Prophylactic escapes

git-svn-id: http://svn.automattic.com/wordpress/trunk@11838 1a063a9b-81f0-0310-95a4-ce76da25c4cd
ryan 2009-08-18 16:05:07 +00:00
parent 491b68752b
commit 8513b29792
7 changed files with 35 additions and 25 deletions


@ -132,7 +132,7 @@ function the_author_meta($field = '', $user_id = false) {
*/
function the_author_link() {
if ( get_the_author_meta('url') ) {
echo '<a href="' . get_the_author_meta('url') . '" title="' . sprintf(__("Visit %s&#8217;s website"), get_the_author()) . '" rel="external">' . get_the_author() . '</a>';
echo '<a href="' . get_the_author_meta('url') . '" title="' . esc_attr( sprintf(__("Visit %s&#8217;s website"), get_the_author()) ) . '" rel="external">' . get_the_author() . '</a>';
} else {
the_author();
}
@ -181,7 +181,7 @@ function the_author_posts_link($deprecated = '') {
printf(
'<a href="%1$s" title="%2$s">%3$s</a>',
get_author_posts_url( $authordata->ID, $authordata->user_nicename ),
sprintf( __( 'Posts by %s' ), esc_attr( get_the_author() ) ),
esc_attr( sprintf( __( 'Posts by %s' ), get_the_author() ) ),
get_the_author()
);
}
@ -292,7 +292,7 @@ function wp_list_authors($args = '') {
if ( ! $hide_empty )
$link = $name;
} else {
$link = '<a href="' . get_author_posts_url($author->ID, $author->user_nicename) . '" title="' . sprintf(__("Posts by %s"), esc_attr($author->display_name)) . '">' . $name . '</a>';
$link = '<a href="' . get_author_posts_url($author->ID, $author->user_nicename) . '" title="' . esc_attr( sprintf(__("Posts by %s"), $author->display_name) ) . '">' . $name . '</a>';
if ( (! empty($feed_image)) || (! empty($feed)) ) {
$link .= ' ';
@ -301,8 +301,8 @@ function wp_list_authors($args = '') {
$link .= '<a href="' . get_author_feed_link($author->ID) . '"';
if ( !empty($feed) ) {
$title = ' title="' . $feed . '"';
$alt = ' alt="' . $feed . '"';
$title = ' title="' . esc_attr($feed) . '"';
$alt = ' alt="' . esc_attr($feed) . '"';
$name = $feed;
$link .= $title;
}
@ -310,7 +310,7 @@ function wp_list_authors($args = '') {
$link .= '>';
if ( !empty($feed_image) )
$link .= "<img src=\"$feed_image\" style=\"border: none;\"$alt$title" . ' />';
$link .= "<img src=\"" . esc_url($feed_image) . "\" style=\"border: none;\"$alt$title" . ' />';
else
$link .= $name;
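Review bot: In the_author_link (first hunk) the href is still built from the raw `get_the_author_meta('url')` value while only the title attribute gained esc_attr, so a profile URL containing a double quote breaks out of the attribute; the commit already uses esc_url for `$feed_image` in the last hunk, so the same treatment belongs here: `echo '<a href="' . esc_url( get_the_author_meta('url') ) . '" title="' . esc_attr( sprintf(__("Visit %s&#8217;s website"), get_the_author()) ) . '" rel="external">' . get_the_author() . '</a>';`. The `get_author_feed_link($author->ID)` href in the fourth hunk has the same gap. Separately, once `$name = $feed;` is assigned in that hunk, the same `$feed` string that is now attribute-escaped for title and alt is emitted as element text by `$link .= $name;` with no escaping; presumably that is an intentional allowance for markup in the `$feed` argument, and a short comment saying so would make the asymmetry look deliberate rather than missed.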


@ -90,7 +90,7 @@ function _walk_bookmarks($bookmarks, $args = '' ) {
$rel = $bookmark->link_rel;
if ( '' != $rel )
$rel = ' rel="' . $rel . '"';
$rel = ' rel="' . esc_attr($rel) . '"';
$target = $bookmark->link_target;
if ( '' != $target )


@ -68,7 +68,7 @@ function get_category_parents( $id, $link = false, $separator = '/', $nicename =
}
if ( $link )
$chain .= '<a href="' . get_category_link( $parent->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $parent->cat_name ) . '">'.$name.'</a>' . $separator;
$chain .= '<a href="' . get_category_link( $parent->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $parent->cat_name ) ) . '">'.$name.'</a>' . $separator;
else
$chain .= $name.$separator;
return $chain;
@ -190,17 +190,17 @@ function get_the_category_list( $separator = '', $parents='', $post_id = false )
case 'multiple':
if ( $category->parent )
$thelist .= get_category_parents( $category->parent, true, $separator );
$thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>' . $category->name.'</a></li>';
$thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->name.'</a></li>';
break;
case 'single':
$thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>';
$thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>';
if ( $category->parent )
$thelist .= get_category_parents( $category->parent, false, $separator );
$thelist .= $category->name.'</a></li>';
break;
case '':
default:
$thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>' . $category->cat_name.'</a></li>';
$thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->cat_name.'</a></li>';
}
}
$thelist .= '</ul>';
@ -213,17 +213,17 @@ function get_the_category_list( $separator = '', $parents='', $post_id = false )
case 'multiple':
if ( $category->parent )
$thelist .= get_category_parents( $category->parent, true, $separator );
$thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>' . $category->cat_name.'</a>';
$thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->cat_name.'</a>';
break;
case 'single':
$thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>';
$thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>';
if ( $category->parent )
$thelist .= get_category_parents( $category->parent, false, $separator );
$thelist .= "$category->cat_name</a>";
break;
case '':
default:
$thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>' . $category->name.'</a>';
$thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->name.'</a>';
}
++$i;
}
@ -352,6 +352,8 @@ function wp_dropdown_categories( $args = '' ) {
$tab_index_attribute = " tabindex=\"$tab_index\"";
$categories = get_categories( $r );
$name = esc_attr($name);
$class = esc_attr($class);
$output = '';
if ( ! empty( $categories ) ) {
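Review bot: The wp_dropdown_categories hunk escapes `$name` and `$class` in place rather than where they are written into the `<select>` markup, so any later use of `$name` below the hunk as a plain identifier (the rest of the function is outside this view) now receives the HTML-escaped string; calling `esc_attr()` at the output site keeps the variable's meaning intact, and the same in-place pattern appears in wp_dropdown_pages in the last file. In the anchor-building hunks above, each `title` attribute now passes through esc_attr but the `href` is still the raw `get_category_link(...)` return and `$rel` is concatenated as-is; if `$rel` is the literal assigned outside the hunk it is fine, but the href should get `esc_url( get_category_link( $category->term_id ) )` for the same prophylactic reason the title gets esc_attr. The same anchor expression is repeated six times across the two get_the_category_list hunks with only the link text differing, so a small helper taking the category and the text would leave a single place to audit the escaping.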


@ -338,6 +338,8 @@ function get_comment_class( $class = '', $comment_id = null, $post_id = null ) {
$classes = array_merge($classes, $class);
}
$classes = array_map('esc_attr', $classes);
return apply_filters('comment_class', $classes, $class, $comment_id, $post_id);
}
@ -940,7 +942,7 @@ function comments_popup_link( $zero = false, $one = false, $more = false, $css_c
$number = get_comments_number( $id );
if ( 0 == $number && !comments_open() && !pings_open() ) {
echo '<span' . ((!empty($css_class)) ? ' class="' . $css_class . '"' : '') . '>' . $none . '</span>';
echo '<span' . ((!empty($css_class)) ? ' class="' . esc_attr( $css_class ) . '"' : '') . '>' . $none . '</span>';
return;
}
@ -972,7 +974,7 @@ function comments_popup_link( $zero = false, $one = false, $more = false, $css_c
echo apply_filters( 'comments_popup_link_attributes', '' );
echo ' title="' . sprintf( __('Comment on %s'), $title ) . '">';
echo ' title="' . esc_attr( sprintf( __('Comment on %s'), $title ) ) . '">';
comments_number( $zero, $one, $more, $number );
echo '</a>';
}
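Review bot: In get_comment_class the new `array_map('esc_attr', $classes)` runs before `apply_filters('comment_class', ...)`, so classes injected by a filter callback are returned unescaped and callbacks now receive already-escaped strings; the same ordering is introduced for get_post_class and get_body_class in the last file. Whether that is acceptable depends on whether the filter is treated as trusted: if the intent is that the return value is always attribute-safe, escaping the filtered result (`return array_map('esc_attr', apply_filters('comment_class', $classes, $class, $comment_id, $post_id));`) is the stricter form, at the cost of double-escaping a callback that escapes itself. A one-line comment above the array_map naming the chosen contract, `// classes are attribute-escaped here; filter callbacks must return attribute-safe values`, would stop the next reader from guessing. In comments_popup_link the `$css_class` and title are now escaped but `$none` is still echoed raw in the same statement; presumably a caller-supplied label allowed to carry markup, which the parameter documentation should state.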


@ -1023,7 +1023,7 @@ function get_calendar($initial = true) {
/* translators: Calendar caption: 1: month name, 2: 4-digit year */
$calendar_caption = _x('%1$s %2$s', 'calendar caption');
echo '<table id="wp-calendar" summary="' . __('Calendar') . '">
echo '<table id="wp-calendar" summary="' . esc_attr__('Calendar') . '">
<caption>' . sprintf($calendar_caption, $wp_locale->get_month($thismonth), date('Y', $unixmonth)) . '</caption>
<thead>
<tr>';
@ -1036,6 +1036,7 @@ function get_calendar($initial = true) {
foreach ( $myweek as $wd ) {
$day_name = (true == $initial) ? $wp_locale->get_weekday_initial($wd) : $wp_locale->get_weekday_abbrev($wd);
$wd = esc_attr($wd);
echo "\n\t\t<th abbr=\"$wd\" scope=\"col\" title=\"$wd\">$day_name</th>";
}
@ -1058,8 +1059,8 @@ function get_calendar($initial = true) {
if ( $next ) {
echo "\n\t\t".'<td abbr="' . $wp_locale->get_month($next->month) . '" colspan="3" id="next"><a href="' .
get_month_link($next->year, $next->month) . '" title="' . sprintf(__('View posts for %1$s %2$s'), $wp_locale->get_month($next->month),
date('Y', mktime(0, 0 , 0, $next->month, 1, $next->year))) . '">' . $wp_locale->get_month_abbrev($wp_locale->get_month($next->month)) . ' &raquo;</a></td>';
get_month_link($next->year, $next->month) . '" title="' . esc_attr( sprintf(__('View posts for %1$s %2$s'), $wp_locale->get_month($next->month) ,
date('Y', mktime(0, 0 , 0, $next->month, 1, $next->year))) ) . '">' . $wp_locale->get_month_abbrev($wp_locale->get_month($next->month)) . ' &raquo;</a></td>';
} else {
echo "\n\t\t".'<td colspan="3" id="next" class="pad">&nbsp;</td>';
}
@ -1116,7 +1117,7 @@ function get_calendar($initial = true) {
// See how much we should pad in the beginning
$pad = calendar_week_mod(date('w', $unixmonth)-$week_begins);
if ( 0 != $pad )
echo "\n\t\t".'<td colspan="'.$pad.'" class="pad">&nbsp;</td>';
echo "\n\t\t".'<td colspan="'. esc_attr($pad) .'" class="pad">&nbsp;</td>';
$daysinmonth = intval(date('t', $unixmonth));
for ( $day = 1; $day <= $daysinmonth; ++$day ) {
@ -1130,7 +1131,7 @@ function get_calendar($initial = true) {
echo '<td>';
if ( in_array($day, $daywithpost) ) // any posts today?
echo '<a href="' . get_day_link($thisyear, $thismonth, $day) . "\" title=\"$ak_titles_for_day[$day]\">$day</a>";
echo '<a href="' . get_day_link($thisyear, $thismonth, $day) . "\" title=\"" . esc_attr($ak_titles_for_day[$day]) . "\">$day</a>";
else
echo $day;
echo '</td>';
@ -1141,7 +1142,7 @@ function get_calendar($initial = true) {
$pad = 7 - calendar_week_mod(date('w', mktime(0, 0 , 0, $thismonth, $day, $thisyear))-$week_begins);
if ( $pad != 0 && $pad != 7 )
echo "\n\t\t".'<td class="pad" colspan="'.$pad.'">&nbsp;</td>';
echo "\n\t\t".'<td class="pad" colspan="'. esc_attr($pad) .'">&nbsp;</td>';
echo "\n\t</tr>\n\t</tbody>\n\t</table>";


@ -616,9 +616,9 @@ function img_caption_shortcode($attr, $content = null) {
if ( 1 > (int) $width || empty($caption) )
return $content;
if ( $id ) $id = 'id="' . $id . '" ';
if ( $id ) $id = 'id="' . esc_attr($id) . '" ';
return '<div ' . $id . 'class="wp-caption ' . $align . '" style="width: ' . (10 + (int) $width) . 'px">'
return '<div ' . $id . 'class="wp-caption ' . esc_attr($align) . '" style="width: ' . (10 + (int) $width) . 'px">'
. do_shortcode( $content ) . '<p class="wp-caption-text">' . $caption . '</p></div>';
}
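Review bot: The id and align attributes are now escaped, but `$caption` is still written raw into the `<p class="wp-caption-text">` on the last line of the hunk and nothing in this function shows where that string was filtered; shortcode attributes come from post content, which presumably has already been through the content filters for users without unfiltered_html, but that guarantee is not visible here. If captions may carry markup by design, a comment on the return line recording that, `// $caption is trusted filtered post content and may contain markup`, keeps the decision explicit; otherwise it should receive the same escaping as the attributes. The function begins outside the hunk, so where `$caption` and `$id` are extracted from `$attr` is not visible in this view.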


@ -342,6 +342,8 @@ function get_post_class( $class = '', $post_id = null ) {
$classes = array_merge($classes, $class);
}
$classes = array_map('esc_attr', $classes);
return apply_filters('post_class', $classes, $class, $post_id);
}
@ -478,6 +480,8 @@ function get_body_class( $class = '' ) {
$classes = array_merge($classes, $class);
}
$classes = array_map('esc_attr', $classes);
return apply_filters('body_class', $classes, $class);
}
@ -706,6 +710,7 @@ function wp_dropdown_pages($args = '') {
$pages = get_pages($r);
$output = '';
$name = esc_attr($name);
if ( ! empty($pages) ) {
$output = "<select name=\"$name\" id=\"$name\">\n";
@ -842,7 +847,7 @@ function wp_page_menu( $args = array() ) {
if ( $menu )
$menu = '<ul>' . $menu . '</ul>';
$menu = '<div class="' . $args['menu_class'] . '">' . $menu . "</div>\n";
$menu = '<div class="' . esc_attr($args['menu_class']) . '">' . $menu . "</div>\n";
$menu = apply_filters( 'wp_page_menu', $menu, $args );
if ( $args['echo'] )
echo $menu;