

Timestamp:
05/18/2009 03:11:07 PM (16 years ago)
Author:
markjaquith
Message:

deprecate wp_specialchars() in favor of esc_html(). Encode quotes for esc_html() as in esc_attr(), to improve plugin security.

File:
1 edited

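--- a/trunk/wp-admin/includes/template.php
+++ b/trunk/wp-admin/includes/template.php
@@ -470,5 +470,5 @@
 
         $class = in_array( $category->term_id, $popular_cats ) ? ' class="popular-category"' : '';
-        $output .= "\n<li id='category-$category->term_id'$class>" . '<label class="selectit"><input value="' . $category->term_id . '" type="checkbox" name="post_category[]" id="in-category-' . $category->term_id . '"' . (in_array( $category->term_id, $selected_cats ) ? ' checked="checked"' : "" ) . '/> ' . wp_specialchars( apply_filters('the_category', $category->name )) . '</label>';
+        $output .= "\n<li id='category-$category->term_id'$class>" . '<label class="selectit"><input value="' . $category->term_id . '" type="checkbox" name="post_category[]" id="in-category-' . $category->term_id . '"' . (in_array( $category->term_id, $selected_cats ) ? ' checked="checked"' : "" ) . '/> ' . esc_html( apply_filters('the_category', $category->name )) . '</label>';
     }
 
@@ -563,5 +563,5 @@
             <label class="selectit">
             <input id="in-<?php echo $id; ?>" type="checkbox" value="<?php echo (int) $category->term_id; ?>" />
-                <?php echo wp_specialchars( apply_filters( 'the_category', $category->name ) ); ?>
+                <?php echo esc_html( apply_filters( 'the_category', $category->name ) ); ?>
             </label>
         </li>
@@ -615,5 +615,5 @@
     foreach ( $categories as $category ) {
         $cat_id = $category->term_id;
-        $name = wp_specialchars( apply_filters('the_category', $category->name));
+        $name = esc_html( apply_filters('the_category', $category->name));
         $checked = in_array( $cat_id, $checked_categories );
         echo '<li id="link-category-', $cat_id, '"><label for="in-link-category-', $cat_id, '" class="selectit"><input value="', $cat_id, '" type="checkbox" name="link_category[]" id="in-link-category-', $cat_id, '"', ($checked ? ' checked="checked"' : "" ), '/> ', $name, "</label></li>";
@@ -1305,15 +1305,15 @@
     <div class="mn">' . mysql2date( 'i', $post->post_date, false ) . '</div>
     <div class="ss">' . mysql2date( 's', $post->post_date, false ) . '</div>
-    <div class="post_password">' . wp_specialchars($post->post_password, 1) . '</div>';
+    <div class="post_password">' . esc_html( $post->post_password ) . '</div>';
 
     if( $post->post_type == 'page' )
         echo '
     <div class="post_parent">' . $post->post_parent . '</div>
-    <div class="page_template">' . wp_specialchars(get_post_meta( $post->ID, '_wp_page_template', true ), 1) . '</div>
+    <div class="page_template">' . esc_html( get_post_meta( $post->ID, '_wp_page_template', true ) ) . '</div>
     <div class="menu_order">' . $post->menu_order . '</div>';
 
     if( $post->post_type == 'post' )
         echo '
-    <div class="tags_input">' . wp_specialchars( str_replace( ',', ', ', get_tags_to_edit($post->ID) ), 1) . '</div>
+    <div class="tags_input">' . esc_html( str_replace( ',', ', ', get_tags_to_edit($post->ID) ) ) . '</div>
     <div class="post_category">' . implode( ',', wp_get_post_categories( $post->ID ) ) . '</div>
     <div class="sticky">' . (is_sticky($post->ID) ? 'sticky' : '') . '</div>';
@@ -1332,5 +1332,5 @@
     global $wp_query, $post, $mode;
 
-    add_filter('the_title','wp_specialchars');
+    add_filter('the_title','esc_html');
 
     // Create array of post IDs.
@@ -1479,5 +1479,5 @@
                 $out = array();
                 foreach ( $categories as $c )
-                    $out[] = "<a href='edit.php?category_name=$c->slug'> " . wp_specialchars(sanitize_term_field('name', $c->name, $c->term_id, 'category', 'display')) . "</a>";
+                    $out[] = "<a href='edit.php?category_name=$c->slug'> " . esc_html(sanitize_term_field('name', $c->name, $c->term_id, 'category', 'display')) . "</a>";
                     echo join( ', ', $out );
             } else {
@@ -1495,5 +1495,5 @@
                 $out = array();
                 foreach ( $tags as $c )
-                    $out[] = "<a href='edit.php?tag=$c->slug'> " . wp_specialchars(sanitize_term_field('name', $c->name, $c->term_id, 'post_tag', 'display')) . "</a>";
+                    $out[] = "<a href='edit.php?tag=$c->slug'> " . esc_html(sanitize_term_field('name', $c->name, $c->term_id, 'post_tag', 'display')) . "</a>";
                 echo join( ', ', $out );
             } else {
@@ -1592,5 +1592,5 @@
     }
 
-    $page->post_title = wp_specialchars( $page->post_title );
+    $page->post_title = esc_html( $page->post_title );
     $pad = str_repeat( '&#8212; ', $level );
     $id = (int) $page->ID;
@@ -1654,5 +1654,5 @@
         $edit_link = get_edit_post_link( $page->ID );
         ?>
-        <td <?php echo $attributes ?>><strong><?php if ( current_user_can( 'edit_post', $page->ID ) ) { ?><a class="row-title" href="<?php echo $edit_link; ?>" title="<?php echo esc_attr(sprintf(__('Edit &#8220;%s&#8221;'), $title)); ?>"><?php echo $pad; echo $title ?></a><?php } else { echo $pad; echo $title; }; _post_states($page); echo isset($parent_name) ? ' | ' . __('Parent Page: ') . wp_specialchars($parent_name) : ''; ?></strong>
+        <td <?php echo $attributes ?>><strong><?php if ( current_user_can( 'edit_post', $page->ID ) ) { ?><a class="row-title" href="<?php echo $edit_link; ?>" title="<?php echo esc_attr(sprintf(__('Edit &#8220;%s&#8221;'), $title)); ?>"><?php echo $pad; echo $title ?></a><?php } else { echo $pad; echo $title; }; _post_states($page); echo isset($parent_name) ? ' | ' . __('Parent Page: ') . esc_html($parent_name) : ''; ?></strong>
         <?php
         $actions = array();
@@ -2338,5 +2338,5 @@
             if ( $currentcat != $category->term_id && $parent == $category->parent) {
                 $pad = str_repeat( '&#8211; ', $level );
-                $category->name = wp_specialchars( $category->name );
+                $category->name = esc_html( $category->name );
                 echo "\n\t<option value='$category->term_id'";
                 if ( $currentparent == $category->term_id )
@@ -2628,5 +2628,5 @@
                 $current = '';
 
-            echo "\n\t<option class='level-$level' value='$item->ID'$current>$pad " . wp_specialchars($item->post_title) . "</option>";
+            echo "\n\t<option class='level-$level' value='$item->ID'$current>$pad " . esc_html($item->post_title) . "</option>";
             parent_dropdown( $default, $item->ID, $level +1 );
         }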