Make WordPress Core

Changeset 16431


Ignore:
Timestamp:
11/17/2010 05:12:01 PM (14 years ago)
Author:
markjaquith
Message:

esc_textarea() and application for obvious textarea escaping. props alexkingorg. fixes #15454

Location:
trunk
Files:
22 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-admin/edit-tag-form.php

    r15830 r16431  
    6262        <tr class="form-field">
    6363            <th scope="row" valign="top"><label for="description"><?php _ex('Description', 'Taxonomy Description'); ?></label></th>
    64             <td><textarea name="description" id="description" rows="5" cols="50" style="width: 97%;"><?php echo esc_html($tag->description); ?></textarea><br />
     64            <td><textarea name="description" id="description" rows="5" cols="50" style="width: 97%;"><?php echo esc_textarea( $tag->description ); ?></textarea><br />
    6565            <span class="description"><?php _e('The description is not prominent by default, however some themes may show it.'); ?></span></td>
    6666        </tr>
  • trunk/wp-admin/includes/class-wp-comments-list-table.php

    r16375 r16431  
    351351        if ( $user_can ) { ?>
    352352        <div id="inline-<?php echo $comment->comment_ID; ?>" class="hidden">
    353         <textarea class="comment" rows="1" cols="1"><?php echo esc_html( apply_filters( 'comment_edit_pre', $comment->comment_content ) ); ?></textarea>
     353        <textarea class="comment" rows="1" cols="1"><?php echo esc_textarea( apply_filters( 'comment_edit_pre', $comment->comment_content ) ); ?></textarea>
    354354        <div class="author-email"><?php echo esc_attr( $comment->comment_author_email ); ?></div>
    355355        <div class="author"><?php echo esc_attr( $comment->comment_author ); ?></div>
  • trunk/wp-admin/includes/dashboard.php

    r16240 r16431  
    519519        <h4 id="content-label"><label for="content"><?php _e('Content') ?></label></h4>
    520520        <div class="textarea-wrap">
    521             <textarea name="content" id="content" class="mceEditor" rows="3" cols="15" tabindex="2"><?php echo $post->post_content; ?></textarea>
     521            <textarea name="content" id="content" class="mceEditor" rows="3" cols="15" tabindex="2"><?php echo esc_textarea( $post->post_content ); ?></textarea>
    522522        </div>
    523523
  • trunk/wp-admin/includes/media.php

    r16383 r16431  
    12831283            $item .= $field[ $field['input'] ];
    12841284        elseif ( $field['input'] == 'textarea' ) {
    1285             $item .= "<textarea type='text' id='$name' name='$name' $aria_required>" . esc_html( $field['value'] ) . '</textarea>';
     1285            $item .= "<textarea type='text' id='$name' name='$name' $aria_required>" . esc_textarea( $field['value'] ) . '</textarea>';
    12861286        } else {
    12871287            $item .= "<input type='text' class='text' id='$name' name='$name' value='" . esc_attr( $field['value'] ) . "' $aria_required />";
  • trunk/wp-admin/includes/meta-boxes.php

    r16324 r16431  
    286286    <div class="nojs-tags hide-if-js">
    287287    <p><?php echo $taxonomy->labels->add_or_remove_items; ?></p>
    288     <textarea name="<?php echo "tax_input[$tax_name]"; ?>" rows="3" cols="20" class="the-tags" id="tax-input-<?php echo $tax_name; ?>" <?php echo $disabled; ?>><?php echo esc_attr(get_terms_to_edit( $post->ID, $tax_name )); ?></textarea></div>
     288    <textarea name="<?php echo "tax_input[$tax_name]"; ?>" rows="3" cols="20" class="the-tags" id="tax-input-<?php echo $tax_name; ?>" <?php echo $disabled; ?>><?php echo esc_textarea( get_terms_to_edit( $post->ID, $tax_name ) ); ?></textarea></div>
    289289    <?php if ( current_user_can($taxonomy->cap->assign_terms) ) : ?>
    290290    <div class="ajaxtag hide-if-no-js">
     
    386386function post_excerpt_meta_box($post) {
    387387?>
    388 <label class="screen-reader-text" for="excerpt"><?php _e('Excerpt') ?></label><textarea rows="1" cols="40" name="excerpt" tabindex="6" id="excerpt"><?php echo $post->post_excerpt ?></textarea>
     388<label class="screen-reader-text" for="excerpt"><?php _e('Excerpt') ?></label><textarea rows="1" cols="40" name="excerpt" tabindex="6" id="excerpt"><?php echo esc_textarea( $post->post_excerpt ); ?></textarea>
    389389<p><?php _e('Excerpts are optional hand-crafted summaries of your content that can be used in your theme. <a href="http://codex.wordpress.org/Excerpt" target="_blank">Learn more about manual excerpts.</a>'); ?></p>
    390390<?php
     
