

Changeset 13471


Timestamp:
02/27/10 22:50:00 (4 years ago)
Author:
nacin
Message:

Make it more obvious we're escaping values in options.php. fixes #12417

File:
1 edited

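--- a/trunk/wp-admin/options.php
+++ b/trunk/wp-admin/options.php
@@ -153,5 +153,5 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-  <h2><?php _e('All Settings'); ?></h2>
+  <h2><?php esc_html_e('All Settings'); ?></h2>
   <form name="form" action="options.php" method="post" id="all-options">
   <?php wp_nonce_field('options-options') ?>
@@ -160,15 +160,14 @@
   <table class="form-table">
 <?php
-$options = $wpdb->get_results("SELECT * FROM $wpdb->options ORDER BY option_name");
-
-foreach ( (array) $options as $option) :
+$options = $wpdb->get_results( "SELECT * FROM $wpdb->options ORDER BY option_name" );
+
+foreach ( (array) $options as $option ) :
     $disabled = '';
-    $option->option_name = esc_attr($option->option_name);
     if ( $option->option_name == '' )
         continue;
-    if ( is_serialized($option->option_value) ) {
-        if ( is_serialized_string($option->option_value) ) {
+    if ( is_serialized( $option->option_value ) ) {
+        if ( is_serialized_string( $option->option_value ) ) {
             // this is a serialized string, so we should display it
-            $value = maybe_unserialize($option->option_value);
+            $value = maybe_unserialize( $option->option_value );
             $options_to_update[] = $option->option_name;
             $class = 'all-options';
@@ -183,12 +182,13 @@
         $class = 'all-options';
     }
+    $name = esc_attr( $option->option_name );
     echo "
 <tr>
-    <th scope='row'><label for='$option->option_name'>$option->option_name</label></th>
+    <th scope='row'><label for='$'>" . esc_html( $option->option_name ) . "</label></th>
 <td>";
-
-    if (strpos($value, "\n") !== false) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>" . esc_html($value) . "</textarea>";
-    else echo "<input class='regular-text $class' type='text' name='$option->option_name' id='$option->option_name' value='" . esc_attr($value) . "'$disabled />";
-
+    if ( strpos( $value, "\n" ) !== false )
+        echo "<textarea class='$class' name='$name' id='$name' cols='30' rows='5'>" . wp_htmledit_pre( $value ) . "</textarea>";
+    else
+        echo "<input class='regular-text $class' type='text' name='$name' id='$name' value='" . esc_attr( $value ) . "'$disabled />";
     echo "</td>
 </tr>";
@@ -196,6 +196,5 @@
 ?>
   </table>
-<?php $options_to_update = implode(',', $options_to_update); ?>
-<p class="submit"><input type="hidden" name="page_options" value="<?php echo esc_attr($options_to_update); ?>" /><input type="submit" name="Update" value="<?php _e('Save Changes') ?>" class="button-primary" /></p>
+<p class="submit"><input type="hidden" name="page_options" value="<?php echo esc_attr( implode( ',', $options_to_update ) ); ?>" /><input type="submit" name="Update" value="<?php esc_attr_e( 'Save Changes' ); ?>" class="button-primary" /></p>
   </form>
 </div>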
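Review bot: In the third hunk the new label line reads `for='$'` as rendered here; a lone `$` inside a double-quoted PHP string is emitted literally, so the label would not reference the `id='$name'` given to the input two lines below. This is most likely the changeset viewer dropping the intra-line highlighted token, but the checked-in line should be `<th scope='row'><label for='$name'>" . esc_html( $option->option_name ) . "</label></th>` and is worth confirming against the file. The textarea branch also replaces the explicit `esc_html( $value )` with `wp_htmledit_pre( $value )`, a helper not visible here; if it is the editor-preprocessing function whose result is passed through a filter, the escaping of a raw option value now depends on what is hooked to that filter, which sits uneasily with a commit whose purpose is to make the escaping obvious — a comment such as `// wp_htmledit_pre() escapes < > & ; quotes need no escaping inside <textarea>` would at least record the intent at the call site. The `foreach` opened in the second hunk closes outside the visible lines.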