Timestamp:
01/04/2009 10:25:50 PM (12 years ago)
Author:
azaozz
Message:

Refactor filters to avoid potential XSS attacks, props sambauers and DD32, see #8767

File:
1 edited

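--- a/trunk/wp-includes/compat.php
+++ b/trunk/wp-includes/compat.php
@@ -97,9 +97,12 @@
 }
 
-// from php.net
-if ( !function_exists('htmlspecialchars_decode') ) {
+if ( !function_exists( 'htmlspecialchars_decode' ) ) {
+    // Added in PHP 5.1.0
+    // from php.net (modified by Sam Bauers to deal with some quirks in HTML_SPECIALCHARS constant)
     function htmlspecialchars_decode( $str, $quote_style = ENT_COMPAT ) {
-        return strtr( $str, array_flip( get_html_translation_table(HTML_SPECIALCHARS, $quote_style) ) );
-    }
+        $table = array_flip( get_html_translation_table( HTML_SPECIALCHARS, $quote_style ) );
+        $table = array_merge( array( ''' => "'" ), $table, array( '&' => "&", '&' => "&" ) );
+        return strtr( $str, $table );
+    }
 }
 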
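Review bot: The single-quote entry prepended on the second `$table =` line is merged regardless of `$quote_style`, so with the default `ENT_COMPAT` (and with `ENT_NOQUOTES`) this fallback decodes single-quote entities where PHP's native `htmlspecialchars_decode()` leaves them alone, meaning callers get different output depending on whether the native function or the polyfill is active. If matching the native function is the intent, only merge that entry when quotes were requested, e.g. `$quotes = ( ENT_QUOTES === $quote_style ) ? array( <single-quote entity> => "'" ) : array();` and pass `$quotes` as the first argument to `array_merge()`. As this changeset rendering shows the line, the entity keys already appear decoded to `'` and `&` (the two keys of the trailing array print identically), which reads as a display artifact of the viewer rather than the committed source, so the real keys should be confirmed against the repository before reviewing them. A short comment above the merge explaining why the single-quote and the extra ampersand entities are added beyond what `get_html_translation_table()` returns would help the next reader understand the "quirks" the header comment alludes to.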