Deprecate sanitize_url() and clean_url() in favor of esc_url_raw() and esc_url()

git-svn-id: http://svn.automattic.com/wordpress/trunk@11383 1a063a9b-81f0-0310-95a4-ce76da25c4cd
markjaquith 2009-05-18 16:00:33 +00:00
parent 05c7b40a29
commit 3ebf837ced
45 changed files with 159 additions and 121 deletions


@ -132,7 +132,7 @@ function _wp_ajax_delete_comment_response( $comment_id ) {
$total = (int) @$_POST['_total'];
$per_page = (int) @$_POST['_per_page'];
$page = (int) @$_POST['_page'];
$url = clean_url( @$_POST['_url'], null, 'url' );
$url = esc_url_raw( @$_POST['_url'] );
// JS didn't send us everything we need to know. Just die with success message
if ( !$total || !$per_page || !$page || !$url )
die( (string) time() );


@ -278,7 +278,7 @@ class Custom_Image_Header {
<h2><?php _e('Your Header Image'); ?></h2>
<p><?php _e('This is your header image. You can change the text color or upload and crop a new image.'); ?></p>
<div id="headimg" style="background-image: url(<?php clean_url(header_image()) ?>);">
<div id="headimg" style="background-image: url(<?php esc_url(header_image()) ?>);">
<h1><a onclick="return false;" href="<?php bloginfo('url'); ?>" title="<?php bloginfo('name'); ?>" id="name"><?php bloginfo('name'); ?></a></h1>
<div id="desc"><?php bloginfo('description');?></div>
</div>
@ -354,7 +354,7 @@ class Custom_Image_Header {
// Add the meta-data
wp_update_attachment_metadata( $id, wp_generate_attachment_metadata( $id, $file ) );
set_theme_mod('header_image', clean_url($url));
set_theme_mod('header_image', esc_url($url));
do_action('wp_create_file_in_uploads', $file, $id); // For replication
return $this->finished();
} elseif ( $width > HEADER_IMAGE_WIDTH ) {
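Review bot: The `url(<?php esc_url(header_image()) ?>)` line in the first hunk never outputs anything: esc_url() returns the escaped string rather than printing it, so the inline background-image is emitted empty (clean_url behaved the same way, so this is pre-existing, but the rename is the moment to fix it). It should read `<?php echo esc_url(header_image()) ?>`. In the second hunk, `set_theme_mod('header_image', esc_url($url))` persists a display-context result (esc_url is the display variant per the commit message); for a value that is stored and escaped again on output, `esc_url_raw($url)` is the variant this commit introduces for that purpose. Both enclosing methods start and end outside the hunks.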


@ -87,10 +87,10 @@ function post_submit_meta_box($post) {
<div id="preview-action">
<?php
if ( 'publish' == $post->post_status ) {
$preview_link = clean_url(get_permalink($post->ID));
$preview_link = esc_url(get_permalink($post->ID));
$preview_button = __('Preview Changes');
} else {
$preview_link = clean_url(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID))));
$preview_link = esc_url(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID))));
$preview_button = __('Preview');
}
?>
@ -572,7 +572,7 @@ else
<input type="hidden" id="post_author" name="post_author" value="<?php echo esc_attr( $post->post_author ); ?>" />
<input type="hidden" id="post_type" name="post_type" value="<?php echo esc_attr($post->post_type) ?>" />
<input type="hidden" id="original_post_status" name="original_post_status" value="<?php echo esc_attr($post->post_status) ?>" />
<input name="referredby" type="hidden" id="referredby" value="<?php echo clean_url(stripslashes(wp_get_referer())); ?>" />
<input name="referredby" type="hidden" id="referredby" value="<?php echo esc_url(stripslashes(wp_get_referer())); ?>" />
<?php
if ( 'draft' != $post->post_status )
wp_original_referer_field(true, 'previous');


@ -130,7 +130,7 @@ $date = date_i18n( $datef, strtotime( $comment->comment_date ) );
<input type="hidden" name="c" value="<?php echo esc_attr($comment->comment_ID) ?>" />
<input type="hidden" name="p" value="<?php echo esc_attr($comment->comment_post_ID) ?>" />
<input name="referredby" type="hidden" id="referredby" value="<?php echo clean_url(stripslashes(wp_get_referer())); ?>" />
<input name="referredby" type="hidden" id="referredby" value="<?php echo esc_url(stripslashes(wp_get_referer())); ?>" />
<?php wp_original_referer_field(true, 'previous'); ?>
<input type="hidden" name="noredir" value="1" />


@ -81,10 +81,10 @@ function page_submit_meta_box($post) {
<div id="preview-action">
<?php
if ( 'publish' == $post->post_status ) {
$preview_link = clean_url(get_permalink($post->ID));
$preview_link = esc_url(get_permalink($post->ID));
$preview_button = __('Preview Changes');
} else {
$preview_link = clean_url(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID))));
$preview_link = esc_url(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID))));
$preview_button = __('Preview');
}
?>
@ -420,7 +420,7 @@ if (isset($mode) && 'bookmarklet' == $mode)
<?php echo $form_extra ?>
<input type="hidden" id="post_type" name="post_type" value="<?php echo esc_attr($post->post_type) ?>" />
<input type="hidden" id="original_post_status" name="original_post_status" value="<?php echo esc_attr($post->post_status) ?>" />
<input name="referredby" type="hidden" id="referredby" value="<?php echo clean_url(stripslashes(wp_get_referer())); ?>" />
<input name="referredby" type="hidden" id="referredby" value="<?php echo esc_url(stripslashes(wp_get_referer())); ?>" />
<?php if ( 'draft' != $post->post_status ) wp_original_referer_field(true, 'previous'); ?>
<div id="poststuff" class="metabox-holder<?php echo 2 == $screen_layout_columns ? ' has-right-sidebar' : ''; ?>">


@ -251,8 +251,8 @@ do_action('restrict_manage_posts');
<?php } ?>
<div class="view-switch">
<a href="<?php echo clean_url(add_query_arg('mode', 'list', $_SERVER['REQUEST_URI'])) ?>"><img <?php if ( 'list' == $mode ) echo 'class="current"'; ?> id="view-switch-list" src="../wp-includes/images/blank.gif" width="20" height="20" title="<?php _e('List View') ?>" alt="<?php _e('List View') ?>" /></a>
<a href="<?php echo clean_url(add_query_arg('mode', 'excerpt', $_SERVER['REQUEST_URI'])) ?>"><img <?php if ( 'excerpt' == $mode ) echo 'class="current"'; ?> id="view-switch-excerpt" src="../wp-includes/images/blank.gif" width="20" height="20" title="<?php _e('Excerpt View') ?>" alt="<?php _e('Excerpt View') ?>" /></a>
<a href="<?php echo esc_url(add_query_arg('mode', 'list', $_SERVER['REQUEST_URI'])) ?>"><img <?php if ( 'list' == $mode ) echo 'class="current"'; ?> id="view-switch-list" src="../wp-includes/images/blank.gif" width="20" height="20" title="<?php _e('List View') ?>" alt="<?php _e('List View') ?>" /></a>
<a href="<?php echo esc_url(add_query_arg('mode', 'excerpt', $_SERVER['REQUEST_URI'])) ?>"><img <?php if ( 'excerpt' == $mode ) echo 'class="current"'; ?> id="view-switch-excerpt" src="../wp-includes/images/blank.gif" width="20" height="20" title="<?php _e('Excerpt View') ?>" alt="<?php _e('Excerpt View') ?>" /></a>
</div>
<div class="clear"></div>


@ -186,7 +186,7 @@ class LJ_API_Import {
<p class="submit">
<input type="submit" class="button-primary" value="<?php esc_attr_e( 'Continue previous import' ) ?>" />
</p>
<p class="submitbox"><a href="<?php echo clean_url($_SERVER['PHP_SELF'] . '?import=livejournal&amp;step=-1&amp;_wpnonce=' . wp_create_nonce( 'lj-api-import' ) . '&amp;_wp_http_referer=' . esc_attr( $_SERVER['REQUEST_URI'] )) ?>" class="deletion submitdelete"><?php _e( 'Cancel &amp; start a new import' ) ?></a></p>
<p class="submitbox"><a href="<?php echo esc_url($_SERVER['PHP_SELF'] . '?import=livejournal&amp;step=-1&amp;_wpnonce=' . wp_create_nonce( 'lj-api-import' ) . '&amp;_wp_http_referer=' . esc_attr( $_SERVER['REQUEST_URI'] )) ?>" class="deletion submitdelete"><?php _e( 'Cancel &amp; start a new import' ) ?></a></p>
<p>
<?php else : ?>
<input type="hidden" name="step" value="1" />
@ -724,7 +724,7 @@ class LJ_API_Import {
if ( empty( $this->username ) || empty( $this->password ) ) {
?>
<p><?php _e( 'Please enter your LiveJournal username <em>and</em> password so we can download your posts and comments.' ) ?></p>
<p><a href="<?php echo clean_url($_SERVER['PHP_SELF'] . '?import=livejournal&amp;step=-1&amp;_wpnonce=' . wp_create_nonce( 'lj-api-import' ) . '&amp;_wp_http_referer=' . esc_attr( str_replace( '&step=1', '', $_SERVER['REQUEST_URI'] ) ) ) ?>"><?php _e( 'Start again' ) ?></a></p>
<p><a href="<?php echo esc_url($_SERVER['PHP_SELF'] . '?import=livejournal&amp;step=-1&amp;_wpnonce=' . wp_create_nonce( 'lj-api-import' ) . '&amp;_wp_http_referer=' . esc_attr( str_replace( '&step=1', '', $_SERVER['REQUEST_URI'] ) ) ) ?>"><?php _e( 'Start again' ) ?></a></p>
<?php
return false;
}
@ -736,7 +736,7 @@ class LJ_API_Import {
delete_option( 'ljapi_protected_password' );
?>
<p><?php _e( 'Logging in to LiveJournal failed. Check your username and password and try again.' ) ?></p>
<p><a href="<?php echo clean_url($_SERVER['PHP_SELF'] . '?import=livejournal&amp;step=-1&amp;_wpnonce=' . wp_create_nonce( 'lj-api-import' ) . '&amp;_wp_http_referer=' . esc_attr( str_replace( '&step=1', '', $_SERVER['REQUEST_URI'] ) ) ) ?>"><?php _e( 'Start again' ) ?></a></p>
<p><a href="<?php echo esc_url($_SERVER['PHP_SELF'] . '?import=livejournal&amp;step=-1&amp;_wpnonce=' . wp_create_nonce( 'lj-api-import' ) . '&amp;_wp_http_referer=' . esc_attr( str_replace( '&step=1', '', $_SERVER['REQUEST_URI'] ) ) ) ?>"><?php _e( 'Start again' ) ?></a></p>
<?php
return false;
} else {
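Review bot: In the href built on the new `esc_url($_SERVER['PHP_SELF'] . '?import=livejournal&amp;...` line, the `_wp_http_referer` value is inserted with `esc_attr( $_SERVER['REQUEST_URI'] )`, which HTML-escapes but does not URL-encode, so any `&` or `=` in the current request URI splits the referer into extra query parameters and truncates the value carried across. The query-string position needs `urlencode( $_SERVER['REQUEST_URI'] )`, with esc_url() still applied to the whole href as the commit does. The same construction appears in the two later hunks of this file (the 'Start again' links), where `str_replace( '&step=1', '', ... )` is applied to the same unencoded value. The surrounding method bodies start outside these hunks.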


@ -30,10 +30,10 @@ function edit_link( $link_id = '' ) {
wp_die( __( 'Cheatin&#8217; uh?' ));
$_POST['link_url'] = esc_html( $_POST['link_url'] );
$_POST['link_url'] = clean_url($_POST['link_url']);
$_POST['link_url'] = esc_url($_POST['link_url']);
$_POST['link_name'] = esc_html( $_POST['link_name'] );
$_POST['link_image'] = esc_html( $_POST['link_image'] );
$_POST['link_rss'] = clean_url($_POST['link_rss']);
$_POST['link_rss'] = esc_url($_POST['link_rss']);
if ( !isset($_POST['link_visible']) || 'N' != $_POST['link_visible'] )
$_POST['link_visible'] = 'Y';
@ -54,7 +54,7 @@ function edit_link( $link_id = '' ) {
*/
function get_default_link_to_edit() {
if ( isset( $_GET['linkurl'] ) )
$link->link_url = clean_url( $_GET['linkurl']);
$link->link_url = esc_url( $_GET['linkurl']);
else
$link->link_url = '';
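Review bot: `$_POST['link_url'] = esc_url($_POST['link_url']);` and the matching `link_rss` line in edit_link() escape for HTML display, but these look like the values edit_link() goes on to persist (the rest of the function is outside the hunk), so the stored URL would carry display entities — and the preceding `esc_html()` on `link_url` means the same value is escaped twice in a row. For data being saved, `esc_url_raw()` — the non-display variant this commit introduces — is the right call, with `esc_url()` applied where the link is rendered; confirm against the save path. In get_default_link_to_edit(), `$link->link_url = esc_url( $_GET['linkurl']);` assigns a property on `$link` before anything in the visible function body initialises it; if nothing above sets it, add `$link = new stdClass;` as the first statement.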


@ -932,7 +932,7 @@ class Theme_Installer_Skin extends WP_Upgrader_Skin {
$stylesheet = $this->upgrader->result['destination_name'];
$template = !empty($theme_info['Template']) ? $theme_info['Template'] : $stylesheet;
$preview_link = htmlspecialchars( add_query_arg( array('preview' => 1, 'template' => $template, 'stylesheet' => $stylesheet, 'TB_iframe' => 'true' ), trailingslashit(clean_url(get_option('home'))) ) );
$preview_link = htmlspecialchars( add_query_arg( array('preview' => 1, 'template' => $template, 'stylesheet' => $stylesheet, 'TB_iframe' => 'true' ), trailingslashit(esc_url(get_option('home'))) ) );
$activate_link = wp_nonce_url("themes.php?action=activate&amp;template=" . urlencode($template) . "&amp;stylesheet=" . urlencode($stylesheet), 'switch-theme_' . $template);
$install_actions = array(
@ -991,7 +991,7 @@ class Theme_Upgrader_Skin extends WP_Upgrader_Skin {
$stylesheet = $this->upgrader->result['destination_name'];
$template = !empty($theme_info['Template']) ? $theme_info['Template'] : $stylesheet;
$preview_link = htmlspecialchars( add_query_arg( array('preview' => 1, 'template' => $template, 'stylesheet' => $stylesheet, 'TB_iframe' => 'true' ), trailingslashit(clean_url(get_option('home'))) ) );
$preview_link = htmlspecialchars( add_query_arg( array('preview' => 1, 'template' => $template, 'stylesheet' => $stylesheet, 'TB_iframe' => 'true' ), trailingslashit(esc_url(get_option('home'))) ) );
$activate_link = wp_nonce_url("themes.php?action=activate&amp;template=" . urlencode($template) . "&amp;stylesheet=" . urlencode($stylesheet), 'switch-theme_' . $template);
$update_actions = array(
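Review bot: `trailingslashit(esc_url(get_option('home')))` on the new `$preview_link` line feeds display-escaped output into add_query_arg() and then htmlspecialchars(), so any `&` or `'` in the home URL is HTML-escaped twice and add_query_arg() is parsing an entity-encoded string rather than a URL. Since htmlspecialchars() already handles the attribute context, the inner call should be the raw variant: `trailingslashit(esc_url_raw(get_option('home')))`. The identical line appears in the Theme_Upgrader_Skin hunk of this section. Both enclosing methods start and end outside the hunks.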


@ -89,7 +89,7 @@ function get_comment_to_edit( $id ) {
$comment->comment_author = format_to_edit( $comment->comment_author );
$comment->comment_author_email = format_to_edit( $comment->comment_author_email );
$comment->comment_author_url = clean_url($comment->comment_author_url);
$comment->comment_author_url = esc_url($comment->comment_author_url);
$comment->comment_author_url = format_to_edit( $comment->comment_author_url );
return $comment;
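Review bot: `$comment->comment_author_url = esc_url($comment->comment_author_url);` is immediately followed by `format_to_edit()` on the same field, so the URL is escaped for display and then escaped again for the edit form; a `&` in a commenter's URL would reach the textbox double-encoded, assuming format_to_edit() HTML-escapes as core's version does — confirm. Either drop the esc_url() step and let format_to_edit() do the escaping, or use `esc_url_raw()` here so only one display escape is applied. get_comment_to_edit() starts outside the hunk.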


@ -115,12 +115,12 @@ function wp_add_dashboard_widget( $widget_id, $widget_name, $callback, $control_
$wp_dashboard_control_callbacks[$widget_id] = $control_callback;
if ( isset( $_GET['edit'] ) && $widget_id == $_GET['edit'] ) {
list($url) = explode( '#', add_query_arg( 'edit', false ), 2 );
$widget_name .= ' <span class="postbox-title-action"><a href="' . clean_url( $url ) . '">' . __( 'Cancel' ) . '</a></span>';
$widget_name .= ' <span class="postbox-title-action"><a href="' . esc_url( $url ) . '">' . __( 'Cancel' ) . '</a></span>';
add_meta_box( $widget_id, $widget_name, '_wp_dashboard_control_callback', 'dashboard', 'normal', 'core' );
return;
}
list($url) = explode( '#', add_query_arg( 'edit', $widget_id ), 2 );
$widget_name .= ' <span class="postbox-title-action"><a href="' . clean_url( "$url#$widget_id" ) . '" class="edit-box open-box">' . __( 'Configure' ) . '</a></span>';
$widget_name .= ' <span class="postbox-title-action"><a href="' . esc_url( "$url#$widget_id" ) . '" class="edit-box open-box">' . __( 'Configure' ) . '</a></span>';
}
$side_widgets = array('dashboard_quick_press', 'dashboard_recent_drafts', 'dashboard_primary', 'dashboard_secondary');
$location = 'normal';
@ -357,14 +357,14 @@ function wp_dashboard_quick_press() {
$drafts = false;
if ( 'post' === strtolower( $_SERVER['REQUEST_METHOD'] ) && isset( $_POST['action'] ) && 0 === strpos( $_POST['action'], 'post-quickpress' ) && (int) $_POST['post_ID'] ) {
$view = get_permalink( $_POST['post_ID'] );
$edit = clean_url( get_edit_post_link( $_POST['post_ID'] ) );
$edit = esc_url( get_edit_post_link( $_POST['post_ID'] ) );
if ( 'post-quickpress-publish' == $_POST['action'] ) {
if ( current_user_can('publish_posts') )
printf( '<div class="message"><p>' . __( 'Post Published. <a href="%s">View post</a> | <a href="%s">Edit post</a>' ) . '</p></div>', clean_url( $view ), $edit );
printf( '<div class="message"><p>' . __( 'Post Published. <a href="%s">View post</a> | <a href="%s">Edit post</a>' ) . '</p></div>', esc_url( $view ), $edit );
else
printf( '<div class="message"><p>' . __( 'Post submitted. <a href="%s">Preview post</a> | <a href="%s">Edit post</a>' ) . '</p></div>', clean_url( add_query_arg( 'preview', 1, $view ) ), $edit );
printf( '<div class="message"><p>' . __( 'Post submitted. <a href="%s">Preview post</a> | <a href="%s">Edit post</a>' ) . '</p></div>', esc_url( add_query_arg( 'preview', 1, $view ) ), $edit );
} else {
printf( '<div class="message"><p>' . __( 'Draft Saved. <a href="%s">Preview post</a> | <a href="%s">Edit post</a>' ) . '</p></div>', clean_url( add_query_arg( 'preview', 1, $view ) ), $edit );
printf( '<div class="message"><p>' . __( 'Draft Saved. <a href="%s">Preview post</a> | <a href="%s">Edit post</a>' ) . '</p></div>', esc_url( add_query_arg( 'preview', 1, $view ) ), $edit );
$drafts_query = new WP_Query( array(
'post_type' => 'post',
'post_status' => 'draft',
@ -384,7 +384,7 @@ function wp_dashboard_quick_press() {
$post = get_default_post_to_edit();
?>
<form name="post" action="<?php echo clean_url( admin_url( 'post.php' ) ); ?>" method="post" id="quick-press">
<form name="post" action="<?php echo esc_url( admin_url( 'post.php' ) ); ?>" method="post" id="quick-press">
<h4 id="quick-post-title"><label for="title"><?php _e('Title') ?></label></h4>
<div class="input-text-wrap">
<input type="text" name="post_title" id="title" tabindex="1" autocomplete="off" value="<?php echo esc_attr( $post->post_title ); ?>" />
@ -525,12 +525,12 @@ function _wp_dashboard_recent_comments_row( &$comment, $show_date = true ) {
$comment_post_url = get_edit_post_link( $comment->comment_post_ID );
$comment_post_title = strip_tags(get_the_title( $comment->comment_post_ID ));
$comment_post_link = "<a href='$comment_post_url'>$comment_post_title</a>";
$comment_link = '<a class="comment-link" href="' . clean_url(get_comment_link()) . '">#</a>';
$comment_link = '<a class="comment-link" href="' . esc_url(get_comment_link()) . '">#</a>';
$delete_url = clean_url( wp_nonce_url( "comment.php?action=deletecomment&p=$comment->comment_post_ID&c=$comment->comment_ID", "delete-comment_$comment->comment_ID" ) );
$approve_url = clean_url( wp_nonce_url( "comment.php?action=approvecomment&p=$comment->comment_post_ID&c=$comment->comment_ID", "approve-comment_$comment->comment_ID" ) );
$unapprove_url = clean_url( wp_nonce_url( "comment.php?action=unapprovecomment&p=$comment->comment_post_ID&c=$comment->comment_ID", "unapprove-comment_$comment->comment_ID" ) );
$spam_url = clean_url( wp_nonce_url( "comment.php?action=deletecomment&dt=spam&p=$comment->comment_post_ID&c=$comment->comment_ID", "delete-comment_$comment->comment_ID" ) );
$delete_url = esc_url( wp_nonce_url( "comment.php?action=deletecomment&p=$comment->comment_post_ID&c=$comment->comment_ID", "delete-comment_$comment->comment_ID" ) );
$approve_url = esc_url( wp_nonce_url( "comment.php?action=approvecomment&p=$comment->comment_post_ID&c=$comment->comment_ID", "approve-comment_$comment->comment_ID" ) );
$unapprove_url = esc_url( wp_nonce_url( "comment.php?action=unapprovecomment&p=$comment->comment_post_ID&c=$comment->comment_ID", "unapprove-comment_$comment->comment_ID" ) );
$spam_url = esc_url( wp_nonce_url( "comment.php?action=deletecomment&dt=spam&p=$comment->comment_post_ID&c=$comment->comment_ID", "delete-comment_$comment->comment_ID" ) );
$actions = array();
@ -641,10 +641,10 @@ function wp_dashboard_incoming_links_output() {
$link = '';
$content = '';
$date = '';
$link = clean_url( strip_tags( $item->get_link() ) );
$link = esc_url( strip_tags( $item->get_link() ) );
$author = $item->get_author();
$site_link = clean_url( strip_tags( $author->get_link() ) );
$site_link = esc_url( strip_tags( $author->get_link() ) );
if ( !$publisher = esc_html( strip_tags( $author->get_name() ) ) )
$publisher = __( 'Somebody' );
@ -780,7 +780,7 @@ function wp_dashboard_plugins_output() {
list($link, $frag) = explode( '#', $item->get_link() );
$link = clean_url($link);
$link = esc_url($link);
if ( preg_match( '|/([^/]+?)/?$|', $link, $matches ) )
$slug = $matches[1];
else {


@ -77,7 +77,7 @@ function the_media_upload_tabs() {
if ( $current == $callback )
$class = " class='current'";
$href = add_query_arg(array('tab'=>$callback, 's'=>false, 'paged'=>false, 'post_mime_type'=>false, 'm'=>false));
$link = "<a href='" . clean_url($href) . "'$class>$text</a>";
$link = "<a href='" . esc_url($href) . "'$class>$text</a>";
echo "\t<li id='" . esc_attr("tab-$callback") . "'>$link</li>\n";
}
echo "</ul>\n";
@ -107,7 +107,7 @@ function get_image_send_to_editor($id, $alt, $title, $align, $url='', $rel = fal
$rel = $rel ? ' rel="attachment wp-att-' . esc_attr($id).'"' : '';
if ( $url )
$html = '<a href="' . clean_url($url) . "\"$rel>$html</a>";
$html = '<a href="' . esc_url($url) . "\"$rel>$html</a>";
$html = apply_filters( 'image_send_to_editor', $html, $id, $alt, $title, $align, $url, $size );
@ -1745,7 +1745,7 @@ if ( empty($_GET['post_mime_type']) || $_GET['post_mime_type'] == 'all' )
$class = ' class="current"';
else
$class = '';
$type_links[] = "<li><a href='" . clean_url(add_query_arg(array('post_mime_type'=>'all', 'paged'=>false, 'm'=>false))) . "'$class>".__('All Types')."</a>";
$type_links[] = "<li><a href='" . esc_url(add_query_arg(array('post_mime_type'=>'all', 'paged'=>false, 'm'=>false))) . "'$class>".__('All Types')."</a>";
foreach ( $post_mime_types as $mime_type => $label ) {
$class = '';
@ -1755,7 +1755,7 @@ foreach ( $post_mime_types as $mime_type => $label ) {
if ( isset($_GET['post_mime_type']) && wp_match_mime_types($mime_type, $_GET['post_mime_type']) )
$class = ' class="current"';
$type_links[] = "<li><a href='" . clean_url(add_query_arg(array('post_mime_type'=>$mime_type, 'paged'=>false))) . "'$class>" . sprintf(_n($label[2][0], $label[2][1], $num_posts[$mime_type]), "<span id='$mime_type-counter'>" . number_format_i18n( $num_posts[$mime_type] ) . '</span>') . '</a>';
$type_links[] = "<li><a href='" . esc_url(add_query_arg(array('post_mime_type'=>$mime_type, 'paged'=>false))) . "'$class>" . sprintf(_n($label[2][0], $label[2][1], $num_posts[$mime_type]), "<span id='$mime_type-counter'>" . number_format_i18n( $num_posts[$mime_type] ) . '</span>') . '</a>';
}
echo implode(' | </li>', $type_links) . '</li>';
unset($type_links);
@ -2059,7 +2059,7 @@ add_filter('flash_uploader', 'media_upload_use_flash');
*/
function media_upload_flash_bypass() {
echo '<p class="upload-flash-bypass">';
printf( __('You are using the Flash uploader. Problems? Try the <a href="%s">Browser uploader</a> instead.'), clean_url(add_query_arg('flash', 0)) );
printf( __('You are using the Flash uploader. Problems? Try the <a href="%s">Browser uploader</a> instead.'), esc_url(add_query_arg('flash', 0)) );
echo '</p>';
}
@ -2074,7 +2074,7 @@ function media_upload_html_bypass($flash = true) {
if ( $flash ) {
// the user manually selected the browser uploader, so let them switch back to Flash
echo ' ';
printf( __('Try the <a href="%s">Flash uploader</a> instead.'), clean_url(add_query_arg('flash', 1)) );
printf( __('Try the <a href="%s">Flash uploader</a> instead.'), esc_url(add_query_arg('flash', 1)) );
}
echo "</p>\n";
}


@ -138,7 +138,7 @@ function install_dashboard() {
$tags = array();
foreach ( (array)$api_tags as $tag )
$tags[ $tag['name'] ] = (object) array(
'link' => clean_url( admin_url('plugin-install.php?tab=search&type=tag&s=' . urlencode($tag['name'])) ),
'link' => esc_url( admin_url('plugin-install.php?tab=search&type=tag&s=' . urlencode($tag['name'])) ),
'name' => $tag['name'],
'id' => sanitize_title_with_dashes($tag['name']),
'count' => $tag['count'] );
@ -273,7 +273,7 @@ function display_plugins_table($plugins, $page = 1, $totalpages = 1){
<?php do_action('install_plugins_table_header'); ?>
</div>
<?php
$url = clean_url($_SERVER['REQUEST_URI']);
$url = esc_url($_SERVER['REQUEST_URI']);
if ( ! empty($term) )
$url = add_query_arg('s', $term, $url);
if ( ! empty($type) )
@ -427,7 +427,7 @@ function install_plugin_information() {
$class = ( $section_name == $section ) ? ' class="current"' : '';
$href = add_query_arg( array('tab' => $tab, 'section' => $section_name) );
$href = clean_url($href);
$href = esc_url($href);
$san_title = esc_attr(sanitize_title_with_dashes($title));
echo "\t<li><a name='$san_title' target='' href='$href'$class>$title</a></li>\n";
}
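Review bot: `$url = esc_url($_SERVER['REQUEST_URI']);` in display_plugins_table() escapes for HTML output and then hands the result to `add_query_arg('s', $term, $url)`, which expects a raw URL: esc_url rewrites the `&` between existing query parameters as an entity, and if add_query_arg() treats the `#` in that entity as the start of a fragment (as I believe it does), every parameter after the first is silently dropped from the built links — confirm against add_query_arg. Escape once, at output: `$url = esc_url_raw($_SERVER['REQUEST_URI']);` here and `esc_url()` where the finished link is echoed (outside the hunk). The same pattern is on the `$url = esc_url($_SERVER['REQUEST_URI']);` line of display_themes() in the theme-install section. All three enclosing functions start and end outside their hunks.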


@ -333,7 +333,7 @@ function get_default_post_to_edit() {
else if ( !empty( $post_title ) ) {
$text = esc_html( stripslashes( urldecode( $_REQUEST['text'] ) ) );
$text = funky_javascript_fix( $text);
$popupurl = clean_url($_REQUEST['popupurl']);
$popupurl = esc_url($_REQUEST['popupurl']);
$post_content = '<a href="'.$popupurl.'">'.$post_title.'</a>'."\n$text";
}


@ -1897,7 +1897,7 @@ function user_row( $user_object, $style = '', $role = '' ) {
if ($current_user->ID == $user_object->ID) {
$edit_link = 'profile.php';
} else {
$edit_link = clean_url( add_query_arg( 'wp_http_referer', urlencode( clean_url( stripslashes( $_SERVER['REQUEST_URI'] ) ) ), "user-edit.php?user_id=$user_object->ID" ) );
$edit_link = esc_url( add_query_arg( 'wp_http_referer', urlencode( esc_url( stripslashes( $_SERVER['REQUEST_URI'] ) ) ), "user-edit.php?user_id=$user_object->ID" ) );
}
$edit = "<strong><a href=\"$edit_link\">$user_object->user_login</a></strong><br />";
@ -2092,10 +2092,10 @@ function _wp_comment_row( $comment_id, $mode, $comment_status, $checkbox = true,
else
$ptime = mysql2date(__('Y/m/d \a\t g:i A'), $comment->comment_date );
$delete_url = clean_url( wp_nonce_url( "comment.php?action=deletecomment&p=$post->ID&c=$comment->comment_ID", "delete-comment_$comment->comment_ID" ) );
$approve_url = clean_url( wp_nonce_url( "comment.php?action=approvecomment&p=$post->ID&c=$comment->comment_ID", "approve-comment_$comment->comment_ID" ) );
$unapprove_url = clean_url( wp_nonce_url( "comment.php?action=unapprovecomment&p=$post->ID&c=$comment->comment_ID", "unapprove-comment_$comment->comment_ID" ) );
$spam_url = clean_url( wp_nonce_url( "comment.php?action=deletecomment&dt=spam&p=$post->ID&c=$comment->comment_ID", "delete-comment_$comment->comment_ID" ) );
$delete_url = esc_url( wp_nonce_url( "comment.php?action=deletecomment&p=$post->ID&c=$comment->comment_ID", "delete-comment_$comment->comment_ID" ) );
$approve_url = esc_url( wp_nonce_url( "comment.php?action=approvecomment&p=$post->ID&c=$comment->comment_ID", "approve-comment_$comment->comment_ID" ) );
$unapprove_url = esc_url( wp_nonce_url( "comment.php?action=unapprovecomment&p=$post->ID&c=$comment->comment_ID", "unapprove-comment_$comment->comment_ID" ) );
$spam_url = esc_url( wp_nonce_url( "comment.php?action=deletecomment&dt=spam&p=$post->ID&c=$comment->comment_ID", "delete-comment_$comment->comment_ID" ) );
echo "<tr id='comment-$comment->comment_ID' class='$the_comment_status'>";
$columns = get_column_headers('edit-comments');
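Review bot: On the new `$edit_link` line in user_row(), the inner `esc_url( stripslashes( $_SERVER['REQUEST_URI'] ) )` is display-escaped and then `urlencode()`d into the `wp_http_referer` query value, so HTML entities end up percent-encoded inside the parameter and the referer no longer round-trips to the original URI. The outer esc_url() already covers the attribute context; the inner call should be `esc_url_raw( stripslashes( $_SERVER['REQUEST_URI'] ) )`. Both user_row() and _wp_comment_row() start and end outside the hunks.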


@ -309,9 +309,9 @@ function display_theme($theme, $actions = null, $show_details = true) {
$actions = implode ( ' | ', $actions );
?>
<a class='thickbox thickbox-preview screenshot'
href='<? echo clean_url($preview_link); ?>'
href='<? echo esc_url($preview_link); ?>'
title='<?php echo esc_attr(sprintf(__('Preview &#8220;%s&#8221;'), $name)); ?>'>
<img src='<?php echo clean_url($theme->screenshot_url); ?>' width='150' />
<img src='<?php echo esc_url($theme->screenshot_url); ?>' width='150' />
</a>
<h3><?php echo $name ?></h3>
<span class='action-links'><?php echo $actions ?></span>
@ -374,7 +374,7 @@ function display_themes($themes, $page = 1, $totalpages = 1) {
<div class="tablenav">
<div class="alignleft actions"><?php do_action('install_themes_table_header'); ?></div>
<?php
$url = clean_url($_SERVER['REQUEST_URI']);
$url = esc_url($_SERVER['REQUEST_URI']);
if ( ! empty($term) )
$url = add_query_arg('s', $term, $url);
if ( ! empty($type) )
@ -502,7 +502,7 @@ function install_theme_information() {
?>
<div class='available-theme'>
<img src='<?php echo clean_url($api->screenshot_url) ?>' width='300' class="theme-preview-img" />
<img src='<?php echo esc_url($api->screenshot_url) ?>' width='300' class="theme-preview-img" />
<h3><?php echo $api->name; ?></h3>
<p><?php printf(__('by %s'), $api->author); ?></p>
<p><?php printf(__('Version: %s'), $api->version); ?></p>
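Review bot: `href='<? echo esc_url($preview_link); ?>'` in display_theme() uses the short open tag `<?`, unlike every other block in this section; with short_open_tag disabled the PHP is not executed and the literal text is emitted into the attribute, so the preview link is broken rather than escaped. Change it to `href='<?php echo esc_url($preview_link); ?>'`. In display_themes(), `$url = esc_url($_SERVER['REQUEST_URI']);` is passed to add_query_arg() afterward; escaping for display before building the URL is the wrong order — use `esc_url_raw()` here and `esc_url()` at the point of output. The enclosing functions start and end outside the hunks.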


@ -159,11 +159,11 @@ function wp_plugin_update_row( $file, $plugin_data ) {
echo '<tr><td colspan="5" class="plugin-update">';
if ( ! current_user_can('update_plugins') )
printf( __('There is a new version of %1$s available. <a href="%2$s" class="thickbox" title="%3$s">View version %4$s Details</a>.'), $plugin_name, clean_url($details_url), esc_attr($plugin_name), $r->new_version );
printf( __('There is a new version of %1$s available. <a href="%2$s" class="thickbox" title="%3$s">View version %4$s Details</a>.'), $plugin_name, esc_url($details_url), esc_attr($plugin_name), $r->new_version );
else if ( empty($r->package) )
printf( __('There is a new version of %1$s available. <a href="%2$s" class="thickbox" title="%3$s">View version %4$s Details</a> <em>automatic upgrade unavailable for this plugin</em>.'), $plugin_name, clean_url($details_url), esc_attr($plugin_name), $r->new_version );
printf( __('There is a new version of %1$s available. <a href="%2$s" class="thickbox" title="%3$s">View version %4$s Details</a> <em>automatic upgrade unavailable for this plugin</em>.'), $plugin_name, esc_url($details_url), esc_attr($plugin_name), $r->new_version );
else
printf( __('There is a new version of %1$s available. <a href="%2$s" class="thickbox" title="%3$s">View version %4$s Details</a> or <a href="%5$s">upgrade automatically</a>.'), $plugin_name, clean_url($details_url), esc_attr($plugin_name), $r->new_version, wp_nonce_url('update.php?action=upgrade-plugin&plugin=' . $file, 'upgrade-plugin_' . $file) );
printf( __('There is a new version of %1$s available. <a href="%2$s" class="thickbox" title="%3$s">View version %4$s Details</a> or <a href="%5$s">upgrade automatically</a>.'), $plugin_name, esc_url($details_url), esc_attr($plugin_name), $r->new_version, wp_nonce_url('update.php?action=upgrade-plugin&plugin=' . $file, 'upgrade-plugin_' . $file) );
do_action( "in_plugin_update_message-$file", $plugin_data, $r );


@ -91,7 +91,7 @@ function edit_user( $user_id = 0 ) {
if ( empty ( $_POST['url'] ) || $_POST['url'] == 'http://' ) {
$user->user_url = '';
} else {
$user->user_url = clean_url( trim( $_POST['url'] ));
$user->user_url = esc_url( trim( $_POST['url'] ));
$user->user_url = preg_match('/^(https?|ftps?|mailto|news|irc|gopher|nntp|feed|telnet):/is', $user->user_url) ? $user->user_url : 'http://'.$user->user_url;
}
}
@ -372,7 +372,7 @@ function get_user_to_edit( $user_id ) {
$user = new WP_User( $user_id );
$user->user_login = esc_attr($user->user_login);
$user->user_email = esc_attr($user->user_email);
$user->user_url = clean_url($user->user_url);
$user->user_url = esc_url($user->user_url);
$user->first_name = esc_attr($user->first_name);
$user->last_name = esc_attr($user->last_name);
$user->display_name = esc_attr($user->display_name);
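Review bot: In edit_user(), `$user->user_url = esc_url( trim( $_POST['url'] ));` escapes the submitted URL for HTML display on what looks like the save path (the function continues past the hunk), so the stored value would contain entities and the following scheme regex runs on the escaped form. `esc_url_raw( trim( $_POST['url'] ) )` is the storage-side variant this commit introduces; display escaping is already applied on the way out by get_user_to_edit() in the second hunk, so doing it here as well double-escapes. Confirm against where `$user` is written back.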


@ -169,7 +169,7 @@ function wp_widget_control( $sidebar_args ) {
<div class="widget-top">
<div class="widget-title-action">
<a class="widget-action hide-if-no-js" href="#available-widgets"></a>
<a class="widget-control-edit hide-if-js" href="<?php echo clean_url( add_query_arg( $query_arg ) ); ?>"><span class="edit"><?php _e('Edit'); ?></span><span class="add"><?php _e('Add'); ?></span></a>
<a class="widget-control-edit hide-if-js" href="<?php echo esc_url( add_query_arg( $query_arg ) ); ?>"><span class="edit"><?php _e('Edit'); ?></span><span class="add"><?php _e('Add'); ?></span></a>
</div>
<div class="widget-title"><h4><?php echo $widget_title ?><span class="in-widget-title"></span></h4></div>
</div>


@ -12,7 +12,7 @@ function dvortr( $str ) {
);
}
$j = clean_url( site_url( '/wp-includes/js/jquery/jquery.js' ) );
$j = esc_url( site_url( '/wp-includes/js/jquery/jquery.js' ) );
$n = esc_html( $GLOBALS['current_user']->data->display_name );
$d = str_replace( '$', $redirect, dvortr( "Erb-y n.y ydco dall.b aiacbv Wa ce]-irxajt- dp.u]-$-VIr XajtWzaVv" ) );


@ -84,7 +84,7 @@ case 'edit' :
<?php screen_icon(); ?>
<h2><?php _e( 'Edit Media' ); ?></h2>
<form method="post" action="<?php echo clean_url( remove_query_arg( 'message' ) ); ?>" class="media-upload-form" id="media-single-form">
<form method="post" action="<?php echo esc_url( remove_query_arg( 'message' ) ); ?>" class="media-upload-form" id="media-single-form">
<div class="media-single">
<div id='media-item-<?php echo $att_id; ?>' class='media-item'>
<?php echo get_media_item( $att_id, array( 'toggle' => false, 'send' => false, 'delete' => false, 'show_title' => false, 'errors' => $errors ) ); ?>


@ -134,7 +134,7 @@ if ( !empty($action) ) {
?>
</ul>
<p><?php _e('Are you sure you wish to delete these files?') ?></p>
<form method="post" action="<?php echo clean_url($_SERVER['REQUEST_URI']); ?>" style="display:inline;">
<form method="post" action="<?php echo esc_url($_SERVER['REQUEST_URI']); ?>" style="display:inline;">
<input type="hidden" name="verify-delete" value="1" />
<input type="hidden" name="action" value="delete-selected" />
<?php
@ -144,7 +144,7 @@ if ( !empty($action) ) {
<?php wp_nonce_field('bulk-manage-plugins') ?>
<input type="submit" name="submit" value="<?php esc_attr_e('Yes, Delete these files') ?>" class="button" />
</form>
<form method="post" action="<?php echo clean_url(wp_get_referer()); ?>" style="display:inline;">
<form method="post" action="<?php echo esc_url(wp_get_referer()); ?>" style="display:inline;">
<input type="submit" name="submit" value="<?php esc_attr_e('No, Return me to the plugin list') ?>" class="button" />
</form>


@ -97,7 +97,7 @@ if ( ! empty($selection) ) {
$selection = preg_replace('/(\r?\n|\r)/', '</p><p>', $selection);
$selection = '<p>'.str_replace('<p></p>', '', $selection).'</p>';
}
$url = isset($_GET['u']) ? clean_url($_GET['u']) : '';
$url = isset($_GET['u']) ? esc_url($_GET['u']) : '';
$image = isset($_GET['i']) ? $_GET['i'] : '';
if ( !empty($_REQUEST['ajax']) ) {
@ -140,7 +140,7 @@ switch ($_REQUEST['ajax']) {
</div>
<p class="centered"><input type="hidden" name="this_photo" value="<?php echo esc_attr($image); ?>" id="this_photo" />
<a href="#" class="select"><img src="<?php echo clean_url($image); ?>" alt="<?php echo esc_attr(__('Click to insert.')); ?>" title="<?php echo esc_attr(__('Click to insert.')); ?>" /></a></p>
<a href="#" class="select"><img src="<?php echo esc_url($image); ?>" alt="<?php echo esc_attr(__('Click to insert.')); ?>" title="<?php echo esc_attr(__('Click to insert.')); ?>" /></a></p>
<p id="options"><a href="#" class="select button"><?php _e('Insert Image'); ?></a> <a href="#" class="cancel button"><?php _e('Cancel'); ?></a></p>
@ -205,7 +205,7 @@ switch ($_REQUEST['ajax']) {
$src = 'http://'.str_replace('//','/', $host['host'].'/'.$src);
else
$src = 'http://'.str_replace('//','/', $host['host'].'/'.dirname($host['path']).'/'.$src);
$sources[] = clean_url($src);
$sources[] = esc_url($src);
}
return "'" . implode("','", $sources) . "'";
}
@ -222,7 +222,7 @@ switch ($_REQUEST['ajax']) {
var my_src = eval(
jQuery.ajax({
type: "GET",
url: "<?php echo clean_url($_SERVER['PHP_SELF']); ?>",
url: "<?php echo esc_url($_SERVER['PHP_SELF']); ?>",
cache : false,
async : false,
data: "ajax=photo_images&u=<?php echo urlencode($url); ?>",
@ -233,7 +233,7 @@ switch ($_REQUEST['ajax']) {
var my_src = eval(
jQuery.ajax({
type: "GET",
url: "<?php echo clean_url($_SERVER['PHP_SELF']); ?>",
url: "<?php echo esc_url($_SERVER['PHP_SELF']); ?>",
cache : false,
async : false,
data: "ajax=photo_images&u=<?php echo urlencode($url); ?>",
@ -377,7 +377,7 @@ var ajaxurl = '<?php echo admin_url('admin-ajax.php'); ?>';
jQuery('#extra_fields').show();
switch(tab_name) {
case 'video' :
jQuery('#extra_fields').load('<?php echo clean_url($_SERVER['PHP_SELF']); ?>', { ajax: 'video', s: '<?php echo esc_attr($selection); ?>'}, function() {
jQuery('#extra_fields').load('<?php echo esc_url($_SERVER['PHP_SELF']); ?>', { ajax: 'video', s: '<?php echo esc_attr($selection); ?>'}, function() {
<?php
$content = '';
if ( preg_match("/youtube\.com\/watch/i", $url) ) {
@ -406,7 +406,7 @@ var ajaxurl = '<?php echo admin_url('admin-ajax.php'); ?>';
jQuery.ajax({
type: "GET",
cache : false,
url: "<?php echo clean_url($_SERVER['PHP_SELF']); ?>",
url: "<?php echo esc_url($_SERVER['PHP_SELF']); ?>",
data: "ajax=photo_js&u=<?php echo urlencode($url)?>",
dataType : "script",
success : function() {
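Review bot: `$url = isset($_GET['u']) ? esc_url($_GET['u']) : '';` escapes the submitted URL for HTML display, yet the same `$url` is then fed to non-HTML sinks in this file — `urlencode($url)` inside the three ajax `data:` strings and the `preg_match` host check — so an `&` in the submitted URL reaches those sinks as an HTML entity. Since this commit defines `esc_url()` as the 'display' variant and `esc_url_raw()` as the 'db' variant, the assignment would be better as `$url = isset($_GET['u']) ? esc_url_raw($_GET['u']) : '';` with `esc_url()` applied only at the points where `$url` is printed into markup (those are outside the visible hunks). The same display-escaper-into-a-storage-sink pattern appears in the `setcookie('comment_author_url_' ...)` hunk, in the `siteurl`/`home` cases of `sanitize_option()`, and in the `url`/`package` fields stored by `wp_version_check()`; each of those stores a value rather than rendering it and presumably wants `esc_url_raw()` as well. Values escaped with `esc_url()` at storage time are also re-escaped when later printed (e.g. `esc_url($update->package)` in `list_core_update()`), which only stays harmless if `clean_url()` avoids double-encoding entities — its body is not visible here.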


@ -194,7 +194,7 @@ foreach ( $cols as $col => $theme_name ) {
$stylesheet_dir = $themes[$theme_name]['Stylesheet Dir'];
$template_dir = $themes[$theme_name]['Template Dir'];
$parent_theme = $themes[$theme_name]['Parent Theme'];
$preview_link = clean_url( get_option('home') . '/');
$preview_link = esc_url( get_option('home') . '/');
$preview_link = htmlspecialchars( add_query_arg( array('preview' => 1, 'template' => $template, 'stylesheet' => $stylesheet, 'TB_iframe' => 'true' ), $preview_link ) );
$preview_text = esc_attr( sprintf( __('Preview of &#8220;%s&#8221;'), $title ) );
$tags = $themes[$theme_name]['Tags'];
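Review bot: On the `$preview_link = esc_url( get_option('home') . '/');` line, `esc_url()` only ever sees the bare home URL; the query string appended by `add_query_arg()` on the following line is escaped solely by `htmlspecialchars()`, so two escapers with different rules are stacked and, if the home URL contained an `&`, the `&#038;` emitted by the first would be re-encoded by the second (`htmlspecialchars()` double-encodes by default). Building the full URL first and escaping it once reads more clearly and applies the protocol and character checks to the final href: `$preview_link = esc_url( add_query_arg( array('preview' => 1, 'template' => $template, 'stylesheet' => $stylesheet, 'TB_iframe' => 'true' ), get_option('home') . '/' ) );` replacing both lines. This assumes `add_query_arg()` URL-encodes its values, which cannot be confirmed from this hunk.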


@ -44,7 +44,7 @@ function list_core_update( $update ) {
echo '<input id="upgrade" class="button" type="submit" value="' . esc_attr($submit) . '" name="upgrade" />&nbsp;';
echo '<input name="version" value="'. esc_attr($update->current) .'" type="hidden"/>';
echo '<input name="locale" value="'. esc_attr($update->locale) .'" type="hidden"/>';
echo '<a href="' . clean_url($update->package) . '" class="button">' . $download . '</a>&nbsp;';
echo '<a href="' . esc_url($update->package) . '" class="button">' . $download . '</a>&nbsp;';
if ( 'en_US' != $update->locale )
if ( !isset( $update->dismissed ) || !$update->dismissed )
echo '<input id="dismiss" class="button" type="submit" value="' . esc_attr__('Hide this update') . '" name="dismiss" />';


@ -57,7 +57,7 @@ $step = (int) $step;
switch ( $step ) :
case 0:
$goback = stripslashes( wp_get_referer() );
$goback = clean_url( $goback, null, 'url' );
$goback = esc_url_raw( $goback );
$goback = urlencode( $goback );
?>
<h2><?php _e( 'Database Upgrade Required' ); ?></h2>
@ -73,7 +73,7 @@ switch ( $step ) :
$backto = __get_option( 'home' ) . '/';
else {
$backto = stripslashes( urldecode( $_GET['backto'] ) );
$backto = clean_url( $backto, null, 'url' );
$backto = esc_urlaw( $backto );
}
?>
<h2><?php _e( 'Upgrade Complete' ); ?></h2>
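Review bot: `$backto = esc_urlaw( $backto );` in the second hunk, in the `else` branch that reads `$_GET['backto']`, calls a function that does not exist — the function this commit introduces is `esc_url_raw()`, which the first hunk uses correctly — so any request that reaches that branch with a `backto` parameter fails with an undefined-function fatal error instead of completing the upgrade page. It should read `$backto = esc_url_raw( $backto );`. The enclosing `switch ( $step )` block starts and ends outside the hunk.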


@ -120,7 +120,7 @@ include ('admin-header.php');
<form id="your-profile" action="" method="post">
<?php wp_nonce_field('update-user_' . $user_id) ?>
<?php if ( $wp_http_referer ) : ?>
<input type="hidden" name="wp_http_referer" value="<?php echo clean_url($wp_http_referer); ?>" />
<input type="hidden" name="wp_http_referer" value="<?php echo esc_url($wp_http_referer); ?>" />
<?php endif; ?>
<p>
<input type="hidden" name="from" value="profile" />


@ -81,7 +81,7 @@ if ( !$user->ID ) {
$comment_cookie_lifetime = apply_filters('comment_cookie_lifetime', 30000000);
setcookie('comment_author_' . COOKIEHASH, $comment->comment_author, time() + $comment_cookie_lifetime, COOKIEPATH, COOKIE_DOMAIN);
setcookie('comment_author_email_' . COOKIEHASH, $comment->comment_author_email, time() + $comment_cookie_lifetime, COOKIEPATH, COOKIE_DOMAIN);
setcookie('comment_author_url_' . COOKIEHASH, clean_url($comment->comment_author_url), time() + $comment_cookie_lifetime, COOKIEPATH, COOKIE_DOMAIN);
setcookie('comment_author_url_' . COOKIEHASH, esc_url($comment->comment_author_url), time() + $comment_cookie_lifetime, COOKIEPATH, COOKIE_DOMAIN);
}
$location = empty($_POST['redirect_to']) ? get_comment_link($comment_id) : $_POST['redirect_to'] . '#comment-' . $comment_id;


@ -70,7 +70,7 @@ function _walk_bookmarks($bookmarks, $args = '' ) {
$the_link = '#';
if ( !empty($bookmark->link_url) )
$the_link = clean_url($bookmark->link_url);
$the_link = esc_url($bookmark->link_url);
$desc = esc_attr(sanitize_bookmark_field('link_description', $bookmark->link_description, $bookmark->link_id, 'display'));
$name = esc_attr(sanitize_bookmark_field('link_name', $bookmark->link_name, $bookmark->link_id, 'display'));


@ -659,7 +659,7 @@ function wp_generate_tag_cloud( $tags, $args = '' ) {
foreach ( $tags as $key => $tag ) {
$count = $counts[ $key ];
$tag_link = '#' != $tag->link ? clean_url( $tag->link ) : '#';
$tag_link = '#' != $tag->link ? esc_url( $tag->link ) : '#';
$tag_id = isset($tags[ $key ]->id) ? $tags[ $key ]->id : $key;
$tag_name = $tags[ $key ]->name;
$a[] = "<a href='$tag_link' class='tag-link-$tag_id' title='" . esc_attr( $topic_count_text_callback( $count ) ) . "'$rel style='font-size: " .


@ -115,7 +115,7 @@ class WP_Scripts extends WP_Dependencies {
}
$src = add_query_arg('ver', $ver, $src);
$src = clean_url(apply_filters( 'script_loader_src', $src, $handle ));
$src = esc_url(apply_filters( 'script_loader_src', $src, $handle ));
if ( $this->do_concat )
$this->print_html .= "<script type='text/javascript' src='$src'></script>\n";


@ -102,7 +102,7 @@ class WP_Styles extends WP_Dependencies {
$src = add_query_arg('ver', $ver, $src);
$src = apply_filters( 'style_loader_src', $src, $handle );
return clean_url( $src );
return esc_url( $src );
}
function in_default_dir($src) {


@ -995,9 +995,9 @@ function get_comment_reply_link($args = array(), $comment = null, $post = null)
$link = '';
if ( get_option('comment_registration') && !$user_ID )
$link = '<a rel="nofollow" class="comment-reply-login" href="' . clean_url( wp_login_url( get_permalink() ) ) . '">' . $login_text . '</a>';
$link = '<a rel="nofollow" class="comment-reply-login" href="' . esc_url( wp_login_url( get_permalink() ) ) . '">' . $login_text . '</a>';
else
$link = "<a rel='nofollow' class='comment-reply-link' href='" . clean_url( add_query_arg( 'replytocom', $comment->comment_ID ) ) . "#" . $respond_id . "' onclick='return addComment.moveForm(\"$add_below-$comment->comment_ID\", \"$comment->comment_ID\", \"$respond_id\", \"$post->ID\")'>$reply_text</a>";
$link = "<a rel='nofollow' class='comment-reply-link' href='" . esc_url( add_query_arg( 'replytocom', $comment->comment_ID ) ) . "#" . $respond_id . "' onclick='return addComment.moveForm(\"$add_below-$comment->comment_ID\", \"$comment->comment_ID\", \"$respond_id\", \"$post->ID\")'>$reply_text</a>";
return apply_filters('comment_reply_link', $before . $link . $after, $args, $comment, $post);
}


@ -43,7 +43,7 @@ $filters = array('pre_comment_author_url', 'pre_user_url', 'pre_link_url', 'pre_
foreach ( $filters as $filter ) {
add_filter($filter, 'strip_tags');
add_filter($filter, 'trim');
add_filter($filter, 'sanitize_url');
add_filter($filter, 'esc_url_raw');
add_filter($filter, 'wp_filter_kses');
}
@ -52,7 +52,7 @@ $filters = array('user_url', 'link_url', 'link_image', 'link_rss', 'comment_url'
foreach ( $filters as $filter ) {
add_filter($filter, 'strip_tags');
add_filter($filter, 'trim');
add_filter($filter, 'clean_url');
add_filter($filter, 'esc_url');
add_filter($filter, 'wp_filter_kses');
}


@ -659,7 +659,7 @@ class WP_Widget_Recent_Comments extends WP_Widget {
<?php if ( $title ) echo $before_title . $title . $after_title; ?>
<ul id="recentcomments"><?php
if ( $comments ) : foreach ( (array) $comments as $comment) :
echo '<li class="recentcomments">' . /* translators: comments widget: 1: comment author, 2: post link */ sprintf(_x('%1$s on %2$s', 'widgets'), get_comment_author_link(), '<a href="' . clean_url( get_comment_link($comment->comment_ID) ) . '">' . get_the_title($comment->comment_post_ID) . '</a>') . '</li>';
echo '<li class="recentcomments">' . /* translators: comments widget: 1: comment author, 2: post link */ sprintf(_x('%1$s on %2$s', 'widgets'), get_comment_author_link(), '<a href="' . esc_url( get_comment_link($comment->comment_ID) ) . '">' . get_the_title($comment->comment_post_ID) . '</a>') . '</li>';
endforeach; endif;?></ul>
<?php echo $after_widget; ?>
<?php
@ -730,7 +730,7 @@ class WP_Widget_RSS extends WP_Widget {
$desc = esc_attr(strip_tags(@html_entity_decode($rss->get_description(), ENT_QUOTES, get_option('blog_charset'))));
if ( empty($title) )
$title = htmlentities(strip_tags($rss->get_title()));
$link = clean_url(strip_tags($rss->get_permalink()));
$link = esc_url(strip_tags($rss->get_permalink()));
while ( stristr($link, 'http') != $link )
$link = substr($link, 1);
}
@ -739,7 +739,7 @@ class WP_Widget_RSS extends WP_Widget {
$title = empty($desc) ? __('Unknown Feed') : $desc;
$title = apply_filters('widget_title', $title );
$url = clean_url(strip_tags($url));
$url = esc_url(strip_tags($url));
$icon = includes_url('images/rss.png');
if ( $title )
$title = "<a class='rsswidget' href='$url' title='" . esc_attr(__('Syndicate this content')) ."'><img style='background:orange;color:white;border:none;' width='14' height='14' src='$icon' alt='RSS' /></a> <a class='rsswidget' href='$link' title='$desc'>$title</a>";
@ -813,7 +813,7 @@ function wp_widget_rss_output( $rss, $args = array() ) {
$link = $item->get_link();
while ( stristr($link, 'http') != $link )
$link = substr($link, 1);
$link = clean_url(strip_tags($link));
$link = esc_url(strip_tags($link));
$title = esc_attr(strip_tags($item->get_title()));
if ( empty($title) )
$title = __('Untitled');
@ -879,7 +879,7 @@ function wp_widget_rss_form( $args, $inputs = null ) {
$number = esc_attr( $number );
$title = esc_attr( $title );
$url = clean_url( $url );
$url = esc_url( $url );
$items = (int) $items;
if ( $items < 1 || 20 < $items )
$items = 10;
@ -958,7 +958,7 @@ function wp_widget_rss_process( $widget_rss, $check_feed = true ) {
$items = (int) $widget_rss['items'];
if ( $items < 1 || 20 < $items )
$items = 10;
$url = sanitize_url(strip_tags( $widget_rss['url'] ));
$url = esc_url_raw(strip_tags( $widget_rss['url'] ));
$title = trim(strip_tags( $widget_rss['title'] ));
$show_summary = (int) $widget_rss['show_summary'];
$show_author = (int) $widget_rss['show_author'];
@ -971,7 +971,7 @@ function wp_widget_rss_process( $widget_rss, $check_feed = true ) {
if ( is_wp_error($rss) ) {
$error = $rss->get_error_message();
} else {
$link = clean_url(strip_tags($rss->get_permalink()));
$link = esc_url(strip_tags($rss->get_permalink()));
while ( stristr($link, 'http') != $link )
$link = substr($link, 1);
}


@ -1001,7 +1001,7 @@ function get_links($category = -1, $before = '', $after = '<br />', $between = '
$output .= get_option('links_recently_updated_prepend');
$the_link = '#';
if ( !empty($row->link_url) )
$the_link = clean_url($row->link_url);
$the_link = esc_url($row->link_url);
$rel = $row->link_rel;
if ( '' != $rel )
$rel = ' rel="' . $rel . '"';


@ -255,7 +255,7 @@ function get_comment_guid($comment_id = null) {
* @since 1.5.0
*/
function comment_link() {
echo clean_url( get_comment_link() );
echo esc_url( get_comment_link() );
}
/**
@ -503,7 +503,7 @@ function prep_atom_text_construct($data) {
function self_link() {
$host = @parse_url(get_option('home'));
$host = $host['host'];
echo clean_url(
echo esc_url(
'http'
. ( (isset($_SERVER['https']) && $_SERVER['https'] == 'on') ? 's' : '' ) . '://'
. $host


@ -1149,7 +1149,7 @@ function antispambot($emailaddy, $mailto=0) {
*/
function _make_url_clickable_cb($matches) {
$url = $matches[2];
$url = clean_url($url);
$url = esc_url($url);
if ( empty($url) )
return $matches[0];
return $matches[1] . "<a href=\"$url\" rel=\"nofollow\">$url</a>";
@ -1171,7 +1171,7 @@ function _make_web_ftp_clickable_cb($matches) {
$ret = '';
$dest = $matches[2];
$dest = 'http://' . $dest;
$dest = clean_url($dest);
$dest = esc_url($dest);
if ( empty($dest) )
return $matches[0];
// removed trailing [,;:] from URL
@ -1988,7 +1988,7 @@ function wp_htmledit_pre($output) {
* Checks and cleans a URL.
*
* A number of characters are removed from the URL. If the URL is for displaying
* (the default behaviour) amperstands are also replaced. The 'clean_url' filter
* (the default behaviour) amperstands are also replaced. The 'esc_url' filter
* is applied to the returned cleaned URL.
*
* @since 1.2.0
@ -2032,9 +2032,47 @@ function clean_url( $url, $protocols = null, $context = 'display' ) {
}
/**
* Performs clean_url() for database usage.
* Checks and cleans a URL.
*
* @see clean_url()
* A number of characters are removed from the URL. If the URL is for displaying
* (the default behaviour) amperstands are also replaced. The 'esc_url' filter
* is applied to the returned cleaned URL.
*
* @since 2.8.0
* @uses esc_url()
* @uses wp_kses_bad_protocol() To only permit protocols in the URL set
* via $protocols or the common ones set in the function.
*
* @param string $url The URL to be cleaned.
* @param array $protocols Optional. An array of acceptable protocols.
* Defaults to 'http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet' if not set.
* @return string The cleaned $url after the 'cleaned_url' filter is applied.
*/
function esc_url( $url, $protocols = null ) {
return clean_url( $url, $protocols, 'display' );
}
/**
* Performs esc_url() for database usage.
*
* @see esc_url()
* @see esc_url()
*
* @since 2.8.0
*
* @param string $url The URL to be cleaned.
* @param array $protocols An array of acceptable protocols.
* @return string The cleaned URL.
*/
function esc_url_raw( $url, $protocols = null ) {
return clean_url( $url, $protocols, 'db' );
}
/**
* Performs esc_url() for database or redirect usage.
*
* @see esc_url()
* @deprecated 2.8.0
*
* @since 2.3.1
*
@ -2280,7 +2318,7 @@ function sanitize_option($option, $value) {
case 'siteurl':
case 'home':
$value = stripslashes($value);
$value = clean_url($value);
$value = esc_url($value);
break;
default :
$value = apply_filters("sanitize_option_{$option}", $value, $option);
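Review bot: The new `esc_url()` docblock in the `@ -2032` hunk is inconsistent with the function it documents: it carries `@uses esc_url()` although the body delegates to `clean_url()`, its description says the 'esc_url' filter is applied while the `@return` line names a 'cleaned_url' filter, and the `esc_url_raw()` docblock below it repeats `@see esc_url()` on two consecutive lines. Suggest `@uses clean_url()` for the first, one hook name used consistently in both places (whichever `clean_url()` actually applies — its body is outside the hunk), and dropping the duplicate `@see`. Since these two wrappers are now the recommended public API, their `@param array $protocols` lines should also state whether `null` means the default list, as the `esc_url()` one does and the `esc_url_raw()` one does not.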


@ -2336,7 +2336,7 @@ function wp_nonce_ays( $action ) {
$title = __( 'WordPress Failure Notice' );
$html = esc_html( wp_explain_nonce( $action ) );
if ( wp_get_referer() )
$html .= "</p><p><a href='" . clean_url( remove_query_arg( 'updated', wp_get_referer() ) ) . "'>" . __( 'Please try again.' ) . "</a>";
$html .= "</p><p><a href='" . esc_url( remove_query_arg( 'updated', wp_get_referer() ) ) . "'>" . __( 'Please try again.' ) . "</a>";
elseif ( 'log-out' == $action )
$html .= "</p><p>" . sprintf( __( "Do you really want to <a href='%s'>log out</a>?"), wp_logout_url() );


@ -141,9 +141,9 @@ function get_search_form() {
*/
function wp_loginout($redirect = '') {
if ( ! is_user_logged_in() )
$link = '<a href="' . clean_url( wp_login_url($redirect) ) . '">' . __('Log in') . '</a>';
$link = '<a href="' . esc_url( wp_login_url($redirect) ) . '">' . __('Log in') . '</a>';
else
$link = '<a href="' . clean_url( wp_logout_url($redirect) ) . '">' . __('Log out') . '</a>';
$link = '<a href="' . esc_url( wp_logout_url($redirect) ) . '">' . __('Log out') . '</a>';
echo apply_filters('loginout', $link);
}
@ -689,7 +689,7 @@ function single_month_title($prefix = '', $display = true ) {
function get_archives_link($url, $text, $format = 'html', $before = '', $after = '') {
$text = wptexturize($text);
$title_text = esc_attr($text);
$url = clean_url($url);
$url = esc_url($url);
if ('link' == $format)
$link_html = "\t<link rel='archives' title='$title_text' href='$url' />\n";
@ -1807,7 +1807,7 @@ function paginate_links( $args = '' ) {
if ( $add_args )
$link = add_query_arg( $add_args, $link );
$link .= $add_fragment;
$page_links[] = "<a class='prev page-numbers' href='" . clean_url($link) . "'>$prev_text</a>";
$page_links[] = "<a class='prev page-numbers' href='" . esc_url($link) . "'>$prev_text</a>";
endif;
for ( $n = 1; $n <= $total; $n++ ) :
$n_display = number_format_i18n($n);
@ -1821,7 +1821,7 @@ function paginate_links( $args = '' ) {
if ( $add_args )
$link = add_query_arg( $add_args, $link );
$link .= $add_fragment;
$page_links[] = "<a class='page-numbers' href='" . clean_url($link) . "'>$n_display</a>";
$page_links[] = "<a class='page-numbers' href='" . esc_url($link) . "'>$n_display</a>";
$dots = true;
elseif ( $dots && !$show_all ) :
$page_links[] = "<span class='page-numbers dots'>...</span>";
@ -1835,7 +1835,7 @@ function paginate_links( $args = '' ) {
if ( $add_args )
$link = add_query_arg( $add_args, $link );
$link .= $add_fragment;
$page_links[] = "<a class='next page-numbers' href='" . clean_url($link) . "'>$next_text</a>";
$page_links[] = "<a class='next page-numbers' href='" . esc_url($link) . "'>$next_text</a>";
endif;
switch ( $type ) :
case 'array' :
@ -1935,9 +1935,9 @@ function wp_admin_css( $file = 'wp-admin', $force_echo = false ) {
return;
}
echo apply_filters( 'wp_admin_css', "<link rel='stylesheet' href='" . clean_url( wp_admin_css_uri( $file ) ) . "' type='text/css' />\n", $file );
echo apply_filters( 'wp_admin_css', "<link rel='stylesheet' href='" . esc_url( wp_admin_css_uri( $file ) ) . "' type='text/css' />\n", $file );
if ( 'rtl' == get_bloginfo( 'text_direction' ) )
echo apply_filters( 'wp_admin_css', "<link rel='stylesheet' href='" . clean_url( wp_admin_css_uri( "$file-rtl" ) ) . "' type='text/css' />\n", "$file-rtl" );
echo apply_filters( 'wp_admin_css', "<link rel='stylesheet' href='" . esc_url( wp_admin_css_uri( "$file-rtl" ) ) . "' type='text/css' />\n", "$file-rtl" );
}
/**


@ -1315,7 +1315,7 @@ function get_next_posts_page_link($max_page = 0) {
* @param boolean $echo Optional. Echo or return;
*/
function next_posts( $max_page = 0, $echo = true ) {
$output = clean_url( get_next_posts_page_link( $max_page ) );
$output = esc_url( get_next_posts_page_link( $max_page ) );
if ( $echo )
echo $output;
@ -1393,7 +1393,7 @@ function get_previous_posts_page_link() {
* @param boolean $echo Optional. Echo or return;
*/
function previous_posts( $echo = true ) {
$output = clean_url( get_previous_posts_page_link() );
$output = esc_url( get_previous_posts_page_link() );
if ( $echo )
echo $output;
@ -1550,7 +1550,7 @@ function get_next_comments_link( $label = '', $max_page = 0 ) {
if ( empty($label) )
$label = __('Newer Comments &raquo;');
return '<a href="' . clean_url( get_comments_pagenum_link( $nextpage, $max_page ) ) . '" ' . apply_filters( 'next_comments_link_attributes', '' ) . '>'. preg_replace('/&([^#])(?![a-z]{1,8};)/', '&#038;$1', $label) .'</a>';
return '<a href="' . esc_url( get_comments_pagenum_link( $nextpage, $max_page ) ) . '" ' . apply_filters( 'next_comments_link_attributes', '' ) . '>'. preg_replace('/&([^#])(?![a-z]{1,8};)/', '&#038;$1', $label) .'</a>';
}
/**
@ -1587,7 +1587,7 @@ function get_previous_comments_link( $label = '' ) {
if ( empty($label) )
$label = __('&laquo; Older Comments');
return '<a href="' . clean_url( get_comments_pagenum_link( $prevpage ) ) . '" ' . apply_filters( 'previous_comments_link_attributes', '' ) . '>' . preg_replace('/&([^#])(?![a-z]{1,8};)/', '&#038;$1', $label) .'</a>';
return '<a href="' . esc_url( get_comments_pagenum_link( $prevpage ) ) . '" ' . apply_filters( 'previous_comments_link_attributes', '' ) . '>' . preg_replace('/&([^#])(?![a-z]{1,8};)/', '&#038;$1', $label) .'</a>';
}
/**


@ -872,7 +872,7 @@ function wp_rss( $url, $num_items = -1 ) {
foreach ( (array) $rss->items as $item ) {
printf(
'<li><a href="%1$s" title="%2$s">%3$s</a></li>',
clean_url( $item['link'] ),
esc_url( $item['link'] ),
esc_attr( strip_tags( $item['description'] ) ),
htmlentities( $item['title'] )
);


@ -185,7 +185,7 @@ function get_theme_data( $theme_file ) {
$name = $theme = '';
if ( preg_match( '|Theme URI:(.*)$|mi', $theme_data, $theme_uri ) )
$theme_uri = clean_url( _cleanup_header_comment($theme_uri[1]) );
$theme_uri = esc_url( _cleanup_header_comment($theme_uri[1]) );
else
$theme_uri = '';
@ -195,7 +195,7 @@ function get_theme_data( $theme_file ) {
$description = '';
if ( preg_match( '|Author URI:(.*)$|mi', $theme_data, $author_uri ) )
$author_uri = clean_url( _cleanup_header_comment($author_uri[1]) );
$author_uri = esc_url( _cleanup_header_comment($author_uri[1]) );
else
$author_uri = '';


@ -67,9 +67,9 @@ function wp_version_check() {
$new_option = new stdClass();
$new_option->response = esc_attr( $returns[0] );
if ( isset( $returns[1] ) )
$new_option->url = clean_url( $returns[1] );
$new_option->url = esc_url( $returns[1] );
if ( isset( $returns[2] ) )
$new_option->package = clean_url( $returns[2] );
$new_option->package = esc_url( $returns[2] );
if ( isset( $returns[3] ) )
$new_option->current = esc_attr( $returns[3] );
if ( isset( $returns[4] ) )


@ -15,6 +15,6 @@ $wp_version = '2.8-beta1-11380';
*
* @global int $wp_db_version
*/
$wp_db_version = 10850;
$wp_db_version = 10851;
?>