05/18/2009 03:11:07 PM (16 years ago)
Author:
markjaquith
Message:

deprecate wp_specialchars() in favor of esc_html(). Encode quotes for esc_html() as in esc_attr(), to improve plugin security.

File:
1 edited

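--- a/trunk/wp-admin/admin-ajax.php
+++ b/trunk/wp-admin/admin-ajax.php
@@ -423,5 +423,5 @@
         }
         $cat_id = $cat_id['term_id'];
-        $cat_name = wp_specialchars(stripslashes($cat_name));
+        $cat_name = esc_html(stripslashes($cat_name));
         $x->add( array(
             'what' => 'link-category',
@@ -899,5 +899,5 @@
             $data = new WP_Error( 'locked', sprintf(
                 $_POST['post_type'] == 'page' ? __( 'Autosave disabled: %s is currently editing this page.' ) : __( 'Autosave disabled: %s is currently editing this post.' ),
-                wp_specialchars( $last_user_name )
+                esc_html( $last_user_name )
             ) );
 
@@ -1058,5 +1058,5 @@
         $last_user = get_userdata( $last );
         $last_user_name = $last_user ? $last_user->display_name : __( 'Someone' );
-        printf( $_POST['post_type'] == 'page' ? __( 'Saving is disabled: %s is currently editing this page.' ) : __( 'Saving is disabled: %s is currently editing this post.' ),    wp_specialchars( $last_user_name ) );
+        printf( $_POST['post_type'] == 'page' ? __( 'Saving is disabled: %s is currently editing this page.' ) : __( 'Saving is disabled: %s is currently editing this post.' ),    esc_html( $last_user_name ) );
         exit;
     }
@@ -1218,5 +1218,5 @@
 
         $html .= '<tr class="found-posts"><td class="found-radio"><input type="radio" id="found-'.$post->ID.'" name="found_post_id" value="' . esc_attr($post->ID) . '"></td>';
-        $html .= '<td><label for="found-'.$post->ID.'">'.wp_specialchars($post->post_title, true).'</label></td><td>'.wp_specialchars($time, true).'</td><td>'.wp_specialchars($stat, true).'</td></tr>'."\n\n";
+        $html .= '<td><label for="found-'.$post->ID.'">'.esc_html( $post->post_title ).'</label></td><td>'.esc_html( $time ).'</td><td>'.esc_html( $stat ).'</td></tr>'."\n\n";
     }
     $html .= '</tbody></table>';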
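Review bot: The new line 1220 in the find-posts hunk still interpolates `$post->ID` into the `for="found-…"` attribute unescaped, while the context line just above it escapes the same value with `esc_attr()` for the `value` attribute; the rewrite is the natural place to make the two consistent, e.g. `'<td><label for="found-' . esc_attr( $post->ID ) . '">'`. The ID is presumably an integer from the posts table, so this is a consistency and defence-in-depth point rather than a live injection, but every other user-derived value on the line now goes through an escaping helper and this one stands out. Dropping the `true` second argument of `wp_specialchars()` is fine only because the commit makes `esc_html()` encode quotes unconditionally; a one-line comment saying so, `// esc_html() now encodes quotes, matching the old wp_specialchars( …, true )`, would stop a later reader from re-adding the flag. The enclosing function of this hunk starts and ends outside the hunk.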