new function for escaping within attributes: attribute_escape()

git-svn-id: http://svn.automattic.com/wordpress/trunk@4656 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/admin-ajax.php

@@ -13,9 +13,9 @@ function get_out_now() { exit; }
 add_action( 'shutdown', 'get_out_now', -1 );
 
 function wp_ajax_meta_row( $pid, $mid, $key, $value ) {
-	$value = wp_specialchars($value, true);
+	$value = attribute_escape($value);
 	$key_js = addslashes(wp_specialchars($key, 'double'));
-	$key = wp_specialchars($key, true);
+	$key = attribute_escape($key);
 	$r .= "<tr id='meta-$mid'><td valign='top'>";
 	$r .= "<input name='meta[$mid][key]' tabindex='6' onkeypress='return killSubmit(\"theList.ajaxUpdater(&#039;meta&#039;,&#039;meta-$mid&#039;);\",event);' type='text' size='20' value='$key' />";
 	$r .= "</td><td><textarea name='meta[$mid][value]' tabindex='6' rows='2' cols='30'>$value</textarea></td><td align='center'>";
@@ -141,7 +141,7 @@ function wp_ajax_meta_row( $pid, $mid, $key, $value ) {
 		$cat_full_name = $_cat->cat_name . ' &#8212; ' . $cat_full_name;
 		$level++;
 	}
-	$cat_full_name = wp_specialchars( $cat_full_name, 1 );
+	$cat_full_name = attribute_escape( $cat_full_name);
 
 	$x = new WP_Ajax_Response( array(
 		'what' => 'cat',

wp-admin/admin-functions.php

@@ -323,7 +323,7 @@ function get_default_post_to_edit() {
 	else if ( !empty( $post_title ) ) {
 		$text       = wp_specialchars( stripslashes( urldecode( $_REQUEST['text'] ) ) );
 		$text       = funky_javascript_fix( $text);
-		$popupurl   = wp_specialchars( $_REQUEST['popupurl'] );
+		$popupurl   = attribute_escape($_REQUEST['popupurl']);
         $post_content = '<a href="'.$popupurl.'">'.$post_title.'</a>'."\n$text";
     }
 
@@ -380,16 +380,16 @@ function wp_dropdown_roles( $default = false ) {
 
 function get_user_to_edit( $user_id ) {
 	$user = new WP_User( $user_id );
-	$user->user_login = wp_specialchars( $user->user_login, 1 );
-	$user->user_email = wp_specialchars( $user->user_email, 1 );
-	$user->user_url = wp_specialchars( $user->user_url, 1 );
-	$user->first_name = wp_specialchars( $user->first_name, 1 );
-	$user->last_name = wp_specialchars( $user->last_name, 1 );
-	$user->display_name = wp_specialchars( $user->display_name, 1 );
-	$user->nickname = wp_specialchars( $user->nickname, 1 );
-	$user->aim = wp_specialchars( $user->aim, 1 );
-	$user->yim = wp_specialchars( $user->yim, 1 );
-	$user->jabber = wp_specialchars( $user->jabber, 1 );
+	$user->user_login = attribute_escape( $user->user_login);
+	$user->user_email = attribute_escape( $user->user_email);
+	$user->user_url = attribute_escape( $user->user_url);
+	$user->first_name = attribute_escape( $user->first_name);
+	$user->last_name = attribute_escape( $user->last_name);
+	$user->display_name = attribute_escape( $user->display_name);
+	$user->nickname = attribute_escape( $user->nickname);
+	$user->aim = attribute_escape( $user->aim);
+	$user->yim = attribute_escape( $user->yim);
+	$user->jabber = attribute_escape( $user->jabber);
 	$user->description = wp_specialchars( $user->description );
 
 	return $user;
@@ -527,26 +527,26 @@ function edit_user( $user_id = 0 ) {
 function get_link_to_edit( $link_id ) {
 	$link = get_link( $link_id );
 
