WordPress.org

Make WordPress Core


Ignore:
Timestamp:
05/18/2009 03:11:07 PM (11 years ago)
Author:
markjaquith
Message:

deprecate wp_specialchars() in favor of esc_html(). Encode quotes for esc_html() as in esc_attr(), to improve plugin security.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-admin/includes/user.php

    r11320 r11380  
    6666
    6767    if ( isset( $_POST['user_login'] ))
    68         $user->user_login = wp_specialchars( trim( $_POST['user_login'] ));
     68        $user->user_login = esc_html( trim( $_POST['user_login'] ));
    6969
    7070    $pass1 = $pass2 = '';
     
    8787
    8888    if ( isset( $_POST['email'] ))
    89         $user->user_email = wp_specialchars( trim( $_POST['email'] ));
     89        $user->user_email = esc_html( trim( $_POST['email'] ));
    9090    if ( isset( $_POST['url'] ) ) {
    9191        if ( empty ( $_POST['url'] ) || $_POST['url'] == 'http://' ) {
     
    9797    }
    9898    if ( isset( $_POST['first_name'] ))
    99         $user->first_name = wp_specialchars( trim( $_POST['first_name'] ));
     99        $user->first_name = esc_html( trim( $_POST['first_name'] ));
    100100    if ( isset( $_POST['last_name'] ))
    101         $user->last_name = wp_specialchars( trim( $_POST['last_name'] ));
     101        $user->last_name = esc_html( trim( $_POST['last_name'] ));
    102102    if ( isset( $_POST['nickname'] ))
    103         $user->nickname = wp_specialchars( trim( $_POST['nickname'] ));
     103        $user->nickname = esc_html( trim( $_POST['nickname'] ));
    104104    if ( isset( $_POST['display_name'] ))
    105         $user->display_name = wp_specialchars( trim( $_POST['display_name'] ));
     105        $user->display_name = esc_html( trim( $_POST['display_name'] ));
    106106    if ( isset( $_POST['description'] ))
    107107        $user->description = trim( $_POST['description'] );
    108108    if ( isset( $_POST['jabber'] ))
    109         $user->jabber = wp_specialchars( trim( $_POST['jabber'] ));
     109        $user->jabber = esc_html( trim( $_POST['jabber'] ));
    110110    if ( isset( $_POST['aim'] ))
    111         $user->aim = wp_specialchars( trim( $_POST['aim'] ));
     111        $user->aim = esc_html( trim( $_POST['aim'] ));
    112112    if ( isset( $_POST['yim'] ))
    113         $user->yim = wp_specialchars( trim( $_POST['yim'] ));
     113        $user->yim = esc_html( trim( $_POST['yim'] ));
    114114    if ( !$update )
    115115        $user->rich_editing = 'true';  // Default to true for new users.
     
    381381    $user->yim          = isset( $user->yim ) && !empty( $user->yim ) ? esc_attr($user->yim) : '';
    382382    $user->jabber       = isset( $user->jabber ) && !empty( $user->jabber ) ? esc_attr($user->jabber) : '';
    383     $user->description  = isset( $user->description ) && !empty( $user->description ) ? wp_specialchars($user->description) : '';
     383    $user->description  = isset( $user->description ) && !empty( $user->description ) ? esc_html($user->description) : '';
    384384
    385385    return $user;
Note: See TracChangeset for help on using the changeset viewer.