vhad/wordpress-develop
1
0
Fork 0
mirror of https://github.com/gosticks/wordpress-develop.git synced 2026-03-30 18:24:31 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

deprecate wp_specialchars() in favor of esc_html(). Encode quotes for esc_html() as in esc_attr(), to improve plugin security.

Browse Source 
git-svn-id: https://develop.svn.wordpress.org/trunk@11380 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Mark Jaquith
2009-05-18 15:11:07 +00:00
parent b3efcdaaaa
commit f0336cfa7d
68 changed files with 210 additions and 151 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
wp-admin/includes/bookmark.php
View File

@@ -29,10 +29,10 @@ function edit_link( $link_id = '' ) {
if (!current_user_can( 'manage_links' ))
wp_die( __( 'Cheatin’ uh?' ));
$_POST['link_url'] = wp_specialchars( $_POST['link_url'] );
$_POST['link_url'] = esc_html( $_POST['link_url'] );
$_POST['link_url'] = clean_url($_POST['link_url']);
$_POST['link_name'] = wp_specialchars( $_POST['link_name'] );
$_POST['link_image'] = wp_specialchars( $_POST['link_image'] );
$_POST['link_name'] = esc_html( $_POST['link_name'] );
$_POST['link_image'] = esc_html( $_POST['link_image'] );
$_POST['link_rss'] = clean_url($_POST['link_rss']);
if ( !isset($_POST['link_visible']) || 'N' != $_POST['link_visible'] )
$_POST['link_visible'] = 'Y';

10
wp-admin/includes/dashboard.php
View File

@@ -581,7 +581,7 @@ function _wp_dashboard_recent_comments_row( &$comment, $show_date = true ) {
default :
$type = ucwords( $comment->comment_type );
endswitch;
$type = wp_specialchars( $type );
$type = esc_html( $type );
?>
<div class="dashboard-comment-wrap">
<?php /* translators: %1$s is type of comment, %2$s is link to the post */ ?>
@@ -646,7 +646,7 @@ function wp_dashboard_incoming_links_output() {
$author = $item->get_author();
$site_link = clean_url( strip_tags( $author->get_link() ) );
if ( !$publisher = wp_specialchars( strip_tags( $author->get_name() ) ) )
if ( !$publisher = esc_html( strip_tags( $author->get_name() ) ) )
$publisher = __( 'Somebody' );
if ( $site_link )
$publisher = "<a href='$site_link'>$publisher</a>";
@@ -667,7 +667,7 @@ function wp_dashboard_incoming_links_output() {
if ( $show_author || $show_summary )
/* translators: incoming links feed, %4$s is the date */
$text .= ' ' . __( 'on %4$s' );
$date = wp_specialchars( strip_tags( $item->get_date() ) );
$date = esc_html( strip_tags( $item->get_date() ) );
$date = strtotime( $date );
$date = gmdate( get_option( 'date_format' ), $date );
}
@@ -813,9 +813,9 @@ function wp_dashboard_plugins_output() {
$title = $matches[1];
else // but let's make it forward compatible if things change
$title = $item->get_title();
$title = wp_specialchars( $title );
$title = esc_html( $title );
$description = wp_specialchars( strip_tags(@html_entity_decode($item->get_description(), ENT_QUOTES, get_option('blog_charset'))) );
$description = esc_html( strip_tags(@html_entity_decode($item->get_description(), ENT_QUOTES, get_option('blog_charset'))) );
$ilink = wp_nonce_url('plugin-install.php?tab=plugin-information&plugin=' . $slug, 'install-plugin_' . $slug) .
'&amp;TB_iframe=true&amp;width=600&amp;height=800';

2
wp-admin/includes/export.php
View File

@@ -99,7 +99,7 @@ function wxr_cdata($str) {
if ( seems_utf8($str) == false )
$str = utf8_encode($str);
// $str = ent2ncr(wp_specialchars($str));
// $str = ent2ncr(esc_html($str));
$str = "<![CDATA[$str" . ( ( substr($str, -1) == ']' ) ? ' ' : '') . "]]>";

