Make WordPress Core

Changeset 13381


Ignore:
Timestamp:
02/24/2010 08:10:12 PM (15 years ago)
Author:
markjaquith
Message:

Some XSS escaping love for nav menus. see #11817

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-includes/nav-menu-template.php

    r13375 r13381  
    9696                                <span class="controls">
    9797                                <span class="type"><?php echo esc_html($menu_item->type); ?></span>
    98                                 <a id="edit<?php echo $menu_item->menu_order; ?>" onclick="edititem(<?php echo $menu_item->menu_order; ?>)" value="<?php echo $menu_item->menu_order; ?>"><img class="edit" alt="<?php esc_attr_e('Edit Menu Item'); ?>" title="<?php esc_attr_e('Edit Menu Item'); ?>" src="<?php echo admin_url('images/ico-edit.png'); ?>" /></a>
    99                                 <a id="remove<?php echo $menu_item->menu_order; ?>" onclick="removeitem(<?php echo $menu_item->menu_order; ?>)" value="<?php echo $menu_item->menu_order; ?>"><img class="remove" alt="<?php esc_attr_e('Remove from Custom Menu'); ?>" title="<?php esc_attr_e('Remove from Custom Menu'); ?>" src="<?php echo admin_url('images/ico-close.png'); ?>" /></a>
    100                                 <a id="view<?php echo $menu_item->menu_order; ?>" target="_blank" href="<?php echo $menu_item->link; ?>"><img alt="<?php esc_attr_e('View Page'); ?>" title="<?php esc_attr_e('View Page'); ?>" src="<?php echo admin_url('images/ico-viewpage.png'); ?>" /></a>
     98                                <a id="edit<?php echo esc_attr( $menu_item->menu_order ); ?>" onclick="edititem(<?php echo esc_attr( $menu_item->menu_order ); ?>)" value="<?php echo esc_attr( $menu_item->menu_order ); ?>"><img class="edit" alt="<?php esc_attr_e('Edit Menu Item'); ?>" title="<?php esc_attr_e('Edit Menu Item'); ?>" src="<?php echo admin_url('images/ico-edit.png'); ?>" /></a>
     99                                <a id="remove<?php echo esc_attr( $menu_item->menu_order ); ?>" onclick="removeitem(<?php echo esc_attr( $menu_item->menu_order ); ?>)" value="<?php echo esc_attr( $menu_item->menu_order ); ?>"><img class="remove" alt="<?php esc_attr_e('Remove from Custom Menu'); ?>" title="<?php esc_attr_e('Remove from Custom Menu'); ?>" src="<?php echo admin_url('images/ico-close.png'); ?>" /></a>
     100                                <a id="view<?php echo esc_attr( $menu_item->menu_order ); ?>" target="_blank" href="<?php echo $menu_item->link; ?>"><img alt="<?php esc_attr_e('View Page'); ?>" title="<?php esc_attr_e('View Page'); ?>" src="<?php echo admin_url('images/ico-viewpage.png'); ?>" /></a>
    101101                                </span>
    102102                            </dt>
     
