Upstream
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

esc_textarea() and application for obvious textarea escaping. props alexkingorg. fixes #15454 

git-svn-id: http://svn.automattic.com/wordpress/trunk@16431 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
markjaquith 2010-11-17 17:12:01 +00:00
parent 4beb3ab36e
commit 6482610f9a
22 changed files with 48 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
wp-admin/edit-tag-form.php
View File

@ -61,7 +61,7 @@ do_action($taxonomy . '_pre_edit_form', $tag, $taxonomy); ?>
<?php endif; // is_taxonomy_hierarchical() ?>
<tr class="form-field">
<th scope="row" valign="top"><label for="description"><?php _ex('Description', 'Taxonomy Description'); ?></label></th>
<td><textarea name="description" id="description" rows="5" cols="50" style="width: 97%;"><?php echo esc_html($tag->description); ?></textarea><br />
<td><textarea name="description" id="description" rows="5" cols="50" style="width: 97%;"><?php echo esc_textarea( $tag->description ); ?></textarea><br />
<span class="description"><?php _e('The description is not prominent by default, however some themes may show it.'); ?></span></td>
</tr>
<?php

2
wp-admin/includes/class-wp-comments-list-table.php
View File

@ -350,7 +350,7 @@ class WP_Comments_List_Table extends WP_List_Table {
comment_text();
if ( $user_can ) { ?>
<div id="inline-<?php echo $comment->comment_ID; ?>" class="hidden">
<textarea class="comment" rows="1" cols="1"><?php echo esc_html( apply_filters( 'comment_edit_pre', $comment->comment_content ) ); ?></textarea>
<textarea class="comment" rows="1" cols="1"><?php echo esc_textarea( apply_filters( 'comment_edit_pre', $comment->comment_content ) ); ?></textarea>
<div class="author-email"><?php echo esc_attr( $comment->comment_author_email ); ?></div>
<div class="author"><?php echo esc_attr( $comment->comment_author ); ?></div>
<div class="author-url"><?php echo esc_attr( $comment->comment_author_url ); ?></div>

2
wp-admin/includes/dashboard.php
View File

@ -518,7 +518,7 @@ function wp_dashboard_quick_press_output() {
<h4 id="content-label"><label for="content"><?php _e('Content') ?></label></h4>
<div class="textarea-wrap">
<textarea name="content" id="content" class="mceEditor" rows="3" cols="15" tabindex="2"><?php echo $post->post_content; ?></textarea>
<textarea name="content" id="content" class="mceEditor" rows="3" cols="15" tabindex="2"><?php echo esc_textarea( $post->post_content ); ?></textarea>
</div>
<script type="text/javascript">edCanvas = document.getElementById('content');edInsertContent = null;</script>

2
wp-admin/includes/media.php
View File

@ -1282,7 +1282,7 @@ function get_media_item( $attachment_id, $args = null ) {
if ( !empty( $field[ $field['input'] ] ) )
$item .= $field[ $field['input'] ];
elseif ( $field['input'] == 'textarea' ) {
$item .= "<textarea type='text' id='$name' name='$name' $aria_required>" . esc_html( $field['value'] ) . '</textarea>';
$item .= "<textarea type='text' id='$name' name='$name' $aria_required>" . esc_textarea( $field['value'] ) . '</textarea>';
} else {
$item .= "<input type='text' class='text' id='$name' name='$name' value='" . esc_attr( $field['value'] ) . "' $aria_required />";
}

