Make WordPress Core

Changeset 11380


Ignore:
Timestamp:
05/18/2009 03:11:07 PM (15 years ago)
Author:
markjaquith
Message:

deprecate wp_specialchars() in favor of esc_html(). Encode quotes for esc_html() as in esc_attr(), to improve plugin security.

Location:
trunk
Files:
68 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-admin/admin-ajax.php

    r11343 r11380  
    423423        }
    424424        $cat_id = $cat_id['term_id'];
    425         $cat_name = wp_specialchars(stripslashes($cat_name));
     425        $cat_name = esc_html(stripslashes($cat_name));
    426426        $x->add( array(
    427427            'what' => 'link-category',
     
    899899            $data = new WP_Error( 'locked', sprintf(
    900900                $_POST['post_type'] == 'page' ? __( 'Autosave disabled: %s is currently editing this page.' ) : __( 'Autosave disabled: %s is currently editing this post.' ),
    901                 wp_specialchars( $last_user_name )
     901                esc_html( $last_user_name )
    902902            ) );
    903903
     
    10581058        $last_user = get_userdata( $last );
    10591059        $last_user_name = $last_user ? $last_user->display_name : __( 'Someone' );
    1060         printf( $_POST['post_type'] == 'page' ? __( 'Saving is disabled: %s is currently editing this page.' ) : __( 'Saving is disabled: %s is currently editing this post.' ),    wp_specialchars( $last_user_name ) );
     1060        printf( $_POST['post_type'] == 'page' ? __( 'Saving is disabled: %s is currently editing this page.' ) : __( 'Saving is disabled: %s is currently editing this post.' ),    esc_html( $last_user_name ) );
    10611061        exit;
    10621062    }
     
    12181218
    12191219        $html .= '<tr class="found-posts"><td class="found-radio"><input type="radio" id="found-'.$post->ID.'" name="found_post_id" value="' . esc_attr($post->ID) . '"></td>';
    1220         $html .= '<td><label for="found-'.$post->ID.'">'.wp_specialchars($post->post_title, true).'</label></td><td>'.wp_specialchars($time, true).'</td><td>'.wp_specialchars($stat, true).'</td></tr>'."\n\n";
     1220        $html .= '<td><label for="found-'.$post->ID.'">'.esc_html( $post->post_title ).'</label></td><td>'.esc_html( $time ).'</td><td>'.esc_html( $stat ).'</td></tr>'."\n\n";
    12211221    }
    12221222    $html .= '</tbody></table>';
  • trunk/wp-admin/admin-header.php

    r11280 r11380  
    1111
    1212get_admin_page_title();
    13 $title = wp_specialchars( strip_tags( $title ) );
     13$title = esc_html( strip_tags( $title ) );
    1414wp_user_settings();
    1515wp_menu_unfold();
  • trunk/wp-admin/async-upload.php

    r11013 r11380  
    4343$id = media_handle_upload('async-upload', $_REQUEST['post_id']);
    4444if (is_wp_error($id)) {
    45     echo '<div id="media-upload-error">'.wp_specialchars($id->get_error_message()).'</div>';
     45    echo '<div id="media-upload-error">'.esc_html($id->get_error_message()).'</div>';
    4646    exit;
    4747}
  • trunk/wp-admin/categories.php

    r11312 r11380  
    130130<div class="wrap nosubsub">
    131131<?php screen_icon(); ?>
    132 <h2><?php echo wp_specialchars( $title );
     132<h2><?php echo esc_html( $title );
    133133if ( isset($_GET['s']) && $_GET['s'] )
    134     printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', wp_specialchars( stripslashes($_GET['s']) ) ); ?>
     134    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( stripslashes($_GET['s']) ) ); ?>
    135135</h2>
    136136
  • trunk/wp-admin/edit-attachment-rows.php

    r11323 r11380  
    2525    <tbody id="the-list" class="list:post">
    2626<?php
    27 add_filter('the_title','wp_specialchars');
     27add_filter('the_title','esc_html');
    2828$alt = '';
    2929$posts_columns = get_column_headers('upload');
     
    111111            $out = array();
    112112            foreach ( $tags as $c )
    113                 $out[] = "<a href='edit.php?tag=$c->slug'> " . wp_specialchars(sanitize_term_field('name', $c->name, $c->term_id, 'post_tag', 'display')) . "</a>";
     113                $out[] = "<a href='edit.php?tag=$c->slug'> " . esc_html(sanitize_term_field('name', $c->name, $c->term_id, 'post_tag', 'display')) . "</a>";
    114114            echo join( ', ', $out );
    115115        } else {
  • trunk/wp-admin/edit-category-form.php

    r11204 r11380  
    6767        <tr class="form-field">
    6868            <th scope="row" valign="top"><label for="category_description"><?php _e('Description') ?></label></th>
    69             <td><textarea name="category_description" id="category_description" rows="5" cols="50" style="width: 97%;"><?php echo wp_specialchars($category->description); ?></textarea><br />
     69            <td><textarea name="category_description" id="category_description" rows="5" cols="50" style="width: 97%;"><?php echo esc_html($category->description); ?></textarea><br />
    7070            <?php _e('The description is not prominent by default, however some themes may show it.'); ?></td>
    7171        </tr>
  • trunk/wp-admin/edit-comments.php

    r11312 r11380  
    9797<div class="wrap">
    9898<?php screen_icon(); ?>
    99 <h2><?php echo wp_specialchars( $title );
     99<h2><?php echo esc_html( $title );
    100100if ( isset($_GET['s']) && $_GET['s'] )
    101     printf( '<span class="subtitle">' . sprintf( __( 'Search results for &#8220;%s&#8221;' ), wp_html_excerpt( wp_specialchars( stripslashes( $_GET['s'] ) ), 50 ) ) . '</span>' ); ?>
     101    printf( '<span class="subtitle">' . sprintf( __( 'Search results for &#8220;%s&#8221;' ), wp_html_excerpt( esc_html( stripslashes( $_GET['s'] ) ), 50 ) ) . '</span>' ); ?>
    102102</h2>
    103103
  • trunk/wp-admin/edit-form-advanced.php

    r11323 r11380  
    167167}
    168168
    169 ?><?php echo wp_specialchars( $visibility_trans ); ?></span> <?php if ( $can_publish ) { ?> <a href="#visibility" class="edit-visibility hide-if-no-js"><?php _e('Edit'); ?></a>
     169?><?php echo esc_html( $visibility_trans ); ?></span> <?php if ( $can_publish ) { ?> <a href="#visibility" class="edit-visibility hide-if-no-js"><?php _e('Edit'); ?></a>
    170170
    171171<div id="post-visibility-select" class="hide-if-js">
     
    391391        $already_pinged = explode("\n", trim($post->pinged));
    392392        foreach ($already_pinged as $pinged_url) {
    393             $pings .= "\n\t<li>" . wp_specialchars($pinged_url) . "</li>";
     393            $pings .= "\n\t<li>" . esc_html($pinged_url) . "</li>";
    394394        }
    395395        $pings .= '</ul>';
     
    550550<div class="wrap">
    551551<?php screen_icon(); ?>
    552 <h2><?php echo wp_specialchars( $title ); ?></h2>
     552<h2><?php echo esc_html( $title ); ?></h2>
    553553<?php if ( $notice ) : ?>
    554554<div id="notice" class="error"><p><?php echo $notice ?></p></div>
     
