Timestamp:
05/18/2009 03:11:07 PM (11 years ago)
Author:
markjaquith
Message:

deprecate wp_specialchars() in favor of esc_html(). Encode quotes for esc_html() as in esc_attr(), to improve plugin security.

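--- a/trunk/wp-includes/functions.php
+++ b/trunk/wp-includes/functions.php
@@ -380,4 +380,4 @@
     $protected = array( 'alloptions', 'notoptions' );
     if ( in_array( $option, $protected ) )
-        die( sprintf( __( '%s is a protected WP option and may not be modified' ), wp_specialchars( $option ) ) );
+        die( sprintf( __( '%s is a protected WP option and may not be modified' ), esc_html( $option ) ) );
 }
 
@@ -1594,5 +1594,5 @@
     $hook = 'do_feed_' . $feed;
     if ( !has_action($hook) ) {
-        $message = sprintf( __( 'ERROR: %s is not a valid feed template' ), wp_specialchars($feed));
+        $message = sprintf( __( 'ERROR: %s is not a valid feed template' ), esc_html($feed));
         wp_die($message);
     }
@@ -1719,5 +1719,5 @@
 function wp_nonce_url( $actionurl, $action = -1 ) {
     $actionurl = str_replace( '&', '&', $actionurl );
-    return wp_specialchars( add_query_arg( '_wpnonce', wp_create_nonce( $action ), $actionurl ) );
+    return esc_html( add_query_arg( '_wpnonce', wp_create_nonce( $action ), $actionurl ) );
 }
 
@@ -2309,5 +2309,5 @@
                         $object = call_user_func( $lookup, $object );
                 }
-                return sprintf( $trans[$verb][$noun][0], wp_specialchars($object) );
+                return sprintf( $trans[$verb][$noun][0], esc_html($object) );
             } else {
                 return $trans[$verb][$noun][0];
@@ -2335,5 +2335,5 @@
 function wp_nonce_ays( $action ) {
     $title = __( 'WordPress Failure Notice' );
-    $html = wp_specialchars( wp_explain_nonce( $action ) );
+    $html = esc_html( wp_explain_nonce( $action ) );
     if ( wp_get_referer() )
         $html .= "</p><p><a href='" . clean_url( remove_query_arg( 'updated', wp_get_referer() ) ) . "'>" . __( 'Please try again.' ) . "</a>";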
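Review bot: wp_nonce_url now returns the result of `esc_html( add_query_arg( ... ) )`, so despite its name the value is HTML-escaped output, not a URL: it is only correct when echoed into an href/src attribute, and a caller that hands it to wp_redirect(), a JavaScript string or a raw HTTP request will send `&amp;` (and, after this commit, encoded quotes) instead of the literal characters. Since the commit tightens the escaping contract to improve plugin security, the function should say so where plugin authors will see it; a docblock along the lines of `/** Returns $actionurl with a _wpnonce query arg appended, HTML-escaped for direct use in an href/src attribute. Do not pass the result to wp_redirect() or JavaScript; build the unescaped URL with add_query_arg() for those contexts. */` would make the intent explicit. The str_replace on the line above the return presumably normalises an already-encoded ampersand back to a bare one before re-escaping, but the page rendering shows both arguments as `&`, so that reading is inferred rather than visible here.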