Changes from trunk/wp-includes/formatting.php at r10150 to branches/2.7/wp-includes/formatting.php at r10460

File:

• branches/2.7/wp-includes/formatting.php (modified) (6 diffs)

branches/2.7/wp-includes/formatting.php

@@ -187 +187 @@
  * Converts a number of special characters into their HTML entities.
  *
- * Differs from htmlspecialchars as existing HTML entities will not be encoded.
- * Specifically changes: & to &#038;, < to &lt; and > to &gt;.
- *
- * $quotes can be set to 'single' to encode ' to &#039;, 'double' to encode " to
- * &quot;, or '1' to do both. Default is 0 where no quotes are encoded.
+ * Specifically deals with: &, <, >, ", and '.
+ *
+ * $quote_style can be set to ENT_COMPAT to encode " to
+ * &quot;, or ENT_QUOTES to do both. Default is ENT_NOQUOTES where no quotes are encoded.
  *
  * @since 1.2.2
  *
- * @param string $text The text which is to be encoded.
- * @param mixed $quotes Optional. Converts single quotes if set to 'single', double if set to 'double' or both if otherwise set. Default 0.
+ * @param string $string The text which is to be encoded.
+ * @param mixed $quote_style Optional. Converts double quotes if set to ENT_COMPAT, both single and double if set to ENT_QUOTES or none if set to ENT_NOQUOTES. Also compatible with old values; converting single quotes if set to 'single', double if set to 'double' or both if otherwise set. Default is ENT_NOQUOTES.
+ * @param string $charset Optional. The character encoding of the string. Default is false.
+ * @param boolean $double_encode Optional. Whether or not to encode existing html entities. Default is false.
  * @return string The encoded text with HTML entities.
  */
-function wp_specialchars( $text, $quotes = 0 ) {
-    // Like htmlspecialchars except don't double-encode HTML entities
-    $text = str_replace('&&', '&#038;&', $text);
-    $text = str_replace('&&', '&#038;&', $text);
-    $text = preg_replace('/&(?:$|([^#])(?![a-z1-4]{1,8};))/', '&#038;$1', $text);
-    $text = str_replace('<', '&lt;', $text);
-    $text = str_replace('>', '&gt;', $text);
-    if ( 'double' === $quotes ) {
-        $text = str_replace('"', '&quot;', $text);
-    } elseif ( 'single' === $quotes ) {
-        $text = str_replace("'", '&#039;', $text);
-    } elseif ( $quotes ) {
-        $text = str_replace('"', '&quot;', $text);
-        $text = str_replace("'", '&#039;', $text);
-    }
-    return $text;
+function wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false )
+{
+    $string = (string) $string;
+
+    if ( 0 === strlen( $string ) ) {
+        return '';
+    }
+
+    // Don't bother if there are no specialchars - saves some processing
+    if ( !preg_match( '/[&<>"\']/', $string ) ) {
+        return $string;
+    }
+
+    // Account for the previous behaviour of the function when the $quote_style is not an accepted value
+    if ( empty( $quote_style ) ) {
+        $quote_style = ENT_NOQUOTES;
+    } elseif ( !in_array( $quote_style, array( 0, 2, 3, 'single', 'double' ), true ) ) {
+        $quote_style = ENT_QUOTES;
+    }
+
+    // Store the site charset as a static to avoid multiple calls to wp_load_alloptions()
+    if ( !$charset ) {
+        static $_charset;
+        if ( !isset( $_charset ) ) {
+            $alloptions = wp_load_alloptions();
+            $_charset = isset( $alloptions['blog_charset'] ) ? $alloptions['blog_charset'] : '';
+        }
+        $charset = $_charset;
+    }
+    if ( in_array( $charset, array( 'utf8', 'utf-8', 'UTF8' ) ) ) {
+        $charset = 'UTF-8';
+    }
+
+    $_quote_style = $quote_style;
+
+    if ( $quote_style === 'double' ) {
+        $quote_style = ENT_COMPAT;
+        $_quote_style = ENT_COMPAT;
+    } elseif ( $quote_style === 'single' ) {
+        $quote_style = ENT_NOQUOTES;
+    }
+
+    // Handle double encoding ourselves
+    if ( !$double_encode ) {
+        $string = wp_specialchars_decode( $string, $_quote_style );
+        $string = preg_replace( '/&(#?x?[0-9]+|[a-z]+);/i', '|wp_entity|$1|/wp_entity|', $string );
+    }
+
+    $string = @htmlspecialchars( $string, $quote_style, $charset );
+
+    // Handle double encoding ourselves
+    if ( !$double_encode ) {
+        $string = str_replace( array( '|wp_entity|', '|/wp_entity|' ), array( '&', ';' ), $string );
+    }
+
+    // Backwards compatibility
+    if ( 'single' === $_quote_style ) {
+        $string = str_replace( "'", '&#039;', $string );
+    }
+
+    return $string;
+}
+
+/**
