Ticket #32233: 32233.patch

wp-admin/includes/template.php

@@ -569 +569 @@
 <table id="list-table" style="display: none;">
         <thead>
         <tr>
-                <th class="left">' . _x( 'Name', 'meta name' ) . '</th>
-                <th>' . __( 'Value' ) . '</th>
+                <th class="left">' . esc_html_x( 'Name', 'meta name' ) . '</th>
+                <th>' . esc_html__( 'Value' ) . '</th>
         </tr>
         </thead>
         <tbody id="the-list" data-wp-lists="list:meta">
@@ -584 +584 @@
 <table id="list-table">
         <thead>
         <tr>
-                <th class="left"><?php _ex( 'Name', 'meta name' ) ?></th>
-                <th><?php _e( 'Value' ) ?></th>
+                <th class="left"><?php echo esc_html_x( 'Name', 'meta name' ) ?></th>
+                <th><?php esc_html_e( 'Value' ) ?></th>
         </tr>
         </thead>
         <tbody id='the-list' data-wp-lists='list:meta'>
@@ -830 +830 @@
         ksort( $templates );
         foreach ( array_keys( $templates ) as $template ) {
                 $selected = selected( $default, $templates[ $template ], false );
-                echo "\n\t<option value='" . $templates[ $template ] . "' $selected>$template</option>";
+                echo "\n\t<option value='" . esc_attr( $templates[ $template ] ) . "' $selected>" . esc_html( $template ) . "</option>";
         }
 }
 
@@ -921 +921 @@
 <label for="upload"><?php _e( 'Choose a file from your computer:' ); ?></label> (<?php printf( __('Maximum size: %s' ), $size ); ?>)
 <input type="file" id="upload" name="import" size="25" />
 <input type="hidden" name="action" value="save" />
-<input type="hidden" name="max_file_size" value="<?php echo $bytes; ?>" />
+<input type="hidden" name="max_file_size" value="<?php esc_attr_e( $bytes ); ?>" />
 </p>
 <?php submit_button( __('Upload file and import'), 'button' ); ?>
 </form>
@@ -1069 +1069 @@
                                         echo '<div id="' . $box['id'] . '" class="postbox ' . postbox_classes($box['id'], $page) . $hidden_class . '" ' . '>' . "\n";
                                         if ( 'dashboard_browser_nag' != $box['id'] )
                                                 echo '<div class="handlediv" title="' . esc_attr__('Click to toggle') . '"><br /></div>';
-                                        echo "<h3 class='hndle'><span>{$box['title']}</span></h3>\n";
+                                        echo '<h3 class="hndle"><span>' . esc_html( $box['title'] ) . '</span></h3>' . "\n";
                                         echo '<div class="inside">' . "\n";
                                         call_user_func($box['callback'], $object, $box);
                                         echo "</div>\n";
@@ -1297 +1297 @@
 
         foreach ( (array) $wp_settings_sections[$page] as $section ) {
                 if ( $section['title'] )
-                        echo "<h3>{$section['title']}</h3>\n";
+                        echo '<h3>' . esc_html( $section['title'] ) . '</h3>' . "\n";
 
                 if ( $section['callback'] )
                         call_user_func( $section['callback'], $section );
@@ -1340 +1340 @@
                 echo "<tr{$class}>";
 
                 if ( ! empty( $field['args']['label_for'] ) ) {
-                        echo '<th scope="row"><label for="' . esc_attr( $field['args']['label_for'] ) . '">' . $field['title'] . '</label></th>';
+                        echo '<th scope="row"><label for="' . esc_attr( $field['args']['label_for'] ) . '">' . esc_html( $field['title'] ) . '</label></th>';
                 } else {
-                        echo '<th scope="row">' . $field['title'] . '</th>';
+                        echo '<th scope="row">' . esc_html( $field['title'] ) . '</th>';
                 }
 
