
new function for escaping within attributes: attribute_escape()

git-svn-id: http://svn.automattic.com/wordpress/branches/2.0@4656 1a063a9b-81f0-0310-95a4-ce76da25c4cd
1 parent 8ca9789 commit be708ef9a7161e1a92ef9df54547c9298dfcbc66 markjaquith committed Dec 21, 2006
@@ -289,7 +289,7 @@ function get_default_post_to_edit() {
else if ( !empty($post_title) ) {
$text = wp_specialchars(stripslashes(urldecode($_REQUEST['text'])));
$text = funky_javascript_fix($text);
- $popupurl = wp_specialchars($_REQUEST['popupurl']);
+ $popupurl = attribute_escape(stripslashes($_REQUEST['popupurl']));
$post_content = '<a href="'.$popupurl.'">'.$post_title.'</a>'."\n$text";
}
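Review bot: attribute_escape() on the new line makes `$popupurl` safe inside the quoted attribute, but the value is then used as the target of an `href` on the next line, and entity-encoding does not constrain the URL at all; a request-supplied URL used as a link target should also be validated (accept only http/https and reject anything else before it reaches the markup). The post.php hunk (`$popupurl = attribute_escape(stripslashes($_REQUEST['popupurl']));`) has the same pattern. `$post_title` on the same line is concatenated as element text, and whether it was escaped is decided above the hunk, so that is worth confirming. get_default_post_to_edit starts before this hunk.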
@@ -337,16 +337,16 @@ function get_category_to_edit($id) {
function get_user_to_edit($user_id) {
$user = new WP_User($user_id);
- $user->user_login = wp_specialchars($user->user_login, 1);
- $user->user_email = wp_specialchars($user->user_email, 1);
- $user->user_url = wp_specialchars($user->user_url, 1);
- $user->first_name = wp_specialchars($user->first_name, 1);
- $user->last_name = wp_specialchars($user->last_name, 1);
- $user->display_name = wp_specialchars($user->display_name, 1);
- $user->nickname = wp_specialchars($user->nickname, 1);
- $user->aim = wp_specialchars($user->aim, 1);
- $user->yim = wp_specialchars($user->yim, 1);
- $user->jabber = wp_specialchars($user->jabber, 1);
+ $user->user_login = attribute_escape($user->user_login);
+ $user->user_email = attribute_escape($user->user_email);
+ $user->user_url = attribute_escape($user->user_url);
+ $user->first_name = attribute_escape($user->first_name);
+ $user->last_name = attribute_escape($user->last_name);
+ $user->display_name = attribute_escape($user->display_name);
+ $user->nickname = attribute_escape($user->nickname);
+ $user->aim = attribute_escape($user->aim);
+ $user->yim = attribute_escape($user->yim);
+ $user->jabber = attribute_escape($user->jabber);
$user->description = wp_specialchars($user->description);
return $user;
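Review bot: The new lines escape the returned WP_User's fields for attribute context while `$user->description` keeps plain wp_specialchars(), and nothing says why; the reason (the description presumably goes into a `<textarea>`, where quote encoding is unnecessary) belongs in a comment such as `// description is rendered as textarea content, so only <, > and & need escaping`. get_link_to_edit below makes the same split for `link_notes`. It would also help to note in the function's header comment that the object comes back pre-escaped for HTML attributes and is meant for edit-form output only, so callers neither escape it again nor store it. The closing brace of get_user_to_edit is outside the hunk.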
@@ -467,26 +467,26 @@ function edit_user($user_id = 0) {
function get_link_to_edit($link_id) {
$link = get_link($link_id);
- $link->link_url = wp_specialchars($link->link_url, 1);
- $link->link_name = wp_specialchars($link->link_name, 1);
- $link->link_image = wp_specialchars($link->link_image, 1);
- $link->link_description = wp_specialchars($link->link_description, 1);
+ $link->link_url = attribute_escape($link->link_url);
+ $link->link_name = attribute_escape($link->link_name);
+ $link->link_image = attribute_escape($link->link_image);
+ $link->link_description = attribute_escape($link->link_description);
$link->link_notes = wp_specialchars($link->link_notes);
- $link->link_rss = wp_specialchars($link->link_rss, 1);
- $link->link_rel = wp_specialchars($link->link_rel, 1);
+ $link->link_rss = attribute_escape($link->link_rss);
+ $link->link_rel = attribute_escape($link->link_rel);
$link->post_category = $link->link_category;
return $link;
}
function get_default_link_to_edit() {
if ( isset($_GET['linkurl']) )
- $link->link_url = wp_specialchars($_GET['linkurl'], 1);
+ $link->link_url = attribute_escape($_GET['linkurl']);
else
$link->link_url = '';
if ( isset($_GET['name']) )
- $link->link_name = wp_specialchars($_GET['name'], 1);
+ $link->link_name = attribute_escape($_GET['name']);
else
$link->link_name = '';
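Review bot: `$_GET['linkurl']` and `$_GET['name']` on the new lines are escaped without stripslashes(), whereas the other request-supplied values in this commit (`popupurl`, `backto`) get `attribute_escape(stripslashes(...))`; if request data is slash-escaped here as it evidently is there, the edit form will show literal backslashes before quotes. Suggest `$link->link_url = attribute_escape(stripslashes($_GET['linkurl']));` and the same for `name`. Separately, `$link` has no value before its first property assignment in get_default_link_to_edit, so PHP creates the object implicitly; a pre-existing issue, but an explicit `$link = new stdClass();` at the top would make it deliberate. The function continues past the hunk.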
@@ -860,8 +860,8 @@ function list_meta($meta) {
}
}
- $entry['meta_key'] = wp_specialchars( $entry['meta_key'], true );
- $entry['meta_value'] = wp_specialchars( $entry['meta_value'], true );
+ $entry['meta_key'] = attribute_escape( $entry['meta_key']);
+ $entry['meta_value'] = attribute_escape( $entry['meta_value']);
echo "
<tr class='$style'>
<td valign='top'><input name='meta[{$entry['meta_id']}][key]' tabindex='6' type='text' size='20' value='{$entry['meta_key']}' /></td>
@@ -912,7 +912,7 @@ function meta_form() {
<?php
foreach ($keys as $key) {
- $key = wp_specialchars($key, 1);
+ $key = attribute_escape($key);
echo "\n\t<option value='$key'>$key</option>";
}
?>
@@ -37,7 +37,7 @@
$content = wp_specialchars($_REQUEST['content']);
-$popupurl = wp_specialchars($_REQUEST['popupurl']);
+$popupurl = attribute_escape(stripslashes($_REQUEST['popupurl']));
if ( !empty($content) ) {
$post->post_content = wp_specialchars( stripslashes($_REQUEST['content']) );
} else {
@@ -69,12 +69,12 @@
<table class="editform" width="100%" cellspacing="2" cellpadding="5">
<tr>
<th width="33%" scope="row"><?php _e('Category name:') ?></th>
- <td width="67%"><input name="cat_name" type="text" value="<?php echo wp_specialchars($category->cat_name); ?>" size="40" /> <input type="hidden" name="action" value="editedcat" />
+ <td width="67%"><input name="cat_name" type="text" value="<?php echo attribute_escape($category->cat_name); ?>" size="40" /> <input type="hidden" name="action" value="editedcat" />
<input type="hidden" name="cat_ID" value="<?php echo $category->cat_ID ?>" /></td>
</tr>
<tr>
<th scope="row"><?php _e('Category slug:') ?></th>
- <td><input name="category_nicename" type="text" value="<?php echo wp_specialchars($category->category_nicename); ?>" size="40" /></td>
+ <td><input name="category_nicename" type="text" value="<?php echo attribute_escape($category->category_nicename); ?>" size="40" /></td>
</tr>
<tr>
<th scope="row"><?php _e('Category parent:') ?></th>
@@ -86,7 +86,7 @@
</tr>
<tr>
<th scope="row"><?php _e('Description:') ?></th>
- <td><textarea name="category_description" rows="5" cols="50" style="width: 97%;"><?php echo wp_specialchars($category->category_description, 1); ?></textarea></td>
+ <td><textarea name="category_description" rows="5" cols="50" style="width: 97%;"><?php echo wp_specialchars($category->category_description); ?></textarea></td>
</tr>
</table>
<p class="submit"><input type="submit" name="submit" value="<?php _e('Edit category') ?> &raquo;" /></p>
@@ -7,7 +7,7 @@
require_once('admin-header.php');
if (empty($_GET['mode'])) $mode = 'view';
-else $mode = wp_specialchars($_GET['mode'], 1);
+else $mode = attribute_escape($_GET['mode']);
?>
<script type="text/javascript">
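Review bot: `$mode` is a selector from a small fixed set of values ('view' is the default one line above) and is reused in the next hunk as `value="<?php echo $mode; ?>"`; escaping is the wrong tool for a value that is later compared against known modes or used to choose a code path, a whitelist is. Something like `$mode = in_array($_GET['mode'], array('view' /* , the other accepted modes */), true) ? $_GET['mode'] : 'view';` keeps only known values and makes the escape unnecessary at the use site. This is also one of the request parameters the commit leaves un-stripslashed, unlike `popupurl`.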
@@ -30,7 +30,7 @@ function checkAll(form)
<form name="searchform" action="" method="get">
<fieldset>
<legend><?php _e('Show Comments That Contain...') ?></legend>
- <input type="text" name="s" value="<?php if (isset($_GET['s'])) echo wp_specialchars($_GET['s'], 1); ?>" size="17" />
+ <input type="text" name="s" value="<?php if (isset($_GET['s'])) echo attribute_escape($_GET['s']); ?>" size="17" />
<input type="submit" name="submit" value="<?php _e('Search') ?>" />
<input type="hidden" name="mode" value="<?php echo $mode; ?>" />
<?php _e('(Searches within comment text, e-mail, URI, and IP address.)') ?>
@@ -211,11 +211,11 @@ function focusit() {
?>
<input name="referredby" type="hidden" id="referredby" value="<?php
if ( !empty($_REQUEST['popupurl']) )
- echo wp_specialchars($_REQUEST['popupurl']);
-else if ( url_to_postid(wp_get_referer()) == $post_ID )
+ echo attribute_escape(stripslashes($_REQUEST['popupurl']));
+else if ( url_to_postid(stripslashes(wp_get_referer())) == $post_ID )
echo 'redo';
else
- echo wp_specialchars(wp_get_referer());
+ echo attribute_escape(stripslashes(wp_get_referer()));
?>" /></p>
<?php do_action('edit_form_advanced'); ?>
@@ -230,7 +230,7 @@ function xfn_check($class, $value = '', $type = 'check') {
<?php if ( $editing ) : ?>
<input type="hidden" name="action" value="editlink" />
<input type="hidden" name="link_id" value="<?php echo (int) $link_id; ?>" />
- <input type="hidden" name="order_by" value="<?php echo wp_specialchars($order_by, 1); ?>" />
+ <input type="hidden" name="order_by" value="<?php echo attribute_escape($order_by); ?>" />
<input type="hidden" name="cat_id" value="<?php echo (int) $cat_id ?>" />
<?php else: ?>
<input type="hidden" name="action" value="Add" />
@@ -14,11 +14,10 @@
$form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />";
}
-$sendto = wp_get_referer();
+$sendto = attribute_escape(wp_get_referer());
if ( 0 != $post_ID && $sendto == get_permalink($post_ID) )
$sendto = 'redo';
-$sendto = wp_specialchars( $sendto );
?>
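Review bot: Moving the escape to the first changed line changes what gets compared: `$sendto` is now entity-encoded when it is tested against `get_permalink($post_ID)`, so a referer that equals the permalink but contains any character wp_specialchars rewrites (`&`, quotes) no longer matches and the 'redo' shortcut is skipped, whereas the removed line escaped after the comparison. The referer is also not stripslashes()'d here, while the edit-form-advanced and upgrade hunks do that. Keep the original order: `$sendto = stripslashes(wp_get_referer());`, the comparison unchanged, then `$sendto = attribute_escape($sendto);` after it.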
@@ -13,7 +13,7 @@
<form name="searchform" action="" method="get">
<fieldset>
<legend><?php _e('Search Pages&hellip;') ?></legend>
- <input type="text" name="s" value="<?php if (isset($_GET['s'])) echo wp_specialchars($_GET['s'], 1); ?>" size="17" />
+ <input type="text" name="s" value="<?php if (isset($_GET['s'])) echo attribute_escape($_GET['s']); ?>" size="17" />
<input type="submit" name="submit" value="<?php _e('Search') ?>" />
</fieldset>
</form>
@@ -79,7 +79,7 @@
<form name="searchform" action="" method="get" style="float: left; width: 16em; margin-right: 3em;">
<fieldset>
<legend><?php _e('Search Posts&hellip;') ?></legend>
- <input type="text" name="s" value="<?php if (isset($s)) echo wp_specialchars($s, 1); ?>" size="17" />
+ <input type="text" name="s" value="<?php if (isset($s)) echo attribute_escape($s); ?>" size="17" />
<input type="submit" name="submit" value="<?php _e('Search') ?>" />
</fieldset>
</form>
@@ -240,7 +240,7 @@
$xpadding = (128 - $image['uwidth']) / 2;
$ypadding = (96 - $image['uheight']) / 2;
$style .= "#target{$ID} img { padding: {$ypadding}px {$xpadding}px; }\n";
- $title = wp_specialchars($image['post_title'], ENT_QUOTES);
+ $title = attribute_escape($image['post_title']);
$script .= "aa[{$ID}] = '<a id=\"p{$ID}\" rel=\"attachment\" class=\"imagelink\" href=\"$href\" onclick=\"doPopup({$ID});return false;\" title=\"{$title}\">';
ab[{$ID}] = '<a class=\"imagelink\" href=\"{$image['guid']}\" onclick=\"doPopup({$ID});return false;\" title=\"{$title}\">';
imga[{$ID}] = '<img id=\"image{$ID}\" src=\"$src\" alt=\"{$title}\" $height_width />';
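Review bot: `$title` on the new line is escaped for an HTML attribute, but the lines below interpolate it into a JavaScript single-quoted string literal (`aa[{$ID}] = '<a ... title=\"{$title}\">';`), a context attribute escaping does not cover: a backslash or a newline in a post title still breaks the JS string. The file already provides js_escape() (see the last hunk, which visibly turns `&#039;` back into a quote and then addslashes() the text), so the JS-embedded copy should go through it, e.g. `$title = js_escape(attribute_escape($image['post_title']));`, with the order confirmed against js_escape's full body. The @@ -260 hunk (`$title = attribute_escape($attachment['post_title']);`) probably feeds the same kind of string, but its use is outside that hunk.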
@@ -260,7 +260,7 @@
</div>
";
} else {
- $title = wp_specialchars($attachment['post_title'], ENT_QUOTES);
+ $title = attribute_escape($attachment['post_title']);
$filename = basename($attachment['guid']);
$icon = get_attachment_icon($ID);
$toggle_icon = "<a id=\"I{$ID}\" onclick=\"toggleOtherIcon({$ID});return false;\" href=\"javascript:void()\">$__using_title</a>";
@@ -124,7 +124,7 @@
<table class="editform" width="100%" cellspacing="2" cellpadding="5">
<tr>
<th width="33%" scope="row"><?php _e('Name:') ?></th>
- <td width="67%"><input name="cat_name" type="text" value="<?php echo wp_specialchars($row->cat_name)?>" size="30" /></td>
+ <td width="67%"><input name="cat_name" type="text" value="<?php echo attribute_escape($row->cat_name)?>" size="30" /></td>
</tr>
<tr>
<th scope="row"><?php _e('Show:') ?></th>
@@ -327,7 +327,7 @@ function checkAll(form)
<?php wp_nonce_field('bulk-bookmarks') ?>
<input type="hidden" name="link_id" value="" />
<input type="hidden" name="action" value="" />
- <input type="hidden" name="order_by" value="<?php echo wp_specialchars($order_by, 1); ?>" />
+ <input type="hidden" name="order_by" value="<?php echo attribute_escape($order_by); ?>" />
<input type="hidden" name="cat_id" value="<?php echo (int) $cat_id ?>" />
<table id="the-list-x" width="100%" cellpadding="3" cellspacing="3">
<tr>
@@ -357,10 +357,10 @@ function checkAll(form)
$links = $wpdb->get_results($sql);
if ($links) {
foreach ($links as $link) {
- $link->link_name = wp_specialchars($link->link_name);
+ $link->link_name = attribute_escape($link->link_name);
$link->link_category = wp_specialchars($link->link_category);
$link->link_description = wp_specialchars($link->link_description);
- $link->link_url = wp_specialchars($link->link_url);
+ $link->link_url = attribute_escape($link->link_url);
$short_url = str_replace('http://', '', $link->link_url);
$short_url = str_replace('www.', '', $short_url);
if ('/' == substr($short_url, -1))
@@ -17,7 +17,7 @@
<table class="editform optiontable">
<tr valign="top">
<th scope="row"><?php _e('Store uploads in this folder'); ?>:</th>
-<td><input name="upload_path" type="text" id="upload_path" class="code" value="<?php echo wp_specialchars(str_replace(ABSPATH, '', get_settings('upload_path')), 1); ?>" size="40" />
+<td><input name="upload_path" type="text" id="upload_path" class="code" value="<?php echo attribute_escape(str_replace(ABSPATH, '', get_settings('upload_path'))); ?>" size="40" />
<br />
<?php _e('Default is <code>wp-content/uploads</code>'); ?>
</td>
@@ -148,7 +148,7 @@ function blurry() {
</label>
<br />
</p>
-<p id="customstructure"><?php _e('Custom structure'); ?>: <input name="permalink_structure" id="permalink_structure" type="text" class="code" style="width: 60%;" value="<?php echo wp_specialchars($permalink_structure, 1); ?>" size="50" /></p>
+<p id="customstructure"><?php _e('Custom structure'); ?>: <input name="permalink_structure" id="permalink_structure" type="text" class="code" style="width: 60%;" value="<?php echo attribute_escape($permalink_structure); ?>" size="50" /></p>
<h3><?php _e('Optional'); ?></h3>
<?php if ($is_apache) : ?>
@@ -157,7 +157,7 @@ function blurry() {
<p><?php _e('If you like, you may enter a custom prefix for your category URIs here. For example, <code>/index.php/taxonomy/tags</code> would make your category links like <code>http://example.org/index.php/taxonomy/tags/uncategorized/</code>. If you leave this blank the default will be used.') ?></p>
<?php endif; ?>
<p>
- <?php _e('Category base'); ?>: <input name="category_base" type="text" class="code" value="<?php echo wp_specialchars($category_base, 1); ?>" size="30" />
+ <?php _e('Category base'); ?>: <input name="category_base" type="text" class="code" value="<?php echo attribute_escape($category_base); ?>" size="30" />
</p>
<p class="submit">
<input type="submit" name="submit" value="<?php _e('Update Permalink Structure &raquo;') ?>" />
@@ -182,7 +182,7 @@ function sanitize_option($option, $value) {
?>
</table>
<?php $options_to_update = implode(',', $options_to_update); ?>
-<p class="submit"><input type="hidden" name="page_options" value="<?php echo wp_specialchars($options_to_update, true); ?>" /><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
+<p class="submit"><input type="hidden" name="page_options" value="<?php echo attribute_escape($options_to_update); ?>" /><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
</form>
</div>
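Review bot: The hidden `page_options` field on the new line is now correctly escaped for the attribute, but it carries the list of option names back to the server, where it is client-controlled; if the submit handler (outside this hunk) uses that list to decide which options to write, it must check each name against the set this page rendered rather than trust the field. Not something this commit changes, but a comment next to the field, such as `// page_options is only a hint; the handler must re-validate option names server-side`, would keep the next reader from assuming the escape makes it trustworthy. The enclosing form starts before the hunk.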
@@ -81,7 +81,7 @@
?>
<div id='preview' class='wrap'>
<h2 id="preview-post"><?php _e('Post Preview (updated when post is saved)'); ?> <small class="quickjump"><a href="#write-post"><?php _e('edit &uarr;'); ?></a></small></h2>
- <iframe src="<?php echo wp_specialchars(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
+ <iframe src="<?php echo attribute_escape(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
</div>
<?php
break;
@@ -111,7 +111,7 @@
<?php
echo '<ol>';
foreach ($recents as $recent) :
- echo "<li><a href='templates.php?file=" . wp_specialchars($recent, true) . "'>" . get_file_description(basename($recent)) . "</a></li>";
+ echo "<li><a href='templates.php?file=" . attribute_escape($recent) . "'>" . get_file_description(basename($recent)) . "</a></li>";
endforeach;
echo '</ol>';
endif;
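Review bot: `attribute_escape($recent)` on the new line escapes for the attribute, but the value is being built into a query string (`templates.php?file=`), so characters with URL meaning in a file name (`&`, `#`, `+`, `%`, spaces) are not encoded and will alter or truncate the parameter once the browser decodes the entities. URL-encode the parameter first and escape the result for the attribute: `attribute_escape(urlencode($recent))`. The foreach and its enclosing block start before the hunk.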
@@ -101,7 +101,7 @@
$theme_name = $a_theme['Name'];
if ($theme_name == $theme) $selected = " selected='selected'";
else $selected = '';
- $theme_name = wp_specialchars($theme_name, true);
+ $theme_name = attribute_escape($theme_name);
echo "\n\t<option value=\"$theme_name\" $selected>$theme_name</option>";
}
?>
@@ -67,7 +67,7 @@
switch($step) {
case 0:
- $goback = wp_specialchars(wp_get_referer());
+ $goback = attribute_escape(stripslashes(wp_get_referer()));
?>
<p><?php _e('This file upgrades you from any previous version of WordPress to the latest. It may take a while though, so be patient.'); ?></p>
<h2 class="step"><a href="upgrade.php?step=1&amp;backto=<?php echo $goback; ?>"><?php _e('Upgrade WordPress &raquo;'); ?></a></h2>
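Review bot: `$goback` on the new line is a full referer URL dropped into a query parameter (`backto=<?php echo $goback; ?>`) with only attribute escaping; the referer's own `?` and `&` are not URL-encoded, so `backto` is cut at the referer's first `&` after the browser decodes the entities. Encode before escaping: `$goback = attribute_escape(urlencode(stripslashes(wp_get_referer())));`. The @@ -86 hunk then puts `$_GET['backto']` straight into an `href`; as it arrives from the query string it should also be checked to be an http/https URL, ideally one on this site, before being emitted as a link — entity-encoding alone does not do that.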
@@ -86,7 +86,7 @@
if ( empty( $_GET['backto'] ) )
$backto = __get_option('home');
else
- $backto = wp_specialchars( $_GET['backto'] , 1 );
+ $backto = attribute_escape(stripslashes($_GET['backto']));
?>
<h2><?php _e('Step 1'); ?></h2>
<p><?php printf(__("There's actually only one step. So if you see this, you're done. <a href='%s'>Have fun</a>!"), $backto); ?></p>
@@ -60,7 +60,7 @@
<input type="text" name="author" id="author" class="textarea" value="<?php echo $comment_author; ?>" size="28" tabindex="1" />
<label for="author"><?php _e("Name"); ?></label>
<input type="hidden" name="comment_post_ID" value="<?php echo $id; ?>" />
- <input type="hidden" name="redirect_to" value="<?php echo wp_specialchars($_SERVER["REQUEST_URI"]); ?>" />
+ <input type="hidden" name="redirect_to" value="<?php echo attribute_escape($_SERVER["REQUEST_URI"]); ?>" />
</p>
<p>
@@ -60,7 +60,7 @@
<input type="text" name="author" id="author" class="textarea" value="<?php echo $comment_author; ?>" size="28" tabindex="1" />
<label for="author">Name</label>
<input type="hidden" name="comment_post_ID" value="<?php echo $id; ?>" />
- <input type="hidden" name="redirect_to" value="<?php echo wp_specialchars($_SERVER["REQUEST_URI"]); ?>" />
+ <input type="hidden" name="redirect_to" value="<?php echo attribute_escape($_SERVER["REQUEST_URI"]); ?>" />
</p>
<p>
@@ -1,5 +1,5 @@
<form method="get" id="searchform" action="<?php bloginfo('home'); ?>/">
-<div><input type="text" value="<?php echo wp_specialchars($s, 1); ?>" name="s" id="s" />
+<div><input type="text" value="<?php echo attribute_escape($s); ?>" name="s" id="s" />
<input type="submit" id="searchsubmit" value="Search" />
</div>
</form>
@@ -315,7 +315,7 @@ function comments_popup_link($zero='No Comments', $one='1 Comment', $more='% Com
if (!empty($CSSclass)) {
echo ' class="'.$CSSclass.'"';
}
- $title = wp_specialchars(apply_filters('the_title', get_the_title()), true);
+ $title = attribute_escape(apply_filters('the_title', get_the_title()));
echo ' title="' . sprintf( __('Comment on %s'), $title ) .'">';
comments_number($zero, $one, $more, $number);
echo '</a>';
@@ -897,21 +897,21 @@ function sanitize_comment_cookies() {
if ( isset($_COOKIE['comment_author_'.COOKIEHASH]) ) {
$comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]);
$comment_author = stripslashes($comment_author);
- $comment_author = wp_specialchars($comment_author, true);
+ $comment_author = attribute_escape($comment_author);
$_COOKIE['comment_author_'.COOKIEHASH] = $comment_author;
}
if ( isset($_COOKIE['comment_author_email_'.COOKIEHASH]) ) {
$comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]);
$comment_author_email = stripslashes($comment_author_email);
- $comment_author_email = wp_specialchars($comment_author_email, true);
+ $comment_author_email = attribute_escape($comment_author_email);
$_COOKIE['comment_author_email_'.COOKIEHASH] = $comment_author_email;
}
if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) {
$comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
$comment_author_url = stripslashes($comment_author_url);
- $comment_author_url = wp_specialchars($comment_author_url, true);
+ $comment_author_url = attribute_escape($comment_author_url);
$_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url;
}
}
@@ -1050,4 +1050,10 @@ function js_escape($text) {
$text = str_replace('&#039;', "'", $text);
return preg_replace("/\r?\n/", "\\n", addslashes($text));
}
+
+// Escaping for HTML attributes like
+function attribute_escape($text) {
+ return wp_specialchars($text, true);
+}
+
?>
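Review bot: The comment on the new function is cut off (`// Escaping for HTML attributes like`) and should state what it guarantees and where it applies, e.g. `// Escape a string for use inside a single- or double-quoted HTML attribute value (wp_specialchars with quote encoding enabled). Not sufficient on its own for URL, JavaScript or SQL contexts; combine with urlencode() / js_escape() when the attribute holds one of those.` Since the whole commit standardises on this one-liner, the comment is the place to record that it is `wp_specialchars($text, true)` and therefore inherits that function's treatment of already-encoded entities — confirm against wp_specialchars's definition that the quote mode covers both quote characters, as the single-quoted `value='...'` uses elsewhere in this commit rely on it. js_escape above starts before the hunk.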