-	$link->link_url = wp_specialchars( $link->link_url, 1 );
-	$link->link_name = wp_specialchars( $link->link_name, 1 );
-	$link->link_image = wp_specialchars( $link->link_image, 1 );
-	$link->link_description = wp_specialchars( $link->link_description, 1 );
+	$link->link_url = attribute_escape( $link->link_url);
+	$link->link_name = attribute_escape( $link->link_name);
+	$link->link_image = attribute_escape( $link->link_image);
+	$link->link_description = attribute_escape( $link->link_description);
 	$link->link_notes = wp_specialchars( $link->link_notes );
-	$link->link_rss = wp_specialchars( $link->link_rss, 1 );
-	$link->link_rel = wp_specialchars( $link->link_rel, 1 );
+	$link->link_rss = attribute_escape( $link->link_rss);
+	$link->link_rel = attribute_escape( $link->link_rel);
 	$link->post_category = $link->link_category;
 
 	return $link;
 }
 
 function get_default_link_to_edit() {
 	if ( isset( $_GET['linkurl'] ) )
-		$link->link_url = wp_specialchars( $_GET['linkurl'], 1 );
+		$link->link_url = attribute_escape( $_GET['linkurl']);
 	else
 		$link->link_url = '';
 
 	if ( isset( $_GET['name'] ) )
-		$link->link_name = wp_specialchars( $_GET['name'], 1 );
+		$link->link_name = attribute_escape( $_GET['name']);
 	else
 		$link->link_name = '';
 
@@ -831,7 +831,7 @@ function user_row( $user_object, $style = '' ) {
 	}
 	$r .= "</td>\n\t\t<td>";
 	if ( current_user_can( 'edit_user', $user_object->ID ) ) {
-		$edit_link = wp_specialchars( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), "user-edit.php?user_id=$user_object->ID" ) );
+		$edit_link = attribute_escape( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), "user-edit.php?user_id=$user_object->ID" ));
 		$r .= "<a href='$edit_link' class='edit'>".__( 'Edit' )."</a>";
 	}
 	$r .= "</td>\n\t</tr>";
@@ -911,8 +911,8 @@ function list_meta( $meta ) {
 		}
 
 		$key_js = js_escape( $entry['meta_key'] );
-		$entry['meta_key'] = wp_specialchars( $entry['meta_key'], true );
-		$entry['meta_value'] = wp_specialchars( $entry['meta_value'], true );
+		$entry['meta_key'] = attribute_escape( $entry['meta_key']);
+		$entry['meta_value'] = attribute_escape( $entry['meta_value']);
 		$r .= "\n\t<tr id='meta-{$entry['meta_id']}' class='$style'>";
 		$r .= "\n\t\t<td valign='top'><input name='meta[{$entry['meta_id']}][key]' tabindex='6' type='text' size='20' value='{$entry['meta_key']}' /></td>";
 		$r .= "\n\t\t<td><textarea name='meta[{$entry['meta_id']}][value]' tabindex='6' rows='2' cols='30'>{$entry['meta_value']}</textarea></td>";
@@ -965,7 +965,7 @@ function meta_form() {
 <?php
 
 	foreach ( $keys as $key ) {
-		$key = wp_specialchars( $key, 1 );
+		$key = attribute_escape( $key);
 		echo "\n\t<option value='$key'>$key</option>";
 	}
 ?>
@@ -1992,7 +1992,7 @@ function wp_reset_vars( $vars ) {
 
 function wp_remember_old_slug() {
 	global $post;
-	$name = wp_specialchars($post->post_name); // just in case
+	$name = attribute_escape($post->post_name); // just in case
 	if ( strlen($name) )
 		echo '<input type="hidden" id="wp-old-slug" name="wp-old-slug" value="' . $name . '" />';
 }

