Upstream
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for trunk. 

git-svn-id: http://svn.automattic.com/wordpress/trunk@5056 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
markjaquith 2007-03-17 08:46:59 +00:00
parent 7136d65028
commit 611b037efa
18 changed files with 39 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
wp-admin/admin-functions.php
View File

@ -370,7 +370,7 @@ function get_default_post_to_edit() {
else if ( !empty( $post_title ) ) {
$text = wp_specialchars( stripslashes( urldecode( $_REQUEST['text'] ) ) );
$text = funky_javascript_fix( $text);
$popupurl = attribute_escape($_REQUEST['popupurl']);
$popupurl = clean_url($_REQUEST['popupurl']);
$post_content = '<a href="'.$popupurl.'">'.$post_title.'</a>'."\n$text";
}
@ -429,7 +429,7 @@ function get_user_to_edit( $user_id ) {
$user = new WP_User( $user_id );
$user->user_login = attribute_escape($user->user_login);
$user->user_email = attribute_escape($user->user_email);
$user->user_url = attribute_escape($user->user_url);
$user->user_url = clean_url($user->user_url);
$user->first_name = attribute_escape($user->first_name);
$user->last_name = attribute_escape($user->last_name);
$user->display_name = attribute_escape($user->display_name);
@ -574,11 +574,11 @@ function edit_user( $user_id = 0 ) {
function get_link_to_edit( $link_id ) {
$link = get_link( $link_id );
$link->link_url = attribute_escape($link->link_url);
$link->link_url = clean_url($link->link_url);
$link->link_name = attribute_escape($link->link_name);
$link->link_image = attribute_escape($link->link_image);
$link->link_description = attribute_escape($link->link_description);
$link->link_rss = attribute_escape($link->link_rss);
$link->link_rss = clean_url($link->link_rss);
$link->link_rel = attribute_escape($link->link_rel);
$link->link_notes = wp_specialchars($link->link_notes);
$link->post_category = $link->link_category;
@ -588,7 +588,7 @@ function get_link_to_edit( $link_id ) {
function get_default_link_to_edit() {
if ( isset( $_GET['linkurl'] ) )
$link->link_url = attribute_escape( $_GET['linkurl']);
$link->link_url = clean_url( $_GET['linkurl']);
else
$link->link_url = '';
@ -879,7 +879,7 @@ function user_row( $user_object, $style = '' ) {
}
$r .= "</td>\n\t\t<td>";
if ( current_user_can( 'edit_user', $user_object->ID ) ) {
$edit_link = attribute_escape( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), "user-edit.php?user_id=$user_object->ID" ));
$edit_link = clean_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), "user-edit.php?user_id=$user_object->ID" ));
$r .= "<a href='$edit_link' class='edit'>".__( 'Edit' )."</a>";
}
$r .= "</td>\n\t</tr>";

2
wp-admin/bookmarklet.php
View File

@ -37,7 +37,7 @@ else
$content = wp_specialchars($_REQUEST['content']);
$popupurl = attribute_escape($_REQUEST['popupurl']);
$popupurl = clean_url($_REQUEST['popupurl']);
if ( !empty($content) ) {
$post->post_content = wp_specialchars( stripslashes($_REQUEST['content']) );
} else {

