From 5a76c0320311af7292e3eaede18a22f35bf35255 Mon Sep 17 00:00:00 2001
From: markjaquith
Date: Thu, 21 Dec 2006 10:10:04 +0000
Subject: [PATCH] new function for escaping within attributes: attribute_escape()

git-svn-id: http://svn.automattic.com/wordpress/trunk@4656 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/admin-ajax.php | 6 +-
 wp-admin/admin-functions.php | 48 ++++++++++----------
 wp-admin/bookmarklet.php | 2 +-
 wp-admin/edit-category-form.php | 6 +-
 wp-admin/edit-comments.php | 4 +-
 wp-admin/edit-form-advanced.php | 4 +-
 wp-admin/edit-link-form.php | 2 +-
 wp-admin/edit-page-form.php | 4 +-
 wp-admin/edit-pages.php | 2 +-
 wp-admin/edit.php | 2 +-
 wp-admin/link-manager.php | 6 +-
 wp-admin/options-misc.php | 2 +-
 wp-admin/options-permalink.php | 4 +-
 wp-admin/options.php | 2 +-
 wp-admin/page.php | 2 +-
 wp-admin/post.php | 2 +-
 wp-admin/templates.php | 2 +-
 wp-admin/theme-editor.php | 2 +-
 wp-admin/upgrade.php | 4 +-
 wp-admin/upload-functions.php | 10 ++--
 wp-admin/upload-js.php | 44 +++++++++---------
 wp-admin/upload.php | 2 +-
 wp-admin/user-edit.php | 2 +-
 wp-admin/users.php | 8 ++--
 wp-content/themes/classic/comments-popup.php | 2 +-
 wp-content/themes/default/comments-popup.php | 2 +-
 wp-includes/author-template.php | 4 +-
 wp-includes/bookmark-template.php | 8 ++--
 wp-includes/classes.php | 6 +-
 wp-includes/comment-template.php | 2 +-
 wp-includes/comment.php | 6 +-
 wp-includes/formatting.php | 5 ++
 wp-includes/functions.php | 10 ++--
 wp-includes/general-template.php | 10 ++--
 wp-includes/post-template.php | 6 +-
 wp-links-opml.php | 4 +-
 wp-login.php | 12 ++---
 37 files changed, 126 insertions(+), 123 deletions(-)

diff --git a/wp-admin/admin-ajax.php b/wp-admin/admin-ajax.php
index 67fe5a9979..ecd13bbd78 100644
--- a/wp-admin/admin-ajax.php
+++ b/wp-admin/admin-ajax.php
@@ -13,9 +13,9 @@ function get_out_now() { exit; } add_action( 'shutdown', 'get_out_now', -1 ); function wp_ajax_meta_row( $pid, $mid, $key, $value ) { - $value = wp_specialchars($value, true); + $value = attribute_escape($value); $key_js = addslashes(wp_specialchars($key, 'double')); - $key = wp_specialchars($key, true); + $key = attribute_escape($key); $r .= ""; $r .= ""; $r .= ""; @@ -141,7 +141,7 @@ case 'add-cat' : // From Manage->Categories $cat_full_name = $_cat->cat_name . ' — ' . $cat_full_name; $level++; } - $cat_full_name = wp_specialchars( $cat_full_name, 1 ); + $cat_full_name = attribute_escape( $cat_full_name); $x = new WP_Ajax_Response( array( 'what' => 'cat', diff --git a/wp-admin/admin-functions.php b/wp-admin/admin-functions.php index a50675029d..6a2f6ee32e 100644 --- a/wp-admin/admin-functions.php +++ b/wp-admin/admin-functions.php @@ -323,7 +323,7 @@ function get_default_post_to_edit() { else if ( !empty( $post_title ) ) { $text = wp_specialchars( stripslashes( urldecode( $_REQUEST['text'] ) ) ); $text = funky_javascript_fix( $text); - $popupurl = wp_specialchars( $_REQUEST['popupurl'] ); + $popupurl = attribute_escape($_REQUEST['popupurl']); $post_content = ''.$post_title.''."\n$text"; } 
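Review bot: In wp_ajax_meta_row the JavaScript-side copy of the key is still built as `$key_js = addslashes(wp_specialchars($key, 'double'));`, while the static row renderer list_meta in admin-functions.php (touched by this same patch) derives `$key_js` from `js_escape()`; the two rows for the same meta key are therefore escaped by different rules, so a key containing a single quote or a newline can render differently, or break the inline handler, depending on whether it arrived via AJAX or a page load. addslashes() escapes only quotes, backslashes and NUL, so a newline in the key reaches the script verbatim. Using the same helper here, `$key_js = js_escape( $key );`, keeps the two paths aligned. The `$r .=` lines that consume `$key_js` are stripped in this rendering, so where it is interpolated is inferred, and the function body continues past the end of the hunk.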
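Review bot: In get_default_post_to_edit the new `$popupurl = attribute_escape($_REQUEST['popupurl']);` encodes a request-supplied URL for attribute context but never validates it as a URL, so a value such as `javascript:alert(1)` survives unchanged; if `$popupurl` becomes the href of the anchor assembled into `$post_content` on the next line (the markup is stripped in this rendering, so that is inferred), it is stored in the post as a live link. The neighbouring `$_REQUEST['text']` is run through stripslashes() before escaping while `$_REQUEST['popupurl']` is not, so if this path runs with magic-quotes-style slashing, as that stripslashes() suggests, a URL containing a quote keeps a literal backslash. Restricting the scheme before escaping covers both: `$popupurl = stripslashes( $_REQUEST['popupurl'] );` followed by `$popupurl = preg_match( '#^https?://#i', $popupurl ) ? attribute_escape( $popupurl ) : '';`. The enclosing function starts outside the hunk.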
@@ -380,16 +380,16 @@ function wp_dropdown_roles( $default = false ) { function get_user_to_edit( $user_id ) { $user = new WP_User( $user_id ); - $user->user_login = wp_specialchars( $user->user_login, 1 ); - $user->user_email = wp_specialchars( $user->user_email, 1 ); - $user->user_url = wp_specialchars( $user->user_url, 1 ); - $user->first_name = wp_specialchars( $user->first_name, 1 ); - $user->last_name = wp_specialchars( $user->last_name, 1 ); - $user->display_name = wp_specialchars( $user->display_name, 1 ); - $user->nickname = wp_specialchars( $user->nickname, 1 ); - $user->aim = wp_specialchars( $user->aim, 1 ); - $user->yim = wp_specialchars( $user->yim, 1 ); - $user->jabber = wp_specialchars( $user->jabber, 1 ); + $user->user_login = attribute_escape( $user->user_login); + $user->user_email = attribute_escape( $user->user_email); + $user->user_url = attribute_escape( $user->user_url); + $user->first_name = attribute_escape( $user->first_name); + $user->last_name = attribute_escape( $user->last_name); + $user->display_name = attribute_escape( $user->display_name); + $user->nickname = attribute_escape( $user->nickname); + $user->aim = attribute_escape( $user->aim); + $user->yim = attribute_escape( $user->yim); + $user->jabber = attribute_escape( $user->jabber); $user->description = wp_specialchars( $user->description ); return $user; 
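Review bot: The ten replaced lines in get_user_to_edit are written as `attribute_escape( $user->user_login)` — a space after the opening parenthesis and none before the closing one — which matches neither the untouched `wp_specialchars( $user->description )` two lines below nor the compact `attribute_escape($value)` form the same patch uses in admin-ajax.php; the mechanical replacement dropped the closing space, and `attribute_escape( $user->user_login )` is the consistent form. Separately, `user_url` receives exactly the same treatment as a name field, which is correct for pre-filling a quoted `value="…"` but does nothing about a `javascript:` scheme; that is only safe as long as every consumer of the escaped object places it in a quoted attribute rather than an href, which cannot be confirmed from this hunk. The hunk ends at `return $user;`, with the function's closing brace at or beyond its edge.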
@@ -527,13 +527,13 @@ function edit_user( $user_id = 0 ) { function get_link_to_edit( $link_id ) { $link = get_link( $link_id ); - $link->link_url = wp_specialchars( $link->link_url, 1 ); - $link->link_name = wp_specialchars( $link->link_name, 1 ); - $link->link_image = wp_specialchars( $link->link_image, 1 ); - $link->link_description = wp_specialchars( $link->link_description, 1 ); + $link->link_url = attribute_escape( $link->link_url); + $link->link_name = attribute_escape( $link->link_name); + $link->link_image = attribute_escape( $link->link_image); + $link->link_description = attribute_escape( $link->link_description); $link->link_notes = wp_specialchars( $link->link_notes ); - $link->link_rss = wp_specialchars( $link->link_rss, 1 ); - $link->link_rel = wp_specialchars( $link->link_rel, 1 ); + $link->link_rss = attribute_escape( $link->link_rss); + $link->link_rel = attribute_escape( $link->link_rel); $link->post_category = $link->link_category; return $link; @@ -541,12 +541,12 @@ function get_link_to_edit( $link_id ) { function get_default_link_to_edit() { if ( isset( $_GET['linkurl'] ) ) - $link->link_url = wp_specialchars( $_GET['linkurl'], 1 ); + $link->link_url = attribute_escape( $_GET['linkurl']); else $link->link_url = ''; if ( isset( $_GET['name'] ) ) - $link->link_name = wp_specialchars( $_GET['name'], 1 ); + $link->link_name = attribute_escape( $_GET['name']); else $link->link_name = ''; @@ -831,7 +831,7 @@ function user_row( $user_object, $style = '' ) { } $r .= "\n\t\t"; if ( current_user_can( 'edit_user', $user_object->ID ) ) { - $edit_link = wp_specialchars( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), "user-edit.php?user_id=$user_object->ID" ) ); + $edit_link = attribute_escape( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), "user-edit.php?user_id=$user_object->ID" )); $r .= "".__( 'Edit' ).""; } $r .= "\n\t"; 
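Review bot: In get_default_link_to_edit the new `$link->link_url = attribute_escape( $_GET['linkurl']);` assigns a property on `$link` before `$link` is ever initialised (the function opens two lines earlier with no assignment), relying on PHP auto-vivifying a stdClass; that emits a notice on PHP 5/7 and throws an Error on PHP 8, so the function should begin with `$link = new stdClass;`. The query-string URL is also only attribute-escaped and never checked for scheme, so a crafted add-link URL can pre-fill the form with a `javascript:` link that is one click from being saved; rejecting anything that does not match `#^https?://#i` before escaping (falling back to `''`) is the missing step, assuming the form posts this value back unchanged, which lies outside this hunk. The `$_GET['name']` branch has the same shape, and the function continues past the end of the hunk.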
@@ -911,8 +911,8 @@ function list_meta( $meta ) { } $key_js = js_escape( $entry['meta_key'] ); - $entry['meta_key'] = wp_specialchars( $entry['meta_key'], true ); - $entry['meta_value'] = wp_specialchars( $entry['meta_value'], true ); + $entry['meta_key'] = attribute_escape( $entry['meta_key']); + $entry['meta_value'] = attribute_escape( $entry['meta_value']); $r .= "\n\t"; $r .= "\n\t\t"; $r .= "\n\t\t"; @@ -965,7 +965,7 @@ function meta_form() { $key"; } ?> @@ -1992,7 +1992,7 @@ function wp_reset_vars( $vars ) { function wp_remember_old_slug() { global $post; - $name = wp_specialchars($post->post_name); // just in case + $name = attribute_escape($post->post_name); // just in case if ( strlen($name) ) echo ''; } diff --git a/wp-admin/bookmarklet.php b/wp-admin/bookmarklet.php index def516e791..cd2b542c7d 100644 --- a/wp-admin/bookmarklet.php +++ b/wp-admin/bookmarklet.php @@ -37,7 +37,7 @@ else $content = wp_specialchars($_REQUEST['content']); -$popupurl = wp_specialchars($_REQUEST['popupurl']); +$popupurl = attribute_escape($_REQUEST['popupurl']); if ( !empty($content) ) { $post->post_content = wp_specialchars( stripslashes($_REQUEST['content']) ); } else { diff --git a/wp-admin/edit-category-form.php b/wp-admin/edit-category-form.php index 18c9ecc173..4fd49e4f6c 100644 --- a/wp-admin/edit-category-form.php +++ b/wp-admin/edit-category-form.php @@ -26,11 +26,11 @@ if ( ! empty($cat_ID) ) { - + - + @@ -40,7 +40,7 @@ if ( ! empty($cat_ID) ) { - +
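Review bot: In bookmarklet.php the new `$popupurl = attribute_escape($_REQUEST['popupurl']);` takes a URL straight from the request with no scheme check, so a `javascript:` or `data:` value passes through attribute encoding untouched and, if it is emitted as the href of the pre-filled link (the markup is stripped in this rendering, so that is inferred), the escaping does not prevent script execution. The same hunk treats `$content` two different ways — `wp_specialchars($_REQUEST['content'])` for the emptiness test and `wp_specialchars( stripslashes($_REQUEST['content']) )` for the stored value — while `$popupurl` gets neither stripslashes() nor validation. `$popupurl = stripslashes( $_REQUEST['popupurl'] );` followed by `$popupurl = preg_match( '#^https?://#i', $popupurl ) ? attribute_escape( $popupurl ) : '';` brings it in line with the handling of `content`. The surrounding code begins and ends outside the hunk.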

diff --git a/wp-admin/edit-comments.php b/wp-admin/edit-comments.php index bdfb74330f..52b2bc156d 100644 --- a/wp-admin/edit-comments.php +++ b/wp-admin/edit-comments.php @@ -7,7 +7,7 @@ wp_enqueue_script( 'admin-comments' ); require_once('admin-header.php'); if (empty($_GET['mode'])) $mode = 'view'; -else $mode = wp_specialchars($_GET['mode'], 1); +else $mode = attribute_escape($_GET['mode']); ?>
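Review bot: `$mode` is a control value the rest of edit-comments.php branches on, not output, so running `$_GET['mode']` through attribute_escape() on the new line substitutes output encoding for input validation: an unknown or HTML-laden mode is accepted with its quotes entity-encoded, and a later `'edit' == $mode`-style comparison silently fails rather than rejecting the value. Validate against the modes the file actually handles and escape only where the value is printed, e.g. `$mode = ( isset( $_GET['mode'] ) && 'edit' == $_GET['mode'] ) ? 'edit' : 'view';` if edit is the only other mode (the handling code is outside this hunk, so that is inferred). attribute_escape() then belongs at the point where `$mode` is written into a form or link attribute, not here.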