Prophylactic escapes

git-svn-id: http://svn.automattic.com/wordpress/trunk@11838 1a063a9b-81f0-0310-95a4-ce76da25c4cd
ryan 2009-08-18 16:05:07 +00:00
parent 491b68752b
commit 8513b29792
7 changed files with 35 additions and 25 deletions


@ -132,7 +132,7 @@ function the_author_meta($field = '', $user_id = false) {
*/ */
function the_author_link() { function the_author_link() {
if ( get_the_author_meta('url') ) { if ( get_the_author_meta('url') ) {
echo '<a href="' . get_the_author_meta('url') . '" title="' . sprintf(__("Visit %s&#8217;s website"), get_the_author()) . '" rel="external">' . get_the_author() . '</a>'; echo '<a href="' . get_the_author_meta('url') . '" title="' . esc_attr( sprintf(__("Visit %s&#8217;s website"), get_the_author()) ) . '" rel="external">' . get_the_author() . '</a>';
} else { } else {
the_author(); the_author();
} }
@ -181,7 +181,7 @@ function the_author_posts_link($deprecated = '') {
printf( printf(
'<a href="%1$s" title="%2$s">%3$s</a>', '<a href="%1$s" title="%2$s">%3$s</a>',
get_author_posts_url( $authordata->ID, $authordata->user_nicename ), get_author_posts_url( $authordata->ID, $authordata->user_nicename ),
sprintf( __( 'Posts by %s' ), esc_attr( get_the_author() ) ), esc_attr( sprintf( __( 'Posts by %s' ), get_the_author() ) ),
get_the_author() get_the_author()
); );
} }
@ -292,7 +292,7 @@ function wp_list_authors($args = '') {
if ( ! $hide_empty ) if ( ! $hide_empty )
$link = $name; $link = $name;
} else { } else {
$link = '<a href="' . get_author_posts_url($author->ID, $author->user_nicename) . '" title="' . sprintf(__("Posts by %s"), esc_attr($author->display_name)) . '">' . $name . '</a>'; $link = '<a href="' . get_author_posts_url($author->ID, $author->user_nicename) . '" title="' . esc_attr( sprintf(__("Posts by %s"), $author->display_name) ) . '">' . $name . '</a>';
if ( (! empty($feed_image)) || (! empty($feed)) ) { if ( (! empty($feed_image)) || (! empty($feed)) ) {
$link .= ' '; $link .= ' ';
@ -301,8 +301,8 @@ function wp_list_authors($args = '') {
$link .= '<a href="' . get_author_feed_link($author->ID) . '"'; $link .= '<a href="' . get_author_feed_link($author->ID) . '"';
if ( !empty($feed) ) { if ( !empty($feed) ) {
$title = ' title="' . $feed . '"'; $title = ' title="' . esc_attr($feed) . '"';
$alt = ' alt="' . $feed . '"'; $alt = ' alt="' . esc_attr($feed) . '"';
$name = $feed; $name = $feed;
$link .= $title; $link .= $title;
} }
@ -310,7 +310,7 @@ function wp_list_authors($args = '') {
$link .= '>'; $link .= '>';
if ( !empty($feed_image) ) if ( !empty($feed_image) )
$link .= "<img src=\"$feed_image\" style=\"border: none;\"$alt$title" . ' />'; $link .= "<img src=\"" . esc_url($feed_image) . "\" style=\"border: none;\"$alt$title" . ' />';
else else
$link .= $name; $link .= $name;
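Review bot: The `$feed` value is now escaped for the title and alt attributes in the third wp_list_authors hunk, but the same hunk's `$name = $feed;` routes the identical string into element content at `$link .= $name;` unescaped, so the new code covers only one of its two output paths. Escaping at the assignment, `$name = esc_html($feed);`, would make the two paths consistent. Likewise the feed `href` built from `get_author_feed_link($author->ID)` and the `href` from `get_the_author_meta('url')` in the_author_link stay bare while their neighbouring title attributes are now escaped; `esc_url()` on both would match the treatment `$feed_image` received. wp_list_authors starts and ends outside these hunks.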


@ -90,7 +90,7 @@ function _walk_bookmarks($bookmarks, $args = '' ) {
$rel = $bookmark->link_rel; $rel = $bookmark->link_rel;
if ( '' != $rel ) if ( '' != $rel )
$rel = ' rel="' . $rel . '"'; $rel = ' rel="' . esc_attr($rel) . '"';
$target = $bookmark->link_target; $target = $bookmark->link_target;
if ( '' != $target ) if ( '' != $target )
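Review bot: The `$target` attribute started at the hunk's last line is built by the same pattern as `$rel`, yet only `$rel` receives `esc_attr()`; if the assignment following `if ( '' != $target )` (outside the hunk) interpolates `$target` into ` target="..."` as the `$rel` line did, it needs the matching `esc_attr($target)`. Both values come from bookmark fields, so the one-line change keeps the two sibling attributes consistent. _walk_bookmarks starts and ends outside the hunk.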


@ -68,7 +68,7 @@ function get_category_parents( $id, $link = false, $separator = '/', $nicename =
} }
if ( $link ) if ( $link )
$chain .= '<a href="' . get_category_link( $parent->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $parent->cat_name ) . '">'.$name.'</a>' . $separator; $chain .= '<a href="' . get_category_link( $parent->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $parent->cat_name ) ) . '">'.$name.'</a>' . $separator;
else else
$chain .= $name.$separator; $chain .= $name.$separator;
return $chain; return $chain;
@ -190,17 +190,17 @@ function get_the_category_list( $separator = '', $parents='', $post_id = false )
case 'multiple': case 'multiple':
if ( $category->parent ) if ( $category->parent )
$thelist .= get_category_parents( $category->parent, true, $separator ); $thelist .= get_category_parents( $category->parent, true, $separator );
$thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>' . $category->name.'</a></li>'; $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->name.'</a></li>';
break; break;
case 'single': case 'single':
$thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>'; $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>';
if ( $category->parent ) if ( $category->parent )
$thelist .= get_category_parents( $category->parent, false, $separator ); $thelist .= get_category_parents( $category->parent, false, $separator );
$thelist .= $category->name.'</a></li>'; $thelist .= $category->name.'</a></li>';
break; break;
case '': case '':
default: default:
$thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>' . $category->cat_name.'</a></li>'; $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->cat_name.'</a></li>';
} }
} }
$thelist .= '</ul>'; $thelist .= '</ul>';
@ -213,17 +213,17 @@ function get_the_category_list( $separator = '', $parents='', $post_id = false )
case 'multiple': case 'multiple':
if ( $category->parent ) if ( $category->parent )
$thelist .= get_category_parents( $category->parent, true, $separator ); $thelist .= get_category_parents( $category->parent, true, $separator );
$thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>' . $category->cat_name.'</a>'; $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->cat_name.'</a>';
break; break;
case 'single': case 'single':
$thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>'; $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>';
if ( $category->parent ) if ( $category->parent )
$thelist .= get_category_parents( $category->parent, false, $separator ); $thelist .= get_category_parents( $category->parent, false, $separator );
$thelist .= "$category->cat_name</a>"; $thelist .= "$category->cat_name</a>";
break; break;
case '': case '':
default: default:
$thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>' . $category->name.'</a>'; $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->name.'</a>';
} }
++$i; ++$i;
} }
@ -352,6 +352,8 @@ function wp_dropdown_categories( $args = '' ) {
$tab_index_attribute = " tabindex=\"$tab_index\""; $tab_index_attribute = " tabindex=\"$tab_index\"";
$categories = get_categories( $r ); $categories = get_categories( $r );
$name = esc_attr($name);
$class = esc_attr($class);
$output = ''; $output = '';
if ( ! empty( $categories ) ) { if ( ! empty( $categories ) ) {
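Review bot: In the get_the_category_list hunks the title attribute is now wrapped in `esc_attr( sprintf( ... ) )`, but the same `$category->name` / `$category->cat_name` value is still concatenated as link text (`'>' . $category->name.'</a></li>'` and the `"$category->cat_name</a>"` interpolation) without escaping, and the `$rel` fragment and the `get_category_link()` href on those lines are likewise bare. This presumably relies on term names being sanitized at insert time; if that is the intended trust boundary a one-line comment saying so would help the next reader, otherwise `esc_html()` on the text nodes and `esc_url()` on the hrefs would match the attribute treatment. The same applies to the `$name` link text and href in the get_category_parents hunk. All of these functions start and end outside the hunks shown.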


@ -338,6 +338,8 @@ function get_comment_class( $class = '', $comment_id = null, $post_id = null ) {
$classes = array_merge($classes, $class); $classes = array_merge($classes, $class);
} }
$classes = array_map('esc_attr', $classes);
return apply_filters('comment_class', $classes, $class, $comment_id, $post_id); return apply_filters('comment_class', $classes, $class, $comment_id, $post_id);
} }
@ -940,7 +942,7 @@ function comments_popup_link( $zero = false, $one = false, $more = false, $css_c
$number = get_comments_number( $id ); $number = get_comments_number( $id );
if ( 0 == $number && !comments_open() && !pings_open() ) { if ( 0 == $number && !comments_open() && !pings_open() ) {
echo '<span' . ((!empty($css_class)) ? ' class="' . $css_class . '"' : '') . '>' . $none . '</span>'; echo '<span' . ((!empty($css_class)) ? ' class="' . esc_attr( $css_class ) . '"' : '') . '>' . $none . '</span>';
return; return;
} }
@ -972,7 +974,7 @@ function comments_popup_link( $zero = false, $one = false, $more = false, $css_c
echo apply_filters( 'comments_popup_link_attributes', '' ); echo apply_filters( 'comments_popup_link_attributes', '' );
echo ' title="' . sprintf( __('Comment on %s'), $title ) . '">'; echo ' title="' . esc_attr( sprintf( __('Comment on %s'), $title ) ) . '">';
comments_number( $zero, $one, $more, $number ); comments_number( $zero, $one, $more, $number );
echo '</a>'; echo '</a>';
} }
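Review bot: In get_comment_class the new `$classes = array_map('esc_attr', $classes);` runs before `apply_filters('comment_class', ...)`, so any class a filter callback adds or rewrites is returned unescaped and the escaping covers only the values this function built itself. Escaping the filter's result instead, `return array_map('esc_attr', apply_filters('comment_class', $classes, $class, $comment_id, $post_id));`, or escaping at the point of output in the echoing wrapper, would close that gap. The same ordering appears in the get_post_class and get_body_class hunks of the post-template section below. get_comment_class starts outside the hunk.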


@ -1023,7 +1023,7 @@ function get_calendar($initial = true) {
/* translators: Calendar caption: 1: month name, 2: 4-digit year */ /* translators: Calendar caption: 1: month name, 2: 4-digit year */
$calendar_caption = _x('%1$s %2$s', 'calendar caption'); $calendar_caption = _x('%1$s %2$s', 'calendar caption');
echo '<table id="wp-calendar" summary="' . __('Calendar') . '"> echo '<table id="wp-calendar" summary="' . esc_attr__('Calendar') . '">
<caption>' . sprintf($calendar_caption, $wp_locale->get_month($thismonth), date('Y', $unixmonth)) . '</caption> <caption>' . sprintf($calendar_caption, $wp_locale->get_month($thismonth), date('Y', $unixmonth)) . '</caption>
<thead> <thead>
<tr>'; <tr>';
@ -1036,6 +1036,7 @@ function get_calendar($initial = true) {
foreach ( $myweek as $wd ) { foreach ( $myweek as $wd ) {
$day_name = (true == $initial) ? $wp_locale->get_weekday_initial($wd) : $wp_locale->get_weekday_abbrev($wd); $day_name = (true == $initial) ? $wp_locale->get_weekday_initial($wd) : $wp_locale->get_weekday_abbrev($wd);
$wd = esc_attr($wd);
echo "\n\t\t<th abbr=\"$wd\" scope=\"col\" title=\"$wd\">$day_name</th>"; echo "\n\t\t<th abbr=\"$wd\" scope=\"col\" title=\"$wd\">$day_name</th>";
} }
@ -1058,8 +1059,8 @@ function get_calendar($initial = true) {
if ( $next ) { if ( $next ) {
echo "\n\t\t".'<td abbr="' . $wp_locale->get_month($next->month) . '" colspan="3" id="next"><a href="' . echo "\n\t\t".'<td abbr="' . $wp_locale->get_month($next->month) . '" colspan="3" id="next"><a href="' .
get_month_link($next->year, $next->month) . '" title="' . sprintf(__('View posts for %1$s %2$s'), $wp_locale->get_month($next->month), get_month_link($next->year, $next->month) . '" title="' . esc_attr( sprintf(__('View posts for %1$s %2$s'), $wp_locale->get_month($next->month) ,
date('Y', mktime(0, 0 , 0, $next->month, 1, $next->year))) . '">' . $wp_locale->get_month_abbrev($wp_locale->get_month($next->month)) . ' &raquo;</a></td>'; date('Y', mktime(0, 0 , 0, $next->month, 1, $next->year))) ) . '">' . $wp_locale->get_month_abbrev($wp_locale->get_month($next->month)) . ' &raquo;</a></td>';
} else { } else {
echo "\n\t\t".'<td colspan="3" id="next" class="pad">&nbsp;</td>'; echo "\n\t\t".'<td colspan="3" id="next" class="pad">&nbsp;</td>';
} }
@ -1116,7 +1117,7 @@ function get_calendar($initial = true) {
// See how much we should pad in the beginning // See how much we should pad in the beginning
$pad = calendar_week_mod(date('w', $unixmonth)-$week_begins); $pad = calendar_week_mod(date('w', $unixmonth)-$week_begins);
if ( 0 != $pad ) if ( 0 != $pad )
echo "\n\t\t".'<td colspan="'.$pad.'" class="pad">&nbsp;</td>'; echo "\n\t\t".'<td colspan="'. esc_attr($pad) .'" class="pad">&nbsp;</td>';
$daysinmonth = intval(date('t', $unixmonth)); $daysinmonth = intval(date('t', $unixmonth));
for ( $day = 1; $day <= $daysinmonth; ++$day ) { for ( $day = 1; $day <= $daysinmonth; ++$day ) {
@ -1130,7 +1131,7 @@ function get_calendar($initial = true) {
echo '<td>'; echo '<td>';
if ( in_array($day, $daywithpost) ) // any posts today? if ( in_array($day, $daywithpost) ) // any posts today?
echo '<a href="' . get_day_link($thisyear, $thismonth, $day) . "\" title=\"$ak_titles_for_day[$day]\">$day</a>"; echo '<a href="' . get_day_link($thisyear, $thismonth, $day) . "\" title=\"" . esc_attr($ak_titles_for_day[$day]) . "\">$day</a>";
else else
echo $day; echo $day;
echo '</td>'; echo '</td>';
@ -1141,7 +1142,7 @@ function get_calendar($initial = true) {
$pad = 7 - calendar_week_mod(date('w', mktime(0, 0 , 0, $thismonth, $day, $thisyear))-$week_begins); $pad = 7 - calendar_week_mod(date('w', mktime(0, 0 , 0, $thismonth, $day, $thisyear))-$week_begins);
if ( $pad != 0 && $pad != 7 ) if ( $pad != 0 && $pad != 7 )
echo "\n\t\t".'<td class="pad" colspan="'.$pad.'">&nbsp;</td>'; echo "\n\t\t".'<td class="pad" colspan="'. esc_attr($pad) .'">&nbsp;</td>';
echo "\n\t</tr>\n\t</tbody>\n\t</table>"; echo "\n\t</tr>\n\t</tbody>\n\t</table>";
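Review bot: In the "next" link hunk of get_calendar the title attribute is now wrapped in `esc_attr()`, but on the line directly above it the `abbr="' . $wp_locale->get_month($next->month) . '"` attribute uses the same locale month name unescaped, and the `href` from `get_month_link()` is also bare; `esc_attr()` on the abbr value and `esc_url()` on the href would match the new title handling. The two `esc_attr($pad)` calls on the colspan attributes are harmless, but `$pad` is the arithmetic result of `calendar_week_mod()`, so an `(int) $pad` cast states the intent more precisely than HTML escaping. get_calendar starts and ends outside the hunks shown.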


@ -616,9 +616,9 @@ function img_caption_shortcode($attr, $content = null) {
if ( 1 > (int) $width || empty($caption) ) if ( 1 > (int) $width || empty($caption) )
return $content; return $content;
if ( $id ) $id = 'id="' . $id . '" '; if ( $id ) $id = 'id="' . esc_attr($id) . '" ';
return '<div ' . $id . 'class="wp-caption ' . $align . '" style="width: ' . (10 + (int) $width) . 'px">' return '<div ' . $id . 'class="wp-caption ' . esc_attr($align) . '" style="width: ' . (10 + (int) $width) . 'px">'
. do_shortcode( $content ) . '<p class="wp-caption-text">' . $caption . '</p></div>'; . do_shortcode( $content ) . '<p class="wp-caption-text">' . $caption . '</p></div>';
} }
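Review bot: `esc_attr($align)` keeps the value inside the class attribute, but since `$align` becomes a CSS class name the stronger check is validating it against the values the markup expects rather than escaping an arbitrary string; if the accepted set is the standard `alignnone`/`alignleft`/`aligncenter`/`alignright` classes, a guard such as `if ( ! in_array( $align, array( 'alignnone', 'alignleft', 'aligncenter', 'alignright' ), true ) ) $align = 'alignnone';` before the return would make that explicit. `$caption` is still emitted unescaped inside the `<p>`; if captions are meant to carry markup, a short comment recording that decision would save the next reader from re-raising it. img_caption_shortcode starts outside the hunk.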


@ -342,6 +342,8 @@ function get_post_class( $class = '', $post_id = null ) {
$classes = array_merge($classes, $class); $classes = array_merge($classes, $class);
} }
$classes = array_map('esc_attr', $classes);
return apply_filters('post_class', $classes, $class, $post_id); return apply_filters('post_class', $classes, $class, $post_id);
} }
@ -478,6 +480,8 @@ function get_body_class( $class = '' ) {
$classes = array_merge($classes, $class); $classes = array_merge($classes, $class);
} }
$classes = array_map('esc_attr', $classes);
return apply_filters('body_class', $classes, $class); return apply_filters('body_class', $classes, $class);
} }
@ -706,6 +710,7 @@ function wp_dropdown_pages($args = '') {
$pages = get_pages($r); $pages = get_pages($r);
$output = ''; $output = '';
$name = esc_attr($name);
if ( ! empty($pages) ) { if ( ! empty($pages) ) {
$output = "<select name=\"$name\" id=\"$name\">\n"; $output = "<select name=\"$name\" id=\"$name\">\n";
@ -842,7 +847,7 @@ function wp_page_menu( $args = array() ) {
if ( $menu ) if ( $menu )
$menu = '<ul>' . $menu . '</ul>'; $menu = '<ul>' . $menu . '</ul>';
$menu = '<div class="' . $args['menu_class'] . '">' . $menu . "</div>\n"; $menu = '<div class="' . esc_attr($args['menu_class']) . '">' . $menu . "</div>\n";
$menu = apply_filters( 'wp_page_menu', $menu, $args ); $menu = apply_filters( 'wp_page_menu', $menu, $args );
if ( $args['echo'] ) if ( $args['echo'] )
echo $menu; echo $menu;