML = get_attachment_innerHTML($_post->ID, $fullsize, $max_dims);
return "<a href='$url' title='$post_title'>$innerHTML</a>";
@ -1057,7 +1057,7 @@ function get_attachment_icon( $id = 0, $fullsize = false, $max_dims = false ) {
$constraint = '';
}
$post_title = attribute_escape($post->post_title);
$post_title = attr($post->post_title);
$icon = "<img src='$src' title='$post_title' alt='$post_title' $constraint/>";
@ -1085,7 +1085,7 @@ function get_attachment_innerHTML($id = 0, $fullsize = false, $max_dims = false)
return $innerHTML;
$innerHTML = attribute_escape($post->post_title);
$innerHTML = attr($post->post_title);
return apply_filters('attachment_innerHTML', $innerHTML, $post->ID);
}


@ -869,7 +869,7 @@ function sanitize_post_field($field, $value, $post_id, $context) {
else
$value = format_to_edit($value);
} else {
$value = attribute_escape($value);
$value = attr($value);
}
} else if ( 'db' == $context ) {
if ( $prefixed ) {
@ -888,7 +888,7 @@ function sanitize_post_field($field, $value, $post_id, $context) {
}
if ( 'attribute' == $context )
$value = attribute_escape($value);
$value = attr($value);
else if ( 'js' == $context )
$value = js_escape($value);


@ -873,7 +873,7 @@ function wp_rss( $url, $num_items = -1 ) {
printf(
'<li><a href="%1$s" title="%2$s">%3$s</a></li>',
clean_url( $item['link'] ),
attribute_escape( strip_tags( $item['description'] ) ),
attr( strip_tags( $item['description'] ) ),
htmlentities( $item['title'] )
);
}


@ -74,10 +74,10 @@ function wp_default_scripts( &$scripts ) {
$scripts->localize( 'quicktags', 'quicktagsL10n', array(
'quickLinks' => __('(Quick Links)'),
'wordLookup' => __('Enter a word to look up:'),
'dictionaryLookup' => attribute_escape(__('Dictionary lookup')),
'lookup' => attribute_escape(__('lookup')),
'closeAllOpenTags' => attribute_escape(__('Close all open tags')),
'closeTags' => attribute_escape(__('close tags')),
'dictionaryLookup' => attr(__('Dictionary lookup')),
'lookup' => attr(__('lookup')),
'closeAllOpenTags' => attr(__('Close all open tags')),
'closeTags' => attr(__('close tags')),
'enterURL' => __('Enter the URL'),
'enterImageURL' => __('Enter the URL of the image'),
'enterImageDescription' => __('Enter a description of the image'),
@ -212,7 +212,7 @@ function wp_default_scripts( &$scripts ) {
$scripts->add( 'ajaxcat', "/wp-admin/js/cat$suffix.js", array( 'wp-lists' ), '20090102' );
$scripts->add_data( 'ajaxcat', 'group', 1 );
$scripts->localize( 'ajaxcat', 'catL10n', array(
'add' => attribute_escape(__('Add')),
'add' => attr(__('Add')),
'how' => __('Separate multiple categories with commas.'),
'l10n_print_after' => 'try{convertEntities(catL10n);}catch(e){};'
) );
@ -266,8 +266,8 @@ function wp_default_scripts( &$scripts ) {
$scripts->add_data( 'post', 'group', 1 );
$scripts->localize( 'post', 'postL10n', array(
'tagsUsed' => __('Tags used on this post:'),
'add' => attribute_escape(__('Add')),
'addTag' => attribute_escape(__('Add new tag')),
'add' => attr(__('Add')),
'addTag' => attr(__('Add new tag')),
'separate' => __('Separate tags with commas'),
'cancel' => __('Cancel'),
'edit' => __('Edit'),
@ -604,7 +604,7 @@ function _print_scripts() {
$ver = md5("$wp_scripts->concat_version");
$src = $wp_scripts->base_url . "/wp-admin/load-scripts.php?c={$zip}&load=" . trim($wp_scripts->concat, ', ') . "&ver=$ver";
echo "<script type='text/javascript' src='" . attribute_escape($src) . "'></script>\n";
echo "<script type='text/javascript' src='" . attr($src) . "'></script>\n";
}
if ( !empty($wp_scripts->print_html) )
@ -671,7 +671,7 @@ function print_admin_styles() {
$dir = $wp_styles->text_direction;
$ver = md5("$wp_styles->concat_version{$dir}");
$href = $wp_styles->base_url . "/wp-admin/load-styles.php?c={$zip}&dir={$dir}&load=" . trim($wp_styles->concat, ', ') . "&ver=$ver";
echo "<link rel='stylesheet' href='" . attribute_escape($href) . "' type='text/css' media='all' />\n";
echo "<link rel='stylesheet' href='" . attr($href) . "' type='text/css' media='all' />\n";
}
if ( !empty($wp_styles->print_html) )