wp-admin/bookmarklet.php

@@ -37,7 +37,7 @@
 
 
 $content  = wp_specialchars($_REQUEST['content']);
-$popupurl = wp_specialchars($_REQUEST['popupurl']);
+$popupurl = attribute_escape($_REQUEST['popupurl']);
 if ( !empty($content) ) {
 	$post->post_content = wp_specialchars( stripslashes($_REQUEST['content']) );
 } else {

wp-admin/edit-category-form.php

@@ -26,11 +26,11 @@
 	<table class="editform" width="100%" cellspacing="2" cellpadding="5">
 		<tr>
 			<th width="33%" scope="row" valign="top"><label for="cat_name"><?php _e('Category name:') ?></label></th>
-			<td width="67%"><input name="cat_name" id="cat_name" type="text" value="<?php echo wp_specialchars($category->cat_name); ?>" size="40" /></td>
+			<td width="67%"><input name="cat_name" id="cat_name" type="text" value="<?php echo attribute_escape($category->cat_name); ?>" size="40" /></td>
 		</tr>
 		<tr>
 			<th scope="row" valign="top"><label for="category_nicename"><?php _e('Category slug:') ?></label></th>
-			<td><input name="category_nicename" id="category_nicename" type="text" value="<?php echo wp_specialchars($category->category_nicename); ?>" size="40" /></td>
+			<td><input name="category_nicename" id="category_nicename" type="text" value="<?php echo attribute_escape($category->category_nicename); ?>" size="40" /></td>
 		</tr>
 		<tr>
 			<th scope="row" valign="top"><label for="category_parent"><?php _e('Category parent:') ?></label></th>
@@ -40,7 +40,7 @@
 		</tr>
 		<tr>
 			<th scope="row" valign="top"><label for="category_description"><?php _e('Description: (optional)') ?></label></th>
-			<td><textarea name="category_description" id="category_description" rows="5" cols="50" style="width: 97%;"><?php echo wp_specialchars($category->category_description, 1); ?></textarea></td>
+			<td><textarea name="category_description" id="category_description" rows="5" cols="50" style="width: 97%;"><?php echo wp_specialchars($category->category_description); ?></textarea></td>
 		</tr>
 	</table>
 <p class="submit"><input type="submit" name="submit" value="<?php echo $submit_text ?>" /></p>

wp-admin/edit-comments.php

@@ -7,7 +7,7 @@
 
 require_once('admin-header.php');
 if (empty($_GET['mode'])) $mode = 'view';
-else $mode = wp_specialchars($_GET['mode'], 1);
+else $mode = attribute_escape($_GET['mode']);
 ?>
 
 <script type="text/javascript">
@@ -42,7 +42,7 @@ function getNumChecked(form)
 <form name="searchform" action="" method="get" id="editcomments"> 
   <fieldset> 
   <legend><?php _e('Show Comments That Contain...') ?></legend> 
-  <input type="text" name="s" value="<?php if (isset($_GET['s'])) echo wp_specialchars($_GET['s'], 1); ?>" size="17" /> 
+  <input type="text" name="s" value="<?php if (isset($_GET['s'])) echo attribute_escape($_GET['s']); ?>" size="17" /> 
   <input type="submit" name="submit" value="<?php _e('Search') ?>"  />  
   <input type="hidden" name="mode" value="<?php echo $mode; ?>" />
   <?php _e('(Searches within comment text, e-mail, URL, and IP address.)') ?>

wp-admin/edit-form-advanced.php

@@ -168,11 +168,11 @@ function focusit() {
 ?>
 <input name="referredby" type="hidden" id="referredby" value="<?php 
 if ( !empty($_REQUEST['popupurl']) )
-	echo wp_specialchars($_REQUEST['popupurl']);
+	echo attribute_escape(stripslashes($_REQUEST['popupurl']));
 else if ( url_to_postid(wp_get_referer()) == $post_ID )
 	echo 'redo';
 else
-	echo wp_specialchars(wp_get_referer());
+	echo attribute_escape(stripslashes(wp_get_referer()));
 ?>" /></p>
 
