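diff --git wp-admin/edit-tag-form.php wp-admin/edit-tag-form.php
index dbf669f..1598a62 100644
--- a/wp-admin/edit-tag-form.php
+++ b/wp-admin/edit-tag-form.php
@@ -61,7 +61,7 @@ do_action($taxonomy . '_pre_edit_form', $tag, $taxonomy); ?>
 <?php endif; // is_taxonomy_hierarchical() ?>
 <tr class="form-field">
 <th scope="row" valign="top"><label for="description"><?php _ex('Description', 'Taxonomy Description'); ?></label></th>
-<td><textarea name="description" id="description" rows="5" cols="50" style="width: 97%;"><?php echo esc_textarea( $tag->description ); ?></textarea><br />
+<td><textarea name="description" id="description" rows="5" cols="50" style="width: 97%;"><?php echo $tag->description; // already escaped ?></textarea><br />
 <span class="description"><?php _e('The description is not prominent by default, however some themes may show it.'); ?></span></td>
 </tr>
 <?php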
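Review bot: The textarea on new line 64 is safe only if `$tag` was fetched in the 'edit' sanitization context, and the `// already escaped` comment does not say so; nothing in this template shows where `$tag` comes from, so a reader cannot verify the claim. Name the escaping site so the dependency is auditable, e.g. `// escaped by sanitize_term_field() in the 'edit' context; do not re-escape`. If any code path renders this form with a term loaded in 'raw' or 'display' context, the description is emitted unescaped and a `</textarea>` inside it breaks out of the element. The surrounding template continues outside the hunk.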
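diff --git wp-admin/includes/media.php wp-admin/includes/media.php
index 33e7867..9038888 100644
--- a/wp-admin/includes/media.php
+++ b/wp-admin/includes/media.php
@@ -1343,7 +1343,10 @@ function get_media_item( $attachment_id, $args = null ) {
 if ( !empty( $field[ $field['input'] ] ) )
 $item .= $field[ $field['input'] ];
 elseif ( $field['input'] == 'textarea' ) {
-$item .= "<textarea type='text' id='$name' name='$name' $aria_required>" . esc_textarea( $field['value'] ) . '</textarea>';
+if ( user_can_richedit() ) { // already escaped when user_can_richedit() = false
+$field['value'] = esc_textarea( $field['value'] );
+}
+$item .= "<textarea type='text' id='$name' name='$name' $aria_required>" . $field['value'] . '</textarea>';
 } else {
 $item .= "<input type='text' class='text' id='$name' name='$name' value='" . esc_attr( $field['value'] ) . "' $aria_required />";
 }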
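Review bot: The escaping decision on new line 1346 is keyed on the user, not on which field is being rendered, yet the comment implies only one sanitizer path leaves a value unescaped for richedit users; if that is true, any other textarea field that arrives already escaped is escaped twice in the richedit branch, and a textarea field supplied by a filter that does not pre-escape is emitted raw for non-richedit users. Where `$field['value']` is populated and which field the richedit sanitizer skips is above the hunk, so this is inferred, but the condition should be keyed on the field's identifier as well as the user, along the lines of `if ( <field id> == 'post_content' && user_can_richedit() ) { // sanitizer skips post_content for richedit users`, with a second comment naming the sanitizer that escapes the remaining textarea fields. The exact field key and variable must be confirmed against the code above the hunk. `get_media_item()` starts and ends outside the hunk.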
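diff --git wp-admin/includes/meta-boxes.php wp-admin/includes/meta-boxes.php
index 42678db..96466b5 100644
--- a/wp-admin/includes/meta-boxes.php
+++ b/wp-admin/includes/meta-boxes.php
@@ -288,7 +288,7 @@ function post_tags_meta_box($post, $box) {
 <div class="jaxtag">
 <div class="nojs-tags hide-if-js">
 <p><?php echo $taxonomy->labels->add_or_remove_items; ?></p>
-<textarea name="<?php echo "tax_input[$tax_name]"; ?>" rows="3" cols="20" class="the-tags" id="tax-input-<?php echo $tax_name; ?>" <?php echo $disabled; ?>><?php echo esc_textarea( get_terms_to_edit( $post->ID, $tax_name ) ); ?></textarea></div>
+<textarea name="<?php echo "tax_input[$tax_name]"; ?>" rows="3" cols="20" class="the-tags" id="tax-input-<?php echo $tax_name; ?>" <?php echo $disabled; ?>><?php echo get_terms_to_edit( $post->ID, $tax_name ); // escaped by esc_attr() ?></textarea></div>
 <?php if ( current_user_can($taxonomy->cap->assign_terms) ) : ?>
 <div class="ajaxtag hide-if-no-js">
 <label class="screen-reader-text" for="new-tag-<?php echo $tax_name; ?>"><?php echo $box['title']; ?></label>
@@ -892,7 +892,7 @@ function link_advanced_meta_box($link) {
 </tr>
 <tr class="form-field">
 <th valign="top" scope="row"><label for="link_notes"><?php _e('Notes') ?></label></th>
-<td><textarea name="link_notes" id="link_notes" cols="50" rows="10" style="width: 95%"><?php echo esc_textarea( ( isset( $link->link_notes ) ? $link->link_notes : '') ); ?></textarea></td>
+<td><textarea name="link_notes" id="link_notes" cols="50" rows="10" style="width: 95%"><?php echo ( isset( $link->link_notes ) ? $link->link_notes : ''); // escaped ?></textarea></td>
 </tr>
 <tr class="form-field">
 <th valign="top" scope="row"><label for="link_rating"><?php _e('Rating') ?></label></th>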
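Review bot: The `// escaped` comment on new line 895 does not name what escaped `link_notes`, and the textarea is only safe if the `$link` handed to `link_advanced_meta_box()` was loaded in the 'edit' sanitization context, which nothing in the hunk establishes. Replace the comment with one that states the caller's obligation, e.g. `// $link must be loaded in the 'edit' context: sanitize_bookmark_field() esc_html()s link_notes there`, so anyone rendering this meta box with a differently loaded bookmark can see the requirement. By contrast the `// escaped by esc_attr()` on new line 291 of the first hunk names the helper that does the escaping, which is the form this comment should take. Both meta-box functions start and end outside the hunk.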
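diff --git wp-admin/press-this.php wp-admin/press-this.php
index 1d826a8..282c4f9 100644
--- a/wp-admin/press-this.php
+++ b/wp-admin/press-this.php
@@ -83,7 +83,7 @@ $title = isset( $_GET['t'] ) ? trim( strip_tags( html_entity_decode( stripslashe
 $selection = '';
 if ( !empty($_GET['s']) ) {
 $selection = str_replace(''', "'", stripslashes($_GET['s']));
-$selection = trim( htmlspecialchars( html_entity_decode($selection, ENT_QUOTES) ) );
+$selection = trim( html_entity_decode($selection, ENT_QUOTES) );
 }
 
 if ( ! empty($selection) ) {
@@ -598,7 +598,7 @@ var photostorage = false;
 <div class="editor-container">
 <textarea name="content" id="content" style="width:100%;" class="theEditor" rows="15"><?php
 if ( $selection )
-echo wp_richedit_pre($selection);
+echo esc_textarea($selection);
 if ( $url ) {
 echo '<p>';
 if ( $selection )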
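Review bot: `$selection` is raw, decoded, unescaped user input from `$_GET['s']` from new line 86 onward, where before it was HTML-escaped at intake; the editor textarea at new line 601 now escapes it with `esc_textarea()`, but every other read of `$selection` in this file — starting with the `if ( ! empty($selection) )` block at line 89 and whatever it builds — must now escape for its own output context, and the hunk cannot show that they do. Make the contract explicit at the assignment, e.g. `// $selection is raw (entity-decoded, unescaped) user input from here on; escape at every output site`. Separately, `html_entity_decode()` is called without a charset argument, so on PHP versions that default to ISO-8859-1 it can produce bytes that are invalid in a UTF-8 blog; passing `get_option('blog_charset')` as the third argument would avoid that, though the omission predates this change.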
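diff --git wp-includes/bookmark.php wp-includes/bookmark.php
index ddb5e13..03ef92c 100644
--- a/wp-includes/bookmark.php
+++ b/wp-includes/bookmark.php
@@ -334,13 +334,11 @@ function sanitize_bookmark_field($field, $value, $bookmark_id, $context) {
 return $value;
 
 if ( 'edit' == $context ) {
-$format_to_edit = array('link_notes');
 $value = apply_filters("edit_$field", $value, $bookmark_id);
-
-if ( in_array($field, $format_to_edit) ) {
-$value = format_to_edit($value);
+if ( $field == 'link_notes' ) {
+$value = esc_html( $value );
 } else {
-$value = esc_attr($value);
+$value = esc_attr( $value );
 }
 } else if ( 'db' == $context ) {
 $value = apply_filters("pre_$field", $value);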
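Review bot: The `format_to_edit` filter no longer runs on `link_notes` in the edit context after new line 339, because `esc_html( $value )` replaces `format_to_edit($value)` and nothing re-applies the hook; plugins filtering bookmark notes on edit silently stop being called. If that is intended, record it, e.g. `// esc_html(), not format_to_edit(): the edit form echoes link_notes without re-escaping`. Also confirm how `esc_html()` treats entities already present in the stored value: if it does not re-encode an existing `&amp;`, a note containing that literal text is shown in the form as `&` and saved back altered. `sanitize_bookmark_field()` starts and ends outside the hunk.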
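diff --git wp-includes/formatting.php wp-includes/formatting.php
index c34c4f1..718ad71 100644
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -1126,7 +1126,7 @@ function force_balance_tags( $text ) {
 function format_to_edit($content, $richedit = false) {
 $content = apply_filters('format_to_edit', $content);
 if (! $richedit )
-$content = htmlspecialchars($content);
+$content = esc_textarea($content);
 return $content;
 }
 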
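Review bot: The behaviour change at new line 1129 is not documented: assuming `esc_textarea()` is `htmlspecialchars()` with ENT_QUOTES and the blog charset, as its name suggests, the non-richedit result now encodes single quotes that the old bare `htmlspecialchars()` call (default ENT_COMPAT) passed through, and it converts using the blog charset rather than PHP's default. Callers that placed the result inside a single-quoted attribute were exposed before and are protected now, which is worth a line in the commit message. The docblock above the hunk should state the contract, e.g. `@return string Content with HTML special characters, including both quote types, escaped for a textarea; returned unescaped when $richedit is true`. The `esc_textarea` filter, if that helper applies one, now also runs on every non-richedit edit value.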
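diff --git wp-includes/taxonomy.php wp-includes/taxonomy.php
index b708838..05848b7 100644
--- a/wp-includes/taxonomy.php
+++ b/wp-includes/taxonomy.php
@@ -1520,10 +1520,12 @@ function sanitize_term_field($field, $value, $term_id, $taxonomy, $context) {
 if ( 'edit' == $context ) {
 $value = apply_filters("edit_term_{$field}", $value, $term_id, $taxonomy);
 $value = apply_filters("edit_{$taxonomy}_{$field}", $value, $term_id);
-if ( 'description' == $field )
-$value = format_to_edit($value);
-else
-$value = esc_attr($value);
+
+if ( $field == 'description' ) {
+$value = esc_html( $value );
+} else {
+$value = esc_attr( $value );
+}
 } else if ( 'db' == $context ) {
 $value = apply_filters("pre_term_{$field}", $value, $taxonomy);
 $value = apply_filters("pre_{$taxonomy}_{$field}", $value);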
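Review bot: Nothing at new lines 1524–1526 records that the term edit form now echoes `description` without any further escaping, so this `esc_html( $value )` is the sole barrier between a stored description and the edit textarea; that coupling is invisible to whoever next touches either side. Add a comment here stating it, e.g. `// edit forms echo description as-is: this is the only escape it gets`. The removed lines also applied the `format_to_edit` filter to `description`, which no longer runs in the edit context; confirm no plugin depends on it, or note the removal in the commit. `sanitize_term_field()` starts and ends outside the hunk.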
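diff --git wp-includes/user.php wp-includes/user.php
index c9e4cb4..fb97b06 100644
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@@ -1211,7 +1211,7 @@ function sanitize_user_field($field, $value, $user_id, $context) {
 }
 
 if ( 'description' == $field )
-$value = esc_textarea( $value );
+$value = esc_html( $value );
 else
 $value = esc_attr($value);
 } else if ( 'db' == $context ) {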
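Review bot: A stored description containing literal entity text can be altered by a round trip through the profile form after new line 1214: if `esc_html()` does not re-encode existing entities (which is what the surrounding anti-double-escaping changes rely on), a bio containing the literal text `&lt;b&gt;` is shown in the textarea as `<b>` and, when the form is saved untouched, stored differently from what the user typed. `esc_textarea()` on the removed line did not have that property, so this is a deliberate trade that should be documented, e.g. `// esc_html(): no double-encoding, the profile form echoes this as-is`, and the round trip should be checked in the profile editor. The branch sits inside an `'edit' == $context` block that begins outside the hunk, so the context check itself is not visible here.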