+ * Converts a number of HTML entities into their special characters.
+ *
+ * Specifically deals with: &, <, >, ", and '.
+ *
+ * $quote_style can be set to ENT_COMPAT to decode " entities,
+ * or ENT_QUOTES to do both " and '. Default is ENT_NOQUOTES where no quotes are decoded.
+ *
+ * @since 2.8
+ *
+ * @param string $string The text which is to be decoded.
+ * @param mixed $quote_style Optional. Converts double quotes if set to ENT_COMPAT, both single and double if set to ENT_QUOTES or none if set to ENT_NOQUOTES. Also compatible with old wp_specialchars() values; converting single quotes if set to 'single', double if set to 'double' or both if otherwise set. Default is ENT_NOQUOTES.
+ * @return string The decoded text without HTML entities.
+ */
+function wp_specialchars_decode( $string, $quote_style = ENT_NOQUOTES )
+{
+    $string = (string) $string;
+
+    if ( 0 === strlen( $string ) ) {
+        return '';
+    }
+
+    // Don't bother if there are no entities - saves a lot of processing
+    if ( strpos( $string, '&' ) === false ) {
+        return $string;
+    }
+
+    // Match the previous behaviour of wp_specialchars() when the $quote_style is not an accepted value
+    if ( empty( $quote_style ) ) {
+        $quote_style = ENT_NOQUOTES;
+    } elseif ( !in_array( $quote_style, array( 0, 2, 3, 'single', 'double' ), true ) ) {
+        $quote_style = ENT_QUOTES;
+    }
+
+    // More complete than get_html_translation_table( HTML_SPECIALCHARS )
+    $single = array( '&#039;'  => '\'', '&#x27;' => '\'' );
+    $single_preg = array( '/&#0*39;/'  => '&#039;', '/&#x0*27;/i' => '&#x27;' );
+    $double = array( '&quot;' => '"', '&#034;'  => '"', '&#x22;' => '"' );
+    $double_preg = array( '/&#0*34;/'  => '&#034;', '/&#x0*22;/i' => '&#x22;' );
+    $others = array( '&lt;'   => '<', '&#060;'  => '<', '&gt;'   => '>', '&#062;'  => '>', '&amp;'  => '&', '&#038;'  => '&', '&#x26;' => '&' );
+    $others_preg = array( '/&#0*60;/'  => '&#060;', '/&#0*62;/'  => '&#062;', '/&#0*38;/'  => '&#038;', '/&#x0*26;/i' => '&#x26;' );
+
+    if ( $quote_style === ENT_QUOTES ) {
+        $translation = array_merge( $single, $double, $others );
+        $translation_preg = array_merge( $single_preg, $double_preg, $others_preg );
+    } elseif ( $quote_style === ENT_COMPAT || $quote_style === 'double' ) {
+        $translation = array_merge( $double, $others );
+        $translation_preg = array_merge( $double_preg, $others_preg );
+    } elseif ( $quote_style === 'single' ) {
+        $translation = array_merge( $single, $others );
+        $translation_preg = array_merge( $single_preg, $others_preg );
+    } elseif ( $quote_style === ENT_NOQUOTES ) {
+        $translation = $others;
+        $translation_preg = $others_preg;
+    }
+
+    // Remove zero padding on numeric entities
+    $string = preg_replace( array_keys( $translation_preg ), array_values( $translation_preg ), $string );
+
+    // Replace characters according to translation table
+    return strtr( $string, $translation );
+}
+
+/**
+ * Checks for invalid UTF8 in a string.
+ *
+ * @since 2.8
+ *
+ * @param string $string The text which is to be checked.
+ * @param boolean $strip Optional. Whether to attempt to strip out invalid UTF8. Default is false.
+ * @return string The checked text.
+ */
+function wp_check_invalid_utf8( $string, $strip = false )
+{
+    $string = (string) $string;
+
+    if ( 0 === strlen( $string ) ) {
+        return '';
+    }
+
+    // Store the site charset as a static to avoid multiple calls to get_option()
+    static $is_utf8;
+    if ( !isset( $is_utf8 ) ) {
+        $is_utf8 = in_array( get_option( 'blog_charset' ), array( 'utf8', 'utf-8', 'UTF8', 'UTF-8' ) );
+    }
+    if ( !$is_utf8 ) {
+        return $string;
+    }
+
+    // Check for support for utf8 in the installed PCRE library once and store the result in a static
+    static $utf8_pcre;
+    if ( !isset( $utf8_pcre ) ) {
+        $utf8_pcre = @preg_match( '/^./u', 'a' );
+    }
+    // We can't demand utf8 in the PCRE installation, so just return the string in those cases
+    if ( !$utf8_pcre ) {
+        return $string;
+    }
+
+    // preg_match fails when it encounters invalid UTF8 in $string
+    if ( 1 === @preg_match( '/^./us', $string ) ) {
+        return $string;
+    }
+
+    // Attempt to strip the bad chars if requested (not recommended)
+    if ( $strip && function_exists( 'iconv' ) ) {
+        return iconv( 'utf-8', 'utf-8', $string );
+    }
+
+    return '';
 }
 