 <?php do_action('edit_form_advanced'); ?>

wp-admin/edit-link-form.php

@@ -247,7 +247,7 @@ function xfn_check($class, $value = '', $type = 'check') {
 <?php if ( $link_id ) : ?>
 <input type="hidden" name="action" value="save" />
 <input type="hidden" name="link_id" value="<?php echo (int) $link_id; ?>" />
-<input type="hidden" name="order_by" value="<?php echo wp_specialchars($order_by, 1); ?>" />
+<input type="hidden" name="order_by" value="<?php echo attribute_escape($order_by); ?>" />
 <input type="hidden" name="cat_id" value="<?php echo (int) $cat_id ?>" />
 <?php else: ?>
 <input type="hidden" name="action" value="add" />

wp-admin/edit-page-form.php

@@ -13,12 +13,10 @@
 	$form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />";
 }
 
-$sendto = wp_get_referer();
+$sendto = attribute_escape(stripslashes(wp_get_referer()));
 
 if ( 0 != $post_ID && $sendto == get_permalink($post_ID) )
 	$sendto = 'redo';
-$sendto = wp_specialchars( $sendto );
-
 ?>
 
 <form name="post" action="page.php" method="post" id="post">

wp-admin/edit-pages.php

@@ -13,7 +13,7 @@
 <form name="searchform" action="" method="get">
 	<fieldset>
 	<legend><?php _e('Search Pages&hellip;') ?></legend>
-	<input type="text" name="s" value="<?php if (isset($_GET['s'])) echo wp_specialchars($_GET['s'], 1); ?>" size="17" />
+	<input type="text" name="s" value="<?php if (isset($_GET['s'])) echo attribute_escape($_GET['s']); ?>" size="17" />
 	<input type="submit" name="submit" value="<?php _e('Search') ?>"  />
 	</fieldset>
 </form>

wp-admin/edit.php

@@ -76,7 +76,7 @@
 <form name="searchform" id="searchform" action="" method="get">
   <fieldset> 
   <legend><?php _e('Search Posts&hellip;') ?></legend> 
-  <input type="text" name="s" value="<?php if (isset($s)) echo wp_specialchars($s, 1); ?>" size="17" /> 
+  <input type="text" name="s" value="<?php if (isset($s)) echo attribute_escape($s); ?>" size="17" /> 
   <input type="submit" name="submit" value="<?php _e('Search') ?>" class="button" /> 
   </fieldset>
 </form>

wp-admin/link-manager.php

@@ -116,7 +116,7 @@ function checkAll(form)
 <?php wp_nonce_field('bulk-bookmarks') ?>
 <input type="hidden" name="link_id" value="" />
 <input type="hidden" name="action" value="" />
-<input type="hidden" name="order_by" value="<?php echo wp_specialchars($order_by, 1); ?>" />
+<input type="hidden" name="order_by" value="<?php echo attribute_escape($order_by); ?>" />
 <input type="hidden" name="cat_id" value="<?php echo (int) $cat_id ?>" />
 <table class="widefat">
 	<thead>
@@ -130,9 +130,9 @@ function checkAll(form)
 	<tbody id="the-list">
 <?php
 	foreach ($links as $link) {
-		$link->link_name = wp_specialchars($link->link_name);
+		$link->link_name = attribute_escape($link->link_name);
 		$link->link_description = wp_specialchars($link->link_description);
-		$link->link_url = wp_specialchars($link->link_url);
+		$link->link_url = attribute_escape($link->link_url);
 		$link->link_category = wp_get_link_cats($link->link_id);
 		$short_url = str_replace('http://', '', $link->link_url);
 		$short_url = str_replace('www.', '', $short_url);

