Make WordPress Core


Ignore:
Timestamp:
05/05/2009 07:43:53 PM (15 years ago)
Author:
markjaquith
Message:

_a(), _ea(), _xa(), attr() are now esc_attr(), esc_attr_e(), esc_attr_x(), esc_attr() -- still short, but less cryptic. see #9650

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-admin/includes/template.php

    r11203 r11204  
    126126    $edit_link = "categories.php?action=edit&cat_ID=$category->term_id";
    127127    if ( current_user_can( 'manage_categories' ) ) {
    128         $edit = "<a class='row-title' href='$edit_link' title='" . attr(sprintf(__('Edit &#8220;%s&#8221;'), $category->name)) . "'>" . attr( $name ) . '</a><br />';
     128        $edit = "<a class='row-title' href='$edit_link' title='" . esc_attr(sprintf(__('Edit &#8220;%s&#8221;'), $category->name)) . "'>" . esc_attr( $name ) . '</a><br />';
    129129        $actions = array();
    130130        $actions['edit'] = '<a href="' . $edit_link . '">' . __('Edit') . '</a>';
     
    265265        <a accesskey="c" href="#inline-edit" title="<?php _e('Cancel'); ?>" class="cancel button-secondary alignleft"><?php _e('Cancel'); ?></a>
    266266        <?php $update_text = ( $is_tag ) ? __( 'Update Tag' ) : __( 'Update Category' ); ?>
    267         <a accesskey="s" href="#inline-edit" title="<?php echo attr( $update_text ); ?>" class="save button-primary alignright"><?php echo $update_text; ?></a>
     267        <a accesskey="s" href="#inline-edit" title="<?php echo esc_attr( $update_text ); ?>" class="save button-primary alignright"><?php echo $update_text; ?></a>
    268268        <img class="waiting" style="display:none;" src="images/wpspin_light.gif" alt="" />
    269269        <span class="error" style="display:none;"></span>
     
    297297    $edit_link = "link-category.php?action=edit&amp;cat_ID=$category->term_id";
    298298    if ( current_user_can( 'manage_categories' ) ) {
    299         $edit = "<a class='row-title' href='$edit_link' title='" . attr(sprintf(__('Edit &#8220;%s&#8221;'), $category->name)) . "'>$name</a><br />";
     299        $edit = "<a class='row-title' href='$edit_link' title='" . esc_attr(sprintf(__('Edit &#8220;%s&#8221;'), $category->name)) . "'>$name</a><br />";
    300300        $actions = array();
    301301        $actions['edit'] = '<a href="' . $edit_link . '">' . __('Edit') . '</a>';
     
    659659                    break;
    660660                case 'name':
    661                     $out .= '<td ' . $attributes . '><strong><a class="row-title" href="' . $edit_link . '" title="' . attr(sprintf(__('Edit &#8220;%s&#8221;'), $name)) . '">' . $name . '</a></strong><br />';
     661                    $out .= '<td ' . $attributes . '><strong><a class="row-title" href="' . $edit_link . '" title="' . esc_attr(sprintf(__('Edit &#8220;%s&#8221;'), $name)) . '">' . $name . '</a></strong><br />';
    662662                    $actions = array();
    663663                    $actions['edit'] = '<a href="' . $edit_link . '">' . __('Edit') . '</a>';
     
    12581258            $update_text = ( $is_page ) ? __( 'Update Page' ) : __( 'Update Post' );
    12591259            ?>
    1260             <a accesskey="s" href="#inline-edit" title="<?php _e('Update'); ?>" class="button-primary save alignright"><?php echo attr( $update_text ); ?></a>
     1260            <a accesskey="s" href="#inline-edit" title="<?php _e('Update'); ?>" class="button-primary save alignright"><?php echo esc_attr( $update_text ); ?></a>
    12611261            <img class="waiting" style="display:none;" src="images/wpspin_light.gif" alt="" />
    12621262        <?php } else {
    12631263            $update_text = ( $is_page ) ? __( 'Update Pages' ) : __( 'Update Posts' );
    12641264        ?>
    1265             <input accesskey="s" class="button-primary alignright" type="submit" name="bulk_edit" value="<?php echo attr( $update_text ); ?>" />
     1265            <input accesskey="s" class="button-primary alignright" type="submit" name="bulk_edit" value="<?php echo esc_attr( $update_text ); ?>" />
    12661266        <?php } ?>
    12671267        <input type="hidden" name="post_view" value="<?php echo $m; ?>" />
     