12
wp-admin/edit-comments.php
View File

@ -101,7 +101,7 @@ $total_pages = ceil( $total / 20 );
$r = '';
if ( 1 < $page ) {
$args['apage'] = ( 1 == $page - 1 ) ? FALSE : $page - 1;
$r .= '<a class="prev" href="' . attribute_escape(add_query_arg( $args )) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
$r .= '<a class="prev" href="' . clean_url(add_query_arg( $args )) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
}
if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
for ( $page_num = 1; $page_num <= $total_pages; $page_num++ ) :
@ -111,7 +111,7 @@ if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
$p = false;
if ( $page_num < 3 || ( $page_num >= $page - 3 && $page_num <= $page + 3 ) || $page_num > $total_pages - 3 ) :
$args['apage'] = ( 1 == $page_num ) ? FALSE : $page_num;
$r .= '<a class="page-numbers" href="' . attribute_escape(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
$r .= '<a class="page-numbers" href="' . clean_url(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
$in = true;
elseif ( $in == true ) :
$r .= "...\n";
@ -122,7 +122,7 @@ if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
}
if ( ( $page ) * 20 < $total || -1 == $total ) {
$args['apage'] = $page + 1;
$r .= '<a class="next" href="' . attribute_escape(add_query_arg($args)) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
$r .= '<a class="next" href="' . clean_url(add_query_arg($args)) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
}
echo "<p class='pagenav'>$r</p>";
?>
@ -248,7 +248,7 @@ $total_pages = ceil( $total / 20 );
$r = '';
if ( 1 < $page ) {
$args['apage'] = ( 1 == $page - 1 ) ? FALSE : $page - 1;
$r .= '<a class="prev" href="' . attribute_escape(add_query_arg( $args )) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
$r .= '<a class="prev" href="' . clean_url(add_query_arg( $args )) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
}
if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
for ( $page_num = 1; $page_num <= $total_pages; $page_num++ ) :
@ -258,7 +258,7 @@ if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
$p = false;
if ( $page_num < 3 || ( $page_num >= $page - 3 && $page_num <= $page + 3 ) || $page_num > $total_pages - 3 ) :
$args['apage'] = ( 1 == $page_num ) ? FALSE : $page_num;
$r .= '<a class="page-numbers" href="' . attribute_escape(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
$r .= '<a class="page-numbers" href="' . clean_url(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
$in = true;
elseif ( $in == true ) :
$r .= "...\n";
@ -269,7 +269,7 @@ if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
}
if ( ( $page ) * 20 < $total || -1 == $total ) {
$args['apage'] = $page + 1;
$r .= '<a class="next" href="' . attribute_escape(add_query_arg($args)) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
$r .= '<a class="next" href="' . clean_url(add_query_arg($args)) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
}
echo "<p class='pagenav'>$r</p>";
?>

4
wp-admin/edit-form-advanced.php
View File

@ -168,11 +168,11 @@ if ('publish' != $post->post_status || 0 == $post_ID) {
?>
<input name="referredby" type="hidden" id="referredby" value="<?php
if ( !empty($_REQUEST['popupurl']) )
echo attribute_escape(stripslashes($_REQUEST['popupurl']));
echo clean_url(stripslashes($_REQUEST['popupurl']));
else if ( url_to_postid(wp_get_referer()) == $post_ID )
echo 'redo';
else
echo attribute_escape(stripslashes(wp_get_referer()));
echo clean_url(stripslashes(wp_get_referer()));
?>" /></p>
<?php do_action('edit_form_advanced'); ?>

2
wp-admin/edit-page-form.php
View File

@ -13,7 +13,7 @@ if (0 == $post_ID) {
$form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />";
}
$sendto = attribute_escape(stripslashes(wp_get_referer()));
$sendto = clean_url(stripslashes(wp_get_referer()));
if ( 0 != $post_ID && $sendto == get_permalink($post_ID) )
$sendto = 'redo';

2
wp-admin/link-manager.php
View File

@ -133,7 +133,7 @@ if ( $links ) {
foreach ($links as $link) {
$link->link_name = attribute_escape(apply_filters('link_title', $link->link_name));
$link->link_description = wp_specialchars(apply_filters('link_description', $link->link_description));
$link->link_url = attribute_escape($link->link_url);
$link->link_url = clean_url($link->link_url);
$link->link_category = wp_get_link_cats($link->link_id);
$short_url = str_replace('http://', '', $link->link_url);
$short_url = str_replace('www.', '', $short_url);

2
wp-admin/page.php
View File

@ -64,7 +64,7 @@ case 'edit':
?>
<div id='preview' class='wrap'>
<h2 id="preview-post"><?php _e('Page Preview (updated when page is saved)'); ?></h2>
<iframe src="<?php echo attribute_escape(apply_filters('preview_page_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
<iframe src="<?php echo clean_url(apply_filters('preview_page_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
</div>
<?php
break;

2
wp-admin/post.php
View File

@ -69,7 +69,7 @@ case 'edit':
?>
<div id='preview' class='wrap'>
<h2 id="preview-post"><?php _e('Post Preview (updated when post is saved)'); ?></h2>
<iframe src="<?php echo attribute_escape(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
<iframe src="<?php echo clean_url(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
</div>
<?php
break;