6
wp-admin/includes/meta-boxes.php
View File

@ -285,7 +285,7 @@ function post_tags_meta_box($post, $box) {
<div class="jaxtag">
<div class="nojs-tags hide-if-js">
<p><?php echo $taxonomy->labels->add_or_remove_items; ?></p>
<textarea name="<?php echo "tax_input[$tax_name]"; ?>" rows="3" cols="20" class="the-tags" id="tax-input-<?php echo $tax_name; ?>" <?php echo $disabled; ?>><?php echo esc_attr(get_terms_to_edit( $post->ID, $tax_name )); ?></textarea></div>
<textarea name="<?php echo "tax_input[$tax_name]"; ?>" rows="3" cols="20" class="the-tags" id="tax-input-<?php echo $tax_name; ?>" <?php echo $disabled; ?>><?php echo esc_textarea( get_terms_to_edit( $post->ID, $tax_name ) ); ?></textarea></div>
<?php if ( current_user_can($taxonomy->cap->assign_terms) ) : ?>
<div class="ajaxtag hide-if-no-js">
<label class="screen-reader-text" for="new-tag-<?php echo $tax_name; ?>"><?php echo $box['title']; ?></label>
@ -385,7 +385,7 @@ function post_categories_meta_box( $post, $box ) {
*/
function post_excerpt_meta_box($post) {
?>
<label class="screen-reader-text" for="excerpt"><?php _e('Excerpt') ?></label><textarea rows="1" cols="40" name="excerpt" tabindex="6" id="excerpt"><?php echo $post->post_excerpt ?></textarea>
<label class="screen-reader-text" for="excerpt"><?php _e('Excerpt') ?></label><textarea rows="1" cols="40" name="excerpt" tabindex="6" id="excerpt"><?php echo esc_textarea( $post->post_excerpt ); ?></textarea>
<p><?php _e('Excerpts are optional hand-crafted summaries of your content that can be used in your theme. <a href="http://codex.wordpress.org/Excerpt" target="_blank">Learn more about manual excerpts.</a>'); ?></p>
<?php
}
@ -894,7 +894,7 @@ function link_advanced_meta_box($link) {
</tr>
<tr class="form-field">
<th valign="top" scope="row"><label for="link_notes"><?php _e('Notes') ?></label></th>
<td><textarea name="link_notes" id="link_notes" cols="50" rows="10" style="width: 95%"><?php echo ( isset( $link->link_notes ) ? $link->link_notes : ''); ?></textarea></td>
<td><textarea name="link_notes" id="link_notes" cols="50" rows="10" style="width: 95%"><?php echo esc_textarea( ( isset( $link->link_notes ) ? $link->link_notes : '') ); ?></textarea></td>
</tr>
<tr class="form-field">
<th valign="top" scope="row"><label for="link_rating"><?php _e('Rating') ?></label></th>

2
wp-admin/includes/nav-menu.php
View File

@ -161,7 +161,7 @@ class Walker_Nav_Menu_Edit extends Walker_Nav_Menu {
<p class="field-description description description-wide">
<label for="edit-menu-item-description-<?php echo $item_id; ?>">
<?php _e( 'Description' ); ?><br />
<textarea id="edit-menu-item-description-<?php echo $item_id; ?>" class="widefat edit-menu-item-description" rows="3" cols="20" name="menu-item-description[<?php echo $item_id; ?>]"><?php echo esc_html( $item->description ); ?></textarea>
<textarea id="edit-menu-item-description-<?php echo $item_id; ?>" class="widefat edit-menu-item-description" rows="3" cols="20" name="menu-item-description[<?php echo $item_id; ?>]"><?php echo esc_textarea( $item->description ); ?></textarea>
<span class="description"><?php _e('The description will be displayed in the menu if the current theme supports it.'); ?></span>
</label>
</p>

4
wp-admin/includes/template.php
View File

@ -483,7 +483,7 @@ function _list_meta_row( $entry, &$count ) {
}
$entry['meta_key'] = esc_attr($entry['meta_key']);
$entry['meta_value'] = htmlspecialchars($entry['meta_value']); // using a <textarea />
$entry['meta_value'] = esc_textarea( $entry['meta_value'] ); // using a <textarea />
$entry['meta_id'] = (int) $entry['meta_id'];
$delete_nonce = wp_create_nonce( 'delete-meta_' . $entry['meta_id'] );
@ -718,7 +718,7 @@ function the_attachment_links( $id = false ) {
<col class="widefat" />
<tr>
<th scope="row"><?php _e( 'URL' ) ?></th>
<td><textarea rows="1" cols="40" type="text" class="attachmentlinks" readonly="readonly"><?php echo wp_get_attachment_url(); ?></textarea></td>
<td><textarea rows="1" cols="40" type="text" class="attachmentlinks" readonly="readonly"><?php echo esc_textarea( wp_get_attachment_url() ); ?></textarea></td>
</tr>
<?php if ( $icon ) : ?>
<tr>

2
wp-admin/maint/repair.php
View File

@ -72,7 +72,7 @@ if ( !defined('WP_ALLOW_REPAIR') ) {
$problem_output = array();
foreach ( $problems as $table => $problem )
$problem_output[] = "$table: $problem";
echo '<textarea name="errors" id="errors" rows="20" cols="60">' . format_to_edit(implode("\n", $problem_output)) . '</textarea>';
echo '<textarea name="errors" id="errors" rows="20" cols="60">' . esc_textarea( implode("\n", $problem_output) ) . '</textarea>';
} else {
echo '<p>'.__('Repairs complete. Please remove the following line from wp-config.php to prevent this page from being used by unauthorized users.')."</p><code>define('WP_ALLOW_REPAIR', true);</code>";
}