    12891289        return;
    12901290
    1291     $title = attr($post->post_title);
     1291    $title = esc_attr($post->post_title);
    12921292
    12931293    echo '
     
    14381438            $attributes = 'class="post-title column-title"' . $style;
    14391439        ?>
    1440         <td <?php echo $attributes ?>><strong><?php if ( current_user_can( 'edit_post', $post->ID ) ) { ?><a class="row-title" href="<?php echo $edit_link; ?>" title="<?php echo attr(sprintf(__('Edit &#8220;%s&#8221;'), $title)); ?>"><?php echo $title ?></a><?php } else { echo $title; }; _post_states($post); ?></strong>
     1440        <td <?php echo $attributes ?>><strong><?php if ( current_user_can( 'edit_post', $post->ID ) ) { ?><a class="row-title" href="<?php echo $edit_link; ?>" title="<?php echo esc_attr(sprintf(__('Edit &#8220;%s&#8221;'), $title)); ?>"><?php echo $title ?></a><?php } else { echo $title; }; _post_states($post); ?></strong>
    14411441        <?php
    14421442            if ( 'excerpt' == $mode )
     
    14451445            $actions = array();
    14461446            if ( current_user_can('edit_post', $post->ID) ) {
    1447                 $actions['edit'] = '<a href="' . get_edit_post_link($post->ID, true) . '" title="' . attr(__('Edit this post')) . '">' . __('Edit') . '</a>';
    1448                 $actions['inline hide-if-no-js'] = '<a href="#" class="editinline" title="' . attr(__('Edit this post inline')) . '">' . __('Quick&nbsp;Edit') . '</a>';
    1449                 $actions['delete'] = "<a class='submitdelete' title='" . attr(__('Delete this post')) . "' href='" . wp_nonce_url("post.php?action=delete&amp;post=$post->ID", 'delete-post_' . $post->ID) . "' onclick=\"if ( confirm('" . js_escape(sprintf( ('draft' == $post->post_status) ? __("You are about to delete this draft '%s'\n 'Cancel' to stop, 'OK' to delete.") : __("You are about to delete this post '%s'\n 'Cancel' to stop, 'OK' to delete."), $post->post_title )) . "') ) { return true;}return false;\">" . __('Delete') . "</a>";
     1447                $actions['edit'] = '<a href="' . get_edit_post_link($post->ID, true) . '" title="' . esc_attr(__('Edit this post')) . '">' . __('Edit') . '</a>';
     1448                $actions['inline hide-if-no-js'] = '<a href="#" class="editinline" title="' . esc_attr(__('Edit this post inline')) . '">' . __('Quick&nbsp;Edit') . '</a>';
     1449                $actions['delete'] = "<a class='submitdelete' title='" . esc_attr(__('Delete this post')) . "' href='" . wp_nonce_url("post.php?action=delete&amp;post=$post->ID", 'delete-post_' . $post->ID) . "' onclick=\"if ( confirm('" . js_escape(sprintf( ('draft' == $post->post_status) ? __("You are about to delete this draft '%s'\n 'Cancel' to stop, 'OK' to delete.") : __("You are about to delete this post '%s'\n 'Cancel' to stop, 'OK' to delete."), $post->post_title )) . "') ) { return true;}return false;\">" . __('Delete') . "</a>";
    14501450            }
    14511451            if ( in_array($post->post_status, array('pending', 'draft')) ) {
    14521452                if ( current_user_can('edit_post', $post->ID) )
    1453                     $actions['view'] = '<a href="' . get_permalink($post->ID) . '" title="' . attr(sprintf(__('Preview &#8220;%s&#8221;'), $title)) . '" rel="permalink">' . __('Preview') . '</a>';
     1453                    $actions['view'] = '<a href="' . get_permalink($post->ID) . '" title="' . esc_attr(sprintf(__('Preview &#8220;%s&#8221;'), $title)) . '" rel="permalink">' . __('Preview') . '</a>';
    14541454            } else {
    1455                 $actions['view'] = '<a href="' . get_permalink($post->ID) . '" title="' . attr(sprintf(__('View &#8220;%s&#8221;'), $title)) . '" rel="permalink">' . __('View') . '</a>';
     1455                $actions['view'] = '<a href="' . get_permalink($post->ID) . '" title="' . esc_attr(sprintf(__('View &#8220;%s&#8221;'), $title)) . '" rel="permalink">' . __('View') . '</a>';
    14561456            }
    14571457            $actions = apply_filters('post_row_actions', $actions, $post);
     