4
wp-admin/upgrade.php
View File

@ -35,7 +35,7 @@ else
<?php else :
switch($step) :
case 0:
$goback = attribute_escape(stripslashes(wp_get_referer()));
$goback = clean_url(stripslashes(wp_get_referer()));
?>
<h2><?php _e('Database Upgrade Required'); ?></h2>
<p><?php _e('Your WordPress database is out-of-date, and must be upgraded before you can continue.'); ?></p>
@ -49,7 +49,7 @@ switch($step) :
if ( empty( $_GET['backto'] ) )
$backto = __get_option('home') . '/';
else
$backto = attribute_escape(stripslashes($_GET['backto']));
$backto = clean_url(stripslashes($_GET['backto']));
?>
<h2><?php _e('Upgrade Complete'); ?></h2>
<p><?php _e('Your WordPress database has been successfully upgraded!'); ?></p>

8
wp-admin/upload-functions.php
View File

@ -83,9 +83,9 @@ function wp_upload_view() {
echo '[&nbsp;';
echo '<a href="' . get_permalink() . '">' . __('view') . '</a>';
echo '&nbsp;|&nbsp;';
echo '<a href="' . attribute_escape(add_query_arg('action', 'edit')) . '" title="' . __('Edit this file') . '">' . __('edit') . '</a>';
echo '<a href="' . clean_url(add_query_arg('action', 'edit')) . '" title="' . __('Edit this file') . '">' . __('edit') . '</a>';
echo '&nbsp;|&nbsp;';
echo '<a href="' . attribute_escape(remove_query_arg(array('action', 'ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
echo '<a href="' . clean_url(remove_query_arg(array('action', 'ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
echo '&nbsp;]'; ?></span>
</div>
@ -123,9 +123,9 @@ function wp_upload_form() {
echo '[&nbsp;';
echo '<a href="' . get_permalink() . '">' . __('view') . '</a>';
echo '&nbsp;|&nbsp;';
echo '<a href="' . attribute_escape(add_query_arg('action', 'view')) . '">' . __('links') . '</a>';
echo '<a href="' . clean_url(add_query_arg('action', 'view')) . '">' . __('links') . '</a>';
echo '&nbsp;|&nbsp;';
echo '<a href="' . attribute_escape(remove_query_arg(array('action','ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
echo '<a href="' . clean_url(remove_query_arg(array('action','ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
echo '&nbsp;]'; ?></span>
</div>

2
wp-admin/upload.php
View File

@ -90,7 +90,7 @@ foreach ( $wp_upload_tabs as $t => $tab_array ) { // We've already done the curr
$href = add_query_arg( array('tab' => $t, 'ID' => '', 'action' => '', 'paged' => '') );
if ( isset($tab_array[4]) && is_array($tab_array[4]) )
add_query_arg( $tab_array[4], $href );
$_href = attribute_escape( $href);
$_href = clean_url( $href);
$page_links = '';
$class = 'upload-tab alignleft';
if ( $tab == $t ) {

2
wp-admin/user-edit.php
View File

@ -55,7 +55,7 @@ include ('admin-header.php');
<div id="message" class="updated fade">
<p><strong><?php _e('User updated.') ?></strong></p>
<?php if ( $wp_http_referer ) : ?>
<p><a href="<?php echo attribute_escape($wp_http_referer); ?>"><?php _e('&laquo; Back to Authors and Users'); ?></a></p>
<p><a href="<?php echo clean_url($wp_http_referer); ?>"><?php _e('&laquo; Back to Authors and Users'); ?></a></p>
<?php endif; ?>
</div>
<?php endif; ?>

4
wp-includes/bookmark-template.php
View File

@ -96,7 +96,7 @@ function get_links($category = -1,
$output .= get_option('links_recently_updated_prepend');
$the_link = '#';
if ( !empty($row->link_url) )
$the_link = wp_specialchars($row->link_url);
$the_link = clean_url($row->link_url);
$rel = $row->link_rel;
if ( '' != $rel )
$rel = ' rel="' . $rel . '"';
@ -260,7 +260,7 @@ function _walk_bookmarks($bookmarks, $args = '' ) {
$the_link = '#';
if ( !empty($bookmark->link_url) )
$the_link = wp_specialchars($bookmark->link_url);
$the_link = clean_url($bookmark->link_url);
$rel = $bookmark->link_rel;
if ( '' != $rel )

2
wp-includes/comment.php
View File

@ -169,7 +169,7 @@ function sanitize_comment_cookies() {
if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) {
$comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
$comment_author_url = stripslashes($comment_author_url);
$comment_author_url = attribute_escape($comment_author_url);
$comment_author_url = clean_url($comment_author_url);
$_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url;
}
}