6
wp-admin/network.php
View File

@ -368,7 +368,7 @@ define( 'BLOG_ID_CURRENT_SITE', 1 );</textarea>
echo _n( 'This unique authentication key is also missing from your <code>wp-config.php</code> file.', 'These unique authentication keys are also missing from your <code>wp-config.php</code> file.', $num_keys_salts ); ?> <?php _e( 'To make your installation more secure, you should also add:' ) ?></p>
<textarea class="code" readonly="readonly" cols="100" rows="<?php echo $num_keys_salts; ?>"><?php
foreach ( $keys_salts as $c => $v ) {
echo "\ndefine( '$c', '" . wp_htmledit_pre( $v ) . "' );";
echo "\ndefine( '$c', '" . esc_textarea( $v ) . "' );";
}
?></textarea>
<?php
@ -456,7 +456,7 @@ define( 'BLOG_ID_CURRENT_SITE', 1 );</textarea>
?>
<li><p><?php printf( __( 'Add the following to your <code>web.config</code> file in <code>%s</code>, replacing other WordPress rules:' ), ABSPATH ); ?></p>
<textarea class="code" readonly="readonly" cols="100" rows="20">
<?php echo wp_htmledit_pre( $web_config_file ); ?>
<?php echo esc_textarea( $web_config_file ); ?>
</textarea></li>
</ol>
@ -485,7 +485,7 @@ RewriteRule ^ - [L]';
?>
<li><p><?php printf( __( 'Add the following to your <code>.htaccess</code> file in <code>%s</code>, replacing other WordPress rules:' ), ABSPATH ); ?></p>
<textarea class="code" readonly="readonly" cols="100" rows="<?php echo $subdomain_install ? 11 : 16; ?>">
<?php echo wp_htmledit_pre( $htaccess_file ); ?></textarea></li>
<?php echo esc_textarea( $htaccess_file ); ?></textarea></li>
</ol>
<?php endif; // end IIS/Apache code branches.

14
wp-admin/network/settings.php
View File

@ -121,7 +121,7 @@ if (isset($_GET['updated'])) {
<?php $limited_email_domains = get_site_option( 'limited_email_domains' );
$limited_email_domains = str_replace( ' ', "\n", $limited_email_domains ); ?>
<textarea name="limited_email_domains" id="limited_email_domains" cols="45" rows="5">
<?php echo wp_htmledit_pre( $limited_email_domains == '' ? '' : implode( "\n", (array) $limited_email_domains ) ); ?></textarea>
<?php echo esc_textarea( $limited_email_domains == '' ? '' : implode( "\n", (array) $limited_email_domains ) ); ?></textarea>
<br />
<?php _e( 'If you want to limit site registrations to certain domains. One domain per line.' ) ?>
</td>
@ -131,7 +131,7 @@ if (isset($_GET['updated'])) {
<th scope="row"><label for="banned_email_domains"><?php _e('Banned Email Domains') ?></label></th>
<td>
<textarea name="banned_email_domains" id="banned_email_domains" cols="45" rows="5">
<?php echo wp_htmledit_pre( get_site_option( 'banned_email_domains' ) == '' ? '' : implode( "\n", (array) get_site_option( 'banned_email_domains' ) ) ); ?></textarea>
<?php echo esc_textarea( get_site_option( 'banned_email_domains' ) == '' ? '' : implode( "\n", (array) get_site_option( 'banned_email_domains' ) ) ); ?></textarea>
<br />
<?php _e( 'If you want to ban domains from site registrations. One domain per line.' ) ?>
</td>
@ -145,7 +145,7 @@ if (isset($_GET['updated'])) {
<th scope="row"><label for="welcome_email"><?php _e( 'Welcome Email' ) ?></label></th>
<td>
<textarea name="welcome_email" id="welcome_email" rows="5" cols="45" class="large-text">
<?php echo wp_htmledit_pre( stripslashes( get_site_option( 'welcome_email' ) ) ) ?></textarea>
<?php echo esc_textarea( stripslashes( get_site_option( 'welcome_email' ) ) ) ?></textarea>
<br />
<?php _e( 'The welcome email sent to new site owners.' ) ?>
</td>
@ -154,7 +154,7 @@ if (isset($_GET['updated'])) {
<th scope="row"><label for="welcome_user_email"><?php _e( 'Welcome User Email' ) ?></label></th>
<td>
<textarea name="welcome_user_email" id="welcome_user_email" rows="5" cols="45" class="large-text">
<?php echo wp_htmledit_pre( stripslashes( get_site_option( 'welcome_user_email' ) ) ) ?></textarea>
<?php echo esc_textarea( stripslashes( get_site_option( 'welcome_user_email' ) ) ) ?></textarea>
<br />
<?php _e( 'The welcome email sent to new users.' ) ?>
</td>
@ -163,7 +163,7 @@ if (isset($_GET['updated'])) {
<th scope="row"><label for="first_post"><?php _e( 'First Post' ) ?></label></th>
<td>
<textarea name="first_post" id="first_post" rows="5" cols="45" class="large-text">
<?php echo wp_htmledit_pre( stripslashes( get_site_option( 'first_post' ) ) ) ?></textarea>
<?php echo esc_textarea( stripslashes( get_site_option( 'first_post' ) ) ) ?></textarea>
<br />
<?php _e( 'The first post on a new site.' ) ?>
</td>
@ -172,7 +172,7 @@ if (isset($_GET['updated'])) {
<th scope="row"><label for="first_page"><?php _e( 'First Page' ) ?></label></th>
<td>
<textarea name="first_page" id="first_page" rows="5" cols="45" class="large-text">
<?php echo wp_htmledit_pre( stripslashes( get_site_option('first_page') ) ) ?></textarea>
<?php echo esc_textarea( stripslashes( get_site_option('first_page') ) ) ?></textarea>
<br />
<?php _e( 'The first page on a new site.' ) ?>
</td>
@ -181,7 +181,7 @@ if (isset($_GET['updated'])) {
<th scope="row"><label for="first_comment"><?php _e( 'First Comment' ) ?></label></th>
<td>
<textarea name="first_comment" id="first_comment" rows="5" cols="45" class="large-text">
<?php echo wp_htmledit_pre( stripslashes( get_site_option('first_comment') ) ) ?></textarea>
<?php echo esc_textarea( stripslashes( get_site_option('first_comment') ) ) ?></textarea>
<br />
<?php _e( 'The first comment on a new site.' ) ?>
</td>

