
Changeset 11721


Timestamp:
07/18/2009 11:21:50 PM (15 years ago)
Author:
azaozz
Message:

Properly escape comment_author_url when displaying, for trunk

Location:
trunk
Files:
5 edited

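--- a/trunk/wp-admin/comment.php
+++ b/trunk/wp-admin/comment.php
@@ -23,5 +23,5 @@
  * @param string $msg Error Message. Assumed to contain HTML and be sanitized.
  */
-function comment_footer_die( $msg ) {  //
+function comment_footer_die( $msg ) {
     echo "<div class='wrap'><p>$msg</p></div>";
     include('admin-footer.php');
@@ -120,5 +120,5 @@
 <tr>
 <th scope="row"><?php _e('URL'); ?></th>
-<td><a href='<?php echo $comment->comment_author_url; ?>'><?php echo $comment->comment_author_url; ?></a></td>
+<td><a href="<?php echo $comment->comment_author_url; ?>"><?php echo $comment->comment_author_url; ?></a></td>
 </tr>
 <?php } ?>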
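Review bot: The new line 122 still echoes `$comment->comment_author_url` twice with no escaping at the output site; the switch from single to double quotes only helps if the value is already attribute-safe, which depends on `$comment` having been filled by the admin helper that this changeset escapes (the `format_to_edit()` + `esc_url()` pair in wp-admin/includes/comment.php) rather than by a plain `get_comment()` — that fetch is outside the hunk, so it cannot be confirmed from here. Escaping at the point of output would make the line safe whichever path filled the object: `<td><a href="<?php echo esc_url( $comment->comment_author_url ); ?>"><?php echo esc_html( $comment->comment_author_url ); ?></a></td>`. As far as I recall, both helpers leave existing entities alone, so a value that already went through `format_to_edit()` should not be double-encoded, but that is worth checking against this tree's `_wp_specialchars()`. The `<?php if ... { ?>` block this row sits in opens before the hunk.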
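--- a/trunk/wp-admin/edit-form-comment.php
+++ b/trunk/wp-admin/edit-form-comment.php
@@ -25,10 +25,4 @@
 <input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" />
 <input type="hidden" name="action" value='<?php echo $form_action . $form_extra ?>' />
-<?php
-
-$email = esc_attr( $comment->comment_author_email );
-$url = esc_attr( $comment->comment_author_url );
-// add_meta_box('submitdiv', __('Save'), 'comment_submit_meta_box', 'comment', 'side', 'core');
-?>
 
 <div id="side-info-column" class="inner-sidebar">
@@ -96,5 +90,5 @@
     <td class="first">
     <?php
-        if ( $email ) {
+        if ( $comment->comment_author_email ) {
             printf( __( 'E-mail (%s):' ), get_comment_author_email_link( __( 'send e-mail' ), '', '' ) );
         } else {
@@ -102,12 +96,11 @@
         }
 ?></td>
-    <td><input type="text" name="newcomment_author_email" size="30" value="<?php echo esc_attr($email); ?>" tabindex="2" id="email" /></td>
+    <td><input type="text" name="newcomment_author_email" size="30" value="<?php echo $comment->comment_author_email; ?>" tabindex="2" id="email" /></td>
 </tr>
 <tr valign="top">
     <td class="first">
     <?php
-        $url = get_comment_author_url();
-        if ( ! empty( $url ) && 'http://' != $url ) {
-            $link = "<a href='$url' rel='external nofollow' target='_blank'>" . __('visit site') . "</a>";
+        if ( ! empty( $comment->comment_author_url ) && 'http://' != $comment->comment_author_url ) {
+            $link = '<a href="' . $comment->comment_author_url . '" rel="external nofollow" target="_blank">' . __('visit site') . '</a>';
             printf( __( 'URL (%s):' ), apply_filters('get_comment_author_link', $link ) );
         } else {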
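Review bot: New line 98 drops the `esc_attr()` the removed line had and echoes `$comment->comment_author_email` straight into a `value` attribute, so after this commit the only protection is the `format_to_edit()` call added in wp-admin/includes/comment.php (presumably inside `get_comment_to_edit()`), which this template cannot see and which any caller handing it a plain `get_comment()` object would bypass. Keeping an output-site escape costs nothing: `value="<?php echo esc_attr( $comment->comment_author_email ); ?>"`. The same applies to the `href` concatenated on new line 104, where wrapping the property in `esc_url()` would make the link self-contained instead of relying on upstream preparation. Note also that replacing `get_comment_author_url()` with the raw property means the `get_comment_author_url` filter no longer runs for this link, which may or may not be intended. The enclosing form markup opens and closes outside this hunk.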
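--- a/trunk/wp-admin/includes/comment.php
+++ b/trunk/wp-admin/includes/comment.php
@@ -90,6 +90,6 @@
     $comment->comment_author = format_to_edit( $comment->comment_author );
     $comment->comment_author_email = format_to_edit( $comment->comment_author_email );
+    $comment->comment_author_url = format_to_edit( $comment->comment_author_url );
     $comment->comment_author_url = esc_url($comment->comment_author_url);
-    $comment->comment_author_url = format_to_edit( $comment->comment_author_url );
 
     return $comment;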
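Review bot: `esc_url()` on new line 93 is called with its default protocol list, while the same field in wp-includes/comment-template.php (also in this changeset) is restricted to `array('http', 'https')`; the admin path therefore keeps accepting schemes the front end now rejects, which is an inconsistency worth either aligning — `$comment->comment_author_url = esc_url( $comment->comment_author_url, array('http', 'https') );` — or explaining in a comment. The reordering itself looks right: as far as I recall `esc_url()` emits its own entities for `&` and `'`, so running `format_to_edit()` first avoids turning them into `&amp;#038;`-style double encodings as the old order did, but nothing says so, and a one-line comment such as `// esc_url() must run after format_to_edit() so the entities it emits are not re-escaped` would stop someone from "fixing" the order back. The enclosing function starts and ends outside this hunk.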
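--- a/trunk/wp-admin/includes/template.php
+++ b/trunk/wp-admin/includes/template.php
@@ -2083,7 +2083,5 @@
     if ( 'http://' == $author_url )
         $author_url = '';
-    $author_url_display = $author_url;
-    $author_url_display = str_replace('http://www.', '', $author_url_display);
-    $author_url_display = str_replace('http://', '', $author_url_display);
+    $author_url_display = preg_replace('|http://(www\.)?|i', '', $author_url);
     if ( strlen($author_url_display) > 50 )
         $author_url_display = substr($author_url_display, 0, 49) . '...';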
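Review bot: The new pattern `|http://(www\.)?|i` on line 2085 is unanchored, so it strips `http://` wherever it occurs — including inside a query string such as `example.com/?u=http://other` — and it leaves `https://` untouched; the removed `str_replace()` calls shared both limits, so this is not a regression, but the rewrite is the moment to fix it: `$author_url_display = preg_replace('|^https?://(www\.)?|i', '', $author_url);`. The byte-based `strlen()`/`substr()` truncation at 49 on the following lines can also split a multibyte character in a non-ASCII URL; `mb_substr()` would be safer where available. Whether `$author_url_display` is escaped when it is later echoed is outside this hunk and not shown here, as is the enclosing function.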
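--- a/trunk/wp-includes/comment-template.php
+++ b/trunk/wp-includes/comment-template.php
@@ -195,4 +195,5 @@
     global $comment;
     $url = ('http://' == $comment->comment_author_url) ? '' : $comment->comment_author_url;
+    $url = esc_url( $url, array('http', 'https') );
     return apply_filters('get_comment_author_url', $url);
 }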
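Review bot: The added `esc_url()` call on line 197 uses the default display context, so as far as I recall this function now returns a URL with `&` and `'` entity-encoded and anything that is not http/https replaced by an empty string; nothing in the hunk tells callers of `get_comment_author_url()` — or of the `get_comment_author_url` filter, which now receives the escaped value rather than the stored one — that the return is HTML-escaped, which matters for anyone feeding it to a redirect header, a database write, or a second escaping pass. A docblock line above the function would settle it, e.g. `@return string Author URL escaped for HTML display via esc_url(); empty string when the scheme is not http or https.`, and callers needing the raw value can be pointed at whatever raw/db variant of `esc_url()` this tree provides. The function's signature and docblock are above this hunk.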