4
wp-includes/functions.php
View File

@ -1272,7 +1272,7 @@ function wp_nonce_ays($action) {
$adminurl = get_option('siteurl') . '/wp-admin';
if ( wp_get_referer() )
$adminurl = attribute_escape(wp_get_referer());
$adminurl = clean_url(wp_get_referer());
$title = __('WordPress Confirmation');
// Remove extra layer of slashes.
@ -1289,7 +1289,7 @@ function wp_nonce_ays($action) {
$html .= "\t\t<input type='hidden' name='_wpnonce' value='" . wp_create_nonce($action) . "' />\n";
$html .= "\t\t<div id='message' class='confirm fade'>\n\t\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t\t<p><a href='$adminurl'>" . __('No') . "</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t\t</div>\n\t</form>\n";
} else {
$html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . attribute_escape(add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] )) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
$html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . clean_url(add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] )) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
}
$html .= "</body>\n</html>";
wp_die($html, $title);

7
wp-includes/general-template.php
View File

@ -297,6 +297,7 @@ function single_month_title($prefix = '', $display = true ) {
function get_archives_link($url, $text, $format = 'html', $before = '', $after = '') {
$text = wptexturize($text);
$title_text = attribute_escape($text);
$url = clean_url($url);
if ('link' == $format)
return "\t<link rel='archives' title='$title_text' href='$url' />\n";
@ -985,7 +986,7 @@ function paginate_links( $arg = '' ) {
$link = str_replace('%#%', $current - 1, $link);
if ( $add_args )
$link = add_query_arg( $add_args, $link );
$page_links[] = "<a class='prev page-numbers' href='" . attribute_escape($link) . "'>$prev_text</a>";
$page_links[] = "<a class='prev page-numbers' href='" . clean_url($link) . "'>$prev_text</a>";
endif;
for ( $n = 1; $n <= $total; $n++ ) :
if ( $n == $current ) :
@ -997,7 +998,7 @@ function paginate_links( $arg = '' ) {
$link = str_replace('%#%', $n, $link);
if ( $add_args )
$link = add_query_arg( $add_args, $link );
$page_links[] = "<a class='page-numbers' href='" . attribute_escape($link) . "'>$n</a>";
$page_links[] = "<a class='page-numbers' href='" . clean_url($link) . "'>$n</a>";
$dots = true;
elseif ( $dots && !$show_all ) :
$page_links[] = "<span class='page-numbers dots'>...</span>";
@ -1010,7 +1011,7 @@ function paginate_links( $arg = '' ) {
$link = str_replace('%#%', $current + 1, $link);
if ( $add_args )
$link = add_query_arg( $add_args, $link );
$page_links[] = "<a class='next page-numbers' href='" . attribute_escape($link) . "'>$next_text</a>";
$page_links[] = "<a class='next page-numbers' href='" . clean_url($link) . "'>$next_text</a>";
endif;
switch ( $type ) :
case 'array' :

4
wp-includes/link-template.php
View File

@ -503,7 +503,7 @@ function get_next_posts_page_link($max_page = 0) {
}
function next_posts($max_page = 0) {
echo attribute_escape(get_next_posts_page_link($max_page));
echo clean_url(get_next_posts_page_link($max_page));
}
function next_posts_link($label='Next Page &raquo;', $max_page=0) {
@ -533,7 +533,7 @@ function get_previous_posts_page_link() {
}
function previous_posts() {
echo attribute_escape(get_previous_posts_page_link());
echo clean_url(get_previous_posts_page_link());
}
function previous_posts_link($label='&laquo; Previous Page') {

2
wp-includes/script-loader.php
View File

@ -150,7 +150,7 @@ class WP_Scripts {
$ver .= '&amp;' . $this->args[$handle];
$src = 0 === strpos($this->scripts[$handle]->src, 'http://') ? $this->scripts[$handle]->src : get_option( 'siteurl' ) . $this->scripts[$handle]->src;
$src = add_query_arg('ver', $ver, $src);
$src = attribute_escape(apply_filters( 'script_loader_src', $src ));
$src = clean_url(apply_filters( 'script_loader_src', $src ));
echo "<script type='text/javascript' src='$src'></script>\n";
$this->print_scripts_l10n( $handle );
}