                 echo '<td>';
@@ -1484 +1484 @@
                 $css_id = 'setting-error-' . $details['code'];
                 $css_class = $details['type'] . ' settings-error notice is-dismissible';
                 $output .= "<div id='$css_id' class='$css_class'> \n";
-                $output .= "<p><strong>{$details['message']}</strong></p>";
+                $output .= '<p><strong>' . esc_html( $details['message'] ) . '</strong></p>';
                 $output .= "</div> \n";
         }
         echo $output;
@@ -1589 +1589 @@
         @header( 'Content-Type: ' . get_option( 'html_type' ) . '; charset=' . get_option( 'blog_charset' ) );
         _wp_admin_html_begin();
 ?>
-<title><?php bloginfo('name') ?> &rsaquo; <?php echo $title ?> &#8212; <?php _e('WordPress'); ?></title>
+<title><?php bloginfo('name'); ?> &rsaquo; <?php esc_html_e( $title ); ?> &#8212; <?php _e('WordPress'); ?></title>
 <?php
 wp_enqueue_style( 'colors' );
 ?>
@@ -1598 +1598 @@
 function tb_close(){var win=window.dialogArguments||opener||parent||top;win.tb_remove();}
 var ajaxurl = '<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>',
         pagenow = '<?php echo $current_screen->id; ?>',
-        typenow = '<?php echo $current_screen->post_type; ?>',
-        adminpage = '<?php echo $admin_body_class; ?>',
+        typenow = <?php echo wp_json_encode( $current_screen->post_type ); ?>,
+        adminpage = <?php echo wp_json_encode( $admin_body_class ); ?>,
         thousandsSeparator = '<?php echo addslashes( $wp_locale->number_format['thousands_sep'] ); ?>',
         decimalPoint = '<?php echo addslashes( $wp_locale->number_format['decimal_point'] ); ?>',
         isRtl = <?php echo (int) is_rtl(); ?>;
@@ -1637 +1637 @@
 /** This filter is documented in wp-admin/admin-header.php */
 $admin_body_classes = apply_filters( 'admin_body_class', '' );
 ?>
-<body<?php if ( isset($GLOBALS['body_id']) ) echo ' id="' . $GLOBALS['body_id'] . '"'; ?> class="wp-admin wp-core-ui no-js iframe <?php echo $admin_body_classes . ' ' . $admin_body_class; ?>">
+<body<?php if ( isset($GLOBALS['body_id']) ) echo ' id="' . esc_attr( $GLOBALS['body_id'] ) . '"'; ?> class="wp-admin wp-core-ui no-js iframe <?php echo esc_attr( $admin_body_classes ) . ' ' . esc_attr( $admin_body_class ); ?>">
 <script type="text/javascript">
 (function(){
 var c = document.body.className;
@@ -1719 +1719 @@
                 foreach ( $post_states as $state ) {
                         ++$i;
                         ( $i == $state_count ) ? $sep = '' : $sep = ', ';
-                        echo "<span class='post-state'>$state$sep</span>";
+                        echo '<span class="post-state">' . esc_html( $state . $sep ) . '</span>';
                 }
         }
 
@@ -1758 +1758 @@
                 foreach ( $media_states as $state ) {
                         ++$i;
                         ( $i == $state_count ) ? $sep = '' : $sep = ', ';
-                        echo "<span class='post-state'>$state$sep</span>";
+                        echo '<span class="post-state">' . esc_html( $state . $sep ) . '</span>';
                 }
         }
 }
@@ -2233 +2233 @@
         echo '<span class="screen-reader-text">' . $title . '</span>';
         echo str_repeat( '<div class="star star-full"></div>', $full_stars );
         echo str_repeat( '<div class="star star-half"></div>', $half_stars );
-        echo str_repeat( '<div class="star star-empty"></div>', $empty_stars);
+        echo str_repeat( '<div class="star star-empty"></div>', $empty_stars );
         echo '</div>';
 }
 
@@ -2244 +2244 @@
  * @since 4.2.0
  */
 function _wp_posts_page_notice() {
-        echo '<div class="notice notice-warning inline"><p>' . __( 'You are currently editing the page that shows your latest posts.' ) . '</p></div>';
+        echo '<div class="notice notice-warning inline"><p>' . esc_html__( 'You are currently editing the page that shows your latest posts.' ) . '</p></div>';
 }