Timestamp:
05/18/2009 03:11:07 PM (15 years ago)
Author:
markjaquith
Message:

deprecate wp_specialchars() in favor of esc_html(). Encode quotes for esc_html() as in esc_attr(), to improve plugin security.

File:
1 edited

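--- a/trunk/wp-admin/includes/dashboard.php
+++ b/trunk/wp-admin/includes/dashboard.php
@@ -582,5 +582,5 @@
 					$type = ucwords( $comment->comment_type );
 				endswitch;
-				$type = wp_specialchars( $type );
+				$type = esc_html( $type );
 			?>
 			<div class="dashboard-comment-wrap">
@@ -647,5 +647,5 @@
 		$site_link = clean_url( strip_tags( $author->get_link() ) );
 
-		if ( !$publisher = wp_specialchars( strip_tags( $author->get_name() ) ) )
+		if ( !$publisher = esc_html( strip_tags( $author->get_name() ) ) )
 			$publisher = __( 'Somebody' );
 		if ( $site_link )
@@ -668,5 +668,5 @@
 				/* translators: incoming links feed, %4$s is the date */
 				$text .= ' ' . __( 'on %4$s' );
-			$date = wp_specialchars( strip_tags( $item->get_date() ) );
+			$date = esc_html( strip_tags( $item->get_date() ) );
 			$date = strtotime( $date );
 			$date = gmdate( get_option( 'date_format' ), $date );
@@ -814,7 +814,7 @@
 		else // but let's make it forward compatible if things change
 			$title = $item->get_title();
-		$title = wp_specialchars( $title );
-
-		$description = wp_specialchars( strip_tags(@html_entity_decode($item->get_description(), ENT_QUOTES, get_option('blog_charset'))) );
+		$title = esc_html( $title );
+
+		$description = esc_html( strip_tags(@html_entity_decode($item->get_description(), ENT_QUOTES, get_option('blog_charset'))) );
 
 		$ilink = wp_nonce_url('plugin-install.php?tab=plugin-information&plugin=' . $slug, 'install-plugin_' . $slug) .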
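Review bot: In the third hunk (new line 670), esc_html() is applied to the feed date before it is handed to strtotime() on line 671, so the HTML-escaped form is what gets parsed, and the escaped string is discarded once gmdate() reformats it on line 672. Escaping belongs at the output boundary, not before parsing; now that esc_html() also encodes quotes, a quote or ampersand in an untrusted feed date would become an entity that strtotime() presumably does not understand, leaving $date false rather than a timestamp. I'd drop the escape on this line, `$date = strtotime( strip_tags( $item->get_date() ) );`, and escape the formatted value where it is echoed, which lies outside this hunk. The enclosing function starts and ends outside the hunk.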