

Make sure to escape URLs, especially when using get_comment_link().
git-svn-id: http://svn.locallylost.com/themes/hybrid-core/trunk@830 dba0f204-706d-4bc1-bc29-8b92e0485636
greenshady committed Sep 14, 2011
1 parent ff9855a commit e56f10f
Showing 2 changed files with 13 additions and 13 deletions.
10 changes: 5 additions & 5 deletions functions/comments.php
Expand Up @@ -108,8 +108,8 @@ function hybrid_avatar() {

/* Get/set some comment variables. */
$comment_type = get_comment_type( $comment->comment_ID );
$author = esc_html( get_comment_author( $comment->comment_ID ) );
$url = esc_url( get_comment_author_url( $comment->comment_ID ) );
$author = get_comment_author( $comment->comment_ID );
$url = get_comment_author_url( $comment->comment_ID );
$avatar = '';
$default_avatar = '';

Expand All @@ -135,7 +135,7 @@ function hybrid_avatar() {

/* If URL input, wrap avatar in hyperlink. */
if ( !empty( $url ) && !empty( $avatar ) )
$avatar = '<a href="' . $url . '" rel="external nofollow" title="' . $author . '">' . $avatar . '</a>';
$avatar = '<a href="' . esc_url( $url ) . '" rel="external nofollow" title="' . esc_attr( $author ) . '">' . $avatar . '</a>';

/* Display the avatar and allow it to be filtered. Note: Use the get_avatar filter hook where possible. */
echo apply_filters( "{$hybrid->prefix}_avatar", $avatar );
Expand Down Expand Up @@ -165,8 +165,8 @@ function hybrid_comment_form_args( $args ) {

/* Sets up the default comment form fields. */
$fields = array(
'author' => '<p class="form-author' . $input_class . '"><label for="author">' . __( 'Name', $domain ) . $req . '</label> <input type="text" class="text-input" name="author" id="author" value="' . esc_attr( $commenter['comment_author'] ) . '" size="40" /></p>',
'email' => '<p class="form-email' . $input_class . '"><label for="email">' . __( 'Email', $domain ) . $req . '</label> <input type="text" class="text-input" name="email" id="email" value="' . esc_attr( $commenter['comment_author_email'] ) . '" size="40" /></p>',
'author' => '<p class="form-author' . esc_attr( $input_class ) . '"><label for="author">' . __( 'Name', $domain ) . $req . '</label> <input type="text" class="text-input" name="author" id="author" value="' . esc_attr( $commenter['comment_author'] ) . '" size="40" /></p>',
'email' => '<p class="form-email' . esc_attr( $input_class ) . '"><label for="email">' . __( 'Email', $domain ) . $req . '</label> <input type="text" class="text-input" name="email" id="email" value="' . esc_attr( $commenter['comment_author_email'] ) . '" size="40" /></p>',
'url' => '<p class="form-url"><label for="url">' . __( 'Website', $domain ) . '</label><input type="text" class="text-input" name="url" id="url" value="' . esc_attr( $commenter['comment_author_url'] ) . '" size="40" /></p>'
);

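Review bot: The reason `$url` and `$author` are now escaped only at the point where they are interpolated into the anchor (the `$avatar = '<a href="' . esc_url( $url ) ...` line of the second hunk) is not recorded anywhere, so a later edit could easily re-add escaping at assignment or drop the escapers here; a one-line comment above the `if` would pin it: `/* Escape at output: esc_url() for the href, esc_attr() for the title attribute; $url and $author are kept raw until here. */`. This assumes the second line of each printed pair is the new side, since the page shows no +/- markers. `hybrid_avatar()` begins above the first hunk, so where `$comment` and `$hybrid` are populated is not visible, and the markup returned by the `{$hybrid->prefix}_avatar` filter is echoed as-is, so any filter callback is fully trusted.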
16 changes: 8 additions & 8 deletions functions/shortcodes.php
Expand Up @@ -97,7 +97,7 @@ function hybrid_theme_link_shortcode() {
*/
function hybrid_child_link_shortcode() {
$data = hybrid_get_theme_data( 'stylesheet' );
return '<a class="child-link" href="' . esc_url( $data['URI'] ) . '" title="' . esc_attr( $data['Name'] ) . '"><span>' . esc_attr( $data['Name'] ) . '</span></a>';
return '<a class="child-link" href="' . esc_url( $data['URI'] ) . '" title="' . esc_attr( $data['Name'] ) . '"><span>' . esc_html( $data['Name'] ) . '</span></a>';
}

/**
Expand Down Expand Up @@ -177,7 +177,7 @@ function hybrid_entry_edit_link_shortcode( $attr ) {

$attr = shortcode_atts( array( 'before' => '', 'after' => '' ), $attr );

return $attr['before'] . '<span class="edit"><a class="post-edit-link" href="' . get_edit_post_link( $post->ID ) . '" title="' . sprintf( esc_attr__( 'Edit %1$s', $domain ), $post_type->labels->singular_name ) . '">' . __( 'Edit', $domain ) . '</a></span>' . $attr['after'];
return $attr['before'] . '<span class="edit"><a class="post-edit-link" href="' . esc_url( get_edit_post_link( $post->ID ) ) . '" title="' . sprintf( esc_attr__( 'Edit %1$s', $domain ), $post_type->labels->singular_name ) . '">' . __( 'Edit', $domain ) . '</a></span>' . $attr['after'];
}

/**
Expand Down Expand Up @@ -232,7 +232,7 @@ function hybrid_entry_comments_link_shortcode( $attr ) {
*/
function hybrid_entry_author_shortcode( $attr ) {
$attr = shortcode_atts( array( 'before' => '', 'after' => '' ), $attr );
$author = '<span class="author vcard"><a class="url fn n" href="' . get_author_posts_url( get_the_author_meta( 'ID' ) ) . '" title="' . esc_attr( get_the_author_meta( 'display_name' ) ) . '">' . get_the_author_meta( 'display_name' ) . '</a></span>';
$author = '<span class="author vcard"><a class="url fn n" href="' . esc_url( get_author_posts_url( get_the_author_meta( 'ID' ) ) ) . '" title="' . esc_attr( get_the_author_meta( 'display_name' ) ) . '">' . get_the_author_meta( 'display_name' ) . '</a></span>';
return $attr['before'] . $author . $attr['after'];
}

Expand Down Expand Up @@ -300,7 +300,7 @@ function hybrid_entry_shortlink_shortcode( $attr ) {
$attr
);

$shortlink = wp_get_shortlink( $post->ID );
$shortlink = esc_url( wp_get_shortlink( $post->ID ) );

return "{$attr['before']}<a class='shortlink' href='{$shortlink}' title='" . esc_attr( $attr['title'] ) . "' rel='shortlink'>{$attr['text']}</a>{$attr['after']}";
}
Expand Down Expand Up @@ -340,7 +340,7 @@ function hybrid_comment_author_shortcode( $attr ) {

/* Display link and cite if URL is set. Also, properly cites trackbacks/pingbacks. */
if ( $url )
$output = '<cite class="fn" title="' . $url . '"><a href="' . $url . '" title="' . $author . '" class="url" rel="external nofollow">' . $author . '</a></cite>';
$output = '<cite class="fn" title="' . $url . '"><a href="' . $url . '" title="' . esc_attr( $author ) . '" class="url" rel="external nofollow">' . $author . '</a></cite>';
else
$output = '<cite class="fn">' . $author . '</cite>';

Expand All @@ -359,7 +359,7 @@ function hybrid_comment_permalink_shortcode( $attr ) {

$attr = shortcode_atts( array( 'before' => '', 'after' => '' ), $attr );
$domain = hybrid_get_textdomain();
$link = '<a class="permalink" href="' . get_comment_link( $comment->comment_ID ) . '" title="' . sprintf( esc_attr__( 'Permalink to comment %1$s', $domain ), $comment->comment_ID ) . '">' . __( 'Permalink', $domain ) . '</a>';
$link = '<a class="permalink" href="' . esc_url( get_comment_link( $comment->comment_ID ) ) . '" title="' . sprintf( esc_attr__( 'Permalink to comment %1$s', $domain ), $comment->comment_ID ) . '">' . __( 'Permalink', $domain ) . '</a>';
return $attr['before'] . $link . $attr['after'];
}

Expand All @@ -379,7 +379,7 @@ function hybrid_comment_edit_link_shortcode( $attr ) {
$attr = shortcode_atts( array( 'before' => '', 'after' => '' ), $attr );
$domain = hybrid_get_textdomain();

$link = '<a class="comment-edit-link" href="' . $edit_link . '" title="' . sprintf( esc_attr__( 'Edit %1$s', $domain ), $comment->comment_type ) . '"><span class="edit">' . __( 'Edit', $domain ) . '</span></a>';
$link = '<a class="comment-edit-link" href="' . esc_url( $edit_link ) . '" title="' . sprintf( esc_attr__( 'Edit %1$s', $domain ), $comment->comment_type ) . '"><span class="edit">' . __( 'Edit', $domain ) . '</span></a>';
$link = apply_filters( 'edit_comment_link', $link, $comment->comment_ID );

return $attr['before'] . $link . $attr['after'];
Expand All @@ -399,7 +399,7 @@ function hybrid_comment_reply_link_shortcode( $attr ) {
$defaults = array(
'reply_text' => __( 'Reply', $domain ),
'login_text' => __( 'Log in to reply.', $domain ),
'depth' => $GLOBALS['comment_depth'],
'depth' => intval( $GLOBALS['comment_depth'] ),
'max_depth' => get_option( 'thread_comments_depth' ),
'before' => '',
'after' => ''
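Review bot: In the `hybrid_comment_author_shortcode()` hunk, the new `$output` line still places `$url` unescaped in both the `<cite>` `title` attribute and the `<a href>`, while only `$author` gained `esc_attr()`; unless `$url` is already escaped where it is assigned (above the hunk, not visible here), the line should read `$output = '<cite class="fn" title="' . esc_attr( $url ) . '"><a href="' . esc_url( $url ) . '" title="' . esc_attr( $author ) . '" class="url" rel="external nofollow">' . $author . '</a></cite>';`. The same attribute-only pattern appears in `hybrid_entry_author_shortcode()`, where `display_name` is escaped for the `title` attribute but concatenated raw as the link text, and in the `else` branch here where `$author` goes raw into `<cite>`; if these rely on upstream WordPress filters to sanitise the values, a comment saying so would help the next reader. This assumes the second line of each printed pair is the new side, since the page shows no +/- markers. Both functions start outside their hunks, so the assignments of `$url` and `$author` are not reviewable from this page.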
