Changeset 13471


Timestamp:
02/27/2010 10:50:00 PM (8 years ago)
Author:
nacin
Message:

Make it more obvious we're escaping values in options.php. fixes #12417

File:
1 edited

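--- a/trunk/wp-admin/options.php
+++ b/trunk/wp-admin/options.php
@@ -153,5 +153,5 @@
 <div class="wrap">
 <?php screen_icon(); ?>
-  <h2><?php _e('All Settings'); ?></h2>
+  <h2><?php esc_html_e('All Settings'); ?></h2>
   <form name="form" action="options.php" method="post" id="all-options">
   <?php wp_nonce_field('options-options') ?>
@@ -160,15 +160,14 @@
   <table class="form-table">
 <?php
-$options = $wpdb->get_results("SELECT * FROM $wpdb->options ORDER BY option_name");
-
-foreach ( (array) $options as $option) :
+$options = $wpdb->get_results( "SELECT * FROM $wpdb->options ORDER BY option_name" );
+
+foreach ( (array) $options as $option ) :
     $disabled = '';
-    $option->option_name = esc_attr($option->option_name);
     if ( $option->option_name == '' )
         continue;
-    if ( is_serialized($option->option_value) ) {
-        if ( is_serialized_string($option->option_value) ) {
+    if ( is_serialized( $option->option_value ) ) {
+        if ( is_serialized_string( $option->option_value ) ) {
             // this is a serialized string, so we should display it
-            $value = maybe_unserialize($option->option_value);
+            $value = maybe_unserialize( $option->option_value );
             $options_to_update[] = $option->option_name;
             $class = 'all-options';
@@ -183,12 +182,13 @@
         $class = 'all-options';
     }
+    $name = esc_attr( $option->option_name );
     echo "
 <tr>
-    <th scope='row'><label for='$option->option_name'>$option->option_name</label></th>
+    <th scope='row'><label for='$'>" . esc_html( $option->option_name ) . "</label></th>
 <td>";
-
-    if (strpos($value, "\n") !== false) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>" . esc_html($value) . "</textarea>";
-    else echo "<input class='regular-text $class' type='text' name='$option->option_name' id='$option->option_name' value='" . esc_attr($value) . "'$disabled />";
-
+    if ( strpos( $value, "\n" ) !== false )
+        echo "<textarea class='$class' name='$name' id='$name' cols='30' rows='5'>" . wp_htmledit_pre( $value ) . "</textarea>";
+    else
+        echo "<input class='regular-text $class' type='text' name='$name' id='$name' value='" . esc_attr( $value ) . "'$disabled />";
     echo "</td>
 </tr>";
@@ -196,6 +196,5 @@
 ?>
   </table>
-<?php $options_to_update = implode(',', $options_to_update); ?>
-<p class="submit"><input type="hidden" name="page_options" value="<?php echo esc_attr($options_to_update); ?>" /><input type="submit" name="Update" value="<?php _e('Save Changes') ?>" class="button-primary" /></p>
+<p class="submit"><input type="hidden" name="page_options" value="<?php echo esc_attr( implode( ',', $options_to_update ) ); ?>" /><input type="submit" name="Update" value="<?php esc_attr_e( 'Save Changes' ); ?>" class="button-primary" /></p>
   </form>
 </div>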
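Review bot: The textarea branch on new line 190 swaps `esc_html( $value )` for `wp_htmledit_pre( $value )`, the one substitution in this change whose name does not read as an escaping call, which works against the commit's stated goal of making the escaping obvious; if that helper is the filterable pre-editor formatter (as far as I recall it passes its output through the `htmledit_pre` filter — confirm in wp-includes/formatting.php), the escaping of untrusted option values inside the `<textarea>` now depends on whatever plugins hook that filter rather than being a fixed guarantee. Either keep `esc_html( $value )` for the textarea body, or, once its behaviour is confirmed, add a comment on that line such as `// wp_htmledit_pre() HTML-escapes the value for display inside the <textarea>`. Separately, the rendered label line `<label for='$'>` appears to have lost its interpolated variable in this view; presumably it is `$name`, matching the id on the input below, and worth confirming against the committed file. The enclosing foreach begins in the previous hunk, and the lines between the hunks (the non-string branch that sets $value and $disabled) are not visible here.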