
Changeset 11838


Timestamp:
08/18/09 16:05:07 (5 years ago)
Author:
ryan
Message:

Prophylactic escapes

Location:
trunk/wp-includes
Files:
7 edited

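--- a/trunk/wp-includes/author-template.php
+++ b/trunk/wp-includes/author-template.php
@@ -133,5 +133,5 @@
 function the_author_link() {
     if ( get_the_author_meta('url') ) {
-        echo '<a href="' . get_the_author_meta('url') . '" title="' . sprintf(__("Visit %s&#8217;s website"), get_the_author()) . '" rel="external">' . get_the_author() . '</a>';
+        echo '<a href="' . get_the_author_meta('url') . '" title="' . esc_attr( sprintf(__("Visit %s&#8217;s website"), get_the_author()) ) . '" rel="external">' . get_the_author() . '</a>';
     } else {
         the_author();
@@ -182,5 +182,5 @@
         '<a href="%1$s" title="%2$s">%3$s</a>',
         get_author_posts_url( $authordata->ID, $authordata->user_nicename ),
-        sprintf( __( 'Posts by %s' ), esc_attr( get_the_author() ) ),
+        esc_attr( sprintf( __( 'Posts by %s' ), get_the_author() ) ),
         get_the_author()
     );
@@ -293,5 +293,5 @@
                 $link = $name;
         } else {
-            $link = '<a href="' . get_author_posts_url($author->ID, $author->user_nicename) . '" title="' . sprintf(__("Posts by %s"), esc_attr($author->display_name)) . '">' . $name . '</a>';
+            $link = '<a href="' . get_author_posts_url($author->ID, $author->user_nicename) . '" title="' . esc_attr( sprintf(__("Posts by %s"), $author->display_name) ) . '">' . $name . '</a>';
 
             if ( (! empty($feed_image)) || (! empty($feed)) ) {
@@ -302,6 +302,6 @@
 
                 if ( !empty($feed) ) {
-                    $title = ' title="' . $feed . '"';
-                    $alt = ' alt="' . $feed . '"';
+                    $title = ' title="' . esc_attr($feed) . '"';
+                    $alt = ' alt="' . esc_attr($feed) . '"';
                     $name = $feed;
                     $link .= $title;
@@ -311,5 +311,5 @@
 
                 if ( !empty($feed_image) )
-                    $link .= "<img src=\"$feed_image\" style=\"border: none;\"$alt$title" . ' />';
+                    $link .= "<img src=\"" . esc_url($feed_image) . "\" style=\"border: none;\"$alt$title" . ' />';
                 else
                     $link .= $name;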
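Review bot: On the new line 135 the `href` still interpolates `get_the_author_meta('url')` raw while only the `title` attribute is wrapped in `esc_attr()`; since this same changeset uses `esc_url()` for `$feed_image` on line 313, the user-editable author URL should get the same treatment, `'<a href="' . esc_url( get_the_author_meta('url') ) . '" title="' ...`. The link text `get_the_author()` on line 135 and `$name` on lines 295 and 315 are also emitted unescaped, and on line 315 `$name` is `$feed` (assigned on line 306), so the value that is now escaped in its `title`/`alt` forms is still printed raw as link text. Whether those text slots are meant to carry markup cannot be told from the hunk; the enclosing functions start and end outside it.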
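--- a/trunk/wp-includes/bookmark-template.php
+++ b/trunk/wp-includes/bookmark-template.php
@@ -91,5 +91,5 @@
         $rel = $bookmark->link_rel;
         if ( '' != $rel )
-            $rel = ' rel="' . $rel . '"';
+            $rel = ' rel="' . esc_attr($rel) . '"';
 
         $target = $bookmark->link_target;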
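--- a/trunk/wp-includes/category-template.php
+++ b/trunk/wp-includes/category-template.php
@@ -69,5 +69,5 @@
 
     if ( $link )
-        $chain .= '<a href="' . get_category_link( $parent->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $parent->cat_name ) . '">'.$name.'</a>' . $separator;
+        $chain .= '<a href="' . get_category_link( $parent->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $parent->cat_name ) ) . '">'.$name.'</a>' . $separator;
     else
         $chain .= $name.$separator;
@@ -191,8 +191,8 @@
                     if ( $category->parent )
                         $thelist .= get_category_parents( $category->parent, true, $separator );
-                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>' . $category->name.'</a></li>';
+                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->name.'</a></li>';
                     break;
                 case 'single':
-                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>';
+                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>';
                     if ( $category->parent )
                         $thelist .= get_category_parents( $category->parent, false, $separator );
@@ -201,5 +201,5 @@
                 case '':
                 default:
-                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>' . $category->cat_name.'</a></li>';
+                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->cat_name.'</a></li>';
             }
         }
@@ -214,8 +214,8 @@
                     if ( $category->parent )
                         $thelist .= get_category_parents( $category->parent, true, $separator );
-                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>' . $category->cat_name.'</a>';
+                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->cat_name.'</a>';
                     break;
                 case 'single':
-                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>';
+                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>';
                     if ( $category->parent )
                         $thelist .= get_category_parents( $category->parent, false, $separator );
@@ -224,5 +224,5 @@
                 case '':
                 default:
-                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>' . $category->name.'</a>';
+                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->name.'</a>';
             }
             ++$i;
@@ -353,4 +353,6 @@
 
     $categories = get_categories( $r );
+    $name = esc_attr($name);
+    $class = esc_attr($class);
 
     $output = '';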
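Review bot: On lines 71, 193, 196, 203, 216, 219 and 226 only the `title` attribute is escaped; the `href` built from `get_category_link()` and the `$rel` fragment (assembled outside the hunk) are still spliced in raw, and the link text (`$name`, `$category->name`, `$category->cat_name`) is unescaped too. For consistency with `esc_url($feed_image)` elsewhere in this changeset the href should read `esc_url( get_category_link( $category->term_id ) )`. Line 193 prints `$category->name` as link text while 203 and 216 print `$category->cat_name`; that inconsistency predates the change but deserves a follow-up. The hunk at 353–358 escapes `$name` and `$class` early, before `$output` is assembled, which is fine; the enclosing functions begin outside these hunks.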
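--- a/trunk/wp-includes/comment-template.php
+++ b/trunk/wp-includes/comment-template.php
@@ -338,4 +338,6 @@
         $classes = array_merge($classes, $class);
     }
+
+    $classes = array_map('esc_attr', $classes);
 
     return apply_filters('comment_class', $classes, $class, $comment_id, $post_id);
@@ -941,5 +943,5 @@
 
     if ( 0 == $number && !comments_open() && !pings_open() ) {
-        echo '<span' . ((!empty($css_class)) ? ' class="' . $css_class . '"' : '') . '>' . $none . '</span>';
+        echo '<span' . ((!empty($css_class)) ? ' class="' . esc_attr( $css_class ) . '"' : '') . '>' . $none . '</span>';
         return;
     }
@@ -973,5 +975,5 @@
     echo apply_filters( 'comments_popup_link_attributes', '' );
 
-    echo ' title="' . sprintf( __('Comment on %s'), $title ) . '">';
+    echo ' title="' . esc_attr( sprintf( __('Comment on %s'), $title ) ) . '">';
     comments_number( $zero, $one, $more, $number );
     echo '</a>';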
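Review bot: Line 341 applies `esc_attr()` to `$classes` before `apply_filters('comment_class', …)` on line 343, so any class a filter appends is returned unescaped while only the core-generated ones are; if the escaping is meant as a guarantee to callers it belongs after the filter, e.g. `return array_map('esc_attr', apply_filters('comment_class', $classes, $class, $comment_id, $post_id));`. Note also that `esc_attr()` entity-encodes rather than rejects characters, so the result is attribute-safe but not necessarily a single valid class token. On line 945 `$none` is still echoed raw inside the span; its origin is outside this hunk, so whether it is trusted cannot be confirmed here. The functions containing all three hunks start outside them.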
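--- a/trunk/wp-includes/general-template.php
+++ b/trunk/wp-includes/general-template.php
@@ -1024,5 +1024,5 @@
     /* translators: Calendar caption: 1: month name, 2: 4-digit year */
     $calendar_caption = _x('%1$s %2$s', 'calendar caption');
-    echo '<table id="wp-calendar" summary="' . __('Calendar') . '">
+    echo '<table id="wp-calendar" summary="' . esc_attr__('Calendar') . '">
     <caption>' . sprintf($calendar_caption, $wp_locale->get_month($thismonth), date('Y', $unixmonth)) . '</caption>
     <thead>
@@ -1037,4 +1037,5 @@
     foreach ( $myweek as $wd ) {
         $day_name = (true == $initial) ? $wp_locale->get_weekday_initial($wd) : $wp_locale->get_weekday_abbrev($wd);
+        $wd = esc_attr($wd);
         echo "\n\t\t<th abbr=\"$wd\" scope=\"col\" title=\"$wd\">$day_name</th>";
     }
@@ -1059,6 +1060,6 @@
     if ( $next ) {
         echo "\n\t\t".'<td abbr="' . $wp_locale->get_month($next->month) . '" colspan="3" id="next"><a href="' .
-        get_month_link($next->year, $next->month) . '" title="' . sprintf(__('View posts for %1$s %2$s'), $wp_locale->get_month($next->month),
-            date('Y', mktime(0, 0 , 0, $next->month, 1, $next->year))) . '">' . $wp_locale->get_month_abbrev($wp_locale->get_month($next->month)) . ' &raquo;</a></td>';
+        get_month_link($next->year, $next->month) . '" title="' . esc_attr( sprintf(__('View posts for %1$s %2$s'), $wp_locale->get_month($next->month) ,
+            date('Y', mktime(0, 0 , 0, $next->month, 1, $next->year))) ) . '">' . $wp_locale->get_month_abbrev($wp_locale->get_month($next->month)) . ' &raquo;</a></td>';
     } else {
         echo "\n\t\t".'<td colspan="3" id="next" class="pad">&nbsp;</td>';
@@ -1117,5 +1118,5 @@
     $pad = calendar_week_mod(date('w', $unixmonth)-$week_begins);
     if ( 0 != $pad )
-        echo "\n\t\t".'<td colspan="'.$pad.'" class="pad">&nbsp;</td>';
+        echo "\n\t\t".'<td colspan="'. esc_attr($pad) .'" class="pad">&nbsp;</td>';
 
     $daysinmonth = intval(date('t', $unixmonth));
@@ -1131,5 +1132,5 @@
 
         if ( in_array($day, $daywithpost) ) // any posts today?
-                echo '<a href="' . get_day_link($thisyear, $thismonth, $day) . "\" title=\"$ak_titles_for_day[$day]\">$day</a>";
+                echo '<a href="' . get_day_link($thisyear, $thismonth, $day) . "\" title=\"" . esc_attr($ak_titles_for_day[$day]) . "\">$day</a>";
         else
             echo $day;
@@ -1142,5 +1143,5 @@
     $pad = 7 - calendar_week_mod(date('w', mktime(0, 0 , 0, $thismonth, $day, $thisyear))-$week_begins);
     if ( $pad != 0 && $pad != 7 )
-        echo "\n\t\t".'<td class="pad" colspan="'.$pad.'">&nbsp;</td>';
+        echo "\n\t\t".'<td class="pad" colspan="'. esc_attr($pad) .'">&nbsp;</td>';
 
     echo "\n\t</tr>\n\t</tbody>\n\t</table>";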
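Review bot: Context line 1061 places `$wp_locale->get_month($next->month)` in the `abbr` attribute unescaped, while the new line 1062 escapes the very same translated string inside the adjacent `title`; wrap it the same way, `'<td abbr="' . esc_attr( $wp_locale->get_month($next->month) ) . '" colspan="3" id="next"><a href="' .`, and consider `esc_url()` on the `get_month_link()` href that follows. Lines 1120 and 1145 run `esc_attr()` on `$pad`, which is an integer from `calendar_week_mod()` arithmetic; `(int) $pad` states the intent more honestly than an HTML escaper that is a no-op on digits. Line 1039 reassigns the loop variable `$wd` only after `get_weekday_initial($wd)` / `get_weekday_abbrev($wd)` consumed the raw value on 1038, so the ordering is correct, though `$day_name` itself is still printed raw as the cell text. The calendar function enclosing these hunks starts and ends outside them.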
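--- a/trunk/wp-includes/media.php
+++ b/trunk/wp-includes/media.php
@@ -617,7 +617,7 @@
         return $content;
 
-    if ( $id ) $id = 'id="' . $id . '" ';
-
-    return '<div ' . $id . 'class="wp-caption ' . $align . '" style="width: ' . (10 + (int) $width) . 'px">'
+    if ( $id ) $id = 'id="' . esc_attr($id) . '" ';
+
+    return '<div ' . $id . 'class="wp-caption ' . esc_attr($align) . '" style="width: ' . (10 + (int) $width) . 'px">'
     . do_shortcode( $content ) . '<p class="wp-caption-text">' . $caption . '</p></div>';
 }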
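Review bot: `$caption` on context line 622 is still concatenated raw into `<p class="wp-caption-text">` while `$id` and `$align` on lines 619 and 621 are now escaped; if captions are not meant to carry markup it should be `esc_html( $caption )`, and if limited HTML is intended a kses pass is the safer choice. The function head, and therefore where `$caption`, `$id` and `$align` come from, lies outside the hunk, so this is a hedged suggestion. `esc_attr($align)` makes the class attribute-safe but does not confine it to the expected alignment classes; a whitelist check would be tighter. The `(int) $width` cast on line 621 already bounds the style value.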
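--- a/trunk/wp-includes/post-template.php
+++ b/trunk/wp-includes/post-template.php
@@ -342,4 +342,6 @@
         $classes = array_merge($classes, $class);
     }
+
+    $classes = array_map('esc_attr', $classes);
 
     return apply_filters('post_class', $classes, $class, $post_id);
@@ -478,4 +480,6 @@
         $classes = array_merge($classes, $class);
     }
+
+    $classes = array_map('esc_attr', $classes);
 
     return apply_filters('body_class', $classes, $class);
@@ -707,4 +711,5 @@
     $pages = get_pages($r);
     $output = '';
+    $name = esc_attr($name);
 
     if ( ! empty($pages) ) {
@@ -843,5 +848,5 @@
         $menu = '<ul>' . $menu . '</ul>';
 
-    $menu = '<div class="' . $args['menu_class'] . '">' . $menu . "</div>\n";
+    $menu = '<div class="' . esc_attr($args['menu_class']) . '">' . $menu . "</div>\n";
     $menu = apply_filters( 'wp_page_menu', $menu, $args );
     if ( $args['echo'] )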
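Review bot: Lines 345 and 483 escape `$classes` before `apply_filters('post_class', …)` / `apply_filters('body_class', …)` on 347 and 485, so any class a filter adds bypasses the escaping this commit introduces; if the escaping is meant to hold for the returned array it should follow the filter, e.g. `return array_map('esc_attr', apply_filters('post_class', $classes, $class, $post_id));` and likewise for `body_class`. The same ordering appears in comment-template.php in this changeset, so whichever placement is chosen should be applied to all three. Line 713 escapes `$name` after `$output = ''` but before it is used, which is fine; the surrounding functions start outside these hunks.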