Upstream
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

After [33148]: 

Don't nest `esc_attr()` and `htmlspecialchars()` when escaping the post title on the edit post screen.

Unrevert parts of [32851] and [32850].

Adds/alters unit tests.

Props miqrogroove.
Fixes #17780.

Built from https://develop.svn.wordpress.org/trunk@33271


git-svn-id: http://core.svn.wordpress.org/trunk@33243 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Scott Taylor 2015-07-14 17:56:26 +00:00
parent 4d34e37311
commit 7c218ab59a
3 changed files with 7 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
wp-admin/edit-form-advanced.php
View File

@ -494,7 +494,7 @@ do_action( 'edit_form_top', $post ); ?>
$title_placeholder = apply_filters( 'enter_title_here', __( 'Enter title here' ), $post );
?>
<label class="screen-reader-text" id="title-prompt-text" for="title"><?php echo $title_placeholder; ?></label>
<input type="text" name="post_title" size="30" value="<?php echo esc_attr( htmlspecialchars( $post->post_title ) ); ?>" id="title" spellcheck="true" autocomplete="off" />
<input type="text" name="post_title" size="30" value="<?php echo esc_attr( $post->post_title ); ?>" id="title" spellcheck="true" autocomplete="off" />
</div>
<?php
/**

21
wp-includes/formatting.php
View File

@ -752,25 +752,14 @@ function _wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = fals
$quote_style = ENT_NOQUOTES;
}
// Handle double encoding ourselves
if ( $double_encode ) {
$string = @htmlspecialchars( $string, $quote_style, $charset );
} else {
// Decode &amp; into &
$string = wp_specialchars_decode( $string, $_quote_style );
// Guarantee every &entity; is valid or re-encode the &
if ( ! $double_encode ) {
// Guarantee every &entity; is valid, convert &garbage; into &amp;garbage;
// This is required for PHP < 5.4.0 because ENT_HTML401 flag is unavailable.
$string = wp_kses_normalize_entities( $string );
// Now re-encode everything except &entity;
$string = preg_split( '/(&#?x?[0-9a-z]+;)/i', $string, -1, PREG_SPLIT_DELIM_CAPTURE );
for ( $i = 0, $c = count( $string ); $i < $c; $i += 2 ) {
$string[$i] = @htmlspecialchars( $string[$i], $quote_style, $charset );
}
$string = implode( '', $string );
}
$string = @htmlspecialchars( $string, $quote_style, $charset, $double_encode );
// Backwards compatibility
if ( 'single' === $_quote_style )
$string = str_replace( "'", '&#039;', $string );

2
wp-includes/version.php
View File

@ -4,7 +4,7 @@
*
* @global string $wp_version
*/
$wp_version = '4.3-beta2-33270';
$wp_version = '4.3-beta2-33271';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.