    623623        if ( $last_id = get_post_meta($post_ID, '_edit_last', true) ) {
    624624            $last_user = get_userdata($last_id);
    625             printf(__('Last edited by %1$s on %2$s at %3$s'), wp_specialchars( $last_user->display_name ), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified));
     625            printf(__('Last edited by %1$s on %2$s at %3$s'), esc_html( $last_user->display_name ), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified));
    626626        } else {
    627627            printf(__('Last edited on %1$s at %2$s'), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified));
  • trunk/wp-admin/edit-link-categories.php

    r11312 r11380  
    6262<div class="wrap nosubsub">
    6363<?php screen_icon(); ?>
    64 <h2><?php echo wp_specialchars( $title );
     64<h2><?php echo esc_html( $title );
    6565if ( isset($_GET['s']) && $_GET['s'] )
    66     printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', wp_specialchars( stripslashes($_GET['s']) ) ); ?>
     66    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( stripslashes($_GET['s']) ) ); ?>
    6767</h2>
    6868
  • trunk/wp-admin/edit-link-form.php

    r11312 r11380  
    343343<div class="wrap">
    344344<?php screen_icon(); ?>
    345 <h2><?php echo wp_specialchars( $title ); ?></h2>
     345<h2><?php echo esc_html( $title ); ?></h2>
    346346
    347347<?php if ( isset( $_GET['added'] ) ) : ?>
  • trunk/wp-admin/edit-page-form.php

    r11323 r11380  
    159159}
    160160
    161 echo wp_specialchars( $visibility_trans ); ?></span>
     161echo esc_html( $visibility_trans ); ?></span>
    162162<?php if ( $can_publish ) { ?>
    163163<a href="#visibility" class="edit-visibility hide-if-no-js"><?php _e('Edit'); ?></a>
     
    398398<div class="wrap">
    399399<?php screen_icon(); ?>
    400 <h2><?php echo wp_specialchars( $title ); ?></h2>
     400<h2><?php echo esc_html( $title ); ?></h2>
    401401
    402402<form name="post" action="page.php" method="post" id="post">
     
    461461        if ( $last_id = get_post_meta($post_ID, '_edit_last', true) ) {
    462462            $last_user = get_userdata($last_id);
    463             printf(__('Last edited by %1$s on %2$s at %3$s'), wp_specialchars( $last_user->display_name ), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified));
     463            printf(__('Last edited by %1$s on %2$s at %3$s'), esc_html( $last_user->display_name ), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified));
    464464        } else {
    465465            printf(__('Last edited on %1$s at %2$s'), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified));
  • trunk/wp-admin/edit-pages.php

    r11318 r11380  
    105105<div class="wrap">
    106106<?php screen_icon(); ?>
    107 <h2><?php echo wp_specialchars( $title );
     107<h2><?php echo esc_html( $title );
    108108if ( isset($_GET['s']) && $_GET['s'] )
    109     printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', wp_specialchars( get_search_query() ) ); ?>
     109    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( get_search_query() ) ); ?>
    110110</h2>
    111111
  • trunk/wp-admin/edit-tag-form.php

    r11204 r11380  
    3737        <tr class="form-field">
    3838            <th scope="row" valign="top"><label for="description"><?php _e('Description') ?></label></th>
    39             <td><textarea name="description" id="description" rows="5" cols="50" style="width: 97%;"><?php echo wp_specialchars($tag->description); ?></textarea><br />
     39            <td><textarea name="description" id="description" rows="5" cols="50" style="width: 97%;"><?php echo esc_html($tag->description); ?></textarea><br />
    4040            <?php _e('The description is not prominent by default, however some themes may show it.'); ?></td>
    4141        </tr>
  • trunk/wp-admin/edit-tags.php

    r11312 r11380  
    147147<div class="wrap nosubsub">
    148148<?php screen_icon(); ?>
    149 <h2><?php echo wp_specialchars( $title );
     149<h2><?php echo esc_html( $title );
    150150if ( isset($_GET['s']) && $_GET['s'] )
    151     printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', wp_specialchars( stripslashes($_GET['s']) ) ); ?>
     151    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( stripslashes($_GET['s']) ) ); ?>
    152152</h2>
    153153
  • trunk/wp-admin/edit.php

    r11312 r11380  
    9797<div class="wrap">
    9898<?php screen_icon(); ?>
    99 <h2><?php echo wp_specialchars( $title );
     99<h2><?php echo esc_html( $title );
    100100if ( isset($_GET['s']) && $_GET['s'] )
    101     printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', wp_specialchars( get_search_query() ) ); ?>
     101    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( get_search_query() ) ); ?>
    102102</h2>
    103103
  • trunk/wp-admin/export.php

    r11204 r11380  
    2525<div class="wrap">
    2626<?php screen_icon(); ?>
    27 <h2><?php echo wp_specialchars( $title ); ?></h2>
     27<h2><?php echo esc_html( $title ); ?></h2>
    2828
    2929<p><?php _e('When you click the button below WordPress will create an XML file for you to save to your computer.'); ?></p>
  • trunk/wp-admin/import.php

    r10150 r11380  
    1616<div class="wrap">
    1717<?php screen_icon(); ?>
    18 <h2><?php echo wp_specialchars( $title ); ?></h2>
     18<h2><?php echo esc_html( $title ); ?></h2>
    1919<p><?php _e('If you have posts or comments in another system, WordPress can import those into this blog. To get started, choose a system to import from below:'); ?></p>
    2020
  • trunk/wp-admin/import/opml.php

    r11204 r11380  
    5959foreach ($categories as $category) {
    6060?>
    61 <option value="<?php echo $category->term_id; ?>"><?php echo wp_specialchars(apply_filters('link_category', $category->name)); ?></option>
     61<option value="<?php echo $category->term_id; ?>"><?php echo esc_html(apply_filters('link_category', $category->name)); ?></option>
    6262<?php
    6363} // end foreach
  • trunk/wp-admin/includes/bookmark.php

    r11204 r11380  
    3030        wp_die( __( 'Cheatin&#8217; uh?' ));
    3131
    32     $_POST['link_url'] = wp_specialchars( $_POST['link_url'] );
     32    $_POST['link_url'] = esc_html( $_POST['link_url'] );
    3333    $_POST['link_url'] = clean_url($_POST['link_url']);
    34     $_POST['link_name'] = wp_specialchars( $_POST['link_name'] );
    35     $_POST['link_image'] = wp_specialchars( $_POST['link_image'] );
     34    $_POST['link_name'] = esc_html( $_POST['link_name'] );
     35    $_POST['link_image'] = esc_html( $_POST['link_image'] );
    3636    $_POST['link_rss'] = clean_url($_POST['link_rss']);
    3737    if ( !isset($_POST['link_visible']) || 'N' != $_POST['link_visible'] )
  • trunk/wp-admin/includes/dashboard.php

    r11375 r11380  
    582582                    $type = ucwords( $comment->comment_type );
    583583                endswitch;
    584                 $type = wp_specialchars( $type );
     584                $type = esc_html( $type );
    585585            ?>
    586586            <div class="dashboard-comment-wrap">
     
    647647        $site_link = clean_url( strip_tags( $author->get_link() ) );
    648648
    649         if ( !$publisher = wp_specialchars( strip_tags( $author->get_name() ) ) )
     649        if ( !$publisher = esc_html( strip_tags( $author->get_name() ) ) )
    650650            $publisher = __( 'Somebody' );
    651651        if ( $site_link )
     
    668668                /* translators: incoming links feed, %4$s is the date */
    669669                $text .= ' ' . __( 'on %4$s' );
    670             $date = wp_specialchars( strip_tags( $item->get_date() ) );
     670            $date = esc_html( strip_tags( $item->get_date() ) );
    671671            $date = strtotime( $date );
    672672            $date = gmdate( get_option( 'date_format' ), $date );
     
