
Changeset 11838


Timestamp:
08/18/2009 04:05:07 PM (15 years ago)
Author:
ryan
Message:

Prophylactic escapes

Location:
trunk/wp-includes
Files:
7 edited

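--- a/trunk/wp-includes/author-template.php
+++ b/trunk/wp-includes/author-template.php
@@ -133,5 +133,5 @@
 function the_author_link() {
     if ( get_the_author_meta('url') ) {
-        echo '<a href="' . get_the_author_meta('url') . '" title="' . sprintf(__("Visit %s&#8217;s website"), get_the_author()) . '" rel="external">' . get_the_author() . '</a>';
+        echo '<a href="' . get_the_author_meta('url') . '" title="' . esc_attr( sprintf(__("Visit %s&#8217;s website"), get_the_author()) ) . '" rel="external">' . get_the_author() . '</a>';
     } else {
         the_author();
@@ -182,5 +182,5 @@
         '<a href="%1$s" title="%2$s">%3$s</a>',
         get_author_posts_url( $authordata->ID, $authordata->user_nicename ),
-        sprintf( __( 'Posts by %s' ), esc_attr( get_the_author() ) ),
+        esc_attr( sprintf( __( 'Posts by %s' ), get_the_author() ) ),
         get_the_author()
     );
@@ -293,5 +293,5 @@
                 $link = $name;
         } else {
-            $link = '<a href="' . get_author_posts_url($author->ID, $author->user_nicename) . '" title="' . sprintf(__("Posts by %s"), esc_attr($author->display_name)) . '">' . $name . '</a>';
+            $link = '<a href="' . get_author_posts_url($author->ID, $author->user_nicename) . '" title="' . esc_attr( sprintf(__("Posts by %s"), $author->display_name) ) . '">' . $name . '</a>';
 
             if ( (! empty($feed_image)) || (! empty($feed)) ) {
@@ -302,6 +302,6 @@
 
                 if ( !empty($feed) ) {
-                    $title = ' title="' . $feed . '"';
-                    $alt = ' alt="' . $feed . '"';
+                    $title = ' title="' . esc_attr($feed) . '"';
+                    $alt = ' alt="' . esc_attr($feed) . '"';
                     $name = $feed;
                     $link .= $title;
@@ -311,5 +311,5 @@
 
                 if ( !empty($feed_image) )
-                    $link .= "<img src=\"$feed_image\" style=\"border: none;\"$alt$title" . ' />';
+                    $link .= "<img src=\"" . esc_url($feed_image) . "\" style=\"border: none;\"$alt$title" . ' />';
                 else
                     $link .= $name;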
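Review bot: The `href` on line 135 still receives `get_the_author_meta('url')` raw while only the `title` was wrapped, and the same commit applies `esc_url()` to `$feed_image` on line 313, so `'<a href="' . esc_url( get_the_author_meta('url') ) . '" title="'` would be the consistent treatment for a user-editable profile URL. Lines 304–305 escape `$feed` for `title`/`alt`, but line 306 assigns `$name = $feed` and line 315 appends `$name` unescaped as the link text when no feed image is set, so that path still emits the raw value; `esc_html( $feed )` at the assignment, or at line 315, closes it. The function containing lines 293–315 starts before and ends after these hunks.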
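--- a/trunk/wp-includes/bookmark-template.php
+++ b/trunk/wp-includes/bookmark-template.php
@@ -91,5 +91,5 @@
         $rel = $bookmark->link_rel;
         if ( '' != $rel )
-            $rel = ' rel="' . $rel . '"';
+            $rel = ' rel="' . esc_attr($rel) . '"';
 
         $target = $bookmark->link_target;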
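Review bot: Line 93 escapes `$rel`, but `$target`, read from `$bookmark->link_target` on line 95, presumably feeds a `target="…"` attribute built the same way a few lines further down; whether it receives the same `esc_attr()` lies outside the hunk and is worth confirming so the two sibling attributes are treated alike. On line 92 `'' != $rel` is a loose comparison; `if ( '' !== $rel )` states the intent without relying on PHP's string/number juggling rules.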
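--- a/trunk/wp-includes/category-template.php
+++ b/trunk/wp-includes/category-template.php
@@ -69,5 +69,5 @@
 
     if ( $link )
-        $chain .= '<a href="' . get_category_link( $parent->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $parent->cat_name ) . '">'.$name.'</a>' . $separator;
+        $chain .= '<a href="' . get_category_link( $parent->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $parent->cat_name ) ) . '">'.$name.'</a>' . $separator;
     else
         $chain .= $name.$separator;
@@ -191,8 +191,8 @@
                     if ( $category->parent )
                         $thelist .= get_category_parents( $category->parent, true, $separator );
-                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>' . $category->name.'</a></li>';
+                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->name.'</a></li>';
                     break;
                 case 'single':
-                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>';
+                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>';
                     if ( $category->parent )
                         $thelist .= get_category_parents( $category->parent, false, $separator );
@@ -201,5 +201,5 @@
                 case '':
                 default:
-                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>' . $category->cat_name.'</a></li>';
+                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->cat_name.'</a></li>';
             }
         }
@@ -214,8 +214,8 @@
                     if ( $category->parent )
                         $thelist .= get_category_parents( $category->parent, true, $separator );
-                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>' . $category->cat_name.'</a>';
+                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->cat_name.'</a>';
                     break;
                 case 'single':
-                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>';
+                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>';
                     if ( $category->parent )
                         $thelist .= get_category_parents( $category->parent, false, $separator );
@@ -224,5 +224,5 @@
                 case '':
                 default:
-                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>' . $category->name.'</a>';
+                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->name.'</a>';
             }
             ++$i;
@@ -353,4 +353,6 @@
 
     $categories = get_categories( $r );
+    $name = esc_attr($name);
+    $class = esc_attr($class);
 
     $output = '';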
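Review bot: Lines 355–356 escape `$name` and `$class` at assignment time rather than where they are written into the markup, so every later use of those variables in the function receives attribute-encoded text: a non-attribute use (passing them to a filter, using `$name` as an array key) gets the wrong value, and a future `esc_attr()` added at the echo site would double-encode `&`. Escaping in the output expression, `' name="' . esc_attr($name) . '"'`, keeps the variable's meaning stable; the same early-escape pattern appears in general-template.php line 1039 (`$wd = esc_attr($wd);`) and post-template.php line 713 (`$name = esc_attr($name);`). The later uses of these variables are outside the hunk, so this is inferred from the assignment position only. The category and term names placed as link text on lines 193, 203, 216 and 226 are still emitted raw; whether that is covered by sanitisation on save is not visible here.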
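--- a/trunk/wp-includes/comment-template.php
+++ b/trunk/wp-includes/comment-template.php
@@ -338,4 +338,6 @@
         $classes = array_merge($classes, $class);
     }
+
+    $classes = array_map('esc_attr', $classes);
 
     return apply_filters('comment_class', $classes, $class, $comment_id, $post_id);
@@ -941,5 +943,5 @@
 
     if ( 0 == $number && !comments_open() && !pings_open() ) {
-        echo '<span' . ((!empty($css_class)) ? ' class="' . $css_class . '"' : '') . '>' . $none . '</span>';
+        echo '<span' . ((!empty($css_class)) ? ' class="' . esc_attr( $css_class ) . '"' : '') . '>' . $none . '</span>';
         return;
     }
@@ -973,5 +975,5 @@
     echo apply_filters( 'comments_popup_link_attributes', '' );
 
-    echo ' title="' . sprintf( __('Comment on %s'), $title ) . '">';
+    echo ' title="' . esc_attr( sprintf( __('Comment on %s'), $title ) ) . '">';
     comments_number( $zero, $one, $more, $number );
     echo '</a>';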
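Review bot: Line 341 escapes `$classes` before they pass through `apply_filters('comment_class', …)` on line 343, so classes added or replaced by a filter callback are returned unescaped, and callbacks that match on class names now see already-encoded values; applying `array_map('esc_attr', …)` to the filter's result, or at the point where the classes are joined into the attribute, covers both cases. The same ordering appears in post-template.php lines 345 and 483 for the `post_class` and `body_class` filters. On line 945 `$none` is still emitted raw inside the `<span>`; it is a caller-supplied label, so whether it is trusted depends on callers outside this hunk.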
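--- a/trunk/wp-includes/general-template.php
+++ b/trunk/wp-includes/general-template.php
@@ -1024,5 +1024,5 @@
     /* translators: Calendar caption: 1: month name, 2: 4-digit year */
     $calendar_caption = _x('%1$s %2$s', 'calendar caption');
-    echo '<table id="wp-calendar" summary="' . __('Calendar') . '">
+    echo '<table id="wp-calendar" summary="' . esc_attr__('Calendar') . '">
     <caption>' . sprintf($calendar_caption, $wp_locale->get_month($thismonth), date('Y', $unixmonth)) . '</caption>
     <thead>
@@ -1037,4 +1037,5 @@
     foreach ( $myweek as $wd ) {
         $day_name = (true == $initial) ? $wp_locale->get_weekday_initial($wd) : $wp_locale->get_weekday_abbrev($wd);
+        $wd = esc_attr($wd);
         echo "\n\t\t<th abbr=\"$wd\" scope=\"col\" title=\"$wd\">$day_name</th>";
     }
@@ -1059,6 +1060,6 @@
     if ( $next ) {
         echo "\n\t\t".'<td abbr="' . $wp_locale->get_month($next->month) . '" colspan="3" id="next"><a href="' .
-        get_month_link($next->year, $next->month) . '" title="' . sprintf(__('View posts for %1$s %2$s'), $wp_locale->get_month($next->month),
-            date('Y', mktime(0, 0 , 0, $next->month, 1, $next->year))) . '">' . $wp_locale->get_month_abbrev($wp_locale->get_month($next->month)) . ' &raquo;</a></td>';
+        get_month_link($next->year, $next->month) . '" title="' . esc_attr( sprintf(__('View posts for %1$s %2$s'), $wp_locale->get_month($next->month) ,
+            date('Y', mktime(0, 0 , 0, $next->month, 1, $next->year))) ) . '">' . $wp_locale->get_month_abbrev($wp_locale->get_month($next->month)) . ' &raquo;</a></td>';
     } else {
         echo "\n\t\t".'<td colspan="3" id="next" class="pad">&nbsp;</td>';
@@ -1117,5 +1118,5 @@
     $pad = calendar_week_mod(date('w', $unixmonth)-$week_begins);
     if ( 0 != $pad )
-        echo "\n\t\t".'<td colspan="'.$pad.'" class="pad">&nbsp;</td>';
+        echo "\n\t\t".'<td colspan="'. esc_attr($pad) .'" class="pad">&nbsp;</td>';
 
     $daysinmonth = intval(date('t', $unixmonth));
@@ -1131,5 +1132,5 @@
 
         if ( in_array($day, $daywithpost) ) // any posts today?
-                echo '<a href="' . get_day_link($thisyear, $thismonth, $day) . "\" title=\"$ak_titles_for_day[$day]\">$day</a>";
+                echo '<a href="' . get_day_link($thisyear, $thismonth, $day) . "\" title=\"" . esc_attr($ak_titles_for_day[$day]) . "\">$day</a>";
         else
             echo $day;
@@ -1142,5 +1143,5 @@
     $pad = 7 - calendar_week_mod(date('w', mktime(0, 0 , 0, $thismonth, $day, $thisyear))-$week_begins);
     if ( $pad != 0 && $pad != 7 )
-        echo "\n\t\t".'<td class="pad" colspan="'.$pad.'">&nbsp;</td>';
+        echo "\n\t\t".'<td class="pad" colspan="'. esc_attr($pad) .'">&nbsp;</td>';
 
     echo "\n\t</tr>\n\t</tbody>\n\t</table>";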
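Review bot: `esc_attr($pad)` on lines 1120 and 1145 wraps a value that lines 1118 and 1143 compute arithmetically from `calendar_week_mod()`, so the escape is a no-op on a number; `(int) $pad` would state the intent and match the `intval()` already used for `$daysinmonth` on line 1122. On line 1134 the `title` now goes through `esc_attr()` while the `href` from `get_day_link()` is concatenated raw, and the same commit applies `esc_url()` to an image URL in author-template.php, so it is worth deciding deliberately whether generated permalinks get the same wrapper for consistency. The enclosing function starts before line 1024 and continues past line 1147.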
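--- a/trunk/wp-includes/media.php
+++ b/trunk/wp-includes/media.php
@@ -617,7 +617,7 @@
         return $content;
 
-    if ( $id ) $id = 'id="' . $id . '" ';
-
-    return '<div ' . $id . 'class="wp-caption ' . $align . '" style="width: ' . (10 + (int) $width) . 'px">'
+    if ( $id ) $id = 'id="' . esc_attr($id) . '" ';
+
+    return '<div ' . $id . 'class="wp-caption ' . esc_attr($align) . '" style="width: ' . (10 + (int) $width) . 'px">'
     . do_shortcode( $content ) . '<p class="wp-caption-text">' . $caption . '</p></div>';
 }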
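Review bot: `esc_attr($align)` on line 621 makes the value safe inside the attribute but still admits any string into the `class` list, whereas `$align` is meant to be one of a fixed set of alignment classes; comparing it against that set before building the class (falling back to a default) is the tighter check and makes the escape a formality. Reusing `$id` on line 619 to hold first the raw value and then the rendered `id="…" ` fragment is easy to misread; `$id_attr = $id ? 'id="' . esc_attr($id) . '" ' : '';` keeps the two apart and also makes the truthiness test (which drops an id of `"0"`) explicit. `$caption` on line 622 is still emitted raw inside the paragraph; whether captions are intended to carry markup is not visible here. The function's signature and the preceding `$content` check are outside the hunk.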
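--- a/trunk/wp-includes/post-template.php
+++ b/trunk/wp-includes/post-template.php
@@ -342,4 +342,6 @@
         $classes = array_merge($classes, $class);
     }
+
+    $classes = array_map('esc_attr', $classes);
 
     return apply_filters('post_class', $classes, $class, $post_id);
@@ -478,4 +480,6 @@
         $classes = array_merge($classes, $class);
     }
+
+    $classes = array_map('esc_attr', $classes);
 
     return apply_filters('body_class', $classes, $class);
@@ -707,4 +711,5 @@
     $pages = get_pages($r);
     $output = '';
+    $name = esc_attr($name);
 
     if ( ! empty($pages) ) {
@@ -843,5 +848,5 @@
         $menu = '<ul>' . $menu . '</ul>';
 
-    $menu = '<div class="' . $args['menu_class'] . '">' . $menu . "</div>\n";
+    $menu = '<div class="' . esc_attr($args['menu_class']) . '">' . $menu . "</div>\n";
     $menu = apply_filters( 'wp_page_menu', $menu, $args );
     if ( $args['echo'] )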