Make it more obvious we're escaping values in options.php. fixes #12417

git-svn-id: http://svn.automattic.com/wordpress/trunk@13471 1a063a9b-81f0-0310-95a4-ce76da25c4cd
nacin 2010-02-27 22:50:00 +00:00
parent 9deb08bade
commit 473ef7d459


@ -152,24 +152,23 @@ default:
<div class="wrap">
<?php screen_icon(); ?>
<h2><?php _e('All Settings'); ?></h2>
<h2><?php esc_html_e('All Settings'); ?></h2>
<form name="form" action="options.php" method="post" id="all-options">
<?php wp_nonce_field('options-options') ?>
<input type="hidden" name="action" value="update" />
<input type='hidden' name='option_page' value='options' />
<table class="form-table">
<?php
$options = $wpdb->get_results("SELECT * FROM $wpdb->options ORDER BY option_name");
$options = $wpdb->get_results( "SELECT * FROM $wpdb->options ORDER BY option_name" );
foreach ( (array) $options as $option) :
foreach ( (array) $options as $option ) :
$disabled = '';
$option->option_name = esc_attr($option->option_name);
if ( $option->option_name == '' )
continue;
if ( is_serialized($option->option_value) ) {
if ( is_serialized_string($option->option_value) ) {
if ( is_serialized( $option->option_value ) ) {
if ( is_serialized_string( $option->option_value ) ) {
// this is a serialized string, so we should display it
$value = maybe_unserialize($option->option_value);
$value = maybe_unserialize( $option->option_value );
$options_to_update[] = $option->option_name;
$class = 'all-options';
} else {
@ -182,21 +181,21 @@ foreach ( (array) $options as $option) :
$options_to_update[] = $option->option_name;
$class = 'all-options';
}
$name = esc_attr( $option->option_name );
echo "
<tr>
<th scope='row'><label for='$option->option_name'>$option->option_name</label></th>
<th scope='row'><label for='$'>" . esc_html( $option->option_name ) . "</label></th>
<td>";
if (strpos($value, "\n") !== false) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>" . esc_html($value) . "</textarea>";
else echo "<input class='regular-text $class' type='text' name='$option->option_name' id='$option->option_name' value='" . esc_attr($value) . "'$disabled />";
if ( strpos( $value, "\n" ) !== false )
echo "<textarea class='$class' name='$name' id='$name' cols='30' rows='5'>" . wp_htmledit_pre( $value ) . "</textarea>";
else
echo "<input class='regular-text $class' type='text' name='$name' id='$name' value='" . esc_attr( $value ) . "'$disabled />";
echo "</td>
</tr>";
endforeach;
?>
</table>
<?php $options_to_update = implode(',', $options_to_update); ?>
<p class="submit"><input type="hidden" name="page_options" value="<?php echo esc_attr($options_to_update); ?>" /><input type="submit" name="Update" value="<?php _e('Save Changes') ?>" class="button-primary" /></p>
<p class="submit"><input type="hidden" name="page_options" value="<?php echo esc_attr( implode( ',', $options_to_update ) ); ?>" /><input type="submit" name="Update" value="<?php esc_attr_e( 'Save Changes' ); ?>" class="button-primary" /></p>
</form>
</div>
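Review bot: The label on the `<th scope='row'>` line references `for='$'` while the input and textarea below use `id='$name'`, so the label is no longer tied to its control; unless that is a rendering artifact of this page, the line should read `<th scope='row'><label for='$name'>" . esc_html( $option->option_name ) . "</label></th>`. The textarea branch also swaps `esc_html( $value )` for `wp_htmledit_pre( $value )`; if I recall that helper correctly it escapes only `<`, `>` and `&` (ENT_NOQUOTES) and then runs the `htmledit_pre` filter, so the rendered option value now depends on whatever plugins hook that filter, which deserves a comment such as `// wp_htmledit_pre: escapes < > & only (sufficient for textarea content) and applies the htmledit_pre filter`. As before, `$disabled` is emitted only on the `<input>` branch and not on the textarea, which may be intentional but is easy to miss now that the two branches are split across lines. The enclosing foreach begins before this hunk.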