Changeset 12170


Timestamp:
11/12/09 02:50:13 (6 years ago)
Author:
markjaquith
Message:

Prevent XSS in press-this.php. props Benjamin Flesch. fixes #11119 for 2.8.x

File:
1 edited

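--- a/branches/2.8/wp-admin/press-this.php
+++ b/branches/2.8/wp-admin/press-this.php
@@ -92,6 +92,6 @@
 
 // Set Variables
-$title = isset($_GET['t']) ? esc_html(aposfix(stripslashes($_GET['t']))) : '';
-$selection = isset($_GET['s']) ? trim( aposfix( stripslashes($_GET['s']) ) ) : '';
+$title = isset( $_GET['t'] ) ? trim( strip_tags( aposfix( stripslashes( $_GET['t'] ) ) ) ) : '';
+$selection = isset( $_GET['s'] ) ? trim( htmlspecialchars( html_entity_decode( aposfix( stripslashes( $_GET['s'] ) ) ) ) ) : '';
 if ( ! empty($selection) ) {
     $selection = preg_replace('/(\r?\n|\r)/', '</p><p>', $selection);
@@ -118,5 +118,5 @@
         <h2><label for="embed-code"><?php _e('Embed Code') ?></label></h2>
         <div class="inside">
-            <textarea name="embed-code" id="embed-code" rows="8" cols="40"><?php echo format_to_edit($selection, true); ?></textarea>
+            <textarea name="embed-code" id="embed-code" rows="8" cols="40"><?php echo wp_htmledit_pre( $selection ); ?></textarea>
             <p id="options"><a href="#" class="select button"><?php _e('Insert Video'); ?></a> <a href="#" class="close button"><?php _e('Cancel'); ?></a></p>
         </div>
@@ -549,6 +549,6 @@
             <div class="editor-container">
                 <textarea name="content" id="content" style="width:100%;" class="mceEditor" rows="15">
-                    <?php if ($selection) echo wp_richedit_pre(htmlspecialchars_decode($selection)); ?>
-                    <?php if ($url) { echo '<p>'; if($selection) _e('via '); echo "<a href='$url'>$title</a>."; echo '</p>'; } ?>
+                    <?php if ($selection) echo wp_richedit_pre( $selection ); ?>
+                    <?php if ($url) { echo '<p>'; if($selection) _e('via '); printf( "<a href='%s'>%s</a>.", esc_url( $url ), esc_html( $title ) ); echo '</p>'; } ?>
                 </textarea>
             </div>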
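Review bot: The new `$selection` assignment (new line 95) calls `html_entity_decode()` and `htmlspecialchars()` with their defaults, so single quotes stay unencoded (ENT_COMPAT) and the charset falls back to ISO-8859-1 on the PHP releases this 2.8.x branch runs on, which can turn named entities into Latin-1 bytes inside a UTF-8 document; pass both explicitly, e.g. `html_entity_decode( ..., ENT_QUOTES, get_option( 'blog_charset' ) )` and `htmlspecialchars( ..., ENT_QUOTES, get_option( 'blog_charset' ) )`. The escaped `$selection` is then handed to `wp_htmledit_pre()` (new 120) and `wp_richedit_pre()` (new 551), which presumably escape again now that the old `htmlspecialchars_decode()` is gone, so a one-line comment above line 95 stating that `$selection` is held HTML-escaped and the two helpers are expected to encode it again would stop a later maintainer from reintroducing the decode. `$title` (new 94) is only tag-stripped, not escaped, so it is safe only because new line 552 wraps it in `esc_html()`; any other sink for `$title` elsewhere in the file, which this changeset does not show, needs the same output escaping. The variable `$url` is defined outside these hunks, so its sanitisation could not be checked here beyond the `esc_url()` at the point of output.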