
Ticket #32233: 32233.patch

File 32233.patch, 6.6 KB (added by McGuive7, 7 years ago)

Patch adding the missing escaping functions to /wp-admin/includes/template.php

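--- a/wp-admin/includes/template.php
+++ b/wp-admin/includes/template.php
@@ -569,8 +569,8 @@
 <table id="list-table" style="display: none;">
         <thead>
         <tr>
-                <th class="left">' . _x( 'Name', 'meta name' ) . '</th>
-                <th>' . __( 'Value' ) . '</th>
+                <th class="left">' . esc_html_x( 'Name', 'meta name' ) . '</th>
+                <th>' . esc_html__( 'Value' ) . '</th>
         </tr>
         </thead>
         <tbody id="the-list" data-wp-lists="list:meta">
@@ -584,8 +584,8 @@
 <table id="list-table">
         <thead>
         <tr>
-                <th class="left"><?php _ex( 'Name', 'meta name' ) ?></th>
-                <th><?php _e( 'Value' ) ?></th>
+                <th class="left"><?php echo esc_html_x( 'Name', 'meta name' ) ?></th>
+                <th><?php esc_html_e( 'Value' ) ?></th>
         </tr>
         </thead>
         <tbody id='the-list' data-wp-lists='list:meta'>
@@ -830,7 +830,7 @@
         ksort( $templates );
         foreach ( array_keys( $templates ) as $template ) {
                 $selected = selected( $default, $templates[ $template ], false );
-                echo "\n\t<option value='" . $templates[ $template ] . "' $selected>$template</option>";
+                echo "\n\t<option value='" . esc_attr( $templates[ $template ] ) . "' $selected>" . esc_html( $template ) . "</option>";
         }
 }
 
@@ -921,7 +921,7 @@
 <label for="upload"><?php _e( 'Choose a file from your computer:' ); ?></label> (<?php printf( __('Maximum size: %s' ), $size ); ?>)
 <input type="file" id="upload" name="import" size="25" />
 <input type="hidden" name="action" value="save" />
-<input type="hidden" name="max_file_size" value="<?php echo $bytes; ?>" />
+<input type="hidden" name="max_file_size" value="<?php esc_attr_e( $bytes ); ?>" />
 </p>
 <?php submit_button( __('Upload file and import'), 'button' ); ?>
 </form>
@@ -1069,7 +1069,7 @@
                                                 echo '<div id="' . $box['id'] . '" class="postbox ' . postbox_classes($box['id'], $page) . $hidden_class . '" ' . '>' . "\n";
                                                 if ( 'dashboard_browser_nag' != $box['id'] )
                                                         echo '<div class="handlediv" title="' . esc_attr__('Click to toggle') . '"><br /></div>';
-                                                echo "<h3 class='hndle'><span>{$box['title']}</span></h3>\n";
+                                                echo '<h3 class="hndle"><span>' . esc_html( $box['title'] ) . '</span></h3>' . "\n";
                                                 echo '<div class="inside">' . "\n";
                                                 call_user_func($box['callback'], $object, $box);
                                                 echo "</div>\n";
@@ -1297,7 +1297,7 @@
 
         foreach ( (array) $wp_settings_sections[$page] as $section ) {
                 if ( $section['title'] )
-                        echo "<h3>{$section['title']}</h3>\n";
+                        echo '<h3>' . esc_html( $section['title'] ) . '</h3>' . "\n";
 
                 if ( $section['callback'] )
                         call_user_func( $section['callback'], $section );
@@ -1340,9 +1340,9 @@
                 echo "<tr{$class}>";
 
                 if ( ! empty( $field['args']['label_for'] ) ) {
-                        echo '<th scope="row"><label for="' . esc_attr( $field['args']['label_for'] ) . '">' . $field['title'] . '</label></th>';
+                        echo '<th scope="row"><label for="' . esc_attr( $field['args']['label_for'] ) . '">' . esc_html( $field['title'] ) . '</label></th>';
                 } else {
-                        echo '<th scope="row">' . $field['title'] . '</th>';
+                        echo '<th scope="row">' . esc_html( $field['title'] ) . '</th>';
                 }
 
                 echo '<td>';
@@ -1484,7 +1484,7 @@
                 $css_id = 'setting-error-' . $details['code'];
                 $css_class = $details['type'] . ' settings-error notice is-dismissible';
                 $output .= "<div id='$css_id' class='$css_class'> \n";
-                $output .= "<p><strong>{$details['message']}</strong></p>";
+                $output .= '<p><strong>' . esc_html( $details['message'] ) . '</strong></p>';
                 $output .= "</div> \n";
         }
         echo $output;
@@ -1589,7 +1589,7 @@
         @header( 'Content-Type: ' . get_option( 'html_type' ) . '; charset=' . get_option( 'blog_charset' ) );
         _wp_admin_html_begin();
 ?>
-<title><?php bloginfo('name') ?> &rsaquo; <?php echo $title ?> &#8212; <?php _e('WordPress'); ?></title>
+<title><?php bloginfo('name'); ?> &rsaquo; <?php esc_html_e( $title ); ?> &#8212; <?php _e('WordPress'); ?></title>
 <?php
 wp_enqueue_style( 'colors' );
 ?>
@@ -1598,8 +1598,8 @@
 function tb_close(){var win=window.dialogArguments||opener||parent||top;win.tb_remove();}
 var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>',
         pagenow = '<?php echo $current_screen->id; ?>',
-        typenow = '<?php echo $current_screen->post_type; ?>',
-        adminpage = '<?php echo $admin_body_class; ?>',
+        typenow = <?php echo wp_json_encode( $current_screen->post_type ); ?>,
+        adminpage = <?php echo wp_json_encode( $admin_body_class ); ?>,
         thousandsSeparator = '<?php echo addslashes( $wp_locale->number_format['thousands_sep'] ); ?>',
         decimalPoint = '<?php echo addslashes( $wp_locale->number_format['decimal_point'] ); ?>',
         isRtl = <?php echo (int) is_rtl(); ?>;
@@ -1637,7 +1637,7 @@
 /** This filter is documented in wp-admin/admin-header.php */
 $admin_body_classes = apply_filters( 'admin_body_class', '' );
 ?>
-<body<?php if ( isset($GLOBALS['body_id']) ) echo ' id="' . $GLOBALS['body_id'] . '"'; ?> class="wp-admin wp-core-ui no-js iframe <?php echo $admin_body_classes . ' ' . $admin_body_class; ?>">
+<body<?php if ( isset($GLOBALS['body_id']) ) echo ' id="' . esc_attr( $GLOBALS['body_id'] ) . '"'; ?> class="wp-admin wp-core-ui no-js iframe <?php echo esc_attr( $admin_body_classes ) . ' ' . esc_attr( $admin_body_class ); ?>">
 <script type="text/javascript">
 (function(){
 var c = document.body.className;
@@ -1719,7 +1719,7 @@
                 foreach ( $post_states as $state ) {
                         ++$i;
                         ( $i == $state_count ) ? $sep = '' : $sep = ', ';
-                        echo "<span class='post-state'>$state$sep</span>";
+                        echo '<span class="post-state">' . esc_html( $state . $sep ) . '</span>';
                 }
         }
 
@@ -1758,7 +1758,7 @@
                 foreach ( $media_states as $state ) {
                         ++$i;
                         ( $i == $state_count ) ? $sep = '' : $sep = ', ';
-                        echo "<span class='post-state'>$state$sep</span>";
+                        echo '<span class="post-state">' . esc_html( $state . $sep ) . '</span>';
                 }
         }
 }
@@ -2233,7 +2233,7 @@
         echo '<span class="screen-reader-text">' . $title . '</span>';
         echo str_repeat( '<div class="star star-full"></div>', $full_stars );
         echo str_repeat( '<div class="star star-half"></div>', $half_stars );
-        echo str_repeat( '<div class="star star-empty"></div>', $empty_stars);
+        echo str_repeat( '<div class="star star-empty"></div>', $empty_stars );
         echo '</div>';
 }
 
@@ -2244,5 +2244,5 @@
  * @since 4.2.0
  */
 function _wp_posts_page_notice() {
-        echo '<div class="notice notice-warning inline"><p>' . __( 'You are currently editing the page that shows your latest posts.' ) . '</p></div>';
+        echo '<div class="notice notice-warning inline"><p>' . esc_html__( 'You are currently editing the page that shows your latest posts.' ) . '</p></div>';
 }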
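Review bot: In the hunk at file line 924, `esc_attr_e( $bytes )` passes a computed byte count through a translation function; the `_e` variants run their argument through gettext and are meant for literal strings, so the intended call is `<?php echo esc_attr( $bytes ); ?>`. The same applies at file line 1592, where the page title variable should be output with `<?php echo esc_html( $title ); ?>` rather than `esc_html_e( $title )`. Separately, the new `esc_html()` around `$section['title']` (line 1300) and `$field['title']` (lines 1343 and 1345) may strip markup that plugins presumably pass in those titles through the Settings API — worth confirming against existing callers before merging. The functions enclosing these hunks begin and end outside the shown context.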