WordPress.org

Make WordPress Core


Ignore:
Timestamp:
05/18/2009 03:11:07 PM (11 years ago)
Author:
markjaquith
Message:

deprecate wp_specialchars() in favor of esc_html(). Encode quotes for esc_html() as in esc_attr(), to improve plugin security.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-includes/formatting.php

    r11345 r11380  
    214214 * @return string The encoded text with HTML entities.
    215215 */
    216 function wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false ) {
     216function _wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false ) {
    217217    $string = (string) $string;
    218218
     
    287287 *
    288288 * @param string $string The text which is to be decoded.
    289  * @param mixed $quote_style Optional. Converts double quotes if set to ENT_COMPAT, both single and double if set to ENT_QUOTES or none if set to ENT_NOQUOTES. Also compatible with old wp_specialchars() values; converting single quotes if set to 'single', double if set to 'double' or both if otherwise set. Default is ENT_NOQUOTES.
     289 * @param mixed $quote_style Optional. Converts double quotes if set to ENT_COMPAT, both single and double if set to ENT_QUOTES or none if set to ENT_NOQUOTES. Also compatible with old _wp_specialchars() values; converting single quotes if set to 'single', double if set to 'double' or both if otherwise set. Default is ENT_NOQUOTES.
    290290 * @return string The decoded text without HTML entities.
    291291 */
     
    302302    }
    303303
    304     // Match the previous behaviour of wp_specialchars() when the $quote_style is not an accepted value
     304    // Match the previous behaviour of _wp_specialchars() when the $quote_style is not an accepted value
    305305    if ( empty( $quote_style ) ) {
    306306        $quote_style = ENT_NOQUOTES;
     
    20752075function esc_js( $text ) {
    20762076    $safe_text = wp_check_invalid_utf8( $text );
    2077     $safe_text = wp_specialchars( $safe_text, ENT_COMPAT );
     2077    $safe_text = _wp_specialchars( $safe_text, ENT_COMPAT );
    20782078    $safe_text = preg_replace( '/&#(x)?0*(?(1)27|39);?/i', "'", stripslashes( $safe_text ) );
    20792079    $safe_text = preg_replace( "/\r?\n/", "\\n", addslashes( $safe_text ) );
     
    20992099
    21002100/**
    2101  * Escaping for HTML attributes.
     2101 * Escaping for HTML blocks.
    21022102 *
    21032103 * @since 2.8.0
     
    21062106 * @return string
    21072107 */
     2108function esc_html( $text ) {
     2109    $safe_text = wp_check_invalid_utf8( $text );
     2110    $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES );
     2111    return apply_filters( 'esc_html', $safe_text, $text );
     2112    return $text;
     2113}
     2114
     2115/**
     2116 * Escaping for HTML blocks
     2117 * @deprecated 2.8.0
     2118 * @see esc_html()
     2119 */
     2120function wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false ) {
     2121    if ( func_num_args() > 1 ) { // Maintain backwards compat for people passing additional args
     2122        $args = func_get_args();
     2123        return call_user_func_array( '_wp_specialchars', $args );
     2124    } else {
     2125        return esc_html( $string );
     2126    }
     2127}
     2128
     2129/**
     2130 * Escaping for HTML attributes.
     2131 *
     2132 * @since 2.8.0
     2133 *
     2134 * @param string $text
     2135 * @return string
     2136 */
    21082137function esc_attr( $text ) {
    21092138    $safe_text = wp_check_invalid_utf8( $text );
    2110     $safe_text = wp_specialchars( $safe_text, ENT_QUOTES );
     2139    $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES );
    21112140    return apply_filters( 'attribute_escape', $safe_text, $text );
    21122141}
     
    22252254            $value = wp_filter_post_kses( $value ); // calls stripslashes then addslashes
    22262255            $value = stripslashes($value);
    2227             $value = wp_specialchars( $value );
     2256            $value = esc_html( $value );
    22282257            break;
    22292258
     
    22992328 * Callback function used by preg_replace.
    23002329 *
    2301  * @uses wp_specialchars to format the $matches text.
     2330 * @uses esc_html to format the $matches text.
    23022331 * @since 2.3.0
    23032332 *
    23042333 * @param array $matches Populated by matches to preg_replace.
    2305  * @return string The text returned after wp_specialchars if needed.
     2334 * @return string The text returned after esc_html if needed.
    23062335 */
    23072336function wp_pre_kses_less_than_callback( $matches ) {
    23082337    if ( false === strpos($matches[0], '>') )
    2309         return wp_specialchars($matches[0]);
     2338        return esc_html($matches[0]);
    23102339    return $matches[0];
    23112340}
Note: See TracChangeset for help on using the changeset viewer.