@@ -1148 +1306 @@
     } else {
         $subject = str_replace('_', ' ', $matches[2]);
-        /** @todo use preg_replace_callback() */
-        $subject = preg_replace('#\=([0-9a-f]{2})#ei', "chr(hexdec(strtolower('$1')))", $subject);
+        $subject = preg_replace_callback('#\=([0-9a-f]{2})#i', create_function('$match', 'return chr(hexdec(strtolower($match[1])));'), $subject);
         return $subject;
     }
@@ -1158 +1315 @@
  *
  * Requires and returns a date in the Y-m-d H:i:s format. Simply subtracts the
- * value of gmt_offset.
+ * value of the 'gmt_offset' option.
  *
  * @since 1.2.0
  *
+ * @uses get_option() to retrieve the the value of 'gmt_offset'.
  * @param string $string The date to be converted.
  * @return string GMT version of the date provided.
@@ -1743 +1901 @@
  */
 function js_escape($text) {
-    $safe_text = wp_specialchars($text, 'double');
-    $safe_text = preg_replace('/&#(x)?0*(?(1)27|39);?/i', "'", stripslashes($safe_text));
-    $safe_text = preg_replace("/\r?\n/", "\\n", addslashes($safe_text));
-    return apply_filters('js_escape', $safe_text, $text);
+    $safe_text = wp_check_invalid_utf8( $text );
+    $safe_text = wp_specialchars( $safe_text, ENT_COMPAT );
+    $safe_text = preg_replace( '/&#(x)?0*(?(1)27|39);?/i', "'", stripslashes( $safe_text ) );
+    $safe_text = preg_replace( "/\r?\n/", "\\n", addslashes( $safe_text ) );
+    return apply_filters( 'js_escape', $safe_text, $text );
 }
 
@@ -1757 +1916 @@
  * @return string
  */
-function attribute_escape($text) {
-    $safe_text = wp_specialchars($text, true);
-    return apply_filters('attribute_escape', $safe_text, $text);
+function attribute_escape( $text ) {
+    $safe_text = wp_check_invalid_utf8( $text );
+    $safe_text = wp_specialchars( $safe_text, ENT_QUOTES );
+    return apply_filters( 'attribute_escape', $safe_text, $text );
 }
 
@@ -1771 +1931 @@
  */
 function tag_escape($tag_name) {
-    $safe_tag = strtolower( preg_replace('[^a-zA-Z_:]', '', $tag_name) );
+    $safe_tag = strtolower( preg_replace('/[^a-zA-Z_:]/', '', $tag_name) );
     return apply_filters('tag_escape', $safe_tag, $tag_name);
 }