    16541654        $edit_link = get_edit_post_link( $page->ID );
    16551655        ?>
    1656         <td <?php echo $attributes ?>><strong><?php if ( current_user_can( 'edit_post', $page->ID ) ) { ?><a class="row-title" href="<?php echo $edit_link; ?>" title="<?php echo attr(sprintf(__('Edit &#8220;%s&#8221;'), $title)); ?>"><?php echo $pad; echo $title ?></a><?php } else { echo $pad; echo $title; }; _post_states($page); echo isset($parent_name) ? ' | ' . __('Parent Page: ') . wp_specialchars($parent_name) : ''; ?></strong>
     1656        <td <?php echo $attributes ?>><strong><?php if ( current_user_can( 'edit_post', $page->ID ) ) { ?><a class="row-title" href="<?php echo $edit_link; ?>" title="<?php echo esc_attr(sprintf(__('Edit &#8220;%s&#8221;'), $title)); ?>"><?php echo $pad; echo $title ?></a><?php } else { echo $pad; echo $title; }; _post_states($page); echo isset($parent_name) ? ' | ' . __('Parent Page: ') . wp_specialchars($parent_name) : ''; ?></strong>
    16571657        <?php
    16581658        $actions = array();
    16591659        if ( current_user_can('edit_page', $page->ID) ) {
    1660             $actions['edit'] = '<a href="' . $edit_link . '" title="' . attr(__('Edit this page')) . '">' . __('Edit') . '</a>';
     1660            $actions['edit'] = '<a href="' . $edit_link . '" title="' . esc_attr(__('Edit this page')) . '">' . __('Edit') . '</a>';
    16611661            $actions['inline'] = '<a href="#" class="editinline">' . __('Quick&nbsp;Edit') . '</a>';
    1662             $actions['delete'] = "<a class='submitdelete' title='" . attr(__('Delete this page')) . "' href='" . wp_nonce_url("page.php?action=delete&amp;post=$page->ID", 'delete-page_' . $page->ID) . "' onclick=\"if ( confirm('" . js_escape(sprintf( ('draft' == $page->post_status) ? __("You are about to delete this draft '%s'\n 'Cancel' to stop, 'OK' to delete.") : __("You are about to delete this page '%s'\n 'Cancel' to stop, 'OK' to delete."), $page->post_title )) . "') ) { return true;}return false;\">" . __('Delete') . "</a>";
     1662            $actions['delete'] = "<a class='submitdelete' title='" . esc_attr(__('Delete this page')) . "' href='" . wp_nonce_url("page.php?action=delete&amp;post=$page->ID", 'delete-page_' . $page->ID) . "' onclick=\"if ( confirm('" . js_escape(sprintf( ('draft' == $page->post_status) ? __("You are about to delete this draft '%s'\n 'Cancel' to stop, 'OK' to delete.") : __("You are about to delete this page '%s'\n 'Cancel' to stop, 'OK' to delete."), $page->post_title )) . "') ) { return true;}return false;\">" . __('Delete') . "</a>";
    16631663        }
    16641664        if ( in_array($post->post_status, array('pending', 'draft')) ) {
    16651665            if ( current_user_can('edit_page', $page->ID) )
    1666                 $actions['view'] = '<a href="' . get_permalink($page->ID) . '" title="' . attr(sprintf(__('Preview &#8220;%s&#8221;'), $title)) . '" rel="permalink">' . __('Preview') . '</a>';
     1666                $actions['view'] = '<a href="' . get_permalink($page->ID) . '" title="' . esc_attr(sprintf(__('Preview &#8220;%s&#8221;'), $title)) . '" rel="permalink">' . __('Preview') . '</a>';
    16671667        } else {
    1668             $actions['view'] = '<a href="' . get_permalink($page->ID) . '" title="' . attr(sprintf(__('View &#8220;%s&#8221;'), $title)) . '" rel="permalink">' . __('View') . '</a>';
     1668            $actions['view'] = '<a href="' . get_permalink($page->ID) . '" title="' . esc_attr(sprintf(__('View &#8220;%s&#8221;'), $title)) . '" rel="permalink">' . __('View') . '</a>';
    16691669        }
    16701670        $actions = apply_filters('page_row_actions', $actions, $page);
     