wp-admin/options-misc.php

@@ -18,7 +18,7 @@
 <table class="editform optiontable">
 <tr valign="top">
 <th scope="row"><?php _e('Store uploads in this folder'); ?>:</th>
-<td><input name="upload_path" type="text" id="upload_path" class="code" value="<?php echo wp_specialchars(str_replace(ABSPATH, '', get_option('upload_path')), 1); ?>" size="40" />
+<td><input name="upload_path" type="text" id="upload_path" class="code" value="<?php echo attribute_escape(str_replace(ABSPATH, '', get_option('upload_path'))); ?>" size="40" />
 <br />
 <?php _e('Default is <code>wp-content/uploads</code>'); ?>
 </td>

wp-admin/options-permalink.php

@@ -149,7 +149,7 @@ function blurry() {
 </label>
 <br />
 </p>
-<p id="customstructure"><?php _e('Custom structure'); ?>: <input name="permalink_structure" id="permalink_structure" type="text" class="code" style="width: 60%;" value="<?php echo wp_specialchars($permalink_structure, 1); ?>" size="50" /></p>
+<p id="customstructure"><?php _e('Custom structure'); ?>: <input name="permalink_structure" id="permalink_structure" type="text" class="code" style="width: 60%;" value="<?php echo attribute_escape($permalink_structure); ?>" size="50" /></p>
 
 <h3><?php _e('Optional'); ?></h3>
 <?php if ($is_apache) : ?>
@@ -158,7 +158,7 @@ function blurry() {
 	<p><?php _e('If you like, you may enter a custom prefix for your category <abbr title="Universal Resource Locator">URL</abbr>s here. For example, <code>/index.php/taxonomy/tags</code> would make your category links like <code>http://example.org/index.php/taxonomy/tags/uncategorized/</code>. If you leave this blank the default will be used.') ?></p>
 <?php endif; ?>
 	<p> 
-  <?php _e('Category base'); ?>: <input name="category_base" type="text" class="code"  value="<?php echo wp_specialchars($category_base, 1); ?>" size="30" /> 
+  <?php _e('Category base'); ?>: <input name="category_base" type="text" class="code"  value="<?php echo attribute_escape($category_base); ?>" size="30" /> 
      </p> 
     <p class="submit"> 
       <input type="submit" name="submit" value="<?php _e('Update Permalink Structure &raquo;') ?>" /> 

wp-admin/options.php

@@ -158,7 +158,7 @@ function sanitize_option($option, $value) { // Remember to call stripslashes!
 ?>
   </table>
 <?php $options_to_update = implode(',', $options_to_update); ?>
-<p class="submit"><input type="hidden" name="page_options" value="<?php echo wp_specialchars($options_to_update, true); ?>" /><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
+<p class="submit"><input type="hidden" name="page_options" value="<?php echo attribute_escape($options_to_update); ?>" /><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
   </form>
 </div>
 

wp-admin/page.php

@@ -57,7 +57,7 @@
 	?>
 	<div id='preview' class='wrap'>
 	<h2 id="preview-post"><?php _e('Page Preview (updated when page is saved)'); ?></h2>
-		<iframe src="<?php echo wp_specialchars(apply_filters('preview_page_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
+		<iframe src="<?php echo attribute_escape(apply_filters('preview_page_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
 	</div>
 	<?php
 	break;

wp-admin/post.php

@@ -63,7 +63,7 @@
 	?>
 	<div id='preview' class='wrap'>
 	<h2 id="preview-post"><?php _e('Post Preview (updated when post is saved)'); ?></h2>
-		<iframe src="<?php echo wp_specialchars(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
+		<iframe src="<?php echo attribute_escape(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
 	</div>
 	<?php
 	break;

wp-admin/templates.php

@@ -98,7 +98,7 @@
 <?php
 echo '<ol>';
 foreach ($recents as $recent) :
-	echo "<li><a href='templates.php?file=" . wp_specialchars($recent, true) . "'>" . get_file_description(basename($recent)) . "</a></li>";
+	echo "<li><a href='templates.php?file=" . attribute_escape($recent) . "'>" . get_file_description(basename($recent)) . "</a></li>";
 endforeach;
 echo '</ol>';
 endif;