    814814        else // but let's make it forward compatible if things change
    815815            $title = $item->get_title();
    816         $title = wp_specialchars( $title );
    817 
    818         $description = wp_specialchars( strip_tags(@html_entity_decode($item->get_description(), ENT_QUOTES, get_option('blog_charset'))) );
     816        $title = esc_html( $title );
     817
     818        $description = esc_html( strip_tags(@html_entity_decode($item->get_description(), ENT_QUOTES, get_option('blog_charset'))) );
    819819
    820820        $ilink = wp_nonce_url('plugin-install.php?tab=plugin-information&plugin=' . $slug, 'install-plugin_' . $slug) .
  • trunk/wp-admin/includes/export.php

    r10045 r11380  
    100100        $str = utf8_encode($str);
    101101
    102     // $str = ent2ncr(wp_specialchars($str));
     102    // $str = ent2ncr(esc_html($str));
    103103
    104104    $str = "<![CDATA[$str" . ( ( substr($str, -1) == ']' ) ? ' ' : '') . "]]>";
  • trunk/wp-admin/includes/media.php

    r11372 r11380  
    11991199            $item .= $field[$field['input']];
    12001200        elseif ( $field['input'] == 'textarea' ) {
    1201             $item .= "<textarea type='text' id='$name' name='$name'" . $aria_required . ">" . wp_specialchars( $field['value'] ) . "</textarea>";
     1201            $item .= "<textarea type='text' id='$name' name='$name'" . $aria_required . ">" . esc_html( $field['value'] ) . "</textarea>";
    12021202        } else {
    12031203            $item .= "<input type='text' id='$name' name='$name' value='" . esc_attr( $field['value'] ) . "'" . $aria_required . "/>";
     
    14201420        echo get_media_items( $id, $errors );
    14211421    } else {
    1422         echo '<div id="media-upload-error">'.wp_specialchars($id->get_error_message()).'</div>';
     1422        echo '<div id="media-upload-error">'.esc_html($id->get_error_message()).'</div>';
    14231423        exit;
    14241424    }
     
    18031803
    18041804    echo "<option$default value='" . esc_attr( $arc_row->yyear . $arc_row->mmonth ) . "'>";
    1805     echo wp_specialchars( $wp_locale->get_month($arc_row->mmonth) . " $arc_row->yyear" );
     1805    echo esc_html( $wp_locale->get_month($arc_row->mmonth) . " $arc_row->yyear" );
    18061806    echo "</option>\n";
    18071807}
  • trunk/wp-admin/includes/post.php

    r11375 r11380  
    320320function get_default_post_to_edit() {
    321321    if ( !empty( $_REQUEST['post_title'] ) )
    322         $post_title = wp_specialchars( stripslashes( $_REQUEST['post_title'] ));
     322        $post_title = esc_html( stripslashes( $_REQUEST['post_title'] ));
    323323    else if ( !empty( $_REQUEST['popuptitle'] ) ) {
    324         $post_title = wp_specialchars( stripslashes( $_REQUEST['popuptitle'] ));
     324        $post_title = esc_html( stripslashes( $_REQUEST['popuptitle'] ));
    325325        $post_title = funky_javascript_fix( $post_title );
    326326    } else {
     
    330330    $post_content = '';
    331331    if ( !empty( $_REQUEST['content'] ) )
    332         $post_content = wp_specialchars( stripslashes( $_REQUEST['content'] ));
     332        $post_content = esc_html( stripslashes( $_REQUEST['content'] ));
    333333    else if ( !empty( $post_title ) ) {
    334         $text       = wp_specialchars( stripslashes( urldecode( $_REQUEST['text'] ) ) );
     334        $text       = esc_html( stripslashes( urldecode( $_REQUEST['text'] ) ) );
    335335        $text       = funky_javascript_fix( $text);
    336336        $popupurl   = clean_url($_REQUEST['popupurl']);
     
    339339
    340340    if ( !empty( $_REQUEST['excerpt'] ) )
    341         $post_excerpt = wp_specialchars( stripslashes( $_REQUEST['excerpt'] ));
     341        $post_excerpt = esc_html( stripslashes( $_REQUEST['excerpt'] ));
    342342    else
    343343        $post_excerpt = '';
  • trunk/wp-admin/includes/template.php

    r11366 r11380  
    470470
    471471        $class = in_array( $category->term_id, $popular_cats ) ? ' class="popular-category"' : '';
    472         $output .= "\n<li id='category-$category->term_id'$class>" . '<label class="selectit"><input value="' . $category->term_id . '" type="checkbox" name="post_category[]" id="in-category-' . $category->term_id . '"' . (in_array( $category->term_id, $selected_cats ) ? ' checked="checked"' : "" ) . '/> ' . wp_specialchars( apply_filters('the_category', $category->name )) . '</label>';
     472        $output .= "\n<li id='category-$category->term_id'$class>" . '<label class="selectit"><input value="' . $category->term_id . '" type="checkbox" name="post_category[]" id="in-category-' . $category->term_id . '"' . (in_array( $category->term_id, $selected_cats ) ? ' checked="checked"' : "" ) . '/> ' . esc_html( apply_filters('the_category', $category->name )) . '</label>';
    473473    }
    474474
     
    563563            <label class="selectit">
    564564            <input id="in-<?php echo $id; ?>" type="checkbox" value="<?php echo (int) $category->term_id; ?>" />
    565                 <?php echo wp_specialchars( apply_filters( 'the_category', $category->name ) ); ?>
     565                <?php echo esc_html( apply_filters( 'the_category', $category->name ) ); ?>
    566566            </label>
    567567        </li>
     
    615615    foreach ( $categories as $category ) {
    616616        $cat_id = $category->term_id;
    617         $name = wp_specialchars( apply_filters('the_category', $category->name));
     617        $name = esc_html( apply_filters('the_category', $category->name));
    618618        $checked = in_array( $cat_id, $checked_categories );
    619619        echo '<li id="link-category-', $cat_id, '"><label for="in-link-category-', $cat_id, '" class="selectit"><input value="', $cat_id, '" type="checkbox" name="link_category[]" id="in-link-category-', $cat_id, '"', ($checked ? ' checked="checked"' : "" ), '/> ', $name, "</label></li>";
     
    13051305    <div class="mn">' . mysql2date( 'i', $post->post_date, false ) . '</div>
    13061306    <div class="ss">' . mysql2date( 's', $post->post_date, false ) . '</div>
    1307     <div class="post_password">' . wp_specialchars($post->post_password, 1) . '</div>';
     1307    <div class="post_password">' . esc_html( $post->post_password ) . '</div>';
    13081308
    13091309    if( $post->post_type == 'page' )
    13101310        echo '
    13111311    <div class="post_parent">' . $post->post_parent . '</div>
    1312     <div class="page_template">' . wp_specialchars(get_post_meta( $post->ID, '_wp_page_template', true ), 1) . '</div>
     1312    <div class="page_template">' . esc_html( get_post_meta( $post->ID, '_wp_page_template', true ) ) . '</div>
    13131313    <div class="menu_order">' . $post->menu_order . '</div>';
    13141314
    13151315    if( $post->post_type == 'post' )
    13161316        echo '
    1317     <div class="tags_input">' . wp_specialchars( str_replace( ',', ', ', get_tags_to_edit($post->ID) ), 1) . '</div>
     1317    <div class="tags_input">' . esc_html( str_replace( ',', ', ', get_tags_to_edit($post->ID) ) ) . '</div>
    13181318    <div class="post_category">' . implode( ',', wp_get_post_categories( $post->ID ) ) . '</div>
    13191319    <div class="sticky">' . (is_sticky($post->ID) ? 'sticky' : '') . '</div>';
     
    13321332    global $wp_query, $post, $mode;
    13331333
    1334     add_filter('the_title','wp_specialchars');
     1334    add_filter('the_title','esc_html');
    13351335
    13361336    // Create array of post IDs.
     