    21252125                <div id="inline-<?php echo $comment->comment_ID; ?>" class="hidden">
    21262126                <textarea class="comment" rows="3" cols="10"><?php echo $comment->comment_content; ?></textarea>
    2127                 <div class="author-email"><?php if ( $user_can ) echo attr( $comment->comment_author_email ); ?></div>
    2128                 <div class="author"><?php if ( $user_can ) echo attr( $comment->comment_author ); ?></div>
    2129                 <div class="author-url"><?php echo attr( $comment->comment_author_url ); ?></div>
     2127                <div class="author-email"><?php if ( $user_can ) echo esc_attr( $comment->comment_author_email ); ?></div>
     2128                <div class="author"><?php if ( $user_can ) echo esc_attr( $comment->comment_author ); ?></div>
     2129                <div class="author-url"><?php echo esc_attr( $comment->comment_author_url ); ?></div>
    21302130                <div class="comment_status"><?php echo $comment->comment_approved; ?></div>
    21312131                </div>
     
    23062306    <input type="hidden" name="position" id="position" value="<?php echo $position; ?>" />
    23072307    <input type="hidden" name="checkbox" id="checkbox" value="<?php echo $checkbox ? 1 : 0; ?>" />
    2308     <input type="hidden" name="mode" id="mode" value="<?php echo attr($mode); ?>" />
     2308    <input type="hidden" name="mode" id="mode" value="<?php echo esc_attr($mode); ?>" />
    23092309    <?php wp_nonce_field( 'replyto-comment', '_ajax_nonce', false ); ?>
    23102310    <?php wp_comment_form_unfiltered_html_nonce(); ?>
     
    24282428    }
    24292429
    2430     $entry['meta_key'] = attr($entry['meta_key']);
     2430    $entry['meta_key'] = esc_attr($entry['meta_key']);
    24312431    $entry['meta_value'] = htmlspecialchars($entry['meta_value']); // using a <textarea />
    24322432    $entry['meta_id'] = (int) $entry['meta_id'];
     
    24382438
    24392439    $r .= "\n\t\t<div class='submit'><input name='deletemeta[{$entry['meta_id']}]' type='submit' ";
    2440     $r .= "class='delete:the-list:meta-{$entry['meta_id']}::_ajax_nonce=$delete_nonce deletemeta' tabindex='6' value='". _a( 'Delete' ) ."' />";
    2441     $r .= "\n\t\t<input name='updatemeta' type='submit' tabindex='6' value='". _a( 'Update' ) ."' class='add:the-list:meta-{$entry['meta_id']}::_ajax_nonce=$update_nonce updatemeta' /></div>";
     2440    $r .= "class='delete:the-list:meta-{$entry['meta_id']}::_ajax_nonce=$delete_nonce deletemeta' tabindex='6' value='". esc_attr__( 'Delete' ) ."' />";
     2441    $r .= "\n\t\t<input name='updatemeta' type='submit' tabindex='6' value='". esc_attr__( 'Update' ) ."' class='add:the-list:meta-{$entry['meta_id']}::_ajax_nonce=$update_nonce updatemeta' /></div>";
    24422442    $r .= wp_nonce_field( 'change-meta', '_ajax_nonce', false, false );
    24432443    $r .= "</td>";
     
    24832483
    24842484    foreach ( $keys as $key ) {
    2485         $key = attr( $key );
    2486         echo "\n<option value='" . attr($key) . "'>$key</option>";
     2485        $key = esc_attr( $key );
     2486        echo "\n<option value='" . esc_attr($key) . "'>$key</option>";
    24872487    }
    24882488?>
     
    25002500
    25012501<tr><td colspan="2" class="submit">
    2502 <input type="submit" id="addmetasub" name="addmeta" class="add:the-list:newmeta" tabindex="9" value="<?php _ea( 'Add Custom Field' ) ?>" />
     2502<input type="submit" id="addmetasub" name="addmeta" class="add:the-list:newmeta" tabindex="9" value="<?php esc_attr_e( 'Add Custom Field' ) ?>" />
    25032503<?php wp_nonce_field( 'add-meta', '_ajax_nonce', false ); ?>
    25042504</td></tr>
     
    27202720        $name = translate_user_role($details['name'] );
    27212721        if ( $selected == $role ) // Make default first in list
    2722             $p = "\n\t<option selected='selected' value='" . attr($role) . "'>$name</option>";
     2722            $p = "\n\t<option selected='selected' value='" . esc_attr($role) . "'>$name</option>";
    27232723        else
    2724             $r .= "\n\t<option value='" . attr($role) . "'>$name</option>";
     2724            $r .= "\n\t<option value='" . esc_attr($role) . "'>$name</option>";
    27252725    }
    27262726    echo $p . $r;
     