2
wp-admin/network/site-options.php
View File

@ -106,7 +106,7 @@ if ( ! empty( $messages ) ) {
?>
<tr class="form-field">
<th scope="row"><?php echo ucwords( str_replace( "_", " ", $option->option_name ) ) ?></th>
<td><textarea class="<?php echo $class; ?>" rows="5" cols="40" name="option[<?php echo esc_attr( $option->option_name ) ?>]" id="<?php echo esc_attr( $option->option_name ) ?>"<?php disabled( $disabled ) ?>><?php echo wp_htmledit_pre( $option->option_value ) ?></textarea></td>
<td><textarea class="<?php echo $class; ?>" rows="5" cols="40" name="option[<?php echo esc_attr( $option->option_name ) ?>]" id="<?php echo esc_attr( $option->option_name ) ?>"<?php disabled( $disabled ) ?>><?php echo esc_textarea( $option->option_value ) ?></textarea></td>
</tr>
<?php
} else {

4
wp-admin/options-discussion.php
View File

@ -141,7 +141,7 @@ printf( __('Comments should be displayed with the %s comments at the top of each
<p><label for="moderation_keys"><?php _e('When a comment contains any of these words in its content, name, URL, e-mail, or IP, it will be held in the <a href="edit-comments.php?comment_status=moderated">moderation queue</a>. One word or IP per line. It will match inside words, so &#8220;press&#8221; will match &#8220;WordPress&#8221;.') ?></label></p>
<p>
<textarea name="moderation_keys" rows="10" cols="50" id="moderation_keys" class="large-text code"><?php form_option('moderation_keys'); ?></textarea>
<textarea name="moderation_keys" rows="10" cols="50" id="moderation_keys" class="large-text code"><?php esc_textarea( get_option( 'moderation_keys' ) ); ?></textarea>
</p>
</fieldset></td>
</tr>
@ -150,7 +150,7 @@ printf( __('Comments should be displayed with the %s comments at the top of each
<td><fieldset><legend class="screen-reader-text"><span><?php _e('Comment Blacklist') ?></span></legend>
<p><label for="blacklist_keys"><?php _e('When a comment contains any of these words in its content, name, URL, e-mail, or IP, it will be marked as spam. One word or IP per line. It will match inside words, so &#8220;press&#8221; will match &#8220;WordPress&#8221;.') ?></label></p>
<p>
<textarea name="blacklist_keys" rows="10" cols="50" id="blacklist_keys" class="large-text code"><?php form_option('blacklist_keys'); ?></textarea>
<textarea name="blacklist_keys" rows="10" cols="50" id="blacklist_keys" class="large-text code"><?php esc_textarea( get_option( 'blacklist_keys' ) ); ?></textarea>
</p>
</fieldset></td>
</tr>