    14791479                $out = array();
    14801480                foreach ( $categories as $c )
    1481                     $out[] = "<a href='edit.php?category_name=$c->slug'> " . wp_specialchars(sanitize_term_field('name', $c->name, $c->term_id, 'category', 'display')) . "</a>";
     1481                    $out[] = "<a href='edit.php?category_name=$c->slug'> " . esc_html(sanitize_term_field('name', $c->name, $c->term_id, 'category', 'display')) . "</a>";
    14821482                    echo join( ', ', $out );
    14831483            } else {
     
    14951495                $out = array();
    14961496                foreach ( $tags as $c )
    1497                     $out[] = "<a href='edit.php?tag=$c->slug'> " . wp_specialchars(sanitize_term_field('name', $c->name, $c->term_id, 'post_tag', 'display')) . "</a>";
     1497                    $out[] = "<a href='edit.php?tag=$c->slug'> " . esc_html(sanitize_term_field('name', $c->name, $c->term_id, 'post_tag', 'display')) . "</a>";
    14981498                echo join( ', ', $out );
    14991499            } else {
     
    15921592    }
    15931593
    1594     $page->post_title = wp_specialchars( $page->post_title );
     1594    $page->post_title = esc_html( $page->post_title );
    15951595    $pad = str_repeat( '&#8212; ', $level );
    15961596    $id = (int) $page->ID;
     
    16541654        $edit_link = get_edit_post_link( $page->ID );
    16551655        ?>
    1656         <td <?php echo $attributes ?>><strong><?php if ( current_user_can( 'edit_post', $page->ID ) ) { ?><a class="row-title" href="<?php echo $edit_link; ?>" title="<?php echo esc_attr(sprintf(__('Edit &#8220;%s&#8221;'), $title)); ?>"><?php echo $pad; echo $title ?></a><?php } else { echo $pad; echo $title; }; _post_states($page); echo isset($parent_name) ? ' | ' . __('Parent Page: ') . wp_specialchars($parent_name) : ''; ?></strong>
     1656        <td <?php echo $attributes ?>><strong><?php if ( current_user_can( 'edit_post', $page->ID ) ) { ?><a class="row-title" href="<?php echo $edit_link; ?>" title="<?php echo esc_attr(sprintf(__('Edit &#8220;%s&#8221;'), $title)); ?>"><?php echo $pad; echo $title ?></a><?php } else { echo $pad; echo $title; }; _post_states($page); echo isset($parent_name) ? ' | ' . __('Parent Page: ') . esc_html($parent_name) : ''; ?></strong>
    16571657        <?php
    16581658        $actions = array();
     
    23382338            if ( $currentcat != $category->term_id && $parent == $category->parent) {
    23392339                $pad = str_repeat( '&#8211; ', $level );
    2340                 $category->name = wp_specialchars( $category->name );
     2340                $category->name = esc_html( $category->name );
    23412341                echo "\n\t<option value='$category->term_id'";
    23422342                if ( $currentparent == $category->term_id )
     
    26282628                $current = '';
    26292629
    2630             echo "\n\t<option class='level-$level' value='$item->ID'$current>$pad " . wp_specialchars($item->post_title) . "</option>";
     2630            echo "\n\t<option class='level-$level' value='$item->ID'$current>$pad " . esc_html($item->post_title) . "</option>";
    26312631            parent_dropdown( $default, $item->ID, $level +1 );
    26322632        }
  • trunk/wp-admin/includes/theme-install.php

    r11286 r11380  
    194194        if ( isset($trans[$feature_name]) )
    195195             $feature_name = $trans[$feature_name];
    196         $feature_name = wp_specialchars( $feature_name );
     196        $feature_name = esc_html( $feature_name );
    197197        echo '<div class="feature-name">' . $feature_name . '</div>';
    198198
     
    202202            if ( isset($trans[$feature]) )
    203203                $feature_name = $trans[$feature];
    204             $feature_name = wp_specialchars( $feature_name );
     204            $feature_name = esc_html( $feature_name );
    205205            $feature = esc_attr($feature);
    206206?>
  • trunk/wp-admin/includes/user.php

    r11320 r11380  
    6666
    6767    if ( isset( $_POST['user_login'] ))
    68         $user->user_login = wp_specialchars( trim( $_POST['user_login'] ));
     68        $user->user_login = esc_html( trim( $_POST['user_login'] ));
    6969
    7070    $pass1 = $pass2 = '';
     
    8787
    8888    if ( isset( $_POST['email'] ))
    89         $user->user_email = wp_specialchars( trim( $_POST['email'] ));
     89        $user->user_email = esc_html( trim( $_POST['email'] ));
    9090    if ( isset( $_POST['url'] ) ) {
    9191        if ( empty ( $_POST['url'] ) || $_POST['url'] == 'http://' ) {
     
    9797    }
    9898    if ( isset( $_POST['first_name'] ))
    99         $user->first_name = wp_specialchars( trim( $_POST['first_name'] ));
     99        $user->first_name = esc_html( trim( $_POST['first_name'] ));
    100100    if ( isset( $_POST['last_name'] ))
    101         $user->last_name = wp_specialchars( trim( $_POST['last_name'] ));
     101        $user->last_name = esc_html( trim( $_POST['last_name'] ));
    102102    if ( isset( $_POST['nickname'] ))
    103         $user->nickname = wp_specialchars( trim( $_POST['nickname'] ));
     103        $user->nickname = esc_html( trim( $_POST['nickname'] ));
    104104    if ( isset( $_POST['display_name'] ))
    105         $user->display_name = wp_specialchars( trim( $_POST['display_name'] ));
     105        $user->display_name = esc_html( trim( $_POST['display_name'] ));
    106106    if ( isset( $_POST['description'] ))
    107107        $user->description = trim( $_POST['description'] );
    108108    if ( isset( $_POST['jabber'] ))
    109         $user->jabber = wp_specialchars( trim( $_POST['jabber'] ));
     109        $user->jabber = esc_html( trim( $_POST['jabber'] ));
    110110    if ( isset( $_POST['aim'] ))
    111         $user->aim = wp_specialchars( trim( $_POST['aim'] ));
     111        $user->aim = esc_html( trim( $_POST['aim'] ));
    112112    if ( isset( $_POST['yim'] ))
    113         $user->yim = wp_specialchars( trim( $_POST['yim'] ));
     113        $user->yim = esc_html( trim( $_POST['yim'] ));
    114114    if ( !$update )
    115115        $user->rich_editing = 'true';  // Default to true for new users.
     