    107107                        <a class="hide" href="<?php echo $menu_item->link; ?>"><?php echo esc_html( $menu_item->title ); ?></a>
    108108                        <?php } ?>
    109                         <input type="hidden" name="dbid<?php echo $menu_item->menu_order; ?>" id="dbid<?php echo $menu_item->menu_order; ?>" value="<?php echo $menu_item->ID; ?>" />
    110                         <input type="hidden" name="postmenu<?php echo $menu_item->menu_order; ?>" id="postmenu<?php echo $menu_item->menu_order; ?>" value="<?php echo esc_attr( get_post_meta( $menu_item->ID, 'object_id', true ) ); ?>" />
    111                         <input type="hidden" name="parent<?php echo $menu_item->menu_order; ?>" id="parent<?php echo $menu_item->menu_order; ?>" value="<?php echo $menu_item->parent_item; ?>" />
    112                         <input type="hidden" name="title<?php echo $menu_item->menu_order; ?>" id="title<?php echo $menu_item->menu_order; ?>" value="<?php echo $menu_item->title; ?>" />
    113                         <input type="hidden" name="linkurl<?php echo $menu_item->menu_order; ?>" id="linkurl<?php echo $menu_item->menu_order; ?>" value="<?php echo $menu_item->link; ?>" />
    114                         <input type="hidden" name="description<?php echo $menu_item->menu_order; ?>" id="description<?php echo $menu_item->menu_order; ?>" value="<?php echo $menu_item->description; ?>" />
    115                         <input type="hidden" name="icon<?php echo $menu_item->menu_order; ?>" id="icon<?php echo $menu_item->menu_order; ?>" value="0" />
    116                         <input type="hidden" name="position<?php echo $menu_item->menu_order; ?>" id="position<?php echo $menu_item->menu_order; ?>" value="<?php echo $menu_item->menu_order; ?>" />
    117                         <input type="hidden" name="linktype<?php echo $menu_item->menu_order; ?>" id="linktype<?php echo $menu_item->menu_order; ?>" value="<?php echo esc_attr( get_post_meta( $menu_item->ID, 'menu_type', true ) ); ?>" />
    118                         <input type="hidden" name="anchortitle<?php echo $menu_item->menu_order; ?>" id="anchortitle<?php echo $menu_item->menu_order; ?>" value="<?php echo esc_html( $menu_item->post_excerpt ); ?>" />
    119                         <input type="hidden" name="newwindow<?php echo $menu_item->menu_order; ?>" id="newwindow<?php echo $menu_item->menu_order; ?>" value="<?php echo ( '' == $menu_item->post_content_filtered ? '0' : '1' ); ?>" />
     109                        <input type="hidden" name="dbid<?php echo esc_attr( $menu_item->menu_order ); ?>" id="dbid<?php echo esc_attr( $menu_item->menu_order ); ?>" value="<?php echo esc_attr( $menu_item->ID ); ?>" />
     110                        <input type="hidden" name="postmenu<?php echo esc_attr( $menu_item->menu_order ); ?>" id="postmenu<?php echo esc_attr( $menu_item->menu_order ); ?>" value="<?php echo esc_attr( get_post_meta( $menu_item->ID, 'object_id', true ) ); ?>" />
     111                        <input type="hidden" name="parent<?php echo esc_attr( $menu_item->menu_order ); ?>" id="parent<?php echo esc_attr( $menu_item->menu_order ); ?>" value="<?php echo esc_attr( $menu_item->parent_item ); ?>" />
     112                        <input type="hidden" name="title<?php echo esc_attr( $menu_item->menu_order ); ?>" id="title<?php echo esc_attr( $menu_item->menu_order ); ?>" value="<?php echo esc_attr( $menu_item->title ); ?>" />
     113                        <input type="hidden" name="linkurl<?php echo esc_attr( $menu_item->menu_order ); ?>" id="linkurl<?php echo esc_attr( $menu_item->menu_order ); ?>" value="<?php echo esc_attr( $menu_item->link ); ?>" />
     114                        <input type="hidden" name="description<?php echo esc_attr( $menu_item->menu_order ); ?>" id="description<?php echo esc_attr( $menu_item->menu_order ); ?>" value="<?php echo esc_attr( $menu_item->description ); ?>" />
     115                        <input type="hidden" name="icon<?php echo esc_attr( $menu_item->menu_order ); ?>" id="icon<?php echo esc_attr( $menu_item->menu_order ); ?>" value="0" />
     116                        <input type="hidden" name="position<?php echo esc_attr( $menu_item->menu_order ); ?>" id="position<?php echo esc_attr( $menu_item->menu_order ); ?>" value="<?php echo esc_attr( $menu_item->menu_order ); ?>" />
     117                        <input type="hidden" name="linktype<?php echo esc_attr( $menu_item->menu_order ); ?>" id="linktype<?php echo esc_attr( $menu_item->menu_order ); ?>" value="<?php echo esc_attr( get_post_meta( $menu_item->ID, 'menu_type', true ) ); ?>" />
     118                        <input type="hidden" name="anchortitle<?php echo esc_attr( $menu_item->menu_order ); ?>" id="anchortitle<?php echo esc_attr( $menu_item->menu_order ); ?>" value="<?php echo esc_attr( $menu_item->post_excerpt ); ?>" />
     119                        <input type="hidden" name="newwindow<?php echo esc_attr( $menu_item->menu_order ); ?>" id="newwindow<?php echo esc_attr( $menu_item->menu_order ); ?>" value="<?php echo ( '' == $menu_item->post_content_filtered ? '0' : '1' ); ?>" />
    120120<?php
    121121        break;
     
    127127                $args['desc'] = 2;
    128128?>
    129             <a title="<?php echo $menu_item->anchor_title; ?>" href="<?php echo $menu_item->link; ?>" <?php echo $menu_item->target; ?>><?php echo $args['before_title'] . $menu_item->title . $args['after_title']; ?><?php
     129            <a title="<?php echo esc_attr( $menu_item->anchor_title ); ?>" href="<?php echo esc_url( $menu_item->link ); ?>" <?php echo $menu_item->target; ?>><?php echo $args['before_title'] . esc_html( $menu_item->title ) . $args['after_title']; ?><?php
    130130
    131131                            if ( $advanced_option_descriptions == 'no' ) {
Note: See TracChangeset for help on using the changeset viewer.