6
wp-admin/includes/media.php
View File

@@ -1198,7 +1198,7 @@ function get_media_item( $attachment_id, $args = null ) {
if ( !empty($field[$field['input']]) )
$item .= $field[$field['input']];
elseif ( $field['input'] == 'textarea' ) {
$item .= "<textarea type='text' id='$name' name='$name'" . $aria_required . ">" . wp_specialchars( $field['value'] ) . "</textarea>";
$item .= "<textarea type='text' id='$name' name='$name'" . $aria_required . ">" . esc_html( $field['value'] ) . "</textarea>";
} else {
$item .= "<input type='text' id='$name' name='$name' value='" . esc_attr( $field['value'] ) . "'" . $aria_required . "/>";
}
@@ -1419,7 +1419,7 @@ if ( $id ) {
add_filter('attachment_fields_to_edit', 'media_post_single_attachment_fields_to_edit', 10, 2);
echo get_media_items( $id, $errors );
} else {
echo '<div id="media-upload-error">'.wp_specialchars($id->get_error_message()).'</div>';
echo '<div id="media-upload-error">'.esc_html($id->get_error_message()).'</div>';
exit;
}
}
@@ -1802,7 +1802,7 @@ foreach ($arc_result as $arc_row) {
$default = '';
echo "<option$default value='" . esc_attr( $arc_row->yyear . $arc_row->mmonth ) . "'>";
echo wp_specialchars( $wp_locale->get_month($arc_row->mmonth) . " $arc_row->yyear" );
echo esc_html( $wp_locale->get_month($arc_row->mmonth) . " $arc_row->yyear" );
echo "</option>\n";
}
?>

10
wp-admin/includes/post.php
View File

@@ -319,9 +319,9 @@ function bulk_edit_posts( $post_data = null ) {
*/
function get_default_post_to_edit() {
if ( !empty( $_REQUEST['post_title'] ) )
$post_title = wp_specialchars( stripslashes( $_REQUEST['post_title'] ));
$post_title = esc_html( stripslashes( $_REQUEST['post_title'] ));
else if ( !empty( $_REQUEST['popuptitle'] ) ) {
$post_title = wp_specialchars( stripslashes( $_REQUEST['popuptitle'] ));
$post_title = esc_html( stripslashes( $_REQUEST['popuptitle'] ));
$post_title = funky_javascript_fix( $post_title );
} else {
$post_title = '';
@@ -329,16 +329,16 @@ function get_default_post_to_edit() {
$post_content = '';
if ( !empty( $_REQUEST['content'] ) )
$post_content = wp_specialchars( stripslashes( $_REQUEST['content'] ));
$post_content = esc_html( stripslashes( $_REQUEST['content'] ));
else if ( !empty( $post_title ) ) {
$text = wp_specialchars( stripslashes( urldecode( $_REQUEST['text'] ) ) );
$text = esc_html( stripslashes( urldecode( $_REQUEST['text'] ) ) );
$text = funky_javascript_fix( $text);
$popupurl = clean_url($_REQUEST['popupurl']);
$post_content = '<a href="'.$popupurl.'">'.$post_title.'</a>'."\n$text";
}
if ( !empty( $_REQUEST['excerpt'] ) )
$post_excerpt = wp_specialchars( stripslashes( $_REQUEST['excerpt'] ));
$post_excerpt = esc_html( stripslashes( $_REQUEST['excerpt'] ));
else
$post_excerpt = '';