6
wp-admin/options-permalink.php
View File

@ -230,14 +230,14 @@ $structures = array(
<p><?php _e('If your <code>web.config</code> file were <a href="http://codex.wordpress.org/Changing_File_Permissions">writable</a>, we could do this automatically, but it isn&#8217;t so this is the url rewrite rule you should have in your <code>web.config</code> file. Click in the field and press <kbd>CTRL + a</kbd> to select all. Then insert this rule inside of the <code>/&lt;configuration&gt;/&lt;system.webServer&gt;/&lt;rewrite&gt;/&lt;rules&gt;</code> element in <code>web.config</code> file.') ?></p>
<form action="options-permalink.php" method="post">
<?php wp_nonce_field('update-permalink') ?>
<p><textarea rows="9" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_html($wp_rewrite->iis7_url_rewrite_rules()); ?></textarea></p>
<p><textarea rows="9" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_textarea( $wp_rewrite->iis7_url_rewrite_rules() ); ?></textarea></p>
</form>
<p><?php _e('If you temporarily make your <code>web.config</code> file writable for us to generate rewrite rules automatically, do not forget to revert the permissions after rule has been saved.') ?></p>
<?php else : ?>
<p><?php _e('If the root directory of your site were <a href="http://codex.wordpress.org/Changing_File_Permissions">writable</a>, we could do this automatically, but it isn&#8217;t so this is the url rewrite rule you should have in your <code>web.config</code> file. Create a new file, called <code>web.config</code> in the root directory of your site. Click in the field and press <kbd>CTRL + a</kbd> to select all. Then insert this code into the <code>web.config</code> file.') ?></p>
<form action="options-permalink.php" method="post">
<?php wp_nonce_field('update-permalink') ?>
<p><textarea rows="18" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_html($wp_rewrite->iis7_url_rewrite_rules(true)); ?></textarea></p>
<p><textarea rows="18" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_textarea( $wp_rewrite->iis7_url_rewrite_rules(true) ); ?></textarea></p>
</form>
<p><?php _e('If you temporarily make your site&#8217;s root directory writable for us to generate the <code>web.config</code> file automatically, do not forget to revert the permissions after the file has been created.') ?></p>
<?php endif; ?>
@ -247,7 +247,7 @@ $structures = array(
<p><?php _e('If your <code>.htaccess</code> file were <a href="http://codex.wordpress.org/Changing_File_Permissions">writable</a>, we could do this automatically, but it isn&#8217;t so these are the mod_rewrite rules you should have in your <code>.htaccess</code> file. Click in the field and press <kbd>CTRL + a</kbd> to select all.') ?></p>
<form action="options-permalink.php" method="post">
<?php wp_nonce_field('update-permalink') ?>
<p><textarea rows="6" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_html($wp_rewrite->mod_rewrite_rules()); ?></textarea></p>
<p><textarea rows="6" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_textarea( $wp_rewrite->mod_rewrite_rules() ); ?></textarea></p>
</form>
<?php endif; ?>
<?php endif; ?>

2
wp-admin/options-writing.php
View File

@ -137,7 +137,7 @@ wp_dropdown_categories(array('hide_empty' => 0, 'name' => 'default_email_categor
<p><label for="ping_sites"><?php _e('When you publish a new post, WordPress automatically notifies the following site update services. For more about this, see <a href="http://codex.wordpress.org/Update_Services">Update Services</a> on the Codex. Separate multiple service <abbr title="Universal Resource Locator">URL</abbr>s with line breaks.') ?></label></p>
<textarea name="ping_sites" id="ping_sites" class="large-text code" rows="3"><?php form_option('ping_sites'); ?></textarea>
<textarea name="ping_sites" id="ping_sites" class="large-text code" rows="3"><?php esc_textarea( get_option('ping_sites') ); ?></textarea>
<?php else : ?>

