new function for escaping within attributes: attribute_escape()
git-svn-id: http://svn.automattic.com/wordpress/trunk@4656 1a063a9b-81f0-0310-95a4-ce76da25c4cd
parent
deb53f7027
commit
5a76c03203
@ -13,9 +13,9 @@ function get_out_now() { exit; }
|
||||
add_action( 'shutdown', 'get_out_now', -1 );
|
||||
|
||||
function wp_ajax_meta_row( $pid, $mid, $key, $value ) {
|
||||
$value = wp_specialchars($value, true);
|
||||
$value = attribute_escape($value);
|
||||
$key_js = addslashes(wp_specialchars($key, 'double'));
|
||||
$key = wp_specialchars($key, true);
|
||||
$key = attribute_escape($key);
|
||||
$r .= "<tr id='meta-$mid'><td valign='top'>";
|
||||
$r .= "<input name='meta[$mid][key]' tabindex='6' onkeypress='return killSubmit(\"theList.ajaxUpdater('meta','meta-$mid');\",event);' type='text' size='20' value='$key' />";
|
||||
$r .= "</td><td><textarea name='meta[$mid][value]' tabindex='6' rows='2' cols='30'>$value</textarea></td><td align='center'>";
|
||||
@ -141,7 +141,7 @@ case 'add-cat' : // From Manage->Categories
|
||||
$cat_full_name = $_cat->cat_name . ' — ' . $cat_full_name;
|
||||
$level++;
|
||||
}
|
||||
$cat_full_name = wp_specialchars( $cat_full_name, 1 );
|
||||
$cat_full_name = attribute_escape( $cat_full_name);
|
||||
|
||||
$x = new WP_Ajax_Response( array(
|
||||
'what' => 'cat',
|
||||
|
@ -323,7 +323,7 @@ function get_default_post_to_edit() {
|
||||
else if ( !empty( $post_title ) ) {
|
||||
$text = wp_specialchars( stripslashes( urldecode( $_REQUEST['text'] ) ) );
|
||||
$text = funky_javascript_fix( $text);
|
||||
$popupurl = wp_specialchars( $_REQUEST['popupurl'] );
|
||||
$popupurl = attribute_escape($_REQUEST['popupurl']);
|
||||
$post_content = '<a href="'.$popupurl.'">'.$post_title.'</a>'."\n$text";
|
||||
}
|
||||
|
||||
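Review bot: `$popupurl = attribute_escape($_REQUEST['popupurl']);` escapes the raw request value without `stripslashes`, while the `$_REQUEST['text']` line just above strips slashes first and the edit-form hunk later in this commit writes `attribute_escape(stripslashes($_REQUEST['popupurl']))` for the same parameter. Presumably under magic_quotes_gpc the href would keep its added backslashes, and the inconsistency is the real problem either way: `$popupurl = attribute_escape( stripslashes( $_REQUEST['popupurl'] ) );`. The same applies to the bookmarklet hunk (`$popupurl = attribute_escape($_REQUEST['popupurl']);` again) and to `$_GET['linkurl']` / `$_GET['name']` in get_default_link_to_edit, whereas `$_GET['backto']` in the upgrade hunk does get stripped. The enclosing `else if` branch starts outside the hunk.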
@ -380,16 +380,16 @@ function wp_dropdown_roles( $default = false ) {
|
||||
|
||||
function get_user_to_edit( $user_id ) {
|
||||
$user = new WP_User( $user_id );
|
||||
$user->user_login = wp_specialchars( $user->user_login, 1 );
|
||||
$user->user_email = wp_specialchars( $user->user_email, 1 );
|
||||
$user->user_url = wp_specialchars( $user->user_url, 1 );
|
||||
$user->first_name = wp_specialchars( $user->first_name, 1 );
|
||||
$user->last_name = wp_specialchars( $user->last_name, 1 );
|
||||
$user->display_name = wp_specialchars( $user->display_name, 1 );
|
||||
$user->nickname = wp_specialchars( $user->nickname, 1 );
|
||||
$user->aim = wp_specialchars( $user->aim, 1 );
|
||||
$user->yim = wp_specialchars( $user->yim, 1 );
|
||||
$user->jabber = wp_specialchars( $user->jabber, 1 );
|
||||
$user->user_login = attribute_escape( $user->user_login);
|
||||
$user->user_email = attribute_escape( $user->user_email);
|
||||
$user->user_url = attribute_escape( $user->user_url);
|
||||
$user->first_name = attribute_escape( $user->first_name);
|
||||
$user->last_name = attribute_escape( $user->last_name);
|
||||
$user->display_name = attribute_escape( $user->display_name);
|
||||
$user->nickname = attribute_escape( $user->nickname);
|
||||
$user->aim = attribute_escape( $user->aim);
|
||||
$user->yim = attribute_escape( $user->yim);
|
||||
$user->jabber = attribute_escape( $user->jabber);
|
||||
$user->description = wp_specialchars( $user->description );
|
||||
|
||||
return $user;
|
||||
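Review bot: The ten `$user->X = attribute_escape( $user->X);` lines in get_user_to_edit are one statement repeated with a different field name, which makes it easy to miss a field when one is added; a loop reads better and keeps the list in one place: `foreach ( array('user_login', 'user_email', 'user_url', 'first_name', 'last_name', 'display_name', 'nickname', 'aim', 'yim', 'jabber') as $field )` / `$user->$field = attribute_escape( $user->$field );`. The same shape recurs in get_link_to_edit in the next hunk. `$user->description` is deliberately left on plain `wp_specialchars` (presumably because it is rendered as element content, not an attribute), which deserves a short comment such as `// description is not placed in an attribute; quotes need no encoding` so the next reader does not "fix" it. The function's closing brace is outside the hunk.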
@ -527,13 +527,13 @@ function edit_user( $user_id = 0 ) {
|
||||
function get_link_to_edit( $link_id ) {
|
||||
$link = get_link( $link_id );
|
||||
|
||||
$link->link_url = wp_specialchars( $link->link_url, 1 );
|
||||
$link->link_name = wp_specialchars( $link->link_name, 1 );
|
||||
$link->link_image = wp_specialchars( $link->link_image, 1 );
|
||||
$link->link_description = wp_specialchars( $link->link_description, 1 );
|
||||
$link->link_url = attribute_escape( $link->link_url);
|
||||
$link->link_name = attribute_escape( $link->link_name);
|
||||
$link->link_image = attribute_escape( $link->link_image);
|
||||
$link->link_description = attribute_escape( $link->link_description);
|
||||
$link->link_notes = wp_specialchars( $link->link_notes );
|
||||
$link->link_rss = wp_specialchars( $link->link_rss, 1 );
|
||||
$link->link_rel = wp_specialchars( $link->link_rel, 1 );
|
||||
$link->link_rss = attribute_escape( $link->link_rss);
|
||||
$link->link_rel = attribute_escape( $link->link_rel);
|
||||
$link->post_category = $link->link_category;
|
||||
|
||||
return $link;
|
||||
@ -541,12 +541,12 @@ function get_link_to_edit( $link_id ) {
|
||||
|
||||
function get_default_link_to_edit() {
|
||||
if ( isset( $_GET['linkurl'] ) )
|
||||
$link->link_url = wp_specialchars( $_GET['linkurl'], 1 );
|
||||
$link->link_url = attribute_escape( $_GET['linkurl']);
|
||||
else
|
||||
$link->link_url = '';
|
||||
|
||||
if ( isset( $_GET['name'] ) )
|
||||
$link->link_name = wp_specialchars( $_GET['name'], 1 );
|
||||
$link->link_name = attribute_escape( $_GET['name']);
|
||||
else
|
||||
$link->link_name = '';
|
||||
|
||||
@ -831,7 +831,7 @@ function user_row( $user_object, $style = '' ) {
|
||||
}
|
||||
$r .= "</td>\n\t\t<td>";
|
||||
if ( current_user_can( 'edit_user', $user_object->ID ) ) {
|
||||
$edit_link = wp_specialchars( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), "user-edit.php?user_id=$user_object->ID" ) );
|
||||
$edit_link = attribute_escape( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), "user-edit.php?user_id=$user_object->ID" ));
|
||||
$r .= "<a href='$edit_link' class='edit'>".__( 'Edit' )."</a>";
|
||||
}
|
||||
$r .= "</td>\n\t</tr>";
|
||||
@ -911,8 +911,8 @@ function list_meta( $meta ) {
|
||||
}
|
||||
|
||||
$key_js = js_escape( $entry['meta_key'] );
|
||||
$entry['meta_key'] = wp_specialchars( $entry['meta_key'], true );
|
||||
$entry['meta_value'] = wp_specialchars( $entry['meta_value'], true );
|
||||
$entry['meta_key'] = attribute_escape( $entry['meta_key']);
|
||||
$entry['meta_value'] = attribute_escape( $entry['meta_value']);
|
||||
$r .= "\n\t<tr id='meta-{$entry['meta_id']}' class='$style'>";
|
||||
$r .= "\n\t\t<td valign='top'><input name='meta[{$entry['meta_id']}][key]' tabindex='6' type='text' size='20' value='{$entry['meta_key']}' /></td>";
|
||||
$r .= "\n\t\t<td><textarea name='meta[{$entry['meta_id']}][value]' tabindex='6' rows='2' cols='30'>{$entry['meta_value']}</textarea></td>";
|
||||
@ -965,7 +965,7 @@ function meta_form() {
|
||||
<?php
|
||||
|
||||
foreach ( $keys as $key ) {
|
||||
$key = wp_specialchars( $key, 1 );
|
||||
$key = attribute_escape( $key);
|
||||
echo "\n\t<option value='$key'>$key</option>";
|
||||
}
|
||||
?>
|
||||
@ -1992,7 +1992,7 @@ function wp_reset_vars( $vars ) {
|
||||
|
||||
function wp_remember_old_slug() {
|
||||
global $post;
|
||||
$name = wp_specialchars($post->post_name); // just in case
|
||||
$name = attribute_escape($post->post_name); // just in case
|
||||
if ( strlen($name) )
|
||||
echo '<input type="hidden" id="wp-old-slug" name="wp-old-slug" value="' . $name . '" />';
|
||||
}
|
||||
|
@ -37,7 +37,7 @@ else
|
||||
|
||||
|
||||
$content = wp_specialchars($_REQUEST['content']);
|
||||
$popupurl = wp_specialchars($_REQUEST['popupurl']);
|
||||
$popupurl = attribute_escape($_REQUEST['popupurl']);
|
||||
if ( !empty($content) ) {
|
||||
$post->post_content = wp_specialchars( stripslashes($_REQUEST['content']) );
|
||||
} else {
|
||||
|
@ -26,11 +26,11 @@ if ( ! empty($cat_ID) ) {
|
||||
<table class="editform" width="100%" cellspacing="2" cellpadding="5">
|
||||
<tr>
|
||||
<th width="33%" scope="row" valign="top"><label for="cat_name"><?php _e('Category name:') ?></label></th>
|
||||
<td width="67%"><input name="cat_name" id="cat_name" type="text" value="<?php echo wp_specialchars($category->cat_name); ?>" size="40" /></td>
|
||||
<td width="67%"><input name="cat_name" id="cat_name" type="text" value="<?php echo attribute_escape($category->cat_name); ?>" size="40" /></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th scope="row" valign="top"><label for="category_nicename"><?php _e('Category slug:') ?></label></th>
|
||||
<td><input name="category_nicename" id="category_nicename" type="text" value="<?php echo wp_specialchars($category->category_nicename); ?>" size="40" /></td>
|
||||
<td><input name="category_nicename" id="category_nicename" type="text" value="<?php echo attribute_escape($category->category_nicename); ?>" size="40" /></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<th scope="row" valign="top"><label for="category_parent"><?php _e('Category parent:') ?></label></th>
|
||||
@ -40,7 +40,7 @@ if ( ! empty($cat_ID) ) {
|
||||
</tr>
|
||||
<tr>
|
||||
<th scope="row" valign="top"><label for="category_description"><?php _e('Description: (optional)') ?></label></th>
|
||||
<td><textarea name="category_description" id="category_description" rows="5" cols="50" style="width: 97%;"><?php echo wp_specialchars($category->category_description, 1); ?></textarea></td>
|
||||
<td><textarea name="category_description" id="category_description" rows="5" cols="50" style="width: 97%;"><?php echo wp_specialchars($category->category_description); ?></textarea></td>
|
||||
</tr>
|
||||
</table>
|
||||
<p class="submit"><input type="submit" name="submit" value="<?php echo $submit_text ?>" /></p>
|
||||
|
@ -7,7 +7,7 @@ wp_enqueue_script( 'admin-comments' );
|
||||
|
||||
require_once('admin-header.php');
|
||||
if (empty($_GET['mode'])) $mode = 'view';
|
||||
else $mode = wp_specialchars($_GET['mode'], 1);
|
||||
else $mode = attribute_escape($_GET['mode']);
|
||||
?>
|
||||
|
||||
<script type="text/javascript">
|
||||
@ -42,7 +42,7 @@ function getNumChecked(form)
|
||||
<form name="searchform" action="" method="get" id="editcomments">
|
||||
<fieldset>
|
||||
<legend><?php _e('Show Comments That Contain...') ?></legend>
|
||||
<input type="text" name="s" value="<?php if (isset($_GET['s'])) echo wp_specialchars($_GET['s'], 1); ?>" size="17" />
|
||||
<input type="text" name="s" value="<?php if (isset($_GET['s'])) echo attribute_escape($_GET['s']); ?>" size="17" />
|
||||
<input type="submit" name="submit" value="<?php _e('Search') ?>" />
|
||||
<input type="hidden" name="mode" value="<?php echo $mode; ?>" />
|
||||
<?php _e('(Searches within comment text, e-mail, URL, and IP address.)') ?>
|
||||
|
@ -168,11 +168,11 @@ if ('publish' != $post->post_status || 0 == $post_ID) {
|
||||
?>
|
||||
<input name="referredby" type="hidden" id="referredby" value="<?php
|
||||
if ( !empty($_REQUEST['popupurl']) )
|
||||
echo wp_specialchars($_REQUEST['popupurl']);
|
||||
echo attribute_escape(stripslashes($_REQUEST['popupurl']));
|
||||
else if ( url_to_postid(wp_get_referer()) == $post_ID )
|
||||
echo 'redo';
|
||||
else
|
||||
echo wp_specialchars(wp_get_referer());
|
||||
echo attribute_escape(stripslashes(wp_get_referer()));
|
||||
?>" /></p>
|
||||
|
||||
<?php do_action('edit_form_advanced'); ?>
|
||||
|
@ -247,7 +247,7 @@ function xfn_check($class, $value = '', $type = 'check') {
|
||||
<?php if ( $link_id ) : ?>
|
||||
<input type="hidden" name="action" value="save" />
|
||||
<input type="hidden" name="link_id" value="<?php echo (int) $link_id; ?>" />
|
||||
<input type="hidden" name="order_by" value="<?php echo wp_specialchars($order_by, 1); ?>" />
|
||||
<input type="hidden" name="order_by" value="<?php echo attribute_escape($order_by); ?>" />
|
||||
<input type="hidden" name="cat_id" value="<?php echo (int) $cat_id ?>" />
|
||||
<?php else: ?>
|
||||
<input type="hidden" name="action" value="add" />
|
||||
|
@ -13,12 +13,10 @@ if (0 == $post_ID) {
|
||||
$form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />";
|
||||
}
|
||||
|
||||
$sendto = wp_get_referer();
|
||||
$sendto = attribute_escape(stripslashes(wp_get_referer()));
|
||||
|
||||
if ( 0 != $post_ID && $sendto == get_permalink($post_ID) )
|
||||
$sendto = 'redo';
|
||||
$sendto = wp_specialchars( $sendto );
|
||||
|
||||
?>
|
||||
|
||||
<form name="post" action="page.php" method="post" id="post">
|
||||
|
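Review bot: The new `$sendto = attribute_escape(stripslashes(wp_get_referer()));` escapes the referer before the `$sendto == get_permalink($post_ID)` comparison three lines below, whereas the removed line escaped after it; any permalink containing a character that attribute_escape rewrites (`&`, quotes) no longer compares equal and the `'redo'` branch is skipped. Keep the raw value for the comparison and escape once at the end: `$sendto = stripslashes(wp_get_referer());` before the `if`, and `$sendto = attribute_escape( $sendto );` after the `'redo'` assignment (escaping the literal `redo` is harmless). Whether get_permalink can emit such characters depends on the permalink structure, which is not visible here.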
@ -13,7 +13,7 @@ require_once('admin-header.php');
|
||||
<form name="searchform" action="" method="get">
|
||||
<fieldset>
|
||||
<legend><?php _e('Search Pages…') ?></legend>
|
||||
<input type="text" name="s" value="<?php if (isset($_GET['s'])) echo wp_specialchars($_GET['s'], 1); ?>" size="17" />
|
||||
<input type="text" name="s" value="<?php if (isset($_GET['s'])) echo attribute_escape($_GET['s']); ?>" size="17" />
|
||||
<input type="submit" name="submit" value="<?php _e('Search') ?>" />
|
||||
</fieldset>
|
||||
</form>
|
||||
|
@ -76,7 +76,7 @@ if ( is_month() ) {
|
||||
<form name="searchform" id="searchform" action="" method="get">
|
||||
<fieldset>
|
||||
<legend><?php _e('Search Posts…') ?></legend>
|
||||
<input type="text" name="s" value="<?php if (isset($s)) echo wp_specialchars($s, 1); ?>" size="17" />
|
||||
<input type="text" name="s" value="<?php if (isset($s)) echo attribute_escape($s); ?>" size="17" />
|
||||
<input type="submit" name="submit" value="<?php _e('Search') ?>" class="button" />
|
||||
</fieldset>
|
||||
</form>
|
||||
|
@ -116,7 +116,7 @@ if ( $links ) {
|
||||
<?php wp_nonce_field('bulk-bookmarks') ?>
|
||||
<input type="hidden" name="link_id" value="" />
|
||||
<input type="hidden" name="action" value="" />
|
||||
<input type="hidden" name="order_by" value="<?php echo wp_specialchars($order_by, 1); ?>" />
|
||||
<input type="hidden" name="order_by" value="<?php echo attribute_escape($order_by); ?>" />
|
||||
<input type="hidden" name="cat_id" value="<?php echo (int) $cat_id ?>" />
|
||||
<table class="widefat">
|
||||
<thead>
|
||||
@ -130,9 +130,9 @@ if ( $links ) {
|
||||
<tbody id="the-list">
|
||||
<?php
|
||||
foreach ($links as $link) {
|
||||
$link->link_name = wp_specialchars($link->link_name);
|
||||
$link->link_name = attribute_escape($link->link_name);
|
||||
$link->link_description = wp_specialchars($link->link_description);
|
||||
$link->link_url = wp_specialchars($link->link_url);
|
||||
$link->link_url = attribute_escape($link->link_url);
|
||||
$link->link_category = wp_get_link_cats($link->link_id);
|
||||
$short_url = str_replace('http://', '', $link->link_url);
|
||||
$short_url = str_replace('www.', '', $short_url);
|
||||
|
@ -18,7 +18,7 @@ include('admin-header.php');
|
||||
<table class="editform optiontable">
|
||||
<tr valign="top">
|
||||
<th scope="row"><?php _e('Store uploads in this folder'); ?>:</th>
|
||||
<td><input name="upload_path" type="text" id="upload_path" class="code" value="<?php echo wp_specialchars(str_replace(ABSPATH, '', get_option('upload_path')), 1); ?>" size="40" />
|
||||
<td><input name="upload_path" type="text" id="upload_path" class="code" value="<?php echo attribute_escape(str_replace(ABSPATH, '', get_option('upload_path'))); ?>" size="40" />
|
||||
<br />
|
||||
<?php _e('Default is <code>wp-content/uploads</code>'); ?>
|
||||
</td>
|
||||
|
@ -149,7 +149,7 @@ checked="checked"
|
||||
</label>
|
||||
<br />
|
||||
</p>
|
||||
<p id="customstructure"><?php _e('Custom structure'); ?>: <input name="permalink_structure" id="permalink_structure" type="text" class="code" style="width: 60%;" value="<?php echo wp_specialchars($permalink_structure, 1); ?>" size="50" /></p>
|
||||
<p id="customstructure"><?php _e('Custom structure'); ?>: <input name="permalink_structure" id="permalink_structure" type="text" class="code" style="width: 60%;" value="<?php echo attribute_escape($permalink_structure); ?>" size="50" /></p>
|
||||
|
||||
<h3><?php _e('Optional'); ?></h3>
|
||||
<?php if ($is_apache) : ?>
|
||||
@ -158,7 +158,7 @@ checked="checked"
|
||||
<p><?php _e('If you like, you may enter a custom prefix for your category <abbr title="Universal Resource Locator">URL</abbr>s here. For example, <code>/index.php/taxonomy/tags</code> would make your category links like <code>http://example.org/index.php/taxonomy/tags/uncategorized/</code>. If you leave this blank the default will be used.') ?></p>
|
||||
<?php endif; ?>
|
||||
<p>
|
||||
<?php _e('Category base'); ?>: <input name="category_base" type="text" class="code" value="<?php echo wp_specialchars($category_base, 1); ?>" size="30" />
|
||||
<?php _e('Category base'); ?>: <input name="category_base" type="text" class="code" value="<?php echo attribute_escape($category_base); ?>" size="30" />
|
||||
</p>
|
||||
<p class="submit">
|
||||
<input type="submit" name="submit" value="<?php _e('Update Permalink Structure »') ?>" />
|
||||
|
@ -158,7 +158,7 @@ endforeach;
|
||||
?>
|
||||
</table>
|
||||
<?php $options_to_update = implode(',', $options_to_update); ?>
|
||||
<p class="submit"><input type="hidden" name="page_options" value="<?php echo wp_specialchars($options_to_update, true); ?>" /><input type="submit" name="Update" value="<?php _e('Update Options »') ?>" /></p>
|
||||
<p class="submit"><input type="hidden" name="page_options" value="<?php echo attribute_escape($options_to_update); ?>" /><input type="submit" name="Update" value="<?php _e('Update Options »') ?>" /></p>
|
||||
</form>
|
||||
</div>
|
||||
|
||||
|
@ -57,7 +57,7 @@ case 'edit':
|
||||
?>
|
||||
<div id='preview' class='wrap'>
|
||||
<h2 id="preview-post"><?php _e('Page Preview (updated when page is saved)'); ?></h2>
|
||||
<iframe src="<?php echo wp_specialchars(apply_filters('preview_page_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
|
||||
<iframe src="<?php echo attribute_escape(apply_filters('preview_page_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
|
||||
</div>
|
||||
<?php
|
||||
break;
|
||||
|
@ -63,7 +63,7 @@ case 'edit':
|
||||
?>
|
||||
<div id='preview' class='wrap'>
|
||||
<h2 id="preview-post"><?php _e('Post Preview (updated when post is saved)'); ?></h2>
|
||||
<iframe src="<?php echo wp_specialchars(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
|
||||
<iframe src="<?php echo attribute_escape(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
|
||||
</div>
|
||||
<?php
|
||||
break;
|
||||
|
@ -98,7 +98,7 @@ if ( $recents ) :
|
||||
<?php
|
||||
echo '<ol>';
|
||||
foreach ($recents as $recent) :
|
||||
echo "<li><a href='templates.php?file=" . wp_specialchars($recent, true) . "'>" . get_file_description(basename($recent)) . "</a></li>";
|
||||
echo "<li><a href='templates.php?file=" . attribute_escape($recent) . "'>" . get_file_description(basename($recent)) . "</a></li>";
|
||||
endforeach;
|
||||
echo '</ol>';
|
||||
endif;
|
||||
|
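Review bot: `templates.php?file=" . attribute_escape($recent)` places a file path into a query-string value with HTML escaping only; a path containing `&`, `#`, `+` or `%` breaks or truncates the `file` parameter, and attribute_escape does nothing for those characters. Encode for the URL first, then for the attribute: `attribute_escape( urlencode( $recent ) )`. The upgrade hunk has the same gap in `upgrade.php?step=1&backto=<?php echo $goback; ?>`: `$goback` is a full referer URL that is attribute-escaped but not URL-encoded, so its own `?`/`&` split the `backto` value; `$goback = attribute_escape(urlencode(stripslashes(wp_get_referer())));` fixes that one.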
@ -88,7 +88,7 @@ default:
|
||||
$theme_name = $a_theme['Name'];
|
||||
if ($theme_name == $theme) $selected = " selected='selected'";
|
||||
else $selected = '';
|
||||
$theme_name = wp_specialchars($theme_name, true);
|
||||
$theme_name = attribute_escape($theme_name);
|
||||
echo "\n\t<option value=\"$theme_name\" $selected>$theme_name</option>";
|
||||
}
|
||||
?>
|
||||
|
@ -28,7 +28,7 @@ else
|
||||
<?php
|
||||
switch($step) {
|
||||
case 0:
|
||||
$goback = wp_specialchars(wp_get_referer());
|
||||
$goback = attribute_escape(stripslashes(wp_get_referer()));
|
||||
?>
|
||||
<p><?php _e('This file upgrades you from any previous version of WordPress to the latest. It may take a while though, so be patient.'); ?></p>
|
||||
<h2 class="step"><a href="upgrade.php?step=1&backto=<?php echo $goback; ?>"><?php _e('Upgrade WordPress »'); ?></a></h2>
|
||||
@ -40,7 +40,7 @@ switch($step) {
|
||||
if ( empty( $_GET['backto'] ) )
|
||||
$backto = __get_option('home');
|
||||
else
|
||||
$backto = wp_specialchars( $_GET['backto'] , 1 );
|
||||
$backto = attribute_escape(stripslashes($_GET['backto']));
|
||||
?>
|
||||
<h2><?php _e('Step 1'); ?></h2>
|
||||
<p><?php printf(__("There's actually only one step. So if you see this, you're done. <a href='%s'>Have fun</a>!"), $backto); ?></p>
|
||||
|
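Review bot: `$backto = attribute_escape(stripslashes($_GET['backto']));` only neutralises the attribute context; the value is still an arbitrary request-supplied string that becomes the href of the "Have fun" link through `printf(... "<a href='%s'>")` below, and HTML escaping does not constrain the link target. The fallback to `__get_option('home')` in the `empty()` branch should also apply when `backto` does not point under the site's own home, e.g. `if ( empty( $_GET['backto'] ) || 0 !== strpos( stripslashes( $_GET['backto'] ), __get_option('home') ) )`. That is a defensive check on top of the escaping this commit adds, not a replacement for it.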
@ -7,7 +7,7 @@ function wp_upload_display( $dims = false, $href = '' ) {
|
||||
list($width,$height) = wp_shrink_dimensions($attachment_data['width'], $attachment_data['height'], 171, 128);
|
||||
ob_start();
|
||||
the_title();
|
||||
$post_title = wp_specialchars( ob_get_contents(), 1 );
|
||||
$post_title = attribute_escape( ob_get_contents());
|
||||
ob_end_clean();
|
||||
$post_content = apply_filters( 'content_edit_pre', $post->post_content );
|
||||
|
||||
@ -71,9 +71,9 @@ function wp_upload_view() {
|
||||
echo '[ ';
|
||||
echo '<a href="' . get_permalink() . '">' . __('view') . '</a>';
|
||||
echo ' | ';
|
||||
echo '<a href="' . wp_specialchars( add_query_arg( 'action', 'edit' ), 1 ) . '" title="' . __('Edit this file') . '">' . __('edit') . '</a>';
|
||||
echo '<a href="' . attribute_escape( add_query_arg( 'action', 'edit' )) . '" title="' . __('Edit this file') . '">' . __('edit') . '</a>';
|
||||
echo ' | ';
|
||||
echo '<a href="' . wp_specialchars( remove_query_arg( array('action', 'ID') ), 1 ) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
|
||||
echo '<a href="' . attribute_escape( remove_query_arg( array('action', 'ID') )) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
|
||||
echo ' ]'; ?></span>
|
||||
</div>
|
||||
|
||||
@ -111,9 +111,9 @@ function wp_upload_form() {
|
||||
echo '[ ';
|
||||
echo '<a href="' . get_permalink() . '">' . __('view') . '</a>';
|
||||
echo ' | ';
|
||||
echo '<a href="' . wp_specialchars( add_query_arg( 'action', 'view' ), 1 ) . '">' . __('links') . '</a>';
|
||||
echo '<a href="' . attribute_escape( add_query_arg( 'action', 'view' )) . '">' . __('links') . '</a>';
|
||||
echo ' | ';
|
||||
echo '<a href="' . wp_specialchars( remove_query_arg( array('action','ID') ), 1 ) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
|
||||
echo '<a href="' . attribute_escape( remove_query_arg( array('action','ID') )) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
|
||||
echo ' ]'; ?></span>
|
||||
</div>
|
||||
|
||||
|
@ -72,22 +72,22 @@ addLoadEvent( function() {
|
||||
var params = $H(this.params);
|
||||
params.ID = '';
|
||||
params.action = '';
|
||||
h += "<a href='" + this.urlData[0] + '?' + params.toQueryString() + "' title='<?php echo wp_specialchars(__('Browse your files'), 1); ?>' class='back'><?php echo wp_specialchars(__('« Back'), 1); ?></a>";
|
||||
h += "<a href='" + this.urlData[0] + '?' + params.toQueryString() + "' title='<?php echo attribute_escape(__('Browse your files')); ?>' class='back'><?php echo attribute_escape(__('« Back')); ?></a>";
|
||||
} else {
|
||||
h += "<a href='#' onclick='return theFileList.cancelView();' title='<?php echo wp_specialchars(__('Browse your files'), 1); ?>' class='back'><?php echo wp_specialchars(__('« Back'), 1) ?></a>";
|
||||
h += "<a href='#' onclick='return theFileList.cancelView();' title='<?php echo attribute_escape(__('Browse your files')); ?>' class='back'><?php echo attribute_escape(__('« Back')) ?></a>";
|
||||
}
|
||||
h += "<div id='file-title'>"
|
||||
if ( !this.currentImage.isImage )
|
||||
h += "<h2><a href='" + this.currentImage.srcBase + this.currentImage.src + "' onclick='return false;' title='<?php echo wp_specialchars(__('Direct link to file'), 1); ?>'>" + this.currentImage.title + "</a></h2>";
|
||||
h += "<h2><a href='" + this.currentImage.srcBase + this.currentImage.src + "' onclick='return false;' title='<?php echo attribute_escape(__('Direct link to file')); ?>'>" + this.currentImage.title + "</a></h2>";
|
||||
else
|
||||
h += "<h2>" + this.currentImage.title + "</h2>";
|
||||
h += " — <span>";
|
||||
h += "<a href='#' onclick='return theFileList.editView(" + id + ");'><?php echo wp_specialchars(__('Edit'), 1); ?></a>"
|
||||
h += "<a href='#' onclick='return theFileList.editView(" + id + ");'><?php echo attribute_escape(__('Edit')); ?></a>"
|
||||
h += "</span>";
|
||||
h += '</div>'
|
||||
h += "<div id='upload-file-view' class='alignleft'>";
|
||||
if ( this.currentImage.isImage ) {
|
||||
h += "<a href='" + this.currentImage.srcBase + this.currentImage.src + "' onclick='return false;' title='<?php echo wp_specialchars(__('Direct link to file'), 1); ?>'>";
|
||||
h += "<a href='" + this.currentImage.srcBase + this.currentImage.src + "' onclick='return false;' title='<?php echo attribute_escape(__('Direct link to file')); ?>'>";
|
||||
h += "<img src='" + ( this.currentImage.thumb ? this.currentImage.thumb : this.currentImage.src ) + "' alt='" + this.currentImage.title + "' width='" + this.currentImage.width + "' height='" + this.currentImage.height + "' />";
|
||||
h += "</a>";
|
||||
} else
|
||||
@ -97,20 +97,20 @@ addLoadEvent( function() {
|
||||
h += "<form name='uploadoptions' id='uploadoptions' class='alignleft'>";
|
||||
h += "<table>";
|
||||
if ( this.currentImage.thumb ) {
|
||||
h += "<tr><th style='padding-bottom:.5em'><?php echo wp_specialchars(__('Show:'), 1); ?></th><td style='padding-bottom:.5em'>";
|
||||
h += "<label for='display-thumb'><input type='radio' name='display' id='display-thumb' value='thumb' checked='checked' /> <?php echo wp_specialchars(__('Thumbnail'), 1); ?></label><br />";
|
||||
h += "<label for='display-full'><input type='radio' name='display' id='display-full' value='full' /> <?php echo wp_specialchars(__('Full size'), 1); ?></label>";
|
||||
h += "<tr><th style='padding-bottom:.5em'><?php echo attribute_escape(__('Show:')); ?></th><td style='padding-bottom:.5em'>";
|
||||
h += "<label for='display-thumb'><input type='radio' name='display' id='display-thumb' value='thumb' checked='checked' /> <?php echo attribute_escape(__('Thumbnail')); ?></label><br />";
|
||||
h += "<label for='display-full'><input type='radio' name='display' id='display-full' value='full' /> <?php echo attribute_escape(__('Full size')); ?></label>";
|
||||
h += "</td></tr>";
|
||||
}
|
||||
|
||||
h += "<tr><th><?php echo wp_specialchars(__('Link to:'), 1); ?></th><td>";
|
||||
h += "<label for='link-file'><input type='radio' name='link' id='link-file' value='file' checked='checked'/> <?php echo wp_specialchars(__('File'), 1); ?></label><br />";
|
||||
h += "<label for='link-page'><input type='radio' name='link' id='link-page' value='page' /> <?php echo wp_specialchars(__('Page'), 1); ?></label><br />";
|
||||
h += "<label for='link-none'><input type='radio' name='link' id='link-none' value='none' /> <?php echo wp_specialchars(__('None'), 1); ?></label>";
|
||||
h += "<tr><th><?php echo attribute_escape(__('Link to:')); ?></th><td>";
|
||||
h += "<label for='link-file'><input type='radio' name='link' id='link-file' value='file' checked='checked'/> <?php echo attribute_escape(__('File')); ?></label><br />";
|
||||
h += "<label for='link-page'><input type='radio' name='link' id='link-page' value='page' /> <?php echo attribute_escape(__('Page')); ?></label><br />";
|
||||
h += "<label for='link-none'><input type='radio' name='link' id='link-none' value='none' /> <?php echo attribute_escape(__('None')); ?></label>";
|
||||
h += "</td></tr>";
|
||||
|
||||
h += "<tr><td colspan='2'><p class='submit'>";
|
||||
h += "<input type='button' class='button' name='send' onclick='theFileList.sendToEditor(" + id + ")' value='<?php echo wp_specialchars(__('Send to editor »'), 1); ?>' />";
|
||||
h += "<input type='button' class='button' name='send' onclick='theFileList.sendToEditor(" + id + ")' value='<?php echo attribute_escape(__('Send to editor »')); ?>' />";
|
||||
h += "</p></td></tr></table>";
|
||||
h += "</form>";
|
||||
|
||||
@ -134,17 +134,17 @@ addLoadEvent( function() {
|
||||
var params = $H(this.params);
|
||||
params.ID = '';
|
||||
params.action = '';
|
||||
h += "<a href='" + this.urlData[0] + '?' + params.toQueryString() + "' title='<?php echo wp_specialchars(__('Browse your files'), 1); ?>' class='back'><?php echo wp_specialchars(__('« Back'), 1); ?></a>";
|
||||
h += "<a href='" + this.urlData[0] + '?' + params.toQueryString() + "' title='<?php echo attribute_escape(__('Browse your files')); ?>' class='back'><?php echo attribute_escape(__('« Back')); ?></a>";
|
||||
} else {
|
||||
h += "<a href='#' onclick='return theFileList.cancelView();' title='<?php echo wp_specialchars(__('Browse your files'), 1); ?>' class='back'><?php echo wp_specialchars(__('« Back'), 1); ?></a>";
|
||||
h += "<a href='#' onclick='return theFileList.cancelView();' title='<?php echo attribute_escape(__('Browse your files')); ?>' class='back'><?php echo attribute_escape(__('« Back')); ?></a>";
|
||||
}
|
||||
h += "<div id='file-title'>"
|
||||
if ( !this.currentImage.isImage )
|
||||
h += "<h2><a href='" + this.currentImage.srcBase + this.currentImage.src + "' onclick='return false;' title='<?php echo wp_specialchars(__('Direct link to file'), 1); ?>'>" + this.currentImage.title + "</a></h2>";
|
||||
h += "<h2><a href='" + this.currentImage.srcBase + this.currentImage.src + "' onclick='return false;' title='<?php echo attribute_escape(__('Direct link to file')); ?>'>" + this.currentImage.title + "</a></h2>";
|
||||
else
|
||||
h += "<h2>" + this.currentImage.title + "</h2>";
|
||||
h += " — <span>";
|
||||
h += "<a href='#' onclick='return theFileList.imageView(" + id + ");'><?php wp_specialchars(__('Insert'), 1); ?></a>"
|
||||
h += "<a href='#' onclick='return theFileList.imageView(" + id + ");'><?php attribute_escape(__('Insert')); ?></a>"
|
||||
h += "</span>";
|
||||
h += '</div>'
|
||||
h += "<div id='upload-file-view' class='alignleft'>";
|
||||
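Review bot: `<?php attribute_escape(__('Insert')); ?>` on the imageView link has no `echo`, so the return value is discarded and the anchor is rendered with empty text; the removed line had the same omission and this commit carries it over, while the matching `Edit` link in the earlier hunk correctly writes `<?php echo attribute_escape(__('Edit')); ?>`. Change it to `<?php echo attribute_escape(__('Insert')); ?>`. The surrounding JavaScript function starts and ends outside the hunk.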
@ -158,20 +158,20 @@ addLoadEvent( function() {
|
||||
|
||||
|
||||
h += "<table><col /><col class='widefat' /><tr>"
|
||||
h += "<th scope='row'><label for='url'><?php echo wp_specialchars(__('URL'), 1); ?></label></th>";
|
||||
h += "<th scope='row'><label for='url'><?php echo attribute_escape(__('URL')); ?></label></th>";
|
||||
h += "<td><input type='text' id='url' class='readonly' value='" + this.currentImage.srcBase + this.currentImage.src + "' readonly='readonly' /></td>";
|
||||
h += "</tr><tr>";
|
||||
h += "<th scope='row'><label for='post_title'><?php echo wp_specialchars(__('Title'), 1); ?></label></th>";
|
||||
h += "<th scope='row'><label for='post_title'><?php echo attribute_escape(__('Title')); ?></label></th>";
|
||||
h += "<td><input type='text' id='post_title' name='post_title' value='" + this.currentImage.title + "' /></td>";
|
||||
h += "</tr><tr>";
|
||||
h += "<th scope='row'><label for='post_content'><?php echo wp_specialchars(__('Description'), 1); ?></label></th>";
|
||||
h += "<th scope='row'><label for='post_content'><?php echo attribute_escape(__('Description')); ?></label></th>";
|
||||
h += "<td><textarea name='post_content' id='post_content'>" + this.currentImage.description + "</textarea></td>";
|
||||
h += "</tr><tr id='buttons' class='submit'><td colspan='2'><input type='button' id='delete' name='delete' class='delete alignleft' value='<?php echo wp_specialchars(__('Delete File'), 1); ?>' onclick='theFileList.deleteFile(" + id + ");' />";
|
||||
h += "</tr><tr id='buttons' class='submit'><td colspan='2'><input type='button' id='delete' name='delete' class='delete alignleft' value='<?php echo attribute_escape(__('Delete File')); ?>' onclick='theFileList.deleteFile(" + id + ");' />";
|
||||
h += "<input type='hidden' name='from_tab' value='" + this.tab + "' />";
|
||||
h += "<input type='hidden' name='action' id='action-value' value='save' />";
|
||||
h += "<input type='hidden' name='ID' value='" + id + "' />";
|
||||
h += "<input type='hidden' name='_wpnonce' value='" + this.nonce + "' />";
|
||||
h += "<div class='submit'><input type='submit' value='<?php echo wp_specialchars(__('Save »'), 1); ?>' /></div>";
|
||||
h += "<div class='submit'><input type='submit' value='<?php echo attribute_escape(__('Save »')); ?>' /></div>";
|
||||
h += "</td></tr></table></form>";
|
||||
|
||||
new Insertion.Top('upload-content', h);
|
||||
|
@ -87,7 +87,7 @@ foreach ( $wp_upload_tabs as $t => $tab_array ) { // We've already done the curr
|
||||
$href = add_query_arg( array('tab' => $t, 'ID' => '', 'action' => '', 'paged' => '') );
|
||||
if ( isset($tab_array[4]) && is_array($tab_array[4]) )
|
||||
add_query_arg( $tab_array[4], $href );
|
||||
$_href = wp_specialchars( $href, 1 );
|
||||
$_href = attribute_escape( $href);
|
||||
$page_links = '';
|
||||
$class = 'upload-tab alignleft';
|
||||
if ( $tab == $t ) {
|
||||
|
@ -55,7 +55,7 @@ include ('admin-header.php');
|
||||
<div id="message" class="updated fade">
|
||||
<p><strong><?php _e('User updated.') ?></strong></p>
|
||||
<?php if ( $wp_http_referer ) : ?>
|
||||
<p><a href="<?php echo wp_specialchars($wp_http_referer); ?>"><?php _e('« Back to Authors and Users'); ?></a></p>
|
||||
<p><a href="<?php echo attribute_escape($wp_http_referer); ?>"><?php _e('« Back to Authors and Users'); ?></a></p>
|
||||
<?php endif; ?>
|
||||
</div>
|
||||
<?php endif; ?>
|
||||
|
@ -12,10 +12,10 @@ $action = $_REQUEST['action'];
|
||||
$update = '';
|
||||
|
||||
if ( empty($_POST) ) {
|
||||
$referer = '<input type="hidden" name="wp_http_referer" value="'. wp_specialchars(stripslashes($_SERVER['REQUEST_URI'])) . '" />';
|
||||
$referer = '<input type="hidden" name="wp_http_referer" value="'. attribute_escape(stripslashes($_SERVER['REQUEST_URI'])) . '" />';
|
||||
} elseif ( isset($_POST['wp_http_referer']) ) {
|
||||
$redirect = remove_query_arg(array('wp_http_referer', 'updated', 'delete_count'), stripslashes($_POST['wp_http_referer']));
|
||||
$referer = '<input type="hidden" name="wp_http_referer" value="' . wp_specialchars($redirect) . '" />';
|
||||
$referer = '<input type="hidden" name="wp_http_referer" value="' . attribute_escape($redirect) . '" />';
|
||||
} else {
|
||||
$redirect = 'users.php';
|
||||
}
|
||||
@ -338,7 +338,7 @@ default:
|
||||
<?php endif; ?>
|
||||
|
||||
<form action="" method="get" name="search" id="search">
|
||||
<p><input type="text" name="usersearch" id="usersearch" value="<?php echo wp_specialchars($wp_user_search->search_term, 1); ?>" /> <input type="submit" value="<?php _e('Search users »'); ?>" class="button" /></p>
|
||||
<p><input type="text" name="usersearch" id="usersearch" value="<?php echo attribute_escape($wp_user_search->search_term); ?>" /> <input type="submit" value="<?php _e('Search users »'); ?>" class="button" /></p>
|
||||
</form>
|
||||
|
||||
<?php if ( is_wp_error( $wp_user_search->search_errors ) ) : ?>
|
||||
@ -429,7 +429,7 @@ foreach ( (array) $roleclass as $user_object ) {
|
||||
if ( is_wp_error($add_user_errors) ) {
|
||||
foreach ( array('user_login' => 'user_login', 'first_name' => 'user_firstname', 'last_name' => 'user_lastname', 'email' => 'user_email', 'url' => 'user_uri', 'role' => 'user_role') as $formpost => $var ) {
|
||||
$var = 'new_' . $var;
|
||||
$$var = wp_specialchars(stripslashes($_POST[$formpost]));
|
||||
$$var = attribute_escape(stripslashes($_POST[$formpost]));
|
||||
}
|
||||
unset($name);
|
||||
}
|
||||
|
@ -60,7 +60,7 @@ if (!empty($commentstatus->post_password) && $_COOKIE['wp-postpass_'. COOKIEHASH
|
||||
<input type="text" name="author" id="author" class="textarea" value="<?php echo $comment_author; ?>" size="28" tabindex="1" />
|
||||
<label for="author"><?php _e("Name"); ?></label>
|
||||
<input type="hidden" name="comment_post_ID" value="<?php echo $id; ?>" />
|
||||
<input type="hidden" name="redirect_to" value="<?php echo wp_specialchars($_SERVER["REQUEST_URI"]); ?>" />
|
||||
<input type="hidden" name="redirect_to" value="<?php echo attribute_escape($_SERVER["REQUEST_URI"]); ?>" />
|
||||
</p>
|
||||
|
||||
<p>
|
||||
|
@ -60,7 +60,7 @@ if (!empty($post->post_password) && $_COOKIE['wp-postpass_'. COOKIEHASH] != $pos
|
||||
<input type="text" name="author" id="author" class="textarea" value="<?php echo $comment_author; ?>" size="28" tabindex="1" />
|
||||
<label for="author">Name</label>
|
||||
<input type="hidden" name="comment_post_ID" value="<?php echo $id; ?>" />
|
||||
<input type="hidden" name="redirect_to" value="<?php echo wp_specialchars($_SERVER["REQUEST_URI"]); ?>" />
|
||||
<input type="hidden" name="redirect_to" value="<?php echo attribute_escape($_SERVER["REQUEST_URI"]); ?>" />
|
||||
</p>
|
||||
|
||||
<p>
|
||||
|
@ -139,7 +139,7 @@ function the_author_posts() {
|
||||
function the_author_posts_link($deprecated = '') {
|
||||
global $authordata;
|
||||
|
||||
echo '<a href="' . get_author_posts_url($authordata->ID, $authordata->user_nicename) . '" title="' . sprintf(__("Posts by %s"), wp_specialchars(get_the_author())) . '">' . get_the_author() . '</a>';
|
||||
echo '<a href="' . get_author_posts_url($authordata->ID, $authordata->user_nicename) . '" title="' . sprintf(__("Posts by %s"), attribute_escape(get_the_author())) . '">' . get_the_author() . '</a>';
|
||||
}
|
||||
|
||||
function get_author_posts_url($author_id, $author_nicename = '') {
|
||||
@ -202,7 +202,7 @@ function wp_list_authors($args = '') {
|
||||
if ( !$hide_empty )
|
||||
$link = $name;
|
||||
} else {
|
||||
$link = '<a href="' . get_author_posts_url($author->ID, $author->user_nicename) . '" title="' . sprintf(__("Posts by %s"), wp_specialchars($author->display_name)) . '">' . $name . '</a>';
|
||||
$link = '<a href="' . get_author_posts_url($author->ID, $author->user_nicename) . '" title="' . sprintf(__("Posts by %s"), attribute_escape($author->display_name)) . '">' . $name . '</a>';
|
||||
|
||||
if ( (! empty($feed_image)) || (! empty($feed)) ) {
|
||||
$link .= ' ';
|
||||
|
@ -101,8 +101,8 @@ function get_links($category = -1,
|
||||
if ( '' != $rel )
|
||||
$rel = ' rel="' . $rel . '"';
|
||||
|
||||
$desc = wp_specialchars($row->link_description, ENT_QUOTES);
|
||||
$name = wp_specialchars($row->link_name, ENT_QUOTES);
|
||||
$desc = attribute_escape($row->link_description);
|
||||
$name = attribute_escape($row->link_name);
|
||||
$title = $desc;
|
||||
|
||||
if ( $show_updated )
|
||||
@ -266,8 +266,8 @@ function _walk_bookmarks($bookmarks, $args = '' ) {
|
||||
if ( '' != $rel )
|
||||
$rel = ' rel="' . $rel . '"';
|
||||
|
||||
$desc = wp_specialchars($bookmark->link_description, ENT_QUOTES);
|
||||
$name = wp_specialchars($bookmark->link_name, ENT_QUOTES);
|
||||
$desc = attribute_escape($bookmark->link_description);
|
||||
$name = attribute_escape($bookmark->link_name);
|
||||
$title = $desc;
|
||||
|
||||
if ( $show_updated )
|
||||
|
@ -509,7 +509,7 @@ class Walker_Page extends Walker {
|
||||
elseif ( $_current_page && $page->ID == $_current_page->post_parent )
|
||||
$css_class .= ' current_page_parent';
|
||||
|
||||
$output .= $indent . '<li class="' . $css_class . '"><a href="' . get_page_link($page->ID) . '" title="' . wp_specialchars($page->post_title, 1) . '">' . $page->post_title . '</a>';
|
||||
$output .= $indent . '<li class="' . $css_class . '"><a href="' . get_page_link($page->ID) . '" title="' . attribute_escape($page->post_title) . '">' . $page->post_title . '</a>';
|
||||
|
||||
if ( !empty($show_date) ) {
|
||||
if ( 'modified' == $show_date )
|
||||
@ -575,12 +575,12 @@ class Walker_Category extends Walker {
|
||||
function start_el($output, $category, $depth, $args) {
|
||||
extract($args);
|
||||
|
||||
$cat_name = wp_specialchars( $category->cat_name, 1 );
|
||||
$cat_name = attribute_escape( $category->cat_name);
|
||||
$link = '<a href="' . get_category_link( $category->cat_ID ) . '" ';
|
||||
if ( $use_desc_for_title == 0 || empty($category->category_description) )
|
||||
$link .= 'title="' . sprintf(__( 'View all posts filed under %s' ), $cat_name) . '"';
|
||||
else
|
||||
$link .= 'title="' . wp_specialchars( apply_filters( 'category_description', $category->category_description, $category ), 1 ) . '"';
|
||||
$link .= 'title="' . attribute_escape( apply_filters( 'category_description', $category->category_description, $category )) . '"';
|
||||
$link .= '>';
|
||||
$link .= apply_filters( 'list_cats', $category->cat_name, $category ).'</a>';
|
||||
|
||||
|
@ -353,7 +353,7 @@ function comments_popup_link($zero='No Comments', $one='1 Comment', $more='% Com
|
||||
if (!empty($CSSclass)) {
|
||||
echo ' class="'.$CSSclass.'"';
|
||||
}
|
||||
$title = wp_specialchars(apply_filters('the_title', get_the_title()), true);
|
||||
$title = attribute_escape(apply_filters('the_title', get_the_title()));
|
||||
echo ' title="' . sprintf( __('Comment on %s'), $title ) .'">';
|
||||
comments_number($zero, $one, $more, $number);
|
||||
echo '</a>';
|
||||
|
@ -155,21 +155,21 @@ function sanitize_comment_cookies() {
|
||||
if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) {
|
||||
$comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]);
|
||||
$comment_author = stripslashes($comment_author);
|
||||
$comment_author = wp_specialchars($comment_author, true);
|
||||
$comment_author = attribute_escape($comment_author);
|
||||
$_COOKIE['comment_author_'.COOKIEHASH] = $comment_author;
|
||||
}
|
||||
|
||||
if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) {
|
||||
$comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]);
|
||||
$comment_author_email = stripslashes($comment_author_email);
|
||||
$comment_author_email = wp_specialchars($comment_author_email, true);
|
||||
$comment_author_email = attribute_escape($comment_author_email);
|
||||
$_COOKIE['comment_author_email_'.COOKIEHASH] = $comment_author_email;
|
||||
}
|
||||
|
||||
if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) {
|
||||
$comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
|
||||
$comment_author_url = stripslashes($comment_author_url);
|
||||
$comment_author_url = wp_specialchars($comment_author_url, true);
|
||||
$comment_author_url = attribute_escape($comment_author_url);
|
||||
$_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url;
|
||||
}
|
||||
}
|
||||
|
@ -1081,6 +1081,11 @@ function js_escape($text) {
|
||||
return preg_replace("/\r?\n/", "\\n", addslashes($text));
|
||||
}
|
||||
|
||||
// Escaping for HTML attributes like
|
||||
function attribute_escape($text) {
|
||||
return wp_specialchars($text, true);
|
||||
}
|
||||
|
||||
function wp_make_link_relative( $link ) {
|
||||
return preg_replace('|https?://[^/]+(/.*)|i', '$1', $link );
|
||||
}
|
||||
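Review bot: The header comment on the new attribute_escape() is cut off mid-sentence (`// Escaping for HTML attributes like`), so it never states what the helper guarantees or where it is insufficient, which matters now that the commit routes user-controlled values through it (cookie values, REQUEST_URI, $_POST fields). I would finish it as a short contract: `// Escape a string for use inside an HTML attribute value. Wraps wp_specialchars($text, true), which the rest of this commit treats as equivalent to the ENT_QUOTES form, so the result is safe inside single- or double-quoted attributes.` and add the caveat `// NOTE: this only prevents attribute breakout; it does not validate URL schemes for href/src values, and for text embedded in JavaScript strings or event handlers js_escape() is still required.` Whether wp_specialchars($text, true) actually encodes both quote characters is not visible in this hunk and should be confirmed against its definition before the comment makes that promise.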
|
@ -231,7 +231,7 @@ function get_option($setting) {
|
||||
}
|
||||
|
||||
function form_option($option) {
|
||||
echo wp_specialchars( get_option($option), 1 );
|
||||
echo attribute_escape( get_option($option));
|
||||
}
|
||||
|
||||
function get_alloptions() {
|
||||
@ -914,16 +914,16 @@ function wp_nonce_field($action = -1) {
|
||||
}
|
||||
|
||||
function wp_referer_field() {
|
||||
$ref = wp_specialchars($_SERVER['REQUEST_URI']);
|
||||
$ref = attribute_escape($_SERVER['REQUEST_URI']);
|
||||
echo '<input type="hidden" name="_wp_http_referer" value="'. $ref . '" />';
|
||||
if ( wp_get_original_referer() ) {
|
||||
$original_ref = wp_specialchars(stripslashes(wp_get_original_referer()));
|
||||
$original_ref = attribute_escape(stripslashes(wp_get_original_referer()));
|
||||
echo '<input type="hidden" name="_wp_original_http_referer" value="'. $original_ref . '" />';
|
||||
}
|
||||
}
|
||||
|
||||
function wp_original_referer_field() {
|
||||
echo '<input type="hidden" name="_wp_original_http_referer" value="' . wp_specialchars(stripslashes($_SERVER['REQUEST_URI'])) . '" />';
|
||||
echo '<input type="hidden" name="_wp_original_http_referer" value="' . attribute_escape(stripslashes($_SERVER['REQUEST_URI'])) . '" />';
|
||||
}
|
||||
|
||||
function wp_get_referer() {
|
||||
@ -1190,7 +1190,7 @@ function wp_nonce_ays($action) {
|
||||
foreach ( (array) $q as $a ) {
|
||||
$v = substr(strstr($a, '='), 1);
|
||||
$k = substr($a, 0, -(strlen($v)+1));
|
||||
$html .= "\t\t<input type='hidden' name='" . wp_specialchars( urldecode($k), 1 ) . "' value='" . wp_specialchars( urldecode($v), 1 ) . "' />\n";
|
||||
$html .= "\t\t<input type='hidden' name='" . attribute_escape( urldecode($k)) . "' value='" . attribute_escape( urldecode($v)) . "' />\n";
|
||||
}
|
||||
$html .= "\t\t<input type='hidden' name='_wpnonce' value='" . wp_create_nonce($action) . "' />\n";
|
||||
$html .= "\t\t<div id='message' class='confirm fade'>\n\t\t<p>" . wp_explain_nonce($action) . "</p>\n\t\t<p><a href='$adminurl'>" . __('No') . "</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t\t</div>\n\t</form>\n";
|
||||
|
@ -279,7 +279,7 @@ function single_month_title($prefix = '', $display = true ) {
|
||||
/* link navigation hack by Orien http://icecode.com/ */
|
||||
function get_archives_link($url, $text, $format = 'html', $before = '', $after = '') {
|
||||
$text = wptexturize($text);
|
||||
$title_text = wp_specialchars($text, 1);
|
||||
$title_text = attribute_escape($text);
|
||||
|
||||
if ('link' == $format)
|
||||
return "\t<link rel='archives' title='$title_text' href='$url' />\n";
|
||||
@ -901,7 +901,7 @@ function the_editor($content, $id = 'content', $prev_id = 'title') {
|
||||
|
||||
function the_search_query() {
|
||||
global $s;
|
||||
echo wp_specialchars( stripslashes($s), 1 );
|
||||
echo attribute_escape( stripslashes($s));
|
||||
}
|
||||
|
||||
function language_attributes() {
|
||||
@ -956,7 +956,7 @@ function paginate_links( $arg = '' ) {
|
||||
$link = str_replace('%#%', $current - 1, $link);
|
||||
if ( $add_args )
|
||||
$link = add_query_arg( $add_args, $link );
|
||||
$page_links[] = "<a class='prev page-numbers' href='" . wp_specialchars( $link, 1 ) . "'>$prev_text</a>";
|
||||
$page_links[] = "<a class='prev page-numbers' href='" . attribute_escape( $link) . "'>$prev_text</a>";
|
||||
endif;
|
||||
for ( $n = 1; $n <= $total; $n++ ) :
|
||||
if ( $n == $current ) :
|
||||
@ -968,7 +968,7 @@ function paginate_links( $arg = '' ) {
|
||||
$link = str_replace('%#%', $n, $link);
|
||||
if ( $add_args )
|
||||
$link = add_query_arg( $add_args, $link );
|
||||
$page_links[] = "<a class='page-numbers' href='" . wp_specialchars( $link, 1 ) . "'>$n</a>";
|
||||
$page_links[] = "<a class='page-numbers' href='" . attribute_escape( $link) . "'>$n</a>";
|
||||
$dots = true;
|
||||
elseif ( $dots && !$show_all ) :
|
||||
$page_links[] = "<span class='page-numbers dots'>...</span>";
|
||||
@ -981,7 +981,7 @@ function paginate_links( $arg = '' ) {
|
||||
$link = str_replace('%#%', $current + 1, $link);
|
||||
if ( $add_args )
|
||||
$link = add_query_arg( $add_args, $link );
|
||||
$page_links[] = "<a class='next page-numbers' href='" . wp_specialchars( $link, 1 ) . "'>$next_text</a>";
|
||||
$page_links[] = "<a class='next page-numbers' href='" . attribute_escape( $link) . "'>$next_text</a>";
|
||||
endif;
|
||||
switch ( $type ) :
|
||||
case 'array' :
|
||||
|
@ -334,7 +334,7 @@ function get_the_attachment_link($id = 0, $fullsize = false, $max_dims = false)
|
||||
if ( ('attachment' != $_post->post_type) || ('' == $_post->guid) )
|
||||
return __('Missing Attachment');
|
||||
|
||||
$post_title = wp_specialchars( $_post->post_title, 1 );
|
||||
$post_title = attribute_escape( $_post->post_title);
|
||||
|
||||
if (! empty($_post->guid) ) {
|
||||
$innerHTML = get_attachment_innerHTML($_post->ID, $fullsize, $max_dims);
|
||||
@ -420,7 +420,7 @@ function get_attachment_icon($id = 0, $fullsize = false, $max_dims = false) {
|
||||
}
|
||||
}
|
||||
|
||||
$post_title = wp_specialchars( $post->post_title, 1 );
|
||||
$post_title = attribute_escape( $post->post_title);
|
||||
|
||||
$icon = "<img src='$src' title='$post_title' alt='$post_title' $constraint/>";
|
||||
|
||||
@ -435,7 +435,7 @@ function get_attachment_innerHTML($id = 0, $fullsize = false, $max_dims = false)
|
||||
|
||||
$post = & get_post($id);
|
||||
|
||||
$innerHTML = wp_specialchars( $post->post_title, 1 );
|
||||
$innerHTML = attribute_escape( $post->post_title);
|
||||
|
||||
return apply_filters('attachment_innerHTML', $innerHTML, $post->ID);
|
||||
}
|
||||
|
@ -30,13 +30,13 @@ else
|
||||
|
||||
foreach ((array) $cats as $cat) {
|
||||
?>
|
||||
<outline type="category" title="<?php echo wp_specialchars($cat->cat_name); ?>">
|
||||
<outline type="category" title="<?php echo attribute_escape($cat->cat_name); ?>">
|
||||
<?php
|
||||
|
||||
$bookmarks = get_bookmarks("category={$cat->cat_ID}");
|
||||
foreach ((array) $bookmarks as $bookmark) {
|
||||
?>
|
||||
<outline text="<?php echo wp_specialchars($bookmark->link_name); ?>" type="link" xmlUrl="<?php echo wp_specialchars($bookmark->link_rss); ?>" htmlUrl="<?php echo wp_specialchars($bookmark->link_url); ?>" updated="<?php if ('0000-00-00 00:00:00' != $bookmark->link_updated) echo $bookmark->link_updated; ?>" />
|
||||
<outline text="<?php echo attribute_escape($bookmark->link_name); ?>" type="link" xmlUrl="<?php echo attribute_escape($bookmark->link_rss); ?>" htmlUrl="<?php echo attribute_escape($bookmark->link_url); ?>" updated="<?php if ('0000-00-00 00:00:00' != $bookmark->link_updated) echo $bookmark->link_updated; ?>" />
|
||||
<?php
|
||||
|
||||
}
|
||||
|
12
wp-login.php
12
wp-login.php
@ -138,11 +138,11 @@ case 'retrievepassword' :
|
||||
<form name="lostpasswordform" id="lostpasswordform" action="wp-login.php?action=lostpassword" method="post">
|
||||
<p>
|
||||
<label><?php _e('Username:') ?><br />
|
||||
<input type="text" name="user_login" id="user_login" class="input" value="<?php echo wp_specialchars(stripslashes($_POST['user_login']), 1); ?>" size="20" tabindex="10" /></label>
|
||||
<input type="text" name="user_login" id="user_login" class="input" value="<?php echo attribute_escape(stripslashes($_POST['user_login'])); ?>" size="20" tabindex="10" /></label>
|
||||
</p>
|
||||
<p>
|
||||
<label><?php _e('E-mail:') ?><br />
|
||||
<input type="text" name="user_email" id="user_email" class="input" value="<?php echo wp_specialchars(stripslashes($_POST['user_email']), 1); ?>" size="25" tabindex="20" /></label>
|
||||
<input type="text" name="user_email" id="user_email" class="input" value="<?php echo attribute_escape(stripslashes($_POST['user_email'])); ?>" size="25" tabindex="20" /></label>
|
||||
</p>
|
||||
<?php do_action('lostpassword_form'); ?>
|
||||
<p class="submit"><input type="submit" name="submit" id="submit" value="<?php _e('Get New Password »'); ?>" tabindex="100" /></p>
|
||||
@ -257,11 +257,11 @@ case 'register' :
|
||||
<form name="registerform" id="registerform" action="wp-login.php?action=register" method="post">
|
||||
<p>
|
||||
<label><?php _e('Username:') ?><br />
|
||||
<input type="text" name="user_login" id="user_login" class="input" value="<?php echo wp_specialchars(stripslashes($user_login), 1); ?>" size="20" tabindex="10" /></label>
|
||||
<input type="text" name="user_login" id="user_login" class="input" value="<?php echo attribute_escape(stripslashes($user_login)); ?>" size="20" tabindex="10" /></label>
|
||||
</p>
|
||||
<p>
|
||||
<label><?php _e('E-mail:') ?><br />
|
||||
<input type="text" name="user_email" id="user_email" class="input" value="<?php echo wp_specialchars(stripslashes($user_email), 1); ?>" size="25" tabindex="20" /></label>
|
||||
<input type="text" name="user_email" id="user_email" class="input" value="<?php echo attribute_escape(stripslashes($user_email)); ?>" size="25" tabindex="20" /></label>
|
||||
</p>
|
||||
<?php do_action('register_form'); ?>
|
||||
<p id="reg_passmail"><?php _e('A password will be e-mailed to you.') ?></p>
|
||||
@ -344,7 +344,7 @@ default:
|
||||
<form name="loginform" id="loginform" action="wp-login.php" method="post">
|
||||
<p>
|
||||
<label><?php _e('Username:') ?><br />
|
||||
<input type="text" name="log" id="user_login" class="input" value="<?php echo wp_specialchars(stripslashes($user_login), 1); ?>" size="20" tabindex="10" /></label>
|
||||
<input type="text" name="log" id="user_login" class="input" value="<?php echo attribute_escape(stripslashes($user_login)); ?>" size="20" tabindex="10" /></label>
|
||||
</p>
|
||||
<p>
|
||||
<label><?php _e('Password:') ?><br />
|
||||
@ -354,7 +354,7 @@ default:
|
||||
<p><label><input name="rememberme" type="checkbox" id="rememberme" value="forever" tabindex="90" /> <?php _e('Remember me'); ?></label></p>
|
||||
<p class="submit">
|
||||
<input type="submit" name="submit" id="submit" value="<?php _e('Login'); ?> »" tabindex="100" />
|
||||
<input type="hidden" name="redirect_to" value="<?php echo wp_specialchars($redirect_to); ?>" />
|
||||
<input type="hidden" name="redirect_to" value="<?php echo attribute_escape($redirect_to); ?>" />
|
||||
</p>
|
||||
</form>
|
||||
</div>
|
||||
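Review bot: On the retrievepassword form the new lines read `attribute_escape(stripslashes($_POST['user_login']))` and `attribute_escape(stripslashes($_POST['user_email']))` directly from $_POST, which are presumably unset when the form is first rendered via GET and so raise undefined-index notices before stripslashes even runs; the register and login forms below use the pre-populated $user_login/$user_email variables instead, so I would either align the first form with them or guard the lookups, e.g. `attribute_escape(stripslashes(isset($_POST['user_login']) ? $_POST['user_login'] : ''))`. Separately, the redirect_to hidden field is now attribute-escaped, which closes the attribute-breakout vector but says nothing about where the value later sends the browser; if $redirect_to originates from the request (its assignment is not visible here), the open-redirect validation has to happen where the value is consumed, not at this echo. The enclosing retrievepassword, register and default case bodies start outside the hunks shown.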
|