wp-admin/theme-editor.php

@@ -88,7 +88,7 @@
 		$theme_name = $a_theme['Name'];
 		if ($theme_name == $theme) $selected = " selected='selected'";
 		else $selected = '';
-		$theme_name = wp_specialchars($theme_name, true);
+		$theme_name = attribute_escape($theme_name);
 		echo "\n\t<option value=\"$theme_name\" $selected>$theme_name</option>";
 	}
 ?>

wp-admin/upgrade.php

@@ -28,7 +28,7 @@
 <?php
 switch($step) {
 	case 0:
-		$goback = wp_specialchars(wp_get_referer());
+		$goback = attribute_escape(stripslashes(wp_get_referer()));
 ?> 
 <p><?php _e('This file upgrades you from any previous version of WordPress to the latest. It may take a while though, so be patient.'); ?></p> 
 <h2 class="step"><a href="upgrade.php?step=1&amp;backto=<?php echo $goback; ?>"><?php _e('Upgrade WordPress &raquo;'); ?></a></h2>
@@ -40,7 +40,7 @@
 		if ( empty( $_GET['backto'] ) )
 			$backto = __get_option('home');
 		else
-			$backto = wp_specialchars( $_GET['backto'] , 1 );
+			$backto = attribute_escape(stripslashes($_GET['backto']));
 ?> 
 <h2><?php _e('Step 1'); ?></h2> 
 	<p><?php printf(__("There's actually only one step. So if you see this, you're done. <a href='%s'>Have fun</a>!"),  $backto); ?></p>

wp-admin/upload-functions.php

@@ -7,7 +7,7 @@ function wp_upload_display( $dims = false, $href = '' ) {
 		list($width,$height) = wp_shrink_dimensions($attachment_data['width'], $attachment_data['height'], 171, 128);
 	ob_start();
 		the_title();
-		$post_title = wp_specialchars( ob_get_contents(), 1 );
+		$post_title = attribute_escape( ob_get_contents());
 	ob_end_clean();
 	$post_content = apply_filters( 'content_edit_pre', $post->post_content );
 
@@ -71,9 +71,9 @@ function wp_upload_view() {
 				echo '[ ';
 				echo '<a href="' . get_permalink() . '">' . __('view') . '</a>';
 				echo '&nbsp;|&nbsp;';
-					echo '<a href="' . wp_specialchars( add_query_arg( 'action', 'edit' ), 1 ) . '" title="' . __('Edit this file') . '">' . __('edit') . '</a>';
+					echo '<a href="' . attribute_escape( add_query_arg( 'action', 'edit' )) . '" title="' . __('Edit this file') . '">' . __('edit') . '</a>';
 				echo '&nbsp;|&nbsp;';
-				echo '<a href="' . wp_specialchars( remove_query_arg( array('action', 'ID') ), 1 ) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
+				echo '<a href="' . attribute_escape( remove_query_arg( array('action', 'ID') )) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
 				echo '&nbsp;]'; ?></span>
 		</div>
 
@@ -111,9 +111,9 @@ function wp_upload_form() {
 				echo '[&nbsp;';
 				echo '<a href="' . get_permalink() . '">' . __('view') . '</a>';
 				echo '&nbsp;|&nbsp;';
-					echo '<a href="' . wp_specialchars( add_query_arg( 'action', 'view' ), 1 ) . '">' . __('links') . '</a>';
+					echo '<a href="' . attribute_escape( add_query_arg( 'action', 'view' )) . '">' . __('links') . '</a>';
 				echo '&nbsp;|&nbsp;';
-				echo '<a href="' . wp_specialchars( remove_query_arg( array('action','ID') ), 1 ) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
+				echo '<a href="' . attribute_escape( remove_query_arg( array('action','ID') )) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
 				echo '&nbsp;]'; ?></span>
 		</div>