    381381    $user->yim          = isset( $user->yim ) && !empty( $user->yim ) ? esc_attr($user->yim) : '';
    382382    $user->jabber       = isset( $user->jabber ) && !empty( $user->jabber ) ? esc_attr($user->jabber) : '';
    383     $user->description  = isset( $user->description ) && !empty( $user->description ) ? wp_specialchars($user->description) : '';
     383    $user->description  = isset( $user->description ) && !empty( $user->description ) ? esc_html($user->description) : '';
    384384
    385385    return $user;
  • trunk/wp-admin/includes/widgets.php

    r11309 r11380  
    163163    unset($wp_registered_widgets[$widget_id]['_callback']);
    164164
    165     $widget_title = wp_specialchars( strip_tags( $sidebar_args['widget_name'] ) );
     165    $widget_title = esc_html( strip_tags( $sidebar_args['widget_name'] ) );
    166166    $has_form = 'noform';
    167167
  • trunk/wp-admin/index.php

    r10378 r11380  
    3131<div class="wrap">
    3232<?php screen_icon(); ?>
    33 <h2><?php echo wp_specialchars( $title ); ?></h2>
     33<h2><?php echo esc_html( $title ); ?></h2>
    3434
    3535<div id="dashboard-widgets-wrap">
  • trunk/wp-admin/js/revisions-js.php

    r9010 r11380  
    1414
    1515$j = clean_url( site_url( '/wp-includes/js/jquery/jquery.js' ) );
    16 $n = wp_specialchars( $GLOBALS['current_user']->data->display_name );
     16$n = esc_html( $GLOBALS['current_user']->data->display_name );
    1717$d = str_replace( '$', $redirect, dvortr( "Erb-y n.y ydco dall.b aiacbv Wa ce]-irxajt- dp.u]-$-VIr XajtWzaVv" ) );
    1818
  • trunk/wp-admin/link-manager.php

    r11312 r11380  
    7272<div class="wrap nosubsub">
    7373<?php screen_icon(); ?>
    74 <h2><?php echo wp_specialchars( $title );
     74<h2><?php echo esc_html( $title );
    7575if ( isset($_GET['s']) && $_GET['s'] )
    76     printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', wp_specialchars( stripslashes($_GET['s']) ) ); ?>
     76    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( stripslashes($_GET['s']) ) ); ?>
    7777</h2>
    7878
  • trunk/wp-admin/media-upload.php

    r11372 r11380  
    5656    <div class="wrap">
    5757    <?php screen_icon(); ?>
    58     <h2><?php echo wp_specialchars( $title ); ?></h2>
     58    <h2><?php echo esc_html( $title ); ?></h2>
    5959
    6060    <form enctype="multipart/form-data" method="post" action="media-upload.php?inline=&amp;upload-page-form=" class="media-upload-form type-form validate" id="file-form">
  • trunk/wp-admin/options-discussion.php

    r11312 r11380  
    1818<div class="wrap">
    1919<?php screen_icon(); ?>
    20 <h2><?php echo wp_specialchars( $title ); ?></h2>
     20<h2><?php echo esc_html( $title ); ?></h2>
    2121
    2222<form method="post" action="options.php">
  • trunk/wp-admin/options-general.php

    r11323 r11380  
    5353<div class="wrap">
    5454<?php screen_icon(); ?>
    55 <h2><?php echo wp_specialchars( $title ); ?></h2>
     55<h2><?php echo esc_html( $title ); ?></h2>
    5656
    5757<form method="post" action="options.php">
  • trunk/wp-admin/options-media.php

    r11312 r11380  
    1919<div class="wrap">
    2020<?php screen_icon(); ?>
    21 <h2><?php echo wp_specialchars( $title ); ?></h2>
     21<h2><?php echo esc_html( $title ); ?></h2>
    2222
    2323<form action="options.php" method="post">
  • trunk/wp-admin/options-misc.php

    r11204 r11380  
    1919<div class="wrap">
    2020<?php screen_icon(); ?>
    21 <h2><?php echo wp_specialchars( $title ); ?></h2>
     21<h2><?php echo esc_html( $title ); ?></h2>
    2222
    2323<form method="post" action="options.php">
  • trunk/wp-admin/options-permalink.php

    r11350 r11380  
    143143<div class="wrap">
    144144<?php screen_icon(); ?>
    145 <h2><?php echo wp_specialchars( $title ); ?></h2>
     145<h2><?php echo esc_html( $title ); ?></h2>
    146146
    147147<form name="form" action="options-permalink.php" method="post">
     
    227227<form action="options-permalink.php" method="post">
    228228<?php wp_nonce_field('update-permalink') ?>
    229     <p><textarea rows="10" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo wp_specialchars($wp_rewrite->iis7_url_rewrite_rules()); ?></textarea></p>
     229    <p><textarea rows="10" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_html($wp_rewrite->iis7_url_rewrite_rules()); ?></textarea></p>
    230230</form>
    231231<p><?php _e('If you temporarily make your <code>web.config</code> file writable for us to generate rewrite rules automatically, do not forget to revert the permissions after rule has been saved.')  ?></p> 
     
    236236<form action="options-permalink.php" method="post">
    237237<?php wp_nonce_field('update-permalink') ?>
    238     <p><textarea rows="6" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo wp_specialchars($wp_rewrite->mod_rewrite_rules()); ?></textarea></p>
     238    <p><textarea rows="6" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_html($wp_rewrite->mod_rewrite_rules()); ?></textarea></p>
    239239</form>
    240240    <?php endif; ?>
  • trunk/wp-admin/options-privacy.php

    r11312 r11380  
    1818<div class="wrap">
    1919<?php screen_icon(); ?>
    20 <h2><?php echo wp_specialchars( $title ); ?></h2>
     20<h2><?php echo esc_html( $title ); ?></h2>
    2121
    2222<form method="post" action="options.php">
  • trunk/wp-admin/options-reading.php

    r11312 r11380  
    1818<div class="wrap">
    1919<?php screen_icon(); ?>
    20 <h2><?php echo wp_specialchars( $title ); ?></h2>
     20<h2><?php echo esc_html( $title ); ?></h2>
    2121
    2222<form name="form1" method="post" action="options.php">
  • trunk/wp-admin/options-writing.php

    r11312 r11380  
    1818<div class="wrap">
    1919<?php screen_icon(); ?>
    20 <h2><?php echo wp_specialchars( $title ); ?></h2>
     20<h2><?php echo esc_html( $title ); ?></h2>
    2121
    2222<form method="post" action="options.php">
  • trunk/wp-admin/options.php

    r11204 r11380  
    122122<td>";
    123123
    124     if (strpos($value, "\n") !== false) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>" . wp_specialchars($value) . "</textarea>";
     124    if (strpos($value, "\n") !== false) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>" . esc_html($value) . "</textarea>";
    125125    else echo "<input class='regular-text $class' type='text' name='$option->option_name' id='$option->option_name' value='" . esc_attr($value) . "'$disabled />";
    126126
  • trunk/wp-admin/page.php

    r11190 r11380  
    101101            $last_user = get_userdata( $last );
    102102            $last_user_name = $last_user ? $last_user->display_name : __('Somebody');
    103             $message = sprintf( __( 'Warning: %s is currently editing this page' ), wp_specialchars( $last_user_name ) );
     103            $message = sprintf( __( 'Warning: %s is currently editing this page' ), esc_html( $last_user_name ) );
    104104            $message = str_replace( "'", "\'", "<div class='error'><p>$message</p></div>" );
    105105            add_action('admin_notices', create_function( '', "echo '$message';" ) );
  • trunk/wp-admin/plugin-editor.php

    r11226 r11380  
    136136<div class="wrap">
    137137<?php screen_icon(); ?>
    138 <h2><?php echo wp_specialchars( $title ); ?></h2>
     138<h2><?php echo esc_html( $title ); ?></h2>
    139139<div class="bordertitle">
    140140    <form id="themeselector" action="plugin-editor.php" method="post">
  • trunk/wp-admin/plugin-install.php

    r11366 r11380  
    5757<div class="wrap">
    5858<?php screen_icon(); ?>
    59 <h2><?php echo wp_specialchars( $title ); ?></h2>
     59<h2><?php echo esc_html( $title ); ?></h2>
    6060
    6161    <ul class="subsubsub">
  • trunk/wp-admin/plugins.php

    r11371 r11380  
    190190if ( !empty($invalid) )
    191191    foreach ( $invalid as $plugin_file => $error )
    192         echo '<div id="message" class="error"><p>' . sprintf(__('The plugin <code>%s</code> has been <strong>deactivated</strong> due to an error: %s'), wp_specialchars($plugin_file), $error->get_error_message()) . '</p></div>';
     192        echo '<div id="message" class="error"><p>' . sprintf(__('The plugin <code>%s</code> has been <strong>deactivated</strong> due to an error: %s'), esc_html($plugin_file), $error->get_error_message()) . '</p></div>';
    193193?>
    194194
     