    27932793    else :
    27942794?>
    2795 <form enctype="multipart/form-data" id="import-upload-form" method="post" action="<?php echo attr($action) ?>">
     2795<form enctype="multipart/form-data" id="import-upload-form" method="post" action="<?php echo esc_attr($action) ?>">
    27962796<p>
    27972797<?php wp_nonce_field('import-upload'); ?>
     
    28022802</p>
    28032803<p class="submit">
    2804 <input type="submit" class="button" value="<?php _ea( 'Upload file and import' ); ?>" />
     2804<input type="submit" class="button" value="<?php esc_attr_e( 'Upload file and import' ); ?>" />
    28052805</p>
    28062806</form>
     
    28162816function wp_remember_old_slug() {
    28172817    global $post;
    2818     $name = attr($post->post_name); // just in case
     2818    $name = esc_attr($post->post_name); // just in case
    28192819    if ( strlen($name) )
    28202820        echo '<input type="hidden" id="wp-old-slug" name="wp-old-slug" value="' . $name . '" />';
     
    31553155            <div class="find-box-search">
    31563156                <?php if ( $found_action ) { ?>
    3157                     <input type="hidden" name="found_action" value="<?php echo attr($found_action); ?>" />
     3157                    <input type="hidden" name="found_action" value="<?php echo esc_attr($found_action); ?>" />
    31583158                <?php } ?>
    31593159
     
    31623162                <label class="invisible" for="find-posts-input"><?php _e( 'Search' ); ?></label>
    31633163                <input type="text" id="find-posts-input" name="ps" value="" />
    3164                 <input type="button" onclick="findPosts.send();" value="<?php _ea( 'Search' ); ?>" class="button" /><br />
     3164                <input type="button" onclick="findPosts.send();" value="<?php esc_attr_e( 'Search' ); ?>" class="button" /><br />
    31653165
    31663166                <input type="radio" name="find-posts-what" id="find-posts-posts" checked="checked" value="posts" />
     
    31723172        </div>
    31733173        <div class="find-box-buttons">
    3174             <input type="button" class="button alignleft" onclick="findPosts.close();" value="<?php _ea('Close'); ?>" />
    3175             <input id="find-posts-submit" type="submit" class="button-primary alignright" value="<?php _ea('Select'); ?>" />
     3174            <input type="button" class="button alignleft" onclick="findPosts.close();" value="<?php esc_attr_e('Close'); ?>" />
     3175            <input id="find-posts-submit" type="submit" class="button-primary alignright" value="<?php esc_attr_e('Select'); ?>" />
    31763176        </div>
    31773177    </div>
     
    31823182 * Display the post password.
    31833183 *
    3184  * The password is passed through {@link attr()} to ensure that it
     3184 * The password is passed through {@link esc_attr()} to ensure that it
    31853185 * is safe for placing in an html attribute.
    31863186 *
     
    31903190function the_post_password() {
    31913191    global $post;
    3192     if ( isset( $post->post_password ) ) echo attr( $post->post_password );
     3192    if ( isset( $post->post_password ) ) echo esc_attr( $post->post_password );
    31933193}
    31943194
     
    33133313 */
    33143314function _admin_search_query() {
    3315     echo isset($_GET['s']) ? attr( stripslashes( $_GET['s'] ) ) : '';
     3315    echo isset($_GET['s']) ? esc_attr( stripslashes( $_GET['s'] ) ) : '';
    33163316}
    33173317
     
    36443644    if ( !empty($per_page_label) )
    36453645        $return .= "<label for='$option'>$per_page_label</label> <input type='text' class='screen-per-page' name='wp_screen_options[value]' id='$option' maxlength='3' value='$per_page' />\n";
    3646     $return .= "<input type='submit' class='button' value='" . _a('Apply') . "' />";
    3647     $return .= "<input type='hidden' name='wp_screen_options[option]' value='" . attr($option) . "' />";
     3646    $return .= "<input type='submit' class='button' value='" . esc_attr__('Apply') . "' />";
     3647    $return .= "<input type='hidden' name='wp_screen_options[option]' value='" . esc_attr($option) . "' />";
    36483648    $return .= "</div>\n";
    36493649    return $return;
Note: See TracChangeset for help on using the changeset viewer.