@ -991,7 +991,7 @@ function sanitize_term_field($field, $value, $term_id, $taxonomy, $context) {
if ( 'description' == $field )
$value = format_to_edit($value);
else
$value = attribute_escape($value);
$value = attr($value);
} else if ( 'db' == $context ) {
$value = apply_filters("pre_term_$field", $value, $taxonomy);
$value = apply_filters("pre_${taxonomy}_$field", $value);
@ -1009,7 +1009,7 @@ function sanitize_term_field($field, $value, $term_id, $taxonomy, $context) {
}
if ( 'attribute' == $context )
$value = attribute_escape($value);
$value = attr($value);
else if ( 'js' == $context )
$value = js_escape($value);
@ -2260,7 +2260,7 @@ function get_the_taxonomies($post = 0) {
$links = array();
foreach ( $terms as $term )
$links[] = "<a href='" . attribute_escape(get_term_link($term, $taxonomy)) . "'>$term->name</a>";
$links[] = "<a href='" . attr(get_term_link($term, $taxonomy)) . "'>$term->name</a>";
if ( $links )
$taxonomies[$taxonomy] = wp_sprintf($t['template'], $t['label'], $links, $terms);


@ -932,7 +932,7 @@ function preview_theme_ob_filter_callback( $matches ) {
$link = add_query_arg( array('preview' => 1, 'template' => $_GET['template'], 'stylesheet' => @$_GET['stylesheet'] ), $matches[3] );
if ( 0 === strpos($link, 'preview=1') )
$link = "?$link";
return $matches[1] . attribute_escape( $link ) . $matches[4];
return $matches[1] . attr( $link ) . $matches[4];
}
/**


@ -62,15 +62,15 @@ function wp_version_check() {
foreach( explode( "\n\n", $body ) as $entry) {
$returns = explode("\n", $entry);
$new_option = new stdClass();
$new_option->response = attribute_escape( $returns[0] );
$new_option->response = attr( $returns[0] );
if ( isset( $returns[1] ) )
$new_option->url = clean_url( $returns[1] );
if ( isset( $returns[2] ) )
$new_option->package = clean_url( $returns[2] );
if ( isset( $returns[3] ) )
$new_option->current = attribute_escape( $returns[3] );
$new_option->current = attr( $returns[3] );
if ( isset( $returns[4] ) )
$new_option->locale = attribute_escape( $returns[4] );
$new_option->locale = attr( $returns[4] );
$new_options[] = $new_option;
}