26
wp-admin/includes/template.php
View File

@@ -469,7 +469,7 @@ class Walker_Category_Checklist extends Walker {
extract($args);
$class = in_array( $category->term_id, $popular_cats ) ? ' class="popular-category"' : '';
$output .= "\n<li id='category-$category->term_id'$class>" . '<label class="selectit"><input value="' . $category->term_id . '" type="checkbox" name="post_category[]" id="in-category-' . $category->term_id . '"' . (in_array( $category->term_id, $selected_cats ) ? ' checked="checked"' : "" ) . '/> ' . wp_specialchars( apply_filters('the_category', $category->name )) . '</label>';
$output .= "\n<li id='category-$category->term_id'$class>" . '<label class="selectit"><input value="' . $category->term_id . '" type="checkbox" name="post_category[]" id="in-category-' . $category->term_id . '"' . (in_array( $category->term_id, $selected_cats ) ? ' checked="checked"' : "" ) . '/> ' . esc_html( apply_filters('the_category', $category->name )) . '</label>';
}
function end_el(&$output, $category, $depth, $args) {
@@ -562,7 +562,7 @@ function wp_popular_terms_checklist( $taxonomy, $default = 0, $number = 10, $ech
<li id="<?php echo $id; ?>" class="popular-category">
<label class="selectit">
<input id="in-<?php echo $id; ?>" type="checkbox" value="<?php echo (int) $category->term_id; ?>" />
<?php echo wp_specialchars( apply_filters( 'the_category', $category->name ) ); ?>
<?php echo esc_html( apply_filters( 'the_category', $category->name ) ); ?>
</label>
</li>
@@ -614,7 +614,7 @@ function wp_link_category_checklist( $link_id = 0 ) {
foreach ( $categories as $category ) {
$cat_id = $category->term_id;
$name = wp_specialchars( apply_filters('the_category', $category->name));
$name = esc_html( apply_filters('the_category', $category->name));
$checked = in_array( $cat_id, $checked_categories );
echo '<li id="link-category-', $cat_id, '"><label for="in-link-category-', $cat_id, '" class="selectit"><input value="', $cat_id, '" type="checkbox" name="link_category[]" id="in-link-category-', $cat_id, '"', ($checked ? ' checked="checked"' : "" ), '/> ', $name, "</label></li>";
}
@@ -1304,17 +1304,17 @@ function get_inline_data($post) {
<div class="hh">' . mysql2date( 'H', $post->post_date, false ) . '</div>
<div class="mn">' . mysql2date( 'i', $post->post_date, false ) . '</div>
<div class="ss">' . mysql2date( 's', $post->post_date, false ) . '</div>
<div class="post_password">' . wp_specialchars($post->post_password, 1) . '</div>';
<div class="post_password">' . esc_html( $post->post_password ) . '</div>';
if( $post->post_type == 'page' )
echo '
<div class="post_parent">' . $post->post_parent . '</div>
<div class="page_template">' . wp_specialchars(get_post_meta( $post->ID, '_wp_page_template', true ), 1) . '</div>
<div class="page_template">' . esc_html( get_post_meta( $post->ID, '_wp_page_template', true ) ) . '</div>
<div class="menu_order">' . $post->menu_order . '</div>';
if( $post->post_type == 'post' )
echo '
<div class="tags_input">' . wp_specialchars( str_replace( ',', ', ', get_tags_to_edit($post->ID) ), 1) . '</div>
<div class="tags_input">' . esc_html( str_replace( ',', ', ', get_tags_to_edit($post->ID) ) ) . '</div>
<div class="post_category">' . implode( ',', wp_get_post_categories( $post->ID ) ) . '</div>
<div class="sticky">' . (is_sticky($post->ID) ? 'sticky' : '') . '</div>';
@@ -1331,7 +1331,7 @@ function get_inline_data($post) {
function post_rows( $posts = array() ) {
global $wp_query, $post, $mode;
