deprecate wp_specialchars() in favor of esc_html(). Encode quotes for esc_html() as in esc_attr(), to improve plugin security.

git-svn-id: https://develop.svn.wordpress.org/trunk@11380 602fd350-edb4-49c9-b593-d223f7449a82
Mark Jaquith
2009-05-18 15:11:07 +00:00
parent b3efcdaaaa
commit f0336cfa7d
68 changed files with 210 additions and 151 deletions


@@ -1252,7 +1252,7 @@ class Walker_PageDropdown extends Walker {
if ( $page->ID == $args['selected'] )
$output .= ' selected="selected"';
$output .= '>';
$title = wp_specialchars($page->post_title);
$title = esc_html($page->post_title);
$output .= "$pad$title";
$output .= "</option>\n";
}


@@ -1078,7 +1078,7 @@ function get_cancel_comment_reply_link($text = '') {
$text = __('Click here to cancel reply.');
$style = isset($_GET['replytocom']) ? '' : ' style="display:none;"';
$link = wp_specialchars( remove_query_arg('replytocom') ) . '#respond';
$link = esc_html( remove_query_arg('replytocom') ) . '#respond';
return apply_filters('cancel_comment_reply_link', '<a rel="nofollow" id="cancel-comment-reply-link" href="' . $link . '"' . $style . '>' . $text . '</a>', $link, $text);
}
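Review bot: `$link` is interpolated into an `href="..."` attribute on the return line, so esc_html() is a context mismatch even though, after this commit, it encodes the same quote characters as esc_attr(); `clean_url()` (used for the same purpose in wp_nonce_ays() elsewhere in this commit) or esc_attr() would state the intent and survive any future divergence between the two escapers. The already-escaped `$link` is also passed as the filter's third argument, so `cancel_comment_reply_link` callbacks receive an HTML-encoded URL rather than the raw one; if that is the intended contract, a one-line comment would help, e.g. `// $link is already HTML-escaped when it reaches the filter`. get_cancel_comment_reply_link() begins above the hunk.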


@@ -20,7 +20,7 @@ foreach ( $filters as $filter ) {
add_filter($filter, 'strip_tags');
add_filter($filter, 'trim');
add_filter($filter, 'wp_filter_kses');
add_filter($filter, 'wp_specialchars', 30);
add_filter($filter, 'esc_html', 30);
}
// Kses only for textarea saves
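Review bot: `add_filter($filter, 'esc_html', 30)` sits in the save-side chain after wp_filter_kses, and esc_html() in this commit passes ENT_QUOTES to _wp_specialchars(), so single and double quotes in these fields are now persisted as entities where wp_specialchars() (ENT_NOQUOTES by default) left them literal; the `$filters` list this loop iterates starts above the hunk, so which stored fields change shape is not visible here. The display-side `add_filter($filter, 'esc_html')` in the second hunk re-escapes those stored values; since `_wp_specialchars` defaults `$double_encode` to false the entities should not be doubled, but a comment at this line would save the next reader the cross-file check, e.g. `// esc_html() also encodes quotes (ENT_QUOTES); values saved through this chain now carry quote entities`. Any code that compares these stored fields against raw input (uniqueness checks, lookups by name) should be re-checked against the new encoding.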
@@ -80,7 +80,7 @@ $filters = array('comment_author', 'term_name', 'link_name', 'link_description',
foreach ( $filters as $filter ) {
add_filter($filter, 'wptexturize');
add_filter($filter, 'convert_chars');
add_filter($filter, 'wp_specialchars');
add_filter($filter, 'esc_html');
}
// Format text area for display.
@@ -131,19 +131,19 @@ add_filter('wp_sprintf', 'wp_sprintf_l', 10, 2);
// RSS filters
add_filter('the_title_rss', 'strip_tags');
add_filter('the_title_rss', 'ent2ncr', 8);
add_filter('the_title_rss', 'wp_specialchars');
add_filter('the_title_rss', 'esc_html');
add_filter('the_content_rss', 'ent2ncr', 8);
add_filter('the_excerpt_rss', 'convert_chars');
add_filter('the_excerpt_rss', 'ent2ncr', 8);
add_filter('comment_author_rss', 'ent2ncr', 8);
add_filter('comment_text_rss', 'ent2ncr', 8);
add_filter('comment_text_rss', 'wp_specialchars');
add_filter('comment_text_rss', 'esc_html');
add_filter('bloginfo_rss', 'ent2ncr', 8);
add_filter('the_author', 'ent2ncr', 8);
// Misc filters
add_filter('option_ping_sites', 'privacy_ping_filter');
add_filter('option_blog_charset', 'wp_specialchars');
add_filter('option_blog_charset', '_wp_specialchars'); // IMPORTANT: This must not be wp_specialchars() or esc_html() or it'll cause an infinite loop
add_filter('option_home', '_config_wp_home');
add_filter('option_siteurl', '_config_wp_siteurl');
add_filter('tiny_mce_before_init', '_mce_set_direction');


@@ -820,7 +820,7 @@ function wp_widget_rss_output( $rss, $args = array() ) {
$desc = str_replace(array("\n", "\r"), ' ', esc_attr(strip_tags(@html_entity_decode($item->get_description(), ENT_QUOTES, get_option('blog_charset')))));
$desc = wp_html_excerpt( $desc, 360 ) . ' [&hellip;]';
$desc = wp_specialchars( $desc );
$desc = esc_html( $desc );
if ( $show_summary ) {
$summary = "<div class='rssSummary'>$desc</div>";
@@ -844,7 +844,7 @@ function wp_widget_rss_output( $rss, $args = array() ) {
if ( $show_author ) {
$author = $item->get_author();
$author = $author->get_name();
$author = ' <cite>' . wp_specialchars( strip_tags( $author ) ) . '</cite>';
$author = ' <cite>' . esc_html( strip_tags( $author ) ) . '</cite>';
}
if ( $link == '' ) {


@@ -165,7 +165,7 @@ function the_content_rss($more_link_text='(more...)', $stripteaser=0, $more_file
if ( $cut && !$encode_html )
$encode_html = 2;
if ( 1== $encode_html ) {
$content = wp_specialchars($content);
$content = esc_html($content);
$cut = 0;
} elseif ( 0 == $encode_html ) {
$content = make_url_footnote($content);


@@ -213,7 +213,7 @@ function seems_utf8($Str) { # by bmorel at ssi dot fr
* @param boolean $double_encode Optional. Whether or not to encode existing html entities. Default is false.
* @return string The encoded text with HTML entities.
*/
function wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false ) {
function _wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false ) {
$string = (string) $string;
if ( 0 === strlen( $string ) ) {
@@ -286,7 +286,7 @@ function wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false
* @since 2.8
*
* @param string $string The text which is to be decoded.
* @param mixed $quote_style Optional. Converts double quotes if set to ENT_COMPAT, both single and double if set to ENT_QUOTES or none if set to ENT_NOQUOTES. Also compatible with old wp_specialchars() values; converting single quotes if set to 'single', double if set to 'double' or both if otherwise set. Default is ENT_NOQUOTES.
* @param mixed $quote_style Optional. Converts double quotes if set to ENT_COMPAT, both single and double if set to ENT_QUOTES or none if set to ENT_NOQUOTES. Also compatible with old _wp_specialchars() values; converting single quotes if set to 'single', double if set to 'double' or both if otherwise set. Default is ENT_NOQUOTES.
* @return string The decoded text without HTML entities.
*/
function wp_specialchars_decode( $string, $quote_style = ENT_NOQUOTES ) {
@@ -301,7 +301,7 @@ function wp_specialchars_decode( $string, $quote_style = ENT_NOQUOTES ) {
return $string;
}
// Match the previous behaviour of wp_specialchars() when the $quote_style is not an accepted value
// Match the previous behaviour of _wp_specialchars() when the $quote_style is not an accepted value
if ( empty( $quote_style ) ) {
$quote_style = ENT_NOQUOTES;
} elseif ( !in_array( $quote_style, array( 0, 2, 3, 'single', 'double' ), true ) ) {
@@ -2074,7 +2074,7 @@ function htmlentities2($myHTML) {
*/
function esc_js( $text ) {
$safe_text = wp_check_invalid_utf8( $text );
$safe_text = wp_specialchars( $safe_text, ENT_COMPAT );
$safe_text = _wp_specialchars( $safe_text, ENT_COMPAT );
$safe_text = preg_replace( '/&#(x)?0*(?(1)27|39);?/i', "'", stripslashes( $safe_text ) );
$safe_text = preg_replace( "/\r?\n/", "\\n", addslashes( $safe_text ) );
return apply_filters( 'js_escape', $safe_text, $text );
@@ -2097,6 +2097,35 @@ function js_escape( $text ) {
return esc_js( $text );
}
/**
* Escaping for HTML blocks.
*
* @since 2.8.0
*
* @param string $text
* @return string
*/
function esc_html( $text ) {
$safe_text = wp_check_invalid_utf8( $text );
$safe_text = _wp_specialchars( $safe_text, ENT_QUOTES );
return apply_filters( 'esc_html', $safe_text, $text );
return $text;
}
/**
* Escaping for HTML blocks
* @deprecated 2.8.0
* @see esc_html()
*/
function wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false ) {
if ( func_num_args() > 1 ) { // Maintain backwards compat for people passing additional args
$args = func_get_args();
return call_user_func_array( '_wp_specialchars', $args );
} else {
return esc_html( $string );
}
}
/**
* Escaping for HTML attributes.
*
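Review bot: The `return $text;` after `return apply_filters( 'esc_html', $safe_text, $text );` in esc_html() is unreachable and should be deleted; left in place it reads as if the unescaped input could be returned. The deprecated wp_specialchars() shim below changes behaviour for single-argument callers: the old function defaulted to ENT_NOQUOTES, while the shim routes them through esc_html(), which passes ENT_QUOTES, so `'` and `"` are now encoded where they previously were not — this is what the commit intends, but the `@deprecated` docblock should say so, e.g. `@deprecated 2.8.0 Use esc_html(); single-argument calls now also encode quotes.` The shim emits no deprecation notice, so remaining call sites will not surface in logs; if a `_deprecated_function()` helper exists in this tree, calling it in the one-argument branch would make the migration visible. The `@param string $text` line in the new esc_html() docblock also lacks a description.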
@@ -2107,7 +2136,7 @@ function js_escape( $text ) {
*/
function esc_attr( $text ) {
$safe_text = wp_check_invalid_utf8( $text );
$safe_text = wp_specialchars( $safe_text, ENT_QUOTES );
$safe_text = _wp_specialchars( $safe_text, ENT_QUOTES );
return apply_filters( 'attribute_escape', $safe_text, $text );
}
@@ -2224,7 +2253,7 @@ function sanitize_option($option, $value) {
$value = addslashes($value);
$value = wp_filter_post_kses( $value ); // calls stripslashes then addslashes
$value = stripslashes($value);
$value = wp_specialchars( $value );
$value = esc_html( $value );
break;
case 'blog_charset':
@@ -2298,15 +2327,15 @@ function wp_pre_kses_less_than( $text ) {
/**
* Callback function used by preg_replace.
*
* @uses wp_specialchars to format the $matches text.
* @uses esc_html to format the $matches text.
* @since 2.3.0
*
* @param array $matches Populated by matches to preg_replace.
* @return string The text returned after wp_specialchars if needed.
* @return string The text returned after esc_html if needed.
*/
function wp_pre_kses_less_than_callback( $matches ) {
if ( false === strpos($matches[0], '>') )
return wp_specialchars($matches[0]);
return esc_html($matches[0]);
return $matches[0];
}


@@ -379,7 +379,7 @@ function get_option( $setting, $default = false ) {
function wp_protect_special_option( $option ) {
$protected = array( 'alloptions', 'notoptions' );
if ( in_array( $option, $protected ) )
die( sprintf( __( '%s is a protected WP option and may not be modified' ), wp_specialchars( $option ) ) );
die( sprintf( __( '%s is a protected WP option and may not be modified' ), esc_html( $option ) ) );
}
/**
@@ -1593,7 +1593,7 @@ function do_feed() {
$hook = 'do_feed_' . $feed;
if ( !has_action($hook) ) {
$message = sprintf( __( 'ERROR: %s is not a valid feed template' ), wp_specialchars($feed));
$message = sprintf( __( 'ERROR: %s is not a valid feed template' ), esc_html($feed));
wp_die($message);
}
@@ -1718,7 +1718,7 @@ function is_blog_installed() {
*/
function wp_nonce_url( $actionurl, $action = -1 ) {
$actionurl = str_replace( '&amp;', '&', $actionurl );
return wp_specialchars( add_query_arg( '_wpnonce', wp_create_nonce( $action ), $actionurl ) );
return esc_html( add_query_arg( '_wpnonce', wp_create_nonce( $action ), $actionurl ) );
}
/**
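Review bot: wp_nonce_url() returns a URL that has been HTML-entity encoded (`&` becomes `&amp;`, and with esc_html() now using ENT_QUOTES, quotes are encoded too), which is correct only when the caller drops the result straight into markup; used in a `Location:` header, a JavaScript string or a redirect it will carry a literal `&amp;`. The function's docblock, which closes just above the hunk, should state that contract, e.g. `@return string URL with the nonce appended, HTML-escaped for direct use in markup.` The `str_replace( '&amp;', '&', $actionurl )` on the preceding line exists to cope with callers feeding already-escaped URLs back in, which suggests the escaping belongs at the output site rather than here; that is a larger change than this commit should carry.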
@@ -2308,7 +2308,7 @@ function wp_explain_nonce( $action ) {
else
$object = call_user_func( $lookup, $object );
}
return sprintf( $trans[$verb][$noun][0], wp_specialchars($object) );
return sprintf( $trans[$verb][$noun][0], esc_html($object) );
} else {
return $trans[$verb][$noun][0];
}
@@ -2334,7 +2334,7 @@ function wp_explain_nonce( $action ) {
*/
function wp_nonce_ays( $action ) {
$title = __( 'WordPress Failure Notice' );
$html = wp_specialchars( wp_explain_nonce( $action ) );
$html = esc_html( wp_explain_nonce( $action ) );
if ( wp_get_referer() )
$html .= "</p><p><a href='" . clean_url( remove_query_arg( 'updated', wp_get_referer() ) ) . "'>" . __( 'Please try again.' ) . "</a>";
elseif ( 'log-out' == $action )


@@ -1469,7 +1469,7 @@ function feed_links_extra( $args ) {
$post = &get_post( $id = 0 );
if ( comments_open() || pings_open() || $post->comment_count > 0 ) {
$title = esc_attr(sprintf( $args['singletitle'], get_bloginfo('name'), $args['separator'], wp_specialchars( get_the_title() ) ));
$title = esc_attr(sprintf( $args['singletitle'], get_bloginfo('name'), $args['separator'], esc_html( get_the_title() ) ));
$href = get_post_comments_feed_link( $post->ID );
}
} elseif ( is_category() ) {
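Review bot: The inner `esc_html( get_the_title() )` is wrapped by esc_attr() over the whole sprintf() result, so the title is escaped twice; because _wp_specialchars() defaults `$double_encode` to false (visible in the formatting.php section of this commit) entities should not be doubled and the output stays safe, but the inner call is now redundant since esc_html() and esc_attr() both pass ENT_QUOTES. Either drop it, `$title = esc_attr(sprintf( $args['singletitle'], get_bloginfo('name'), $args['separator'], get_the_title() ));`, or leave a comment explaining why the title is escaped before the attribute escape. feed_links_extra() begins above the hunk.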


@@ -119,6 +119,22 @@ function esc_attr__( $text, $domain = 'default' ) {
return esc_attr( translate( $text, $domain ) );
}
/**
* Retrieves the translation of $text and escapes it for safe use in HTML output.
* If there is no translation, or the domain isn't loaded the original text is returned.
*
* @see translate() An alias of translate()
* @see esc_html()
* @since 2.8.0
*
* @param string $text Text to translate
* @param string $domain Optional. Domain to retrieve the translated text
* @return string Translated text
*/
function esc_html__( $text, $domain = 'default' ) {
return esc_html( translate( $text, $domain ) );
}
/**
* Displays the returned translated text from translate().
*
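Review bot: The new esc_html__() docblock carries `@see translate() An alias of translate()`, which is inaccurate since the function escapes the translated result; esc_html_e() in the second hunk repeats the copied wording. Suggest `@see translate()` alone and `@return string Translated text, escaped with esc_html()` for esc_html__(), and a matching description for esc_html_e() noting that the echoed string is escaped. Both functions are complete within their hunks.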
@@ -146,6 +162,20 @@ function esc_attr_e( $text, $domain = 'default' ) {
echo esc_attr( translate( $text, $domain ) );
}
/**
* Displays translated text that has been escaped for safe use in HTML output.
*
* @see translate() Echoes returned translate() string
* @see esc_html()
* @since 2.8.0
*
* @param string $text Text to translate
* @param string $domain Optional. Domain to retrieve the translated text
*/
function esc_html_e( $text, $domain = 'default' ) {
echo esc_html( translate( $text, $domain ) );
}
/**
* Retrieve translated string with vertical bar context
*


@@ -540,7 +540,7 @@ function wp_dropdown_users( $args = '' ) {
$user->ID = (int) $user->ID;
$_selected = $user->ID == $selected ? " selected='selected'" : '';
$display = !empty($user->$show) ? $user->$show : '('. $user->user_login . ')';
$output .= "\t<option value='$user->ID'$_selected>" . wp_specialchars($display) . "</option>\n";
$output .= "\t<option value='$user->ID'$_selected>" . esc_html($display) . "</option>\n";
}
$output .= "</select>";


@@ -601,7 +601,7 @@ function wp_widget_description( $id ) {
global $wp_registered_widgets;
if ( isset($wp_registered_widgets[$id]['description']) )
return wp_specialchars( $wp_registered_widgets[$id]['description'] );
return esc_html( $wp_registered_widgets[$id]['description'] );
}
/**