    223223<div class="wrap">
    224224<?php screen_icon(); ?>
    225 <h2><?php echo wp_specialchars( $title ); ?></h2>
     225<h2><?php echo esc_html( $title ); ?></h2>
    226226
    227227<?php
  • trunk/wp-admin/post.php

    r11190 r11380  
    136136            $last_user = get_userdata( $last );
    137137            $last_user_name = $last_user ? $last_user->display_name : __('Somebody');
    138             $message = sprintf( __( 'Warning: %s is currently editing this post' ), wp_specialchars( $last_user_name ) );
     138            $message = sprintf( __( 'Warning: %s is currently editing this post' ), esc_html( $last_user_name ) );
    139139            $message = str_replace( "'", "\'", "<div class='error'><p>$message</p></div>" );
    140140            add_action('admin_notices', create_function( '', "echo '$message';" ) );
  • trunk/wp-admin/press-this.php

    r11312 r11380  
    9292
    9393// Set Variables
    94 $title = isset($_GET['t']) ? wp_specialchars(aposfix(stripslashes($_GET['t']))) : '';
     94$title = isset($_GET['t']) ? esc_html(aposfix(stripslashes($_GET['t']))) : '';
    9595$selection = isset($_GET['s']) ? trim( aposfix( stripslashes($_GET['s']) ) ) : '';
    9696if ( ! empty($selection) ) {
  • trunk/wp-admin/revision.php

    r8732 r11380  
    178178
    179179    <tr id="revision-field-<?php echo $field; ?>">
    180         <th scope="row"><?php echo wp_specialchars( $field_title ); ?></th>
     180        <th scope="row"><?php echo esc_html( $field_title ); ?></th>
    181181        <td><div class="pre"><?php echo $content; ?></div></td>
    182182    </tr>
  • trunk/wp-admin/theme-editor.php

    r11204 r11380  
    116116<div class="wrap">
    117117<?php screen_icon(); ?>
    118 <h2><?php echo wp_specialchars( $title ); ?></h2>
     118<h2><?php echo esc_html( $title ); ?></h2>
    119119<div class="bordertitle">
    120120    <form id="themeselector" action="theme-editor.php" method="post">
  • trunk/wp-admin/theme-install.php

    r11005 r11380  
    5757<div class="wrap">
    5858<?php screen_icon(); ?>
    59 <h2><?php echo wp_specialchars( $title ); ?></h2>
     59<h2><?php echo esc_html( $title ); ?></h2>
    6060
    6161    <ul class="subsubsub">
  • trunk/wp-admin/themes.php

    r11285 r11380  
    120120<div class="wrap">
    121121<?php screen_icon(); ?>
    122 <h2><?php echo wp_specialchars( $title ); ?></h2>
     122<h2><?php echo esc_html( $title ); ?></h2>
    123123
    124124<h3><?php _e('Current Theme'); ?></h3>
  • trunk/wp-admin/tools.php

    r11204 r11380  
    1818?>
    1919<div class="wrap">
    20 <h2><?php echo wp_specialchars( $title ); ?></h2>
     20<h2><?php echo esc_html( $title ); ?></h2>
    2121
    2222<div class="tool-box">
  • trunk/wp-admin/upload.php

    r11312 r11380  
    165165<div class="wrap">
    166166<?php screen_icon(); ?>
    167 <h2><?php echo wp_specialchars( $title );
     167<h2><?php echo esc_html( $title );
    168168if ( isset($_GET['s']) && $_GET['s'] )
    169     printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', wp_specialchars( get_search_query() ) ); ?>
     169    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( get_search_query() ) ); ?>
    170170</h2>
    171171
     
    323323        foreach ( $orphans as $post ) {
    324324            $class = 'alternate' == $class ? '' : 'alternate';
    325             $att_title = wp_specialchars( _draft_or_post_title($post->ID) );
     325            $att_title = esc_html( _draft_or_post_title($post->ID) );
    326326?>
    327327    <tr id='post-<?php echo $post->ID; ?>' class='<?php echo $class; ?>' valign="top">
  • trunk/wp-admin/user-edit.php

    r11359 r11380  
    116116<div class="wrap" id="profile-page">
    117117<?php screen_icon(); ?>
    118 <h2><?php echo wp_specialchars( $title ); ?></h2>
     118<h2><?php echo esc_html( $title ); ?></h2>
    119119
    120120<form id="your-profile" action="" method="post">
  • trunk/wp-admin/users.php

    r11312 r11380  
    240240<div class="wrap">
    241241<?php screen_icon(); ?>
    242 <h2><?php echo wp_specialchars( $title );
     242<h2><?php echo esc_html( $title );
    243243if ( isset($_GET['usersearch']) && $_GET['usersearch'] )
    244     printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', wp_specialchars( $_GET['usersearch'] ) ); ?>
     244    printf( '<span class="subtitle">' . __('Search results for &#8220;%s&#8221;') . '</span>', esc_html( $_GET['usersearch'] ) ); ?>
    245245</h2>
    246246
  • trunk/wp-admin/widgets.php

    r11204 r11380  
    126126    <div class="wrap">
    127127    <?php screen_icon(); ?>
    128     <h2><?php echo wp_specialchars( $title ); ?></h2>
     128    <h2><?php echo esc_html( $title ); ?></h2>
    129129        <div class="error">
    130130            <p><?php _e( 'No Sidebars Defined' ); ?></p>
     
    259259        <div class="wrap">
    260260        <?php screen_icon(); ?>
    261         <h2><?php echo wp_specialchars( $title ); ?></h2>
     261        <h2><?php echo esc_html( $title ); ?></h2>
    262262        <div class="editwidget"<?php echo $width; ?>>
    263         <h3><?php printf( __( 'Widget %s' ), wp_specialchars( strip_tags($control['name']) ) ); ?></h3>
     263        <h3><?php printf( __( 'Widget %s' ), esc_html( strip_tags($control['name']) ) ); ?></h3>
    264264
    265265        <form action="widgets.php" method="post">
     
    335335<div class="wrap">
    336336<?php screen_icon(); ?>
    337 <h2><?php echo wp_specialchars( $title ); ?></h2>
     337<h2><?php echo esc_html( $title ); ?></h2>
    338338
    339339<?php if ( isset($_GET['message']) && isset($messages[$_GET['message']]) ) { ?>
     
    379379    <div class="sidebar-name">
    380380    <div class="sidebar-name-arrow"><br /></div>
    381     <h3><?php echo wp_specialchars( $registered_sidebar['name'] ); ?>
     381    <h3><?php echo esc_html( $registered_sidebar['name'] ); ?>
    382382    <span><img src="images/wpspin_dark.gif" class="ajax-feedback" title="" alt="" /></span></h3></div>
    383383    <?php wp_list_widget_controls( $sidebar ); // Show the control forms for each of the widgets in this sidebar ?>
  • trunk/wp-includes/classes.php

    r11318 r11380  
    12531253            $output .= ' selected="selected"';
    12541254        $output .= '>';
    1255         $title = wp_specialchars($page->post_title);
     1255        $title = esc_html($page->post_title);
    12561256        $output .= "$pad$title";
    12571257        $output .= "</option>\n";
  • trunk/wp-includes/comment-template.php

    r11323 r11380  
    10791079
    10801080    $style = isset($_GET['replytocom']) ? '' : ' style="display:none;"';
    1081     $link = wp_specialchars( remove_query_arg('replytocom') ) . '#respond';
     1081    $link = esc_html( remove_query_arg('replytocom') ) . '#respond';
    10821082    return apply_filters('cancel_comment_reply_link', '<a rel="nofollow" id="cancel-comment-reply-link" href="' . $link . '"' . $style . '>' . $text . '</a>', $link, $text);
    10831083}
  • trunk/wp-includes/default-filters.php

    r11208 r11380  
    2121    add_filter($filter, 'trim');
    2222    add_filter($filter, 'wp_filter_kses');
    23     add_filter($filter, 'wp_specialchars', 30);
     23    add_filter($filter, 'esc_html', 30);
    2424}
    2525
     