    895895    <tr class="form-field">
    896896        <th valign="top"  scope="row"><label for="link_notes"><?php _e('Notes') ?></label></th>
    897         <td><textarea name="link_notes" id="link_notes" cols="50" rows="10" style="width: 95%"><?php echo  ( isset( $link->link_notes ) ? $link->link_notes : ''); ?></textarea></td>
     897        <td><textarea name="link_notes" id="link_notes" cols="50" rows="10" style="width: 95%"><?php echo esc_textarea( ( isset( $link->link_notes ) ? $link->link_notes : '') ); ?></textarea></td>
    898898    </tr>
    899899    <tr class="form-field">
  • trunk/wp-admin/includes/nav-menu.php

    r16096 r16431  
    162162                    <label for="edit-menu-item-description-<?php echo $item_id; ?>">
    163163                        <?php _e( 'Description' ); ?><br />
    164                         <textarea id="edit-menu-item-description-<?php echo $item_id; ?>" class="widefat edit-menu-item-description" rows="3" cols="20" name="menu-item-description[<?php echo $item_id; ?>]"><?php echo esc_html( $item->description ); ?></textarea>
     164                        <textarea id="edit-menu-item-description-<?php echo $item_id; ?>" class="widefat edit-menu-item-description" rows="3" cols="20" name="menu-item-description[<?php echo $item_id; ?>]"><?php echo esc_textarea( $item->description ); ?></textarea>
    165165                        <span class="description"><?php _e('The description will be displayed in the menu if the current theme supports it.'); ?></span>
    166166                    </label>
  • trunk/wp-admin/includes/template.php

    r16426 r16431  
    484484
    485485    $entry['meta_key'] = esc_attr($entry['meta_key']);
    486     $entry['meta_value'] = htmlspecialchars($entry['meta_value']); // using a <textarea />
     486    $entry['meta_value'] = esc_textarea( $entry['meta_value'] ); // using a <textarea />
    487487    $entry['meta_id'] = (int) $entry['meta_id'];
    488488
     
    719719    <tr>
    720720        <th scope="row"><?php _e( 'URL' ) ?></th>
    721         <td><textarea rows="1" cols="40" type="text" class="attachmentlinks" readonly="readonly"><?php echo wp_get_attachment_url(); ?></textarea></td>
     721        <td><textarea rows="1" cols="40" type="text" class="attachmentlinks" readonly="readonly"><?php echo esc_textarea( wp_get_attachment_url() ); ?></textarea></td>
    722722    </tr>
    723723<?php if ( $icon ) : ?>
  • trunk/wp-admin/maint/repair.php

    r16049 r16431  
    7373        foreach ( $problems as $table => $problem )
    7474            $problem_output[] = "$table: $problem";
    75         echo '<textarea name="errors" id="errors" rows="20" cols="60">' . format_to_edit(implode("\n", $problem_output)) . '</textarea>';
     75        echo '<textarea name="errors" id="errors" rows="20" cols="60">' . esc_textarea( implode("\n", $problem_output) ) . '</textarea>';
    7676    } else {
    7777        echo '<p>'.__('Repairs complete.  Please remove the following line from wp-config.php to prevent this page from being used by unauthorized users.')."</p><code>define('WP_ALLOW_REPAIR', true);</code>";
  • trunk/wp-admin/network.php

    r16094 r16431  
    369369    <textarea class="code" readonly="readonly" cols="100" rows="<?php echo $num_keys_salts; ?>"><?php
    370370    foreach ( $keys_salts as $c => $v ) {
    371         echo "\ndefine( '$c', '" . wp_htmledit_pre( $v ) . "' );";
     371        echo "\ndefine( '$c', '" . esc_textarea( $v ) . "' );";
    372372    }
    373373?></textarea>
     
    457457        <li><p><?php printf( __( 'Add the following to your <code>web.config</code> file in <code>%s</code>, replacing other WordPress rules:' ), ABSPATH ); ?></p>
    458458        <textarea class="code" readonly="readonly" cols="100" rows="20">
    459         <?php echo wp_htmledit_pre( $web_config_file ); ?>
     459        <?php echo esc_textarea( $web_config_file ); ?>
    460460        </textarea></li>
    461461        </ol>
     
    486486        <li><p><?php printf( __( 'Add the following to your <code>.htaccess</code> file in <code>%s</code>, replacing other WordPress rules:' ), ABSPATH ); ?></p>
    487487        <textarea class="code" readonly="readonly" cols="100" rows="<?php echo $