@ -29,7 +29,7 @@ if ((empty ($link_cat)) || ($link_cat == 'all') || ($link_cat == '0')) {
<?php the_generator( 'comment' ); ?>
<opml version="1.0">
<head>
<title>Links for <?php echo attribute_escape(get_bloginfo('name', 'display').$cat_name); ?></title>
<title>Links for <?php echo attr(get_bloginfo('name', 'display').$cat_name); ?></title>
<dateCreated><?php echo gmdate("D, d M Y H:i:s"); ?> GMT</dateCreated>
</head>
<body>
@ -44,14 +44,14 @@ foreach ((array) $cats as $cat) {
$catname = apply_filters('link_category', $cat->name);
?>
<outline type="category" title="<?php echo attribute_escape($catname); ?>">
<outline type="category" title="<?php echo attr($catname); ?>">
<?php
$bookmarks = get_bookmarks("category={$cat->term_id}");
foreach ((array) $bookmarks as $bookmark) {
$title = attribute_escape(apply_filters('link_title', $bookmark->link_name));
$title = attr(apply_filters('link_title', $bookmark->link_name));
?>
<outline text="<?php echo $title; ?>" type="link" xmlUrl="<?php echo attribute_escape($bookmark->link_rss); ?>" htmlUrl="<?php echo attribute_escape($bookmark->link_url); ?>" updated="<?php if ('0000-00-00 00:00:00' != $bookmark->link_updated) echo $bookmark->link_updated; ?>" />
<outline text="<?php echo $title; ?>" type="link" xmlUrl="<?php echo attr($bookmark->link_rss); ?>" htmlUrl="<?php echo attr($bookmark->link_url); ?>" updated="<?php if ('0000-00-00 00:00:00' != $bookmark->link_updated) echo $bookmark->link_updated; ?>" />
<?php
}


@ -307,7 +307,7 @@ case 'retrievepassword' :
<form name="lostpasswordform" id="lostpasswordform" action="<?php echo site_url('wp-login.php?action=lostpassword', 'login_post') ?>" method="post">
<p>
<label><?php _e('Username or E-mail:') ?><br />
<input type="text" name="user_login" id="user_login" class="input" value="<?php echo attribute_escape($user_login); ?>" size="20" tabindex="10" /></label>
<input type="text" name="user_login" id="user_login" class="input" value="<?php echo attr($user_login); ?>" size="20" tabindex="10" /></label>
</p>
<?php do_action('lostpassword_form'); ?>
<p class="submit"><input type="submit" name="wp-submit" id="wp-submit" value="<?php _ea('Get New Password'); ?>" tabindex="100" /></p>
@ -374,11 +374,11 @@ case 'register' :
<form name="registerform" id="registerform" action="<?php echo site_url('wp-login.php?action=register', 'login_post') ?>" method="post">
<p>
<label><?php _e('Username') ?><br />
<input type="text" name="user_login" id="user_login" class="input" value="<?php echo attribute_escape(stripslashes($user_login)); ?>" size="20" tabindex="10" /></label>
<input type="text" name="user_login" id="user_login" class="input" value="<?php echo attr(stripslashes($user_login)); ?>" size="20" tabindex="10" /></label>
</p>
<p>
<label><?php _e('E-mail') ?><br />
<input type="text" name="user_email" id="user_email" class="input" value="<?php echo attribute_escape(stripslashes($user_email)); ?>" size="25" tabindex="20" /></label>
<input type="text" name="user_email" id="user_email" class="input" value="<?php echo attr(stripslashes($user_email)); ?>" size="25" tabindex="20" /></label>
</p>
<?php do_action('register_form'); ?>
<p id="reg_passmail"><?php _e('A password will be e-mailed to you.') ?></p>
@ -460,7 +460,7 @@ default:
login_header(__('Log In'), '', $errors);
if ( isset($_POST['log']) )
$user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? attribute_escape(stripslashes($_POST['log'])) : '';
$user_login = ( 'incorrect_password' == $errors->get_error_code() || 'empty_password' == $errors->get_error_code() ) ? attr(stripslashes($_POST['log'])) : '';
?>
<?php if ( !isset($_GET['checkemail']) || !in_array( $_GET['checkemail'], array('confirm', 'newpass') ) ) : ?>
@ -477,7 +477,7 @@ default:
<p class="forgetmenot"><label><input name="rememberme" type="checkbox" id="rememberme" value="forever" tabindex="90" /> <?php _ea('Remember Me'); ?></label></p>
<p class="submit">
<input type="submit" name="wp-submit" id="wp-submit" value="<?php _ea('Log In'); ?>" tabindex="100" />
<input type="hidden" name="redirect_to" value="<?php echo attribute_escape($redirect_to); ?>" />
<input type="hidden" name="redirect_to" value="<?php echo attr($redirect_to); ?>" />
<input type="hidden" name="testcookie" value="1" />
</p>
</form>