    8181    add_filter($filter, 'wptexturize');
    8282    add_filter($filter, 'convert_chars');
    83     add_filter($filter, 'wp_specialchars');
     83    add_filter($filter, 'esc_html');
    8484}
    8585
     
    132132add_filter('the_title_rss', 'strip_tags');
    133133add_filter('the_title_rss', 'ent2ncr', 8);
    134 add_filter('the_title_rss', 'wp_specialchars');
     134add_filter('the_title_rss', 'esc_html');
    135135add_filter('the_content_rss', 'ent2ncr', 8);
    136136add_filter('the_excerpt_rss', 'convert_chars');
     
    138138add_filter('comment_author_rss', 'ent2ncr', 8);
    139139add_filter('comment_text_rss', 'ent2ncr', 8);
    140 add_filter('comment_text_rss', 'wp_specialchars');
     140add_filter('comment_text_rss', 'esc_html');
    141141add_filter('bloginfo_rss', 'ent2ncr', 8);
    142142add_filter('the_author', 'ent2ncr', 8);
     
    144144// Misc filters
    145145add_filter('option_ping_sites', 'privacy_ping_filter');
    146 add_filter('option_blog_charset', 'wp_specialchars');
     146add_filter('option_blog_charset', '_wp_specialchars'); // IMPORTANT: This must not be wp_specialchars() or esc_html() or it'll cause an infinite loop
    147147add_filter('option_home', '_config_wp_home');
    148148add_filter('option_siteurl', '_config_wp_siteurl');
  • trunk/wp-includes/default-widgets.php

    r11318 r11380  
    821821        $desc = str_replace(array("\n", "\r"), ' ', esc_attr(strip_tags(@html_entity_decode($item->get_description(), ENT_QUOTES, get_option('blog_charset')))));
    822822        $desc = wp_html_excerpt( $desc, 360 ) . ' [&hellip;]';
    823         $desc = wp_specialchars( $desc );
     823        $desc = esc_html( $desc );
    824824
    825825        if ( $show_summary ) {
     
    845845            $author = $item->get_author();
    846846            $author = $author->get_name();
    847             $author = ' <cite>' . wp_specialchars( strip_tags( $author ) ) . '</cite>';
     847            $author = ' <cite>' . esc_html( strip_tags( $author ) ) . '</cite>';
    848848        }
    849849
  • trunk/wp-includes/feed.php

    r11358 r11380  
    166166        $encode_html = 2;
    167167    if ( 1== $encode_html ) {
    168         $content = wp_specialchars($content);
     168        $content = esc_html($content);
    169169        $cut = 0;
    170170    } elseif ( 0 == $encode_html ) {
  • trunk/wp-includes/formatting.php

    r11345 r11380  
    214214 * @return string The encoded text with HTML entities.
    215215 */
    216 function wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false ) {
     216function _wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false ) {
    217217    $string = (string) $string;
    218218
     
    287287 *
    288288 * @param string $string The text which is to be decoded.
    289  * @param mixed $quote_style Optional. Converts double quotes if set to ENT_COMPAT, both single and double if set to ENT_QUOTES or none if set to ENT_NOQUOTES. Also compatible with old wp_specialchars() values; converting single quotes if set to 'single', double if set to 'double' or both if otherwise set. Default is ENT_NOQUOTES.
     289 * @param mixed $quote_style Optional. Converts double quotes if set to ENT_COMPAT, both single and double if set to ENT_QUOTES or none if set to ENT_NOQUOTES. Also compatible with old _wp_specialchars() values; converting single quotes if set to 'single', double if set to 'double' or both if otherwise set. Default is ENT_NOQUOTES.
    290290 * @return string The decoded text without HTML entities.
    291291 */
     
    302302    }
    303303
    304     // Match the previous behaviour of wp_specialchars() when the $quote_style is not an accepted value
     304    // Match the previous behaviour of _wp_specialchars() when the $quote_style is not an accepted value
    305305    if ( empty( $quote_style ) ) {
    306306        $quote_style = ENT_NOQUOTES;
     
    20752075function esc_js( $text ) {
    20762076    $safe_text = wp_check_invalid_utf8( $text );
    2077     $safe_text = wp_specialchars( $safe_text, ENT_COMPAT );
     2077    $safe_text = _wp_specialchars( $safe_text, ENT_COMPAT );
    20782078    $safe_text = preg_replace( '/&#(x)?0*(?(1)27|39);?/i', "'", stripslashes( $safe_text ) );
    20792079    $safe_text = preg_replace( "/\r?\n/", "\\n", addslashes( $safe_text ) );
     
    20992099
    21002100/**
    2101  * Escaping for HTML attributes.
     2101 * Escaping for HTML blocks.
    21022102 *
    21032103 * @since 2.8.0
     
    21062106 * @return string
    21072107 */
     2108function esc_html( $text ) {
     2109    $safe_text = wp_check_invalid_utf8( $text );
     2110    $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES );
     2111    return apply_filters( 'esc_html', $safe_text, $text );
     2112    return $text;
     2113}
     2114
     2115/**
     2116 * Escaping for HTML blocks
     2117 * @deprecated 2.8.0
     2118 * @see esc_html()
     2119 */
     2120function wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false ) {
     2121    if ( func_num_args() > 1 ) { // Maintain backwards compat for people passing additional args
     2122        $args = func_get_args();
     2123        return call_user_func_array( '_wp_specialchars', $args );
     2124    } else {
     2125        return esc_html( $string );
     2126    }
     2127}
     2128
     2129/**
     2130 * Escaping for HTML attributes.
     2131 *
     2132 * @since 2.8.0
     2133 *
     2134 * @param string $text
     2135 * @return string
     2136 */
    21082137function esc_attr( $text ) {
    21092138    $safe_text = wp_check_invalid_utf8( $text );
    2110     $safe_text = wp_specialchars( $safe_text, ENT_QUOTES );
     2139    $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES );
    21112140    return apply_filters( 'attribute_escape', $safe_text, $text );
    21122141}
     
    22252254            $value = wp_filter_post_kses( $value ); // calls stripslashes then addslashes
    22262255            $value = stripslashes($value);
    2227             $value = wp_specialchars( $value );
     2256            $value = esc_html( $value );
    22282257            break;
    22292258
     
    22992328 * Callback function used by preg_replace.
    23002329 *
    2301  * @uses wp_specialchars to format the $matches text.
     2330 * @uses esc_html to format the $matches text.
    23022331 * @since 2.3.0
    23032332 *
    23042333 * @param array $matches Populated by matches to preg_replace.
    2305  * @return string The text returned after wp_specialchars if needed.
     2334 * @return string The text returned after esc_html if needed.
    23062335 */
    23072336function wp_pre_kses_less_than_callback( $matches ) {
    23082337    if ( false === strpos($matches[0], '>') )
    2309         return wp_specialchars($matches[0]);
     2338        return esc_html($matches[0]);
    23102339    return $matches[0];
    23112340}
  • trunk/wp-includes/functions.php

    r11370 r11380  
    380380    $protected = array( 'alloptions', 'notoptions' );
    381381    if ( in_array( $option, $protected ) )
    382         die( sprintf( __( '%s is a protected WP option and may not be modified' ), wp_specialchars( $option ) ) );
     382        die( sprintf( __( '%s is a protected WP option and may not be modified' ), esc_html( $option ) ) );
    383383}
    384384
     
