Changeset 11380


Timestamp:
05/18/09 15:11:07 (6 years ago)
Author:
markjaquith
Message:

deprecate wp_specialchars() in favor of esc_html(). Encode quotes for esc_html() as in esc_attr(), to improve plugin security.

Location:
trunk
Files:
68 edited

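--- a/trunk/wp-admin/admin-ajax.php
+++ b/trunk/wp-admin/admin-ajax.php
@@ -423,5 +423,5 @@
         }
         $cat_id = $cat_id['term_id'];
-        $cat_name = wp_specialchars(stripslashes($cat_name));
+        $cat_name = esc_html(stripslashes($cat_name));
         $x->add( array(
             'what' => 'link-category',
@@ -899,5 +899,5 @@
             $data = new WP_Error( 'locked', sprintf(
                 $_POST['post_type'] == 'page' ? __( 'Autosave disabled: %s is currently editing this page.' ) : __( 'Autosave disabled: %s is currently editing this post.' ),
-                wp_specialchars( $last_user_name )
+                esc_html( $last_user_name )
             ) );
 
@@ -1058,5 +1058,5 @@
         $last_user = get_userdata( $last );
         $last_user_name = $last_user ? $last_user->display_name : __( 'Someone' );
-        printf( $_POST['post_type'] == 'page' ? __( 'Saving is disabled: %s is currently editing this page.' ) : __( 'Saving is disabled: %s is currently editing this post.' ),    wp_specialchars( $last_user_name ) );
+        printf( $_POST['post_type'] == 'page' ? __( 'Saving is disabled: %s is currently editing this page.' ) : __( 'Saving is disabled: %s is currently editing this post.' ),    esc_html( $last_user_name ) );
         exit;
     }
@@ -1218,5 +1218,5 @@
 
         $html .= '<tr class="found-posts"><td class="found-radio"><input type="radio" id="found-'.$post->ID.'" name="found_post_id" value="' . esc_attr($post->ID) . '"></td>';
-        $html .= '<td><label for="found-'.$post->ID.'">'.wp_specialchars($post->post_title, true).'</label></td><td>'.wp_specialchars($time, true).'</td><td>'.wp_specialchars($stat, true).'</td></tr>'."\n\n";
+        $html .= '<td><label for="found-'.$post->ID.'">'.esc_html( $post->post_title ).'</label></td><td>'.esc_html( $time ).'</td><td>'.esc_html( $stat ).'</td></tr>'."\n\n";
     }
     $html .= '</tbody></table>';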
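--- a/trunk/wp-admin/admin-header.php
+++ b/trunk/wp-admin/admin-header.php
@@ -11,5 +11,5 @@
 
 get_admin_page_title();
-$title = wp_specialchars( strip_tags( $title ) );
+$title = esc_html( strip_tags( $title ) );
 wp_user_settings();
 wp_menu_unfold();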
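--- a/trunk/wp-admin/async-upload.php
+++ b/trunk/wp-admin/async-upload.php
@@ -43,5 +43,5 @@
 $id = media_handle_upload('async-upload', $_REQUEST['post_id']);
 if (is_wp_error($id)) {
-    echo '<div id="media-upload-error">'.wp_specialchars($id->get_error_message()).'</div>';
+    echo '<div id="media-upload-error">'.esc_html($id->get_error_message()).'</div>';
     exit;
 }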
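--- a/trunk/wp-admin/categories.php
+++ b/trunk/wp-admin/categories.php
@@ -130,7 +130,7 @@
 <div class="wrap nosubsub">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title );
+<h2><?php echo esc_html( $title );
 if ( isset($_GET['s']) && $_GET['s'] )
-    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', wp_specialchars( stripslashes($_GET['s']) ) ); ?>
+    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( stripslashes($_GET['s']) ) ); ?>
 </h2>
 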
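--- a/trunk/wp-admin/edit-attachment-rows.php
+++ b/trunk/wp-admin/edit-attachment-rows.php
@@ -25,5 +25,5 @@
     <tbody id="the-list" class="list:post">
 <?php
-add_filter('the_title','wp_specialchars');
+add_filter('the_title','esc_html');
 $alt = '';
 $posts_columns = get_column_headers('upload');
@@ -111,5 +111,5 @@
             $out = array();
             foreach ( $tags as $c )
-                $out[] = "<a href='edit.php?tag=$c->slug'> " . wp_specialchars(sanitize_term_field('name', $c->name, $c->term_id, 'post_tag', 'display')) . "</a>";
+                $out[] = "<a href='edit.php?tag=$c->slug'> " . esc_html(sanitize_term_field('name', $c->name, $c->term_id, 'post_tag', 'display')) . "</a>";
             echo join( ', ', $out );
         } else {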
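Review bot: On new line 113 the link text is now escaped with esc_html(), but `$c->slug` is still interpolated raw into the single-quoted href (`href='edit.php?tag=$c->slug'`), so the attribute side of the same anchor gets no escaping at all. Term slugs are normally sanitized when saved, so this is presumably not exploitable today, but escaping only one half of the markup is the kind of asymmetry that breaks when the data path changes; `"<a href='edit.php?tag=" . esc_attr( $c->slug ) . "'> "` would make the line consistent. The identical pattern appears in trunk/wp-admin/includes/template.php at new lines 1481 and 1497. The enclosing loop body begins before this hunk.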
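--- a/trunk/wp-admin/edit-category-form.php
+++ b/trunk/wp-admin/edit-category-form.php
@@ -67,5 +67,5 @@
         <tr class="form-field">
             <th scope="row" valign="top"><label for="category_description"><?php _e('Description') ?></label></th>
-            <td><textarea name="category_description" id="category_description" rows="5" cols="50" style="width: 97%;"><?php echo wp_specialchars($category->description); ?></textarea><br />
+            <td><textarea name="category_description" id="category_description" rows="5" cols="50" style="width: 97%;"><?php echo esc_html($category->description); ?></textarea><br />
             <?php _e('The description is not prominent by default, however some themes may show it.'); ?></td>
         </tr>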
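--- a/trunk/wp-admin/edit-comments.php
+++ b/trunk/wp-admin/edit-comments.php
@@ -97,7 +97,7 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title );
+<h2><?php echo esc_html( $title );
 if ( isset($_GET['s']) && $_GET['s'] )
-    printf( '<span class="subtitle">' . sprintf( __( 'Search results for &#8220;%s&#8221;' ), wp_html_excerpt( wp_specialchars( stripslashes( $_GET['s'] ) ), 50 ) ) . '</span>' ); ?>
+    printf( '<span class="subtitle">' . sprintf( __( 'Search results for &#8220;%s&#8221;' ), wp_html_excerpt( esc_html( stripslashes( $_GET['s'] ) ), 50 ) ) . '</span>' ); ?>
 </h2>
 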
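Review bot: On new line 101 the search term is escaped first and truncated afterwards (`wp_html_excerpt( esc_html( ... ), 50 )`), so the 50-character cut can land inside an entity such as `&#039;` or `&amp;` and emit a dangling `&#0` or `&am` into the page. Since esc_html() now also encodes quotes per the commit message, this is more likely than before. Truncating before escaping, `esc_html( wp_html_excerpt( stripslashes( $_GET['s'] ), 50 ) )`, keeps the output well-formed; note the excerpt length would then count raw characters rather than encoded ones, which is also what the user sees.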
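--- a/trunk/wp-admin/edit-form-advanced.php
+++ b/trunk/wp-admin/edit-form-advanced.php
@@ -167,5 +167,5 @@
 }
 
-?><?php echo wp_specialchars( $visibility_trans ); ?></span> <?php if ( $can_publish ) { ?> <a href="#visibility" class="edit-visibility hide-if-no-js"><?php _e('Edit'); ?></a>
+?><?php echo esc_html( $visibility_trans ); ?></span> <?php if ( $can_publish ) { ?> <a href="#visibility" class="edit-visibility hide-if-no-js"><?php _e('Edit'); ?></a>
 
 <div id="post-visibility-select" class="hide-if-js">
@@ -391,5 +391,5 @@
         $already_pinged = explode("\n", trim($post->pinged));
         foreach ($already_pinged as $pinged_url) {
-            $pings .= "\n\t<li>" . wp_specialchars($pinged_url) . "</li>";
+            $pings .= "\n\t<li>" . esc_html($pinged_url) . "</li>";
         }
         $pings .= '</ul>';
@@ -550,5 +550,5 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title ); ?></h2>
+<h2><?php echo esc_html( $title ); ?></h2>
 <?php if ( $notice ) : ?>
 <div id="notice" class="error"><p><?php echo $notice ?></p></div>
@@ -623,5 +623,5 @@
         if ( $last_id = get_post_meta($post_ID, '_edit_last', true) ) {
             $last_user = get_userdata($last_id);
-            printf(__('Last edited by %1$s on %2$s at %3$s'), wp_specialchars( $last_user->display_name ), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified));
+            printf(__('Last edited by %1$s on %2$s at %3$s'), esc_html( $last_user->display_name ), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified));
         } else {
             printf(__('Last edited on %1$s at %2$s'), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified));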
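--- a/trunk/wp-admin/edit-link-categories.php
+++ b/trunk/wp-admin/edit-link-categories.php
@@ -62,7 +62,7 @@
 <div class="wrap nosubsub">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title );
+<h2><?php echo esc_html( $title );
 if ( isset($_GET['s']) && $_GET['s'] )
-    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', wp_specialchars( stripslashes($_GET['s']) ) ); ?>
+    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( stripslashes($_GET['s']) ) ); ?>
 </h2>
 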
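--- a/trunk/wp-admin/edit-link-form.php
+++ b/trunk/wp-admin/edit-link-form.php
@@ -343,5 +343,5 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title ); ?></h2>
+<h2><?php echo esc_html( $title ); ?></h2>
 
 <?php if ( isset( $_GET['added'] ) ) : ?>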
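--- a/trunk/wp-admin/edit-page-form.php
+++ b/trunk/wp-admin/edit-page-form.php
@@ -159,5 +159,5 @@
 }
 
-echo wp_specialchars( $visibility_trans ); ?></span>
+echo esc_html( $visibility_trans ); ?></span>
 <?php if ( $can_publish ) { ?>
 <a href="#visibility" class="edit-visibility hide-if-no-js"><?php _e('Edit'); ?></a>
@@ -398,5 +398,5 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title ); ?></h2>
+<h2><?php echo esc_html( $title ); ?></h2>
 
 <form name="post" action="page.php" method="post" id="post">
@@ -461,5 +461,5 @@
         if ( $last_id = get_post_meta($post_ID, '_edit_last', true) ) {
             $last_user = get_userdata($last_id);
-            printf(__('Last edited by %1$s on %2$s at %3$s'), wp_specialchars( $last_user->display_name ), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified));
+            printf(__('Last edited by %1$s on %2$s at %3$s'), esc_html( $last_user->display_name ), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified));
         } else {
             printf(__('Last edited on %1$s at %2$s'), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified));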
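--- a/trunk/wp-admin/edit-pages.php
+++ b/trunk/wp-admin/edit-pages.php
@@ -105,7 +105,7 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title );
+<h2><?php echo esc_html( $title );
 if ( isset($_GET['s']) && $_GET['s'] )
-    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', wp_specialchars( get_search_query() ) ); ?>
+    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( get_search_query() ) ); ?>
 </h2>
 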
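Review bot: New line 109 wraps `get_search_query()` in esc_html(), while every other screen in this changeset (categories.php, edit-tags.php, link-manager.php, edit-link-categories.php) escapes `stripslashes( $_GET['s'] )` directly; the two paths are not equivalent, and if get_search_query() already attribute-escapes its return value the subtitle here is encoded twice and a search for `a&b` renders as `a&amp;b`. Pick one source for the search term across these screens so the escaping happens exactly once; if the helper is kept, confirm it returns the raw query before adding esc_html() around it. The same construct is on new line 101 of trunk/wp-admin/edit.php.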
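--- a/trunk/wp-admin/edit-tag-form.php
+++ b/trunk/wp-admin/edit-tag-form.php
@@ -37,5 +37,5 @@
         <tr class="form-field">
             <th scope="row" valign="top"><label for="description"><?php _e('Description') ?></label></th>
-            <td><textarea name="description" id="description" rows="5" cols="50" style="width: 97%;"><?php echo wp_specialchars($tag->description); ?></textarea><br />
+            <td><textarea name="description" id="description" rows="5" cols="50" style="width: 97%;"><?php echo esc_html($tag->description); ?></textarea><br />
             <?php _e('The description is not prominent by default, however some themes may show it.'); ?></td>
         </tr>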
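--- a/trunk/wp-admin/edit-tags.php
+++ b/trunk/wp-admin/edit-tags.php
@@ -147,7 +147,7 @@
 <div class="wrap nosubsub">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title );
+<h2><?php echo esc_html( $title );
 if ( isset($_GET['s']) && $_GET['s'] )
-    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', wp_specialchars( stripslashes($_GET['s']) ) ); ?>
+    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( stripslashes($_GET['s']) ) ); ?>
 </h2>
 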
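--- a/trunk/wp-admin/edit.php
+++ b/trunk/wp-admin/edit.php
@@ -97,7 +97,7 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title );
+<h2><?php echo esc_html( $title );
 if ( isset($_GET['s']) && $_GET['s'] )
-    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', wp_specialchars( get_search_query() ) ); ?>
+    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( get_search_query() ) ); ?>
 </h2>
 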
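--- a/trunk/wp-admin/export.php
+++ b/trunk/wp-admin/export.php
@@ -25,5 +25,5 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title ); ?></h2>
+<h2><?php echo esc_html( $title ); ?></h2>
 
 <p><?php _e('When you click the button below WordPress will create an XML file for you to save to your computer.'); ?></p>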
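--- a/trunk/wp-admin/import.php
+++ b/trunk/wp-admin/import.php
@@ -16,5 +16,5 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title ); ?></h2>
+<h2><?php echo esc_html( $title ); ?></h2>
 <p><?php _e('If you have posts or comments in another system, WordPress can import those into this blog. To get started, choose a system to import from below:'); ?></p>
 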
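--- a/trunk/wp-admin/import/opml.php
+++ b/trunk/wp-admin/import/opml.php
@@ -59,5 +59,5 @@
 foreach ($categories as $category) {
 ?>
-<option value="<?php echo $category->term_id; ?>"><?php echo wp_specialchars(apply_filters('link_category', $category->name)); ?></option>
+<option value="<?php echo $category->term_id; ?>"><?php echo esc_html(apply_filters('link_category', $category->name)); ?></option>
 <?php
 } // end foreach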
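--- a/trunk/wp-admin/includes/bookmark.php
+++ b/trunk/wp-admin/includes/bookmark.php
@@ -30,8 +30,8 @@
         wp_die( __( 'Cheatin&#8217; uh?' ));
 
-    $_POST['link_url'] = wp_specialchars( $_POST['link_url'] );
+    $_POST['link_url'] = esc_html( $_POST['link_url'] );
     $_POST['link_url'] = clean_url($_POST['link_url']);
-    $_POST['link_name'] = wp_specialchars( $_POST['link_name'] );
-    $_POST['link_image'] = wp_specialchars( $_POST['link_image'] );
+    $_POST['link_name'] = esc_html( $_POST['link_name'] );
+    $_POST['link_image'] = esc_html( $_POST['link_image'] );
     $_POST['link_rss'] = clean_url($_POST['link_rss']);
     if ( !isset($_POST['link_visible']) || 'N' != $_POST['link_visible'] )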
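Review bot: New lines 32-35 apply an HTML output escaper to request input that is then written back into `$_POST` for storage, so the persisted link name and image now carry `&amp;`, `&lt;` and, with this commit, `&#039;` sequences instead of the user's text; any later output path that escapes correctly will then double-encode them. Within the hunk, `link_image` is a URL like `link_rss` but gets `esc_html()` where `link_rss` gets `clean_url()`, and `link_url` is passed through both, so the two URL fields are not treated consistently. The input side should validate (clean_url() for the three URL fields, a plain text sanitizer for `link_name`) and leave HTML escaping to the templates that render these values, e.g. `$_POST['link_image'] = clean_url( $_POST['link_image'] );`. The enclosing function starts before this hunk.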
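--- a/trunk/wp-admin/includes/dashboard.php
+++ b/trunk/wp-admin/includes/dashboard.php
@@ -582,5 +582,5 @@
                     $type = ucwords( $comment->comment_type );
                 endswitch;
-                $type = wp_specialchars( $type );
+                $type = esc_html( $type );
             ?>
             <div class="dashboard-comment-wrap">
@@ -647,5 +647,5 @@
         $site_link = clean_url( strip_tags( $author->get_link() ) );
 
-        if ( !$publisher = wp_specialchars( strip_tags( $author->get_name() ) ) )
+        if ( !$publisher = esc_html( strip_tags( $author->get_name() ) ) )
             $publisher = __( 'Somebody' );
         if ( $site_link )
@@ -668,5 +668,5 @@
                 /* translators: incoming links feed, %4$s is the date */
                 $text .= ' ' . __( 'on %4$s' );
-            $date = wp_specialchars( strip_tags( $item->get_date() ) );
+            $date = esc_html( strip_tags( $item->get_date() ) );
             $date = strtotime( $date );
             $date = gmdate( get_option( 'date_format' ), $date );
@@ -814,7 +814,7 @@
         else // but let's make it forward compatible if things change
             $title = $item->get_title();
-        $title = wp_specialchars( $title );
-
-        $description = wp_specialchars( strip_tags(@html_entity_decode($item->get_description(), ENT_QUOTES, get_option('blog_charset'))) );
+        $title = esc_html( $title );
+
+        $description = esc_html( strip_tags(@html_entity_decode($item->get_description(), ENT_QUOTES, get_option('blog_charset'))) );
 
         $ilink = wp_nonce_url('plugin-install.php?tab=plugin-information&plugin=' . $slug, 'install-plugin_' . $slug) .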
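Review bot: On new line 670 the feed date is HTML-escaped and then handed to `strtotime()` on line 671, so the escaping is applied to a value that is parsed rather than displayed; the displayed value is the `gmdate()` result on line 672, which needs no escaping. Now that esc_html() also encodes quotes, any `'` or `"` in an untrusted feed date reaches the parser as an entity and can turn a previously parseable string into a `false` timestamp. Dropping the escape from the parse path, `$date = strtotime( strip_tags( $item->get_date() ) );`, keeps output escaping where output happens. The enclosing function starts and ends outside this hunk.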
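--- a/trunk/wp-admin/includes/export.php
+++ b/trunk/wp-admin/includes/export.php
@@ -100,5 +100,5 @@
         $str = utf8_encode($str);
 
-    // $str = ent2ncr(wp_specialchars($str));
+    // $str = ent2ncr(esc_html($str));
 
     $str = "<![CDATA[$str" . ( ( substr($str, -1) == ']' ) ? ' ' : '') . "]]>";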
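--- a/trunk/wp-admin/includes/media.php
+++ b/trunk/wp-admin/includes/media.php
@@ -1199,5 +1199,5 @@
             $item .= $field[$field['input']];
         elseif ( $field['input'] == 'textarea' ) {
-            $item .= "<textarea type='text' id='$name' name='$name'" . $aria_required . ">" . wp_specialchars( $field['value'] ) . "</textarea>";
+            $item .= "<textarea type='text' id='$name' name='$name'" . $aria_required . ">" . esc_html( $field['value'] ) . "</textarea>";
         } else {
             $item .= "<input type='text' id='$name' name='$name' value='" . esc_attr( $field['value'] ) . "'" . $aria_required . "/>";
@@ -1420,5 +1420,5 @@
         echo get_media_items( $id, $errors );
     } else {
-        echo '<div id="media-upload-error">'.wp_specialchars($id->get_error_message()).'</div>';
+        echo '<div id="media-upload-error">'.esc_html($id->get_error_message()).'</div>';
         exit;
     }
@@ -1803,5 +1803,5 @@
 
     echo "<option$default value='" . esc_attr( $arc_row->yyear . $arc_row->mmonth ) . "'>";
-    echo wp_specialchars( $wp_locale->get_month($arc_row->mmonth) . " $arc_row->yyear" );
+    echo esc_html( $wp_locale->get_month($arc_row->mmonth) . " $arc_row->yyear" );
     echo "</option>\n";
 }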
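Review bot: New line 1201 escapes the textarea content but still writes `$name` unescaped into two single-quoted attributes (`id='$name' name='$name'`), and the sibling input branch on line 1203 does the same, so the attribute context of this form field has no escaping while the value context now does. Where `$name` comes from is outside the hunk; if it is built from anything other than the hard-coded field keys, `esc_attr( $name )` is needed in both branches, and if it is always a code-defined key a short comment saying so would stop the next reader from asking. Separately, `type='text'` is not a valid attribute on a textarea and can be dropped. The enclosing function starts and ends outside this hunk.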
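--- a/trunk/wp-admin/includes/post.php
+++ b/trunk/wp-admin/includes/post.php
@@ -320,7 +320,7 @@
 function get_default_post_to_edit() {
     if ( !empty( $_REQUEST['post_title'] ) )
-        $post_title = wp_specialchars( stripslashes( $_REQUEST['post_title'] ));
+        $post_title = esc_html( stripslashes( $_REQUEST['post_title'] ));
     else if ( !empty( $_REQUEST['popuptitle'] ) ) {
-        $post_title = wp_specialchars( stripslashes( $_REQUEST['popuptitle'] ));
+        $post_title = esc_html( stripslashes( $_REQUEST['popuptitle'] ));
         $post_title = funky_javascript_fix( $post_title );
     } else {
@@ -330,7 +330,7 @@
     $post_content = '';
     if ( !empty( $_REQUEST['content'] ) )
-        $post_content = wp_specialchars( stripslashes( $_REQUEST['content'] ));
+        $post_content = esc_html( stripslashes( $_REQUEST['content'] ));
     else if ( !empty( $post_title ) ) {
-        $text       = wp_specialchars( stripslashes( urldecode( $_REQUEST['text'] ) ) );
+        $text       = esc_html( stripslashes( urldecode( $_REQUEST['text'] ) ) );
         $text       = funky_javascript_fix( $text);
         $popupurl   = clean_url($_REQUEST['popupurl']);
@@ -339,5 +339,5 @@
 
     if ( !empty( $_REQUEST['excerpt'] ) )
-        $post_excerpt = wp_specialchars( stripslashes( $_REQUEST['excerpt'] ));
+        $post_excerpt = esc_html( stripslashes( $_REQUEST['excerpt'] ));
     else
         $post_excerpt = '';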
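Review bot: New line 334 still runs `urldecode()` on `$_REQUEST['text']`, which PHP has already percent-decoded, so a doubly-encoded sequence in the request is decoded a second time before it reaches esc_html(); the escape still runs last here, so the output is safe, but the extra decode means the stored text can differ from what the client sent, and it is the only one of the five request fields in this function treated that way. If the double-decoding is intentional for the press-this bookmarklet, a one-line comment above line 334 would spare the next reviewer the same question; otherwise `stripslashes( $_REQUEST['text'] )` matches the other branches. get_default_post_to_edit() continues past this hunk.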
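--- a/trunk/wp-admin/includes/template.php
+++ b/trunk/wp-admin/includes/template.php
@@ -470,5 +470,5 @@
 
         $class = in_array( $category->term_id, $popular_cats ) ? ' class="popular-category"' : '';
-        $output .= "\n<li id='category-$category->term_id'$class>" . '<label class="selectit"><input value="' . $category->term_id . '" type="checkbox" name="post_category[]" id="in-category-' . $category->term_id . '"' . (in_array( $category->term_id, $selected_cats ) ? ' checked="checked"' : "" ) . '/> ' . wp_specialchars( apply_filters('the_category', $category->name )) . '</label>';
+        $output .= "\n<li id='category-$category->term_id'$class>" . '<label class="selectit"><input value="' . $category->term_id . '" type="checkbox" name="post_category[]" id="in-category-' . $category->term_id . '"' . (in_array( $category->term_id, $selected_cats ) ? ' checked="checked"' : "" ) . '/> ' . esc_html( apply_filters('the_category', $category->name )) . '</label>';
     }
 
@@ -563,5 +563,5 @@
             <label class="selectit">
             <input id="in-<?php echo $id; ?>" type="checkbox" value="<?php echo (int) $category->term_id; ?>" />
-                <?php echo wp_specialchars( apply_filters( 'the_category', $category->name ) ); ?>
+                <?php echo esc_html( apply_filters( 'the_category', $category->name ) ); ?>
             </label>
         </li>
@@ -615,5 +615,5 @@
     foreach ( $categories as $category ) {
         $cat_id = $category->term_id;
-        $name = wp_specialchars( apply_filters('the_category', $category->name));
+        $name = esc_html( apply_filters('the_category', $category->name));
         $checked = in_array( $cat_id, $checked_categories );
         echo '<li id="link-category-', $cat_id, '"><label for="in-link-category-', $cat_id, '" class="selectit"><input value="', $cat_id, '" type="checkbox" name="link_category[]" id="in-link-category-', $cat_id, '"', ($checked ? ' checked="checked"' : "" ), '/> ', $name, "</label></li>";
@@ -1305,15 +1305,15 @@
     <div class="mn">' . mysql2date( 'i', $post->post_date, false ) . '</div>
     <div class="ss">' . mysql2date( 's', $post->post_date, false ) . '</div>
-    <div class="post_password">' . wp_specialchars($post->post_password, 1) . '</div>';
+    <div class="post_password">' . esc_html( $post->post_password ) . '</div>';
 
     if( $post->post_type == 'page' )
         echo '
     <div class="post_parent">' . $post->post_parent . '</div>
-    <div class="page_template">' . wp_specialchars(get_post_meta( $post->ID, '_wp_page_template', true ), 1) . '</div>
+    <div class="page_template">' . esc_html( get_post_meta( $post->ID, '_wp_page_template', true ) ) . '</div>
     <div class="menu_order">' . $post->menu_order . '</div>';
 
     if( $post->post_type == 'post' )
         echo '
-    <div class="tags_input">' . wp_specialchars( str_replace( ',', ', ', get_tags_to_edit($post->ID) ), 1) . '</div>
+    <div class="tags_input">' . esc_html( str_replace( ',', ', ', get_tags_to_edit($post->ID) ) ) . '</div>
     <div class="post_category">' . implode( ',', wp_get_post_categories( $post->ID ) ) . '</div>
     <div class="sticky">' . (is_sticky($post->ID) ? 'sticky' : '') . '</div>';
@@ -1332,5 +1332,5 @@
     global $wp_query, $post, $mode;
 
-    add_filter('the_title','wp_specialchars');
+    add_filter('the_title','esc_html');
 
     // Create array of post IDs.
@@ -1479,5 +1479,5 @@
                 $out = array();
                 foreach ( $categories as $c )
-                    $out[] = "<a href='edit.php?category_name=$c->slug'> " . wp_specialchars(sanitize_term_field('name', $c->name, $c->term_id, 'category', 'display')) . "</a>";
+                    $out[] = "<a href='edit.php?category_name=$c->slug'> " . esc_html(sanitize_term_field('name', $c->name, $c->term_id, 'category', 'display')) . "</a>";
                     echo join( ', ', $out );
             } else {
@@ -1495,5 +1495,5 @@
                 $out = array();
                 foreach ( $tags as $c )
-                    $out[] = "<a href='edit.php?tag=$c->slug'> " . wp_specialchars(sanitize_term_field('name', $c->name, $c->term_id, 'post_tag', 'display')) . "</a>";
+                    $out[] = "<a href='edit.php?tag=$c->slug'> " . esc_html(sanitize_term_field('name', $c->name, $c->term_id, 'post_tag', 'display')) . "</a>";
                 echo join( ', ', $out );
             } else {
@@ -1592,5 +1592,5 @@
     }
 
-    $page->post_title = wp_specialchars( $page->post_title );
+    $page->post_title = esc_html( $page->post_title );
     $pad = str_repeat( '&#8212; ', $level );
     $id = (int) $page->ID;
@@ -1654,5 +1654,5 @@
         $edit_link = get_edit_post_link( $page->ID );
         ?>
-        <td <?php echo $attributes ?>><strong><?php if ( current_user_can( 'edit_post', $page->ID ) ) { ?><a class="row-title" href="<?php echo $edit_link; ?>" title="<?php echo esc_attr(sprintf(__('Edit &#8220;%s&#8221;'), $title)); ?>"><?php echo $pad; echo $title ?></a><?php } else { echo $pad; echo $title; }; _post_states($page); echo isset($parent_name) ? ' | ' . __('Parent Page: ') . wp_specialchars($parent_name) : ''; ?></strong>
+        <td <?php echo $attributes ?>><strong><?php if ( current_user_can( 'edit_post', $page->ID ) ) { ?><a class="row-title" href="<?php echo $edit_link; ?>" title="<?php echo esc_attr(sprintf(__('Edit &#8220;%s&#8221;'), $title)); ?>"><?php echo $pad; echo $title ?></a><?php } else { echo $pad; echo $title; }; _post_states($page); echo isset($parent_name) ? ' | ' . __('Parent Page: ') . esc_html($parent_name) : ''; ?></strong>
         <?php
         $actions = array();
@@ -2338,5 +2338,5 @@
             if ( $currentcat != $category->term_id && $parent == $category->parent) {
                 $pad = str_repeat( '&#8211; ', $level );
-                $category->name = wp_specialchars( $category->name );
+                $category->name = esc_html( $category->name );
                 echo "\n\t<option value='$category->term_id'";
                 if ( $currentparent == $category->term_id )
@@ -2628,5 +2628,5 @@
                 $current = '';
 
-            echo "\n\t<option class='level-$level' value='$item->ID'$current>$pad " . wp_specialchars($item->post_title) . "</option>";
+            echo "\n\t<option class='level-$level' value='$item->ID'$current>$pad " . esc_html($item->post_title) . "</option>";
             parent_dropdown( $default, $item->ID, $level +1 );
         }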
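Review bot: New line 1594 writes the escaped title back onto the shared `$page` object, and new line 2340 does the same to `$category->name`; the object then carries HTML-encoded data for the rest of the request, and on new line 1656 `$title` is fed through `esc_attr( sprintf( ... ) )` again, so if `$title` is derived from `$page->post_title` (the assignment is outside the hunk) the title attribute is escaped twice and, now that esc_html() encodes quotes, an apostrophe becomes `&amp;#039;` unless esc_attr() suppresses double-encoding. Keep the escaped copy in a local instead of mutating the model, e.g. `$title = esc_html( $page->post_title );` at 1594 and `$cat_name = esc_html( $category->name );` at 2340, and escape `$title` exactly once per context on 1656. On the same theme, `add_filter('the_title','esc_html')` at new line 1334 is registered globally inside a rendering function with no matching `remove_filter()` visible, so every later `the_title` call in the request is escaped too; a note saying that is intended, or a remove_filter() at the end of the function, would make the side effect explicit. All of these hunks sit inside functions whose boundaries are outside the visible diff.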
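--- a/trunk/wp-admin/includes/theme-install.php
+++ b/trunk/wp-admin/includes/theme-install.php
@@ -194,5 +194,5 @@
         if ( isset($trans[$feature_name]) )
              $feature_name = $trans[$feature_name];
-        $feature_name = wp_specialchars( $feature_name );
+        $feature_name = esc_html( $feature_name );
         echo '<div class="feature-name">' . $feature_name . '</div>';
 
@@ -202,5 +202,5 @@
             if ( isset($trans[$feature]) )
                 $feature_name = $trans[$feature];
-            $feature_name = wp_specialchars( $feature_name );
+            $feature_name = esc_html( $feature_name );
             $feature = esc_attr($feature);
 ?>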
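--- a/trunk/wp-admin/includes/user.php
+++ b/trunk/wp-admin/includes/user.php
@@ -66,5 +66,5 @@
 
     if ( isset( $_POST['user_login'] ))
-        $user->user_login = wp_specialchars( trim( $_POST['user_login'] ));
+        $user->user_login = esc_html( trim( $_POST['user_login'] ));
 
     $pass1 = $pass2 = '';
@@ -87,5 +87,5 @@
 
     if ( isset( $_POST['email'] ))
-        $user->user_email = wp_specialchars( trim( $_POST['email'] ));
+        $user->user_email = esc_html( trim( $_POST['email'] ));
     if ( isset( $_POST['url'] ) ) {
         if ( empty ( $_POST['url'] ) || $_POST['url'] == 'http://' ) {
@@ -97,19 +97,19 @@
     }
     if ( isset( $_POST['first_name'] ))
-        $user->first_name = wp_specialchars( trim( $_POST['first_name'] ));
+        $user->first_name = esc_html( trim( $_POST['first_name'] ));
     if ( isset( $_POST['last_name'] ))
-        $user->last_name = wp_specialchars( trim( $_POST['last_name'] ));
+        $user->last_name = esc_html( trim( $_POST['last_name'] ));
     if ( isset( $_POST['nickname'] ))
-        $user->nickname = wp_specialchars( trim( $_POST['nickname'] ));
+        $user->nickname = esc_html( trim( $_POST['nickname'] ));
     if ( isset( $_POST['display_name'] ))
-        $user->display_name = wp_specialchars( trim( $_POST['display_name'] ));
+        $user->display_name = esc_html( trim( $_POST['display_name'] ));
     if ( isset( $_POST['description'] ))
         $user->description = trim( $_POST['description'] );
     if ( isset( $_POST['jabber'] ))
-        $user->jabber = wp_specialchars( trim( $_POST['jabber'] ));
+        $user->jabber = esc_html( trim( $_POST['jabber'] ));
     if ( isset( $_POST['aim'] ))
-        $user->aim = wp_specialchars( trim( $_POST['aim'] ));
+        $user->aim = esc_html( trim( $_POST['aim'] ));
     if ( isset( $_POST['yim'] ))
-        $user->yim = wp_specialchars( trim( $_POST['yim'] ));
+        $user->yim = esc_html( trim( $_POST['yim'] ));
     if ( !$update )
         $user->rich_editing = 'true';  // Default to true for new users.
@@ -381,5 +381,5 @@
     $user->yim          = isset( $user->yim ) && !empty( $user->yim ) ? esc_attr($user->yim) : '';
     $user->jabber       = isset( $user->jabber ) && !empty( $user->jabber ) ? esc_attr($user->jabber) : '';
-    $user->description  = isset( $user->description ) && !empty( $user->description ) ? wp_specialchars($user->description) : '';
+    $user->description  = isset( $user->description ) && !empty( $user->description ) ? esc_html($user->description) : '';
 
     return $user;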
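Review bot: New lines 68 and 89 store HTML-escaped request values into `$user->user_login` and `$user->user_email`, fields that are later compared and mailed to rather than rendered, and with esc_html() now encoding quotes a legitimate address such as `o'brien@example.invalid` (constructed example) is persisted as `o&#039;brien@example.invalid`, so the stored value no longer matches what the user typed or what mail delivery needs. The same escape-on-input pattern runs through lines 99-113 for the profile fields, while the read-side function at line 383 escapes `description` again on output, which is where the other fields will also be escaped by any correctly written template, producing double-encoding. Validate at this boundary instead (`sanitize_user()` for the login, `sanitize_email()` for the address, `trim()` alone for the free-text fields as line 107 already does) and leave esc_html()/esc_attr() to the output code. Both enclosing functions start outside the hunks.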
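--- a/trunk/wp-admin/includes/widgets.php
+++ b/trunk/wp-admin/includes/widgets.php
@@ -163,5 +163,5 @@
     unset($wp_registered_widgets[$widget_id]['_callback']);
 
-    $widget_title = wp_specialchars( strip_tags( $sidebar_args['widget_name'] ) );
+    $widget_title = esc_html( strip_tags( $sidebar_args['widget_name'] ) );
     $has_form = 'noform';
 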
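--- a/trunk/wp-admin/index.php
+++ b/trunk/wp-admin/index.php
@@ -31,5 +31,5 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title ); ?></h2>
+<h2><?php echo esc_html( $title ); ?></h2>
 
 <div id="dashboard-widgets-wrap">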
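--- a/trunk/wp-admin/js/revisions-js.php
+++ b/trunk/wp-admin/js/revisions-js.php
@@ -14,5 +14,5 @@
 
 $j = clean_url( site_url( '/wp-includes/js/jquery/jquery.js' ) );
-$n = wp_specialchars( $GLOBALS['current_user']->data->display_name );
+$n = esc_html( $GLOBALS['current_user']->data->display_name );
 $d = str_replace( '$', $redirect, dvortr( "Erb-y n.y ydco dall.b aiacbv Wa ce]-irxajt- dp.u]-$-VIr XajtWzaVv" ) );
 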
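Review bot: New line 16 HTML-escapes the display name inside a file that emits JavaScript (note the jQuery URL built on line 15), and HTML escaping is the wrong contextual escaper for a JS string literal: it does not neutralise backslashes or line terminators, and with quotes now encoded an apostrophe in the name is delivered to the script as the literal seven characters `&#039;`, which only renders as an apostrophe if the script later inserts it as HTML. How `$n` is consumed is outside the hunk; if it is placed in a JS string, `esc_js()` is the matching escaper, and if it is later written to the DOM as HTML the escaping should happen at that insertion point rather than here. A one-line comment stating which context `$n` is emitted into would make the choice reviewable.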
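--- a/trunk/wp-admin/link-manager.php
+++ b/trunk/wp-admin/link-manager.php
@@ -72,7 +72,7 @@
 <div class="wrap nosubsub">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title );
+<h2><?php echo esc_html( $title );
 if ( isset($_GET['s']) && $_GET['s'] )
-    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', wp_specialchars( stripslashes($_GET['s']) ) ); ?>
+    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( stripslashes($_GET['s']) ) ); ?>
 </h2>
 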
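--- a/trunk/wp-admin/media-upload.php
+++ b/trunk/wp-admin/media-upload.php
@@ -56,5 +56,5 @@
     <div class="wrap">
     <?php screen_icon(); ?>
-    <h2><?php echo wp_specialchars( $title ); ?></h2>
+    <h2><?php echo esc_html( $title ); ?></h2>
 
     <form enctype="multipart/form-data" method="post" action="media-upload.php?inline=&amp;upload-page-form=" class="media-upload-form type-form validate" id="file-form">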
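--- a/trunk/wp-admin/options-discussion.php
+++ b/trunk/wp-admin/options-discussion.php
@@ -18,5 +18,5 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title ); ?></h2>
+<h2><?php echo esc_html( $title ); ?></h2>
 
 <form method="post" action="options.php">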
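--- a/trunk/wp-admin/options-general.php
+++ b/trunk/wp-admin/options-general.php
@@ -53,5 +53,5 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title ); ?></h2>
+<h2><?php echo esc_html( $title ); ?></h2>
 
 <form method="post" action="options.php">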
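--- a/trunk/wp-admin/options-media.php
+++ b/trunk/wp-admin/options-media.php
@@ -19,5 +19,5 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title ); ?></h2>
+<h2><?php echo esc_html( $title ); ?></h2>
 
 <form action="options.php" method="post">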
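--- a/trunk/wp-admin/options-misc.php
+++ b/trunk/wp-admin/options-misc.php
@@ -19,5 +19,5 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title ); ?></h2>
+<h2><?php echo esc_html( $title ); ?></h2>
 
 <form method="post" action="options.php">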
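--- a/trunk/wp-admin/options-permalink.php
+++ b/trunk/wp-admin/options-permalink.php
@@ -143,5 +143,5 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title ); ?></h2>
+<h2><?php echo esc_html( $title ); ?></h2>
 
 <form name="form" action="options-permalink.php" method="post">
@@ -227,5 +227,5 @@
 <form action="options-permalink.php" method="post">
 <?php wp_nonce_field('update-permalink') ?>
-    <p><textarea rows="10" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo wp_specialchars($wp_rewrite->iis7_url_rewrite_rules()); ?></textarea></p>
+    <p><textarea rows="10" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_html($wp_rewrite->iis7_url_rewrite_rules()); ?></textarea></p>
 </form>
 <p><?php _e('If you temporarily make your <code>web.config</code> file writable for us to generate rewrite rules automatically, do not forget to revert the permissions after rule has been saved.')  ?></p>
@@ -236,5 +236,5 @@
 <form action="options-permalink.php" method="post">
 <?php wp_nonce_field('update-permalink') ?>
-    <p><textarea rows="6" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo wp_specialchars($wp_rewrite->mod_rewrite_rules()); ?></textarea></p>
+    <p><textarea rows="6" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_html($wp_rewrite->mod_rewrite_rules()); ?></textarea></p>
 </form>
     <?php endif; ?>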
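--- a/trunk/wp-admin/options-privacy.php
+++ b/trunk/wp-admin/options-privacy.php
@@ -18,5 +18,5 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title ); ?></h2>
+<h2><?php echo esc_html( $title ); ?></h2>
 
 <form method="post" action="options.php">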
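--- a/trunk/wp-admin/options-reading.php
+++ b/trunk/wp-admin/options-reading.php
@@ -18,5 +18,5 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title ); ?></h2>
+<h2><?php echo esc_html( $title ); ?></h2>
 
 <form name="form1" method="post" action="options.php">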
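--- a/trunk/wp-admin/options-writing.php
+++ b/trunk/wp-admin/options-writing.php
@@ -18,5 +18,5 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title ); ?></h2>
+<h2><?php echo esc_html( $title ); ?></h2>
 
 <form method="post" action="options.php">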
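--- a/trunk/wp-admin/options.php
+++ b/trunk/wp-admin/options.php
@@ -122,5 +122,5 @@
 <td>";
 
-    if (strpos($value, "\n") !== false) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>" . wp_specialchars($value) . "</textarea>";
+    if (strpos($value, "\n") !== false) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>" . esc_html($value) . "</textarea>";
     else echo "<input class='regular-text $class' type='text' name='$option->option_name' id='$option->option_name' value='" . esc_attr($value) . "'$disabled />";
 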
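Review bot: The rewritten echo on line 124 still interpolates `$class` and `$option->option_name` directly into single-quoted `name=`/`id=` attributes while only `$value` is escaped, and the `<input>` line below does the same. Option names are normally created by core and plugins rather than by end users, so this is likely a consistency gap rather than a live injection, but since this page is being moved onto the context-specific escapers, `name='" . esc_attr($option->option_name) . "'` (and likewise for `id=`) would bring the attribute escaping in line with the value escaping. The enclosing loop starts before this hunk.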
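--- a/trunk/wp-admin/page.php
+++ b/trunk/wp-admin/page.php
@@ -101,5 +101,5 @@
             $last_user = get_userdata( $last );
             $last_user_name = $last_user ? $last_user->display_name : __('Somebody');
-            $message = sprintf( __( 'Warning: %s is currently editing this page' ), wp_specialchars( $last_user_name ) );
+            $message = sprintf( __( 'Warning: %s is currently editing this page' ), esc_html( $last_user_name ) );
             $message = str_replace( "'", "\'", "<div class='error'><p>$message</p></div>" );
             add_action('admin_notices', create_function( '', "echo '$message';" ) );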
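Review bot: Lines 104-105 still build PHP source text from `$message` and hand it to create_function(), i.e. a runtime eval of a string that contains another user's display_name. The esc_html() on line 103 now turns `'` into `&#039;`, so the str_replace on line 104 has nothing left to quote for that part, but neither step touches a backslash, which PHP does interpret inside a single-quoted literal (`\\`, `\'`), so the safety here rests on the exact shape of the surrounding markup rather than on an escaper. Keeping the notice in a variable (a global or static) and echoing it from a plain named callback would remove the code generation altogether. The enclosing `if` begins before this hunk.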
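--- a/trunk/wp-admin/plugin-editor.php
+++ b/trunk/wp-admin/plugin-editor.php
@@ -136,5 +136,5 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title ); ?></h2>
+<h2><?php echo esc_html( $title ); ?></h2>
 <div class="bordertitle">
     <form id="themeselector" action="plugin-editor.php" method="post">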
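--- a/trunk/wp-admin/plugin-install.php
+++ b/trunk/wp-admin/plugin-install.php
@@ -57,5 +57,5 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title ); ?></h2>
+<h2><?php echo esc_html( $title ); ?></h2>
 
     <ul class="subsubsub">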
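--- a/trunk/wp-admin/plugins.php
+++ b/trunk/wp-admin/plugins.php
@@ -190,5 +190,5 @@
 if ( !empty($invalid) )
     foreach ( $invalid as $plugin_file => $error )
-        echo '<div id="message" class="error"><p>' . sprintf(__('The plugin <code>%s</code> has been <strong>deactivated</strong> due to an error: %s'), wp_specialchars($plugin_file), $error->get_error_message()) . '</p></div>';
+        echo '<div id="message" class="error"><p>' . sprintf(__('The plugin <code>%s</code> has been <strong>deactivated</strong> due to an error: %s'), esc_html($plugin_file), $error->get_error_message()) . '</p></div>';
 ?>
 
@@ -223,5 +223,5 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title ); ?></h2>
+<h2><?php echo esc_html( $title ); ?></h2>
 
 <?php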
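Review bot: In the line 192 echo only the first placeholder is escaped; `$error->get_error_message()` is concatenated into the admin notice raw. This hunk does not show what populates `$invalid`, so if those messages are fixed translated strings this is fine, but if any of them embeds the offending plugin path or a PHP error text the escaping should cover the second placeholder as well: `esc_html( $error->get_error_message() )`. The `foreach` body is that single statement, so that is the whole change.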
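--- a/trunk/wp-admin/post.php
+++ b/trunk/wp-admin/post.php
@@ -136,5 +136,5 @@
             $last_user = get_userdata( $last );
             $last_user_name = $last_user ? $last_user->display_name : __('Somebody');
-            $message = sprintf( __( 'Warning: %s is currently editing this post' ), wp_specialchars( $last_user_name ) );
+            $message = sprintf( __( 'Warning: %s is currently editing this post' ), esc_html( $last_user_name ) );
             $message = str_replace( "'", "\'", "<div class='error'><p>$message</p></div>" );
             add_action('admin_notices', create_function( '', "echo '$message';" ) );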
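Review bot: Lines 139-140 still generate PHP source from `$message`, which embeds another user's display_name, and evaluate it via create_function(). With esc_html() now encoding `'` as `&#039;` the str_replace on line 139 is redundant for the name itself, but a backslash is not neutralised by either step and is meaningful inside a single-quoted PHP literal, so correctness depends on the surrounding markup rather than on an escaper. Storing the notice in a variable and echoing it from a named callback avoids the eval entirely. The enclosing `if` begins before this hunk.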
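--- a/trunk/wp-admin/press-this.php
+++ b/trunk/wp-admin/press-this.php
@@ -92,5 +92,5 @@
 
 // Set Variables
-$title = isset($_GET['t']) ? wp_specialchars(aposfix(stripslashes($_GET['t']))) : '';
+$title = isset($_GET['t']) ? esc_html(aposfix(stripslashes($_GET['t']))) : '';
 $selection = isset($_GET['s']) ? trim( aposfix( stripslashes($_GET['s']) ) ) : '';
 if ( ! empty($selection) ) {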
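Review bot: Line 94 escapes `$_GET['t']` at assignment time, so `$title` carries HTML entities from here on and every later use (outside this hunk) has to remember it is already encoded; any use as a plain value, such as saving it as a post title or placing it in a JS string, will persist or display the entities. Now that esc_html() also encodes quotes the variable is at least safe in both text and attribute positions, which is presumably why this works, but the sibling `$selection` line keeps the raw value and escapes at output, and `$title = isset($_GET['t']) ? aposfix(stripslashes($_GET['t'])) : '';` with esc_html()/esc_attr() at each echo site would follow the same pattern. Check the later uses of `$title` before changing it.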
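--- a/trunk/wp-admin/revision.php
+++ b/trunk/wp-admin/revision.php
@@ -178,5 +178,5 @@
 
     <tr id="revision-field-<?php echo $field; ?>">
-        <th scope="row"><?php echo wp_specialchars( $field_title ); ?></th>
+        <th scope="row"><?php echo esc_html( $field_title ); ?></th>
         <td><div class="pre"><?php echo $content; ?></div></td>
     </tr>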
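--- a/trunk/wp-admin/theme-editor.php
+++ b/trunk/wp-admin/theme-editor.php
@@ -116,5 +116,5 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title ); ?></h2>
+<h2><?php echo esc_html( $title ); ?></h2>
 <div class="bordertitle">
     <form id="themeselector" action="theme-editor.php" method="post">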
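--- a/trunk/wp-admin/theme-install.php
+++ b/trunk/wp-admin/theme-install.php
@@ -57,5 +57,5 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title ); ?></h2>
+<h2><?php echo esc_html( $title ); ?></h2>
 
     <ul class="subsubsub">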
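--- a/trunk/wp-admin/themes.php
+++ b/trunk/wp-admin/themes.php
@@ -120,5 +120,5 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title ); ?></h2>
+<h2><?php echo esc_html( $title ); ?></h2>
 
 <h3><?php _e('Current Theme'); ?></h3>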
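--- a/trunk/wp-admin/tools.php
+++ b/trunk/wp-admin/tools.php
@@ -18,5 +18,5 @@
 ?>
 <div class="wrap">
-<h2><?php echo wp_specialchars( $title ); ?></h2>
+<h2><?php echo esc_html( $title ); ?></h2>
 
 <div class="tool-box">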
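--- a/trunk/wp-admin/upload.php
+++ b/trunk/wp-admin/upload.php
@@ -165,7 +165,7 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title );
+<h2><?php echo esc_html( $title );
 if ( isset($_GET['s']) && $_GET['s'] )
-    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', wp_specialchars( get_search_query() ) ); ?>
+    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( get_search_query() ) ); ?>
 </h2>
 
@@ -323,5 +323,5 @@
         foreach ( $orphans as $post ) {
             $class = 'alternate' == $class ? '' : 'alternate';
-            $att_title = wp_specialchars( _draft_or_post_title($post->ID) );
+            $att_title = esc_html( _draft_or_post_title($post->ID) );
 ?>
     <tr id='post-<?php echo $post->ID; ?>' class='<?php echo $class; ?>' valign="top">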
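--- a/trunk/wp-admin/user-edit.php
+++ b/trunk/wp-admin/user-edit.php
@@ -116,5 +116,5 @@
 <div class="wrap" id="profile-page">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title ); ?></h2>
+<h2><?php echo esc_html( $title ); ?></h2>
 
 <form id="your-profile" action="" method="post">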
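--- a/trunk/wp-admin/users.php
+++ b/trunk/wp-admin/users.php
@@ -240,7 +240,7 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title );
+<h2><?php echo esc_html( $title );
 if ( isset($_GET['usersearch']) && $_GET['usersearch'] )
-    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', wp_specialchars( $_GET['usersearch'] ) ); ?>
+    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( $_GET['usersearch'] ) ); ?>
 </h2>
 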
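Review bot: Line 244 escapes `$_GET['usersearch']` without stripslashes(), unlike the equivalent search-subtitle line in link-manager.php in this same changeset, which does `esc_html( stripslashes($_GET['s']) )`. If request data is slashed on this path (magic quotes or the core equivalent), a search term containing a quote will render with a stray backslash. `esc_html( stripslashes($_GET['usersearch']) )` keeps the two pages consistent; the escaping itself is correct either way.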
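--- a/trunk/wp-admin/widgets.php
+++ b/trunk/wp-admin/widgets.php
@@ -126,5 +126,5 @@
     <div class="wrap">
     <?php screen_icon(); ?>
-    <h2><?php echo wp_specialchars( $title ); ?></h2>
+    <h2><?php echo esc_html( $title ); ?></h2>
         <div class="error">
             <p><?php _e( 'No Sidebars Defined' ); ?></p>
@@ -259,7 +259,7 @@
         <div class="wrap">
         <?php screen_icon(); ?>
-        <h2><?php echo wp_specialchars( $title ); ?></h2>
+        <h2><?php echo esc_html( $title ); ?></h2>
         <div class="editwidget"<?php echo $width; ?>>
-        <h3><?php printf( __( 'Widget %s' ), wp_specialchars( strip_tags($control['name']) ) ); ?></h3>
+        <h3><?php printf( __( 'Widget %s' ), esc_html( strip_tags($control['name']) ) ); ?></h3>
 
         <form action="widgets.php" method="post">
@@ -335,5 +335,5 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-<h2><?php echo wp_specialchars( $title ); ?></h2>
+<h2><?php echo esc_html( $title ); ?></h2>
 
 <?php if ( isset($_GET['message']) && isset($messages[$_GET['message']]) ) { ?>
@@ -379,5 +379,5 @@
     <div class="sidebar-name">
     <div class="sidebar-name-arrow"><br /></div>
-    <h3><?php echo wp_specialchars( $registered_sidebar['name'] ); ?>
+    <h3><?php echo esc_html( $registered_sidebar['name'] ); ?>
     <span><img src="images/wpspin_dark.gif" class="ajax-feedback" title="" alt="" /></span></h3></div>
     <?php wp_list_widget_controls( $sidebar ); // Show the control forms for each of the widgets in this sidebar ?>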
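--- a/trunk/wp-includes/classes.php
+++ b/trunk/wp-includes/classes.php
@@ -1253,5 +1253,5 @@
             $output .= ' selected="selected"';
         $output .= '>';
-        $title = wp_specialchars($page->post_title);
+        $title = esc_html($page->post_title);
         $output .= "$pad$title";
         $output .= "</option>\n";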
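--- a/trunk/wp-includes/comment-template.php
+++ b/trunk/wp-includes/comment-template.php
@@ -1079,5 +1079,5 @@
 
     $style = isset($_GET['replytocom']) ? '' : ' style="display:none;"';
-    $link = wp_specialchars( remove_query_arg('replytocom') ) . '#respond';
+    $link = esc_html( remove_query_arg('replytocom') ) . '#respond';
     return apply_filters('cancel_comment_reply_link', '<a rel="nofollow" id="cancel-comment-reply-link" href="' . $link . '"' . $style . '>' . $text . '</a>', $link, $text);
 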
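Review bot: Line 1081 applies esc_html() to a value that line 1082 places inside an href attribute, so the escaper does not match the context. remove_query_arg() derives the URL from the current request, which is attacker-influenced; ENT_QUOTES now closes the quote-breakout path, but an HTML-text escaper neither validates the scheme nor normalises the characters a URL may carry. The URL helper this changeset already uses elsewhere is clean_url(): `$link = clean_url( remove_query_arg('replytocom') ) . '#respond';`. Note that `$link` is also passed to the `cancel_comment_reply_link` filter, so filter consumers would see the change; the function header is above this hunk.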
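--- a/trunk/wp-includes/default-filters.php
+++ b/trunk/wp-includes/default-filters.php
@@ -21,5 +21,5 @@
     add_filter($filter, 'trim');
     add_filter($filter, 'wp_filter_kses');
-    add_filter($filter, 'wp_specialchars', 30);
+    add_filter($filter, 'esc_html', 30);
 }
 
@@ -81,5 +81,5 @@
     add_filter($filter, 'wptexturize');
     add_filter($filter, 'convert_chars');
-    add_filter($filter, 'wp_specialchars');
+    add_filter($filter, 'esc_html');
 }
 
@@ -132,5 +132,5 @@
 add_filter('the_title_rss', 'strip_tags');
 add_filter('the_title_rss', 'ent2ncr', 8);
-add_filter('the_title_rss', 'wp_specialchars');
+add_filter('the_title_rss', 'esc_html');
 add_filter('the_content_rss', 'ent2ncr', 8);
 add_filter('the_excerpt_rss', 'convert_chars');
@@ -138,5 +138,5 @@
 add_filter('comment_author_rss', 'ent2ncr', 8);
 add_filter('comment_text_rss', 'ent2ncr', 8);
-add_filter('comment_text_rss', 'wp_specialchars');
+add_filter('comment_text_rss', 'esc_html');
 add_filter('bloginfo_rss', 'ent2ncr', 8);
 add_filter('the_author', 'ent2ncr', 8);
@@ -144,5 +144,5 @@
 // Misc filters
 add_filter('option_ping_sites', 'privacy_ping_filter');
-add_filter('option_blog_charset', 'wp_specialchars');
+add_filter('option_blog_charset', '_wp_specialchars'); // IMPORTANT: This must not be wp_specialchars() or esc_html() or it'll cause an infinite loop
 add_filter('option_home', '_config_wp_home');
 add_filter('option_siteurl', '_config_wp_siteurl');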
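Review bot: The loops on lines 21-23 and 81-83 hook esc_html() onto what look like pre-save filters (the `$filter` lists sit above each hunk, outside the view), so with the new ENT_QUOTES behaviour the stored values will now contain `&quot;`/`&#039;` where they previously kept literal quotes. That is the intended hardening, but any code that reads those fields back to compare, search or re-escape them should be checked; re-escaping only stays harmless because `_wp_specialchars()` defaults to `$double_encode = false`. The comment on line 146 says what not to hook but not why: presumably esc_html() recurses through wp_check_invalid_utf8() reading blog_charset via get_option(), so `_wp_specialchars()` must itself resolve the charset without get_option() — worth stating, e.g. `// _wp_specialchars() must not read blog_charset via get_option() or this filter recurses`.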
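--- a/trunk/wp-includes/default-widgets.php
+++ b/trunk/wp-includes/default-widgets.php
@@ -821,5 +821,5 @@
         $desc = str_replace(array("\n", "\r"), ' ', esc_attr(strip_tags(@html_entity_decode($item->get_description(), ENT_QUOTES, get_option('blog_charset')))));
         $desc = wp_html_excerpt( $desc, 360 ) . ' [&hellip;]';
-        $desc = wp_specialchars( $desc );
+        $desc = esc_html( $desc );
 
         if ( $show_summary ) {
@@ -845,5 +845,5 @@
             $author = $item->get_author();
             $author = $author->get_name();
-            $author = ' <cite>' . wp_specialchars( strip_tags( $author ) ) . '</cite>';
+            $author = ' <cite>' . esc_html( strip_tags( $author ) ) . '</cite>';
         }
 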
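Review bot: Lines 821-823 escape the feed description twice: esc_attr() on line 821 yields an entity-encoded string, wp_html_excerpt() then truncates that encoded string at 360 characters, and esc_html() on line 823 encodes it again. Truncating after encoding can cut an entity in half (e.g. leaving `&am`), and the second pass is only a no-op because `_wp_specialchars()` defaults to `$double_encode = false`. Excerpting the decoded text and escaping once is cleaner: drop the esc_attr() wrapper on line 821 and keep the esc_html() here; the ` [&hellip;]` literal appended in between survives only while double_encode stays off, so confirm that is intended or append it after escaping. The enclosing loop starts before this hunk.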
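--- a/trunk/wp-includes/feed.php
+++ b/trunk/wp-includes/feed.php
@@ -166,5 +166,5 @@
         $encode_html = 2;
     if ( 1== $encode_html ) {
-        $content = wp_specialchars($content);
+        $content = esc_html($content);
         $cut = 0;
     } elseif ( 0 == $encode_html ) {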
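--- a/trunk/wp-includes/formatting.php
+++ b/trunk/wp-includes/formatting.php
@@ -214,5 +214,5 @@
  * @return string The encoded text with HTML entities.
  */
-function wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false ) {
+function _wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false ) {
     $string = (string) $string;
 
@@ -287,5 +287,5 @@
  *
  * @param string $string The text which is to be decoded.
- * @param mixed $quote_style Optional. Converts double quotes if set to ENT_COMPAT, both single and double if set to ENT_QUOTES or none if set to ENT_NOQUOTES. Also compatible with old wp_specialchars() values; converting single quotes if set to 'single', double if set to 'double' or both if otherwise set. Default is ENT_NOQUOTES.
+ * @param mixed $quote_style Optional. Converts double quotes if set to ENT_COMPAT, both single and double if set to ENT_QUOTES or none if set to ENT_NOQUOTES. Also compatible with old _wp_specialchars() values; converting single quotes if set to 'single', double if set to 'double' or both if otherwise set. Default is ENT_NOQUOTES.
  * @return string The decoded text without HTML entities.
  */
@@ -302,5 +302,5 @@
     }
 
-    // Match the previous behaviour of wp_specialchars() when the $quote_style is not an accepted value
+    // Match the previous behaviour of _wp_specialchars() when the $quote_style is not an accepted value
     if ( empty( $quote_style ) ) {
         $quote_style = ENT_NOQUOTES;
@@ -2075,5 +2075,5 @@
 function esc_js( $text ) {
     $safe_text = wp_check_invalid_utf8( $text );
-    $safe_text = wp_specialchars( $safe_text, ENT_COMPAT );
+    $safe_text = _wp_specialchars( $safe_text, ENT_COMPAT );
     $safe_text = preg_replace( '/&#(x)?0*(?(1)27|39);?/i', "'", stripslashes( $safe_text ) );
     $safe_text = preg_replace( "/\r?\n/", "\\n", addslashes( $safe_text ) );
@@ -2099,5 +2099,5 @@
 
 /**
- * Escaping for HTML attributes.
+ * Escaping for HTML blocks.
  *
  * @since 2.8.0
@@ -2106,7 +2106,36 @@
  * @return string
  */
+function esc_html( $text ) {
+    $safe_text = wp_check_invalid_utf8( $text );
+    $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES );
+    return apply_filters( 'esc_html', $safe_text, $text );
+    return $text;
+}
+
+/**
+ * Escaping for HTML blocks
+ * @deprecated 2.8.0
+ * @see esc_html()
+ */
+function wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false ) {
+    if ( func_num_args() > 1 ) { // Maintain backwards compat for people passing additional args
+        $args = func_get_args();
+        return call_user_func_array( '_wp_specialchars', $args );
+    } else {
+        return esc_html( $string );
+    }
+}
+
+/**
+ * Escaping for HTML attributes.
+ *
+ * @since 2.8.0
+ *
+ * @param string $text
+ * @return string
+ */
 function esc_attr( $text ) {
     $safe_text = wp_check_invalid_utf8( $text );
-    $safe_text = wp_specialchars( $safe_text, ENT_QUOTES );
+    $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES );
     return apply_filters( 'attribute_escape', $safe_text, $text );
 }
@@ -2225,5 +2254,5 @@
             $value = wp_filter_post_kses( $value ); // calls stripslashes then addslashes
             $value = stripslashes($value);
-            $value = wp_specialchars( $value );
+            $value = esc_html( $value );
             break;
 
@@ -2299,13 +2328,13 @@
  * Callback function used by preg_replace.
  *
- * @uses wp_specialchars to format the $matches text.
+ * @uses esc_html to format the $matches text.
  * @since 2.3.0
  *
  * @param array $matches Populated by matches to preg_replace.
- * @return string The text returned after wp_specialchars if needed.
+ * @return string The text returned after esc_html if needed.
  */
 function wp_pre_kses_less_than_callback( $matches ) {
     if ( false === strpos($matches[0], '>') )
-        return wp_specialchars($matches[0]);
+        return esc_html($matches[0]);
     return $matches[0];
 }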
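Review bot: In the new wp_specialchars() compatibility wrapper (new lines 2120-2127), any caller that passes a second argument is routed straight to _wp_specialchars() and so skips the wp_check_invalid_utf8() step that esc_html() and esc_attr() both perform first; legacy call sites of the form `wp_specialchars( $x, true )` keep their old quote handling but get no invalid-UTF-8 rejection, making them weaker than the new API rather than equivalent to it. Inserting `$args[0] = wp_check_invalid_utf8( $args[0] );` before the call_user_func_array() closes that gap without changing quote semantics. Separately, esc_html() on new line 2112 has an unreachable `return $text;` after the `return apply_filters(...)` on 2111, which should be deleted so a reader does not assume the filter result is discarded. The filter name also differs in style from esc_attr()'s `attribute_escape`; a one-line comment noting that `esc_html` is the hook name would save plugin authors a lookup.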
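--- a/trunk/wp-includes/functions.php
+++ b/trunk/wp-includes/functions.php
@@ -380,5 +380,5 @@
     $protected = array( 'alloptions', 'notoptions' );
     if ( in_array( $option, $protected ) )
-        die( sprintf( __( '%s is a protected WP option and may not be modified' ), wp_specialchars( $option ) ) );
+        die( sprintf( __( '%s is a protected WP option and may not be modified' ), esc_html( $option ) ) );
 }
 
@@ -1594,5 +1594,5 @@
     $hook = 'do_feed_' . $feed;
     if ( !has_action($hook) ) {
-        $message = sprintf( __( 'ERROR: %s is not a valid feed template' ), wp_specialchars($feed));
+        $message = sprintf( __( 'ERROR: %s is not a valid feed template' ), esc_html($feed));
         wp_die($message);
     }
@@ -1719,5 +1719,5 @@
 function wp_nonce_url( $actionurl, $action = -1 ) {
     $actionurl = str_replace( '&amp;', '&', $actionurl );
-    return wp_specialchars( add_query_arg( '_wpnonce', wp_create_nonce( $action ), $actionurl ) );
+    return esc_html( add_query_arg( '_wpnonce', wp_create_nonce( $action ), $actionurl ) );
 }
 
@@ -2309,5 +2309,5 @@
                         $object = call_user_func( $lookup, $object );
                 }
-                return sprintf( $trans[$verb][$noun][0], wp_specialchars($object) );
+                return sprintf( $trans[$verb][$noun][0], esc_html($object) );
             } else {
                 return $trans[$verb][$noun][0];
@@ -2335,5 +2335,5 @@
 function wp_nonce_ays( $action ) {
     $title = __( 'WordPress Failure Notice' );
-    $html = wp_specialchars( wp_explain_nonce( $action ) );
+    $html = esc_html( wp_explain_nonce( $action ) );
     if ( wp_get_referer() )
         $html .= "</p><p><a href='" . clean_url( remove_query_arg( 'updated', wp_get_referer() ) ) . "'>" . __( 'Please try again.' ) . "</a>";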
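Review bot: `$object` is escaped inside wp_explain_nonce() on line 2311 and the whole explanation is escaped again by wp_nonce_ays() on line 2337, so the text goes through esc_html() twice; this renders correctly only because `_wp_specialchars()` defaults to `$double_encode = false`. Either escape in one place or record the dependency at the second call, e.g. `// wp_explain_nonce() already escapes $object; safe only while double_encode stays off`. On line 1721 wp_nonce_url() returns an HTML-escaped URL intended for href attributes; that works for `&`, but it is an HTML-text escaper applied to a URL, so a comment stating the intended output context would help callers choose between this and clean_url(). wp_explain_nonce() begins and ends outside this hunk.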
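--- a/trunk/wp-includes/general-template.php
+++ b/trunk/wp-includes/general-template.php
@@ -1470,5 +1470,5 @@
 
         if ( comments_open() || pings_open() || $post->comment_count > 0 ) {
-            $title = esc_attr(sprintf( $args['singletitle'], get_bloginfo('name'), $args['separator'], wp_specialchars( get_the_title() ) ));
+            $title = esc_attr(sprintf( $args['singletitle'], get_bloginfo('name'), $args['separator'], esc_html( get_the_title() ) ));
             $href = get_post_comments_feed_link( $post->ID );
         }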
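Review bot: Line 1472 wraps the already esc_html()'d title in esc_attr(), escaping it twice for a single attribute context; the result is correct only because `_wp_specialchars()` is called with its `$double_encode = false` default, and now that both functions use ENT_QUOTES the inner call adds nothing. The outer esc_attr() is the right one for `$title`, so the inner call can go: `$title = esc_attr(sprintf( $args['singletitle'], get_bloginfo('name'), $args['separator'], get_the_title() ));`. The enclosing function begins before this hunk.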
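--- a/trunk/wp-includes/l10n.php
+++ b/trunk/wp-includes/l10n.php
@@ -121,4 +121,20 @@
 
 /**
+ * Retrieves the translation of $text and escapes it for safe use in HTML output.
+ * If there is no translation, or the domain isn't loaded the original text is returned.
+ *
+ * @see translate() An alias of translate()
+ * @see esc_html()
+ * @since 2.8.0
+ *
+ * @param string $text Text to translate
+ * @param string $domain Optional. Domain to retrieve the translated text
+ * @return string Translated text
+ */
+function esc_html__( $text, $domain = 'default' ) {
+    return esc_html( translate( $text, $domain ) );
+}
+
+/**
  * Displays the returned translated text from translate().
  *
@@ -145,4 +161,18 @@
 function esc_attr_e( $text, $domain = 'default' ) {
     echo esc_attr( translate( $text, $domain ) );
+}
+
+/**
+ * Displays translated text that has been escaped for safe use in HTML output.
+ *
+ * @see translate() Echoes returned translate() string
+ * @see esc_html()
+ * @since 2.8.0
+ *
+ * @param string $text Text to translate
+ * @param string $domain Optional. Domain to retrieve the translated text
+ */
+function esc_html_e( $text, $domain = 'default' ) {
+    echo esc_html( translate( $text, $domain ) );
 }
 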
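Review bot: The new esc_html__() docblock says `@see translate() An alias of translate()`, which is misleading for a function whose whole point is the extra escaping step; a reader skimming @see could take it as interchangeable with __(). Suggest `@see translate()` alone plus a sentence such as `Use where the translated string is emitted as HTML text; use esc_attr__() for attribute values.`, and the same trim for esc_html_e()'s `Echoes returned translate() string`. Both descriptions would also benefit from noting that escaping happens after translation, so a translation that legitimately contains markup is shown literally.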
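--- a/trunk/wp-includes/user.php
+++ b/trunk/wp-includes/user.php
@@ -541,5 +541,5 @@
             $_selected = $user->ID == $selected ? " selected='selected'" : '';
             $display = !empty($user->$show) ? $user->$show : '('. $user->user_login . ')';
-            $output .= "\t<option value='$user->ID'$_selected>" . wp_specialchars($display) . "</option>\n";
+            $output .= "\t<option value='$user->ID'$_selected>" . esc_html($display) . "</option>\n";
         }
 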
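--- a/trunk/wp-includes/widgets.php
+++ b/trunk/wp-includes/widgets.php
@@ -602,5 +602,5 @@
 
     if ( isset($wp_registered_widgets[$id]['description']) )
-        return wp_specialchars( $wp_registered_widgets[$id]['description'] );
+        return esc_html( $wp_registered_widgets[$id]['description'] );
 }
 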
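--- a/trunk/wp-mail.php
+++ b/trunk/wp-mail.php
@@ -24,5 +24,5 @@
     ( ! $count = $pop3->pass(get_option('mailserver_pass')) ) ) {
         $pop3->quit();
-        wp_die( ( 0 === $count ) ? __('There doesn&#8217;t seem to be any new mail.') : wp_specialchars($pop3->ERROR) );
+        wp_die( ( 0 === $count ) ? __('There doesn&#8217;t seem to be any new mail.') : esc_html($pop3->ERROR) );
 }
 
@@ -196,9 +196,9 @@
     do_action('publish_phone', $post_ID);
 
-    echo "\n<p>" . sprintf(__('<strong>Author:</strong> %s'), wp_specialchars($post_author)) . '</p>';
-    echo "\n<p>" . sprintf(__('<strong>Posted title:</strong> %s'), wp_specialchars($post_title)) . '</p>';
+    echo "\n<p>" . sprintf(__('<strong>Author:</strong> %s'), esc_html($post_author)) . '</p>';
+    echo "\n<p>" . sprintf(__('<strong>Posted title:</strong> %s'), esc_html($post_title)) . '</p>';
 
     if(!$pop3->delete($i)) {
-        echo '<p>' . sprintf(__('Oops: %s'), wp_specialchars($pop3->ERROR)) . '</p>';
+        echo '<p>' . sprintf(__('Oops: %s'), esc_html($pop3->ERROR)) . '</p>';
         $pop3->reset();
         exit;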
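--- a/trunk/xmlrpc.php
+++ b/trunk/xmlrpc.php
@@ -884,6 +884,6 @@
                 $struct['count']            = $tag->count;
                 $struct['slug']             = $tag->slug;
-                $struct['html_url']         = wp_specialchars( get_tag_link( $tag->term_id ) );
-                $struct['rss_url']          = wp_specialchars( get_tag_feed_link( $tag->term_id ) );
+                $struct['html_url']         = esc_html( get_tag_link( $tag->term_id ) );
+                $struct['rss_url']          = esc_html( get_tag_feed_link( $tag->term_id ) );
 
                 $tags[] = $struct;
@@ -2791,6 +2791,6 @@
                 $struct['categoryDescription'] = $cat->description;
                 $struct['categoryName'] = $cat->name;
-                $struct['htmlUrl'] = wp_specialchars(get_category_link($cat->term_id));
-                $struct['rssUrl'] = wp_specialchars(get_category_feed_link($cat->term_id, 'rss2'));
+                $struct['htmlUrl'] = esc_html(get_category_link($cat->term_id));
+                $struct['rssUrl'] = esc_html(get_category_feed_link($cat->term_id, 'rss2'));
 
                 $categories_struct[] = $struct;
@@ -3328,5 +3328,5 @@
         $pagelinkedfrom = str_replace('&', '&amp;', $pagelinkedfrom);
 
-        $context = '[...] ' . wp_specialchars( $excerpt ) . ' [...]';
+        $context = '[...] ' . esc_html( $excerpt ) . ' [...]';
         $pagelinkedfrom = $wpdb->escape( $pagelinkedfrom );
 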
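Review bot: Lines 886-887 and 2793-2794 apply esc_html() to URLs that are returned inside an XML-RPC struct rather than rendered as HTML; the transport presumably performs its own XML encoding, so a client receives `&amp;` where the link has `&` (the pre-existing wp_specialchars behaviour, now extended to quotes). The neighbouring `categoryName` and `categoryDescription` fields in the same struct are sent raw, which makes the context mismatch visible. If the extra encoding is kept for compatibility with existing clients, say so where the escaping happens, e.g. `// HTML-escaped for legacy client compatibility; XML encoding is applied separately by the transport`; otherwise returning the links unescaped is the consistent choice. The enclosing methods begin before each hunk.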