add_filter('the_title','wp_specialchars');
add_filter('the_title','esc_html');
// Create array of post IDs.
$post_ids = array();
@@ -1478,7 +1478,7 @@ function _post_row($a_post, $pending_comments, $mode) {
if ( !empty( $categories ) ) {
$out = array();
foreach ( $categories as $c )
$out[] = "<a href='edit.php?category_name=$c->slug'> " . wp_specialchars(sanitize_term_field('name', $c->name, $c->term_id, 'category', 'display')) . "</a>";
$out[] = "<a href='edit.php?category_name=$c->slug'> " . esc_html(sanitize_term_field('name', $c->name, $c->term_id, 'category', 'display')) . "</a>";
echo join( ', ', $out );
} else {
_e('Uncategorized');
@@ -1494,7 +1494,7 @@ function _post_row($a_post, $pending_comments, $mode) {
if ( !empty( $tags ) ) {
$out = array();
foreach ( $tags as $c )
$out[] = "<a href='edit.php?tag=$c->slug'> " . wp_specialchars(sanitize_term_field('name', $c->name, $c->term_id, 'post_tag', 'display')) . "</a>";
$out[] = "<a href='edit.php?tag=$c->slug'> " . esc_html(sanitize_term_field('name', $c->name, $c->term_id, 'post_tag', 'display')) . "</a>";
echo join( ', ', $out );
} else {
_e('No Tags');
@@ -1591,7 +1591,7 @@ function display_page_row( $page, $level = 0 ) {
}
}
$page->post_title = wp_specialchars( $page->post_title );
$page->post_title = esc_html( $page->post_title );
$pad = str_repeat( '&#8212; ', $level );
$id = (int) $page->ID;
$rowclass = 'alternate' == $rowclass ? '' : 'alternate';
@@ -1653,7 +1653,7 @@ foreach ($posts_columns as $column_name=>$column_display_name) {
$attributes = 'class="post-title page-title column-title"' . $style;
$edit_link = get_edit_post_link( $page->ID );
?>
<td <?php echo $attributes ?>><strong><?php if ( current_user_can( 'edit_post', $page->ID ) ) { ?><a class="row-title" href="<?php echo $edit_link; ?>" title="<?php echo esc_attr(sprintf(__('Edit &#8220;%s&#8221;'), $title)); ?>"><?php echo $pad; echo $title ?></a><?php } else { echo $pad; echo $title; }; _post_states($page); echo isset($parent_name) ? ' | ' . __('Parent Page: ') . wp_specialchars($parent_name) : ''; ?></strong>
<td <?php echo $attributes ?>><strong><?php if ( current_user_can( 'edit_post', $page->ID ) ) { ?><a class="row-title" href="<?php echo $edit_link; ?>" title="<?php echo esc_attr(sprintf(__('Edit &#8220;%s&#8221;'), $title)); ?>"><?php echo $pad; echo $title ?></a><?php } else { echo $pad; echo $title; }; _post_states($page); echo isset($parent_name) ? ' | ' . __('Parent Page: ') . esc_html($parent_name) : ''; ?></strong>
<?php
$actions = array();
if ( current_user_can('edit_page', $page->ID) ) {
@@ -2337,7 +2337,7 @@ function wp_dropdown_cats( $currentcat = 0, $currentparent = 0, $parent = 0, $le
foreach ( $categories as $category ) {
if ( $currentcat != $category->term_id && $parent == $category->parent) {
$pad = str_repeat( '&#8211; ', $level );
$category->name = wp_specialchars( $category->name );
$category->name = esc_html( $category->name );
echo "\n\t<option value='$category->term_id'";
if ( $currentparent == $category->term_id )
echo " selected='selected'";
@@ -2627,7 +2627,7 @@ function parent_dropdown( $default = 0, $parent = 0, $level = 0 ) {
else
$current = '';
echo "\n\t<option class='level-$level' value='$item->ID'$current>$pad " . wp_specialchars($item->post_title) . "</option>";
echo "\n\t<option class='level-$level' value='$item->ID'$current>$pad " . esc_html($item->post_title) . "</option>";
parent_dropdown( $default, $item->ID, $level +1 );
}
} else {