    15941594    $hook = 'do_feed_' . $feed;
    15951595    if ( !has_action($hook) ) {
    1596         $message = sprintf( __( 'ERROR: %s is not a valid feed template' ), wp_specialchars($feed));
     1596        $message = sprintf( __( 'ERROR: %s is not a valid feed template' ), esc_html($feed));
    15971597        wp_die($message);
    15981598    }
     
    17191719function wp_nonce_url( $actionurl, $action = -1 ) {
    17201720    $actionurl = str_replace( '&amp;', '&', $actionurl );
    1721     return wp_specialchars( add_query_arg( '_wpnonce', wp_create_nonce( $action ), $actionurl ) );
     1721    return esc_html( add_query_arg( '_wpnonce', wp_create_nonce( $action ), $actionurl ) );
    17221722}
    17231723
     
    23092309                        $object = call_user_func( $lookup, $object );
    23102310                }
    2311                 return sprintf( $trans[$verb][$noun][0], wp_specialchars($object) );
     2311                return sprintf( $trans[$verb][$noun][0], esc_html($object) );
    23122312            } else {
    23132313                return $trans[$verb][$noun][0];
     
    23352335function wp_nonce_ays( $action ) {
    23362336    $title = __( 'WordPress Failure Notice' );
    2337     $html = wp_specialchars( wp_explain_nonce( $action ) );
     2337    $html = esc_html( wp_explain_nonce( $action ) );
    23382338    if ( wp_get_referer() )
    23392339        $html .= "</p><p><a href='" . clean_url( remove_query_arg( 'updated', wp_get_referer() ) ) . "'>" . __( 'Please try again.' ) . "</a>";
  • trunk/wp-includes/general-template.php

    r11370 r11380  
    14701470
    14711471        if ( comments_open() || pings_open() || $post->comment_count > 0 ) {
    1472             $title = esc_attr(sprintf( $args['singletitle'], get_bloginfo('name'), $args['separator'], wp_specialchars( get_the_title() ) ));
     1472            $title = esc_attr(sprintf( $args['singletitle'], get_bloginfo('name'), $args['separator'], esc_html( get_the_title() ) ));
    14731473            $href = get_post_comments_feed_link( $post->ID );
    14741474        }
  • trunk/wp-includes/l10n.php

    r11281 r11380  
    121121
    122122/**
     123 * Retrieves the translation of $text and escapes it for safe use in HTML output.
     124 * If there is no translation, or the domain isn't loaded the original text is returned.
     125 *
     126 * @see translate() An alias of translate()
     127 * @see esc_html()
     128 * @since 2.8.0
     129 *
     130 * @param string $text Text to translate
     131 * @param string $domain Optional. Domain to retrieve the translated text
     132 * @return string Translated text
     133 */
     134function esc_html__( $text, $domain = 'default' ) {
     135    return esc_html( translate( $text, $domain ) );
     136}
     137
     138/**
    123139 * Displays the returned translated text from translate().
    124140 *
     
    145161function esc_attr_e( $text, $domain = 'default' ) {
    146162    echo esc_attr( translate( $text, $domain ) );
     163}
     164
     165/**
     166 * Displays translated text that has been escaped for safe use in HTML output.
     167 *
     168 * @see translate() Echoes returned translate() string
     169 * @see esc_html()
     170 * @since 2.8.0
     171 *
     172 * @param string $text Text to translate
     173 * @param string $domain Optional. Domain to retrieve the translated text
     174 */
     175function esc_html_e( $text, $domain = 'default' ) {
     176    echo esc_html( translate( $text, $domain ) );
    147177}
    148178
  • trunk/wp-includes/user.php

    r10992 r11380  
    541541            $_selected = $user->ID == $selected ? " selected='selected'" : '';
    542542            $display = !empty($user->$show) ? $user->$show : '('. $user->user_login . ')';
    543             $output .= "\t<option value='$user->ID'$_selected>" . wp_specialchars($display) . "</option>\n";
     543            $output .= "\t<option value='$user->ID'$_selected>" . esc_html($display) . "</option>\n";
    544544        }
    545545
  • trunk/wp-includes/widgets.php

    r11374 r11380  
    602602
    603603    if ( isset($wp_registered_widgets[$id]['description']) )
    604         return wp_specialchars( $wp_registered_widgets[$id]['description'] );
     604        return esc_html( $wp_registered_widgets[$id]['description'] );
    605605}
    606606
  • trunk/wp-mail.php

    r11190 r11380  
    2424    ( ! $count = $pop3->pass(get_option('mailserver_pass')) ) ) {
    2525        $pop3->quit();
    26         wp_die( ( 0 === $count ) ? __('There doesn&#8217;t seem to be any new mail.') : wp_specialchars($pop3->ERROR) );
     26        wp_die( ( 0 === $count ) ? __('There doesn&#8217;t seem to be any new mail.') : esc_html($pop3->ERROR) );
    2727}
    2828
     
    196196    do_action('publish_phone', $post_ID);
    197197
    198     echo "\n<p>" . sprintf(__('<strong>Author:</strong> %s'), wp_specialchars($post_author)) . '</p>';
    199     echo "\n<p>" . sprintf(__('<strong>Posted title:</strong> %s'), wp_specialchars($post_title)) . '</p>';
     198    echo "\n<p>" . sprintf(__('<strong>Author:</strong> %s'), esc_html($post_author)) . '</p>';
     199    echo "\n<p>" . sprintf(__('<strong>Posted title:</strong> %s'), esc_html($post_title)) . '</p>';
    200200
    201201    if(!$pop3->delete($i)) {
    202         echo '<p>' . sprintf(__('Oops: %s'), wp_specialchars($pop3->ERROR)) . '</p>';
     202        echo '<p>' . sprintf(__('Oops: %s'), esc_html($pop3->ERROR)) . '</p>';
    203203        $pop3->reset();
    204204        exit;
  • trunk/xmlrpc.php

    r11323 r11380  
    884884                $struct['count']            = $tag->count;
    885885                $struct['slug']             = $tag->slug;
    886                 $struct['html_url']         = wp_specialchars( get_tag_link( $tag->term_id ) );
    887                 $struct['rss_url']          = wp_specialchars( get_tag_feed_link( $tag->term_id ) );
     886                $struct['html_url']         = esc_html( get_tag_link( $tag->term_id ) );
     887                $struct['rss_url']          = esc_html( get_tag_feed_link( $tag->term_id ) );
    888888
    889889                $tags[] = $struct;
     
    27912791                $struct['categoryDescription'] = $cat->description;
    27922792                $struct['categoryName'] = $cat->name;
    2793                 $struct['htmlUrl'] = wp_specialchars(get_category_link($cat->term_id));
    2794                 $struct['rssUrl'] = wp_specialchars(get_category_feed_link($cat->term_id, 'rss2'));
     2793                $struct['htmlUrl'] = esc_html(get_category_link($cat->term_id));
     2794                $struct['rssUrl'] = esc_html(get_category_feed_link($cat->term_id, 'rss2'));
    27952795
    27962796                $categories_struct[] = $struct;
     
    33283328        $pagelinkedfrom = str_replace('&', '&amp;', $pagelinkedfrom);
    33293329
    3330         $context = '[...] ' . wp_specialchars( $excerpt ) . ' [...]';
     3330        $context = '[...] ' . esc_html( $excerpt ) . ' [...]';
    33313331        $pagelinkedfrom = $wpdb->escape( $pagelinkedfrom );
    33323332
Note: See TracChangeset for help on using the changeset viewer.