2
wp-admin/options.php
View File

@ -201,7 +201,7 @@ foreach ( (array) $options as $option ) :
<th scope='row'><label for='$name'>" . esc_html( $option->option_name ) . "</label></th>
<td>";
if ( strpos( $value, "\n" ) !== false )
echo "<textarea class='$class' name='$name' id='$name' cols='30' rows='5'>" . wp_htmledit_pre( $value ) . "</textarea>";
echo "<textarea class='$class' name='$name' id='$name' cols='30' rows='5'>" . esc_textarea( $value ) . "</textarea>";
else
echo "<input class='regular-text $class' type='text' name='$name' id='$name' value='" . esc_attr( $value ) . "'" . disabled( $disabled, true, false ) . " />";
echo "</td>

2
wp-admin/plugin-editor.php
View File

@ -136,7 +136,7 @@ default:
}
}
$content = htmlspecialchars( $content );
$content = esc_textarea( $content );
?>
<?php if (isset($_GET['a'])) : ?>
<div id="message" class="updated"><p><?php _e('File edited successfully.') ?></p></div>

2
wp-admin/press-this.php
View File

@ -113,7 +113,7 @@ if ( !empty($_REQUEST['ajax']) ) {
<div class="postbox">
<h2><label for="embed-code"><?php _e('Embed Code') ?></label></h2>
<div class="inside">
<textarea name="embed-code" id="embed-code" rows="8" cols="40"><?php echo wp_htmledit_pre( $selection ); ?></textarea>
<textarea name="embed-code" id="embed-code" rows="8" cols="40"><?php echo esc_textarea( $selection ); ?></textarea>
<p id="options"><a href="#" class="select button"><?php _e('Insert Video'); ?></a> <a href="#" class="close button"><?php _e('Cancel'); ?></a></p>
</div>
</div>

2
wp-admin/theme-editor.php
View File

@ -116,7 +116,7 @@ default:
$docs_select .= '</select>';
}
$content = htmlspecialchars( $content );
$content = esc_textarea( $content );
}
?>

2
wp-admin/user-edit.php
View File

@ -340,7 +340,7 @@ if ( is_multisite() && is_network_admin() && current_user_can( 'manage_network_o
<table class="form-table">
<tr>
<th><label for="description"><?php _e('Biographical Info'); ?></label></th>
<td><textarea name="description" id="description" rows="5" cols="30"><?php echo esc_html($profileuser->description); ?></textarea><br />
<td><textarea name="description" id="description" rows="5" cols="30"><?php echo esc_textarea( $profileuser->description ); ?></textarea><br />
<span class="description"><?php _e('Share a little biographical information to fill out your profile. This may be shown publicly.'); ?></span></td>
</tr>

2
wp-includes/default-widgets.php
View File

@ -399,7 +399,7 @@ class WP_Widget_Text extends WP_Widget {
function form( $instance ) {
$instance = wp_parse_args( (array) $instance, array( 'title' => '', 'text' => '' ) );
$title = strip_tags($instance['title']);
$text = format_to_edit($instance['text']);
$text = esc_textarea($instance['text']);
?>
<p><label for="<?php echo $this->get_field_id('title'); ?>"><?php _e('Title:'); ?></label>
<input class="widefat" id="<?php echo $this->get_field_id('title'); ?>" name="<?php echo $this->get_field_name('title'); ?>" type="text" value="<?php echo esc_attr($title); ?>" /></p>

13
wp-includes/formatting.php
View File

@ -2352,6 +2352,19 @@ function esc_attr( $text ) {
return apply_filters( 'attribute_escape', $safe_text, $text );
}
/**
* Escaping for textarea values.
*
* @since 3.1
*
* @param string $text
* @return string
*/
function esc_textarea( $text ) {
$safe_text = htmlspecialchars( $text );
return apply_filters( 'esc_textarea', $safe_text, $text );
}
/**
* Escape a HTML tag name.
*

2
wp-includes/post.php
View File

@ -5123,7 +5123,7 @@ function wp_quickpress_form( $args = array(), $post_type = 'post'){
'capability' => '',
'output' => '<h4 id="%s-content-label"><label for="content">'. __('Content') .'</label></h4>
<div class="textarea-wrap">
<textarea name="content" id="%s-content" class="mceEditor" rows="3" cols="15" tabindex="%d">'. $post->post_content.'</textarea>
<textarea name="content" id="%s-content" class="mceEditor" rows="3" cols="15" tabindex="%d">'. esc_textarea( $post->post_content ) .'</textarea>
</div>
'." <script type='text/javascript'>edCanvas = document.getElementById('content');edInsertContent = null;</script>
"