From 8a4019bb28db79844c708128b066ef27c3d9541c Mon Sep 17 00:00:00 2001
From: Andrew Ozz
Date: Tue, 15 Sep 2009 10:11:59 +0000
Subject: [PATCH] Strip \r when escaping strings for JS, props nbachiyski, fixes #7041

git-svn-id: https://develop.svn.wordpress.org/trunk@11935 602fd350-edb4-49c9-b593-d223f7449a82
---
 wp-includes/formatting.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php
index 77f3ffa629..a88beb68e7 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -2199,8 +2199,10 @@ function htmlentities2($myHTML) {
 }

 /**
- * Escape single quotes, specialchar double quotes, and fix line endings.
+ * Escape single quotes, htmlspecialchar " < > &, and fix line endings.
  *
+ * Escapes text strings for echoing in JS, both inline (for example in onclick="...")
+ * and inside