4
wp-admin/includes/theme-install.php
View File

@@ -193,7 +193,7 @@ function install_themes_dashboard() {
foreach ( (array) $feature_list as $feature_name => $features ) {
if ( isset($trans[$feature_name]) )
$feature_name = $trans[$feature_name];
$feature_name = wp_specialchars( $feature_name );
$feature_name = esc_html( $feature_name );
echo '<div class="feature-name">' . $feature_name . '</div>';
echo '<ol style="float: left; width: 725px;" class="feature-group">';
@@ -201,7 +201,7 @@ function install_themes_dashboard() {
$feature_name = $feature;
if ( isset($trans[$feature]) )
$feature_name = $trans[$feature];
$feature_name = wp_specialchars( $feature_name );
$feature_name = esc_html( $feature_name );
$feature = esc_attr($feature);
?>

20
wp-admin/includes/user.php
View File

@@ -65,7 +65,7 @@ function edit_user( $user_id = 0 ) {
}
if ( isset( $_POST['user_login'] ))
$user->user_login = wp_specialchars( trim( $_POST['user_login'] ));
$user->user_login = esc_html( trim( $_POST['user_login'] ));
$pass1 = $pass2 = '';
if ( isset( $_POST['pass1'] ))
@@ -86,7 +86,7 @@ function edit_user( $user_id = 0 ) {
}
if ( isset( $_POST['email'] ))
$user->user_email = wp_specialchars( trim( $_POST['email'] ));
$user->user_email = esc_html( trim( $_POST['email'] ));
if ( isset( $_POST['url'] ) ) {
if ( empty ( $_POST['url'] ) || $_POST['url'] == 'http://' ) {
$user->user_url = '';
@@ -96,21 +96,21 @@ function edit_user( $user_id = 0 ) {
}
}
if ( isset( $_POST['first_name'] ))
$user->first_name = wp_specialchars( trim( $_POST['first_name'] ));
$user->first_name = esc_html( trim( $_POST['first_name'] ));
if ( isset( $_POST['last_name'] ))
$user->last_name = wp_specialchars( trim( $_POST['last_name'] ));
$user->last_name = esc_html( trim( $_POST['last_name'] ));
if ( isset( $_POST['nickname'] ))
$user->nickname = wp_specialchars( trim( $_POST['nickname'] ));
$user->nickname = esc_html( trim( $_POST['nickname'] ));
if ( isset( $_POST['display_name'] ))
$user->display_name = wp_specialchars( trim( $_POST['display_name'] ));
$user->display_name = esc_html( trim( $_POST['display_name'] ));
if ( isset( $_POST['description'] ))
$user->description = trim( $_POST['description'] );
if ( isset( $_POST['jabber'] ))
$user->jabber = wp_specialchars( trim( $_POST['jabber'] ));
$user->jabber = esc_html( trim( $_POST['jabber'] ));
if ( isset( $_POST['aim'] ))
$user->aim = wp_specialchars( trim( $_POST['aim'] ));
$user->aim = esc_html( trim( $_POST['aim'] ));
if ( isset( $_POST['yim'] ))
$user->yim = wp_specialchars( trim( $_POST['yim'] ));
$user->yim = esc_html( trim( $_POST['yim'] ));
if ( !$update )
$user->rich_editing = 'true'; // Default to true for new users.
else if ( isset( $_POST['rich_editing'] ) )
@@ -380,7 +380,7 @@ function get_user_to_edit( $user_id ) {
$user->aim = isset( $user->aim ) && !empty( $user->aim ) ? esc_attr($user->aim) : '';
$user->yim = isset( $user->yim ) && !empty( $user->yim ) ? esc_attr($user->yim) : '';
$user->jabber = isset( $user->jabber ) && !empty( $user->jabber ) ? esc_attr($user->jabber) : '';
$user->description = isset( $user->description ) && !empty( $user->description ) ? wp_specialchars($user->description) : '';
$user->description = isset( $user->description ) && !empty( $user->description ) ? esc_html($user->description) : '';
return $user;
}

2
wp-admin/includes/widgets.php
View File

@@ -162,7 +162,7 @@ function wp_widget_control( $sidebar_args ) {
$wp_registered_widgets[$widget_id]['callback'] = $wp_registered_widgets[$widget_id]['_callback'];
unset($wp_registered_widgets[$widget_id]['_callback']);
$widget_title = wp_specialchars( strip_tags( $sidebar_args['widget_name'] ) );
$widget_title = esc_html( strip_tags( $sidebar_args['widget_name'] ) );
$has_form = 'noform';
echo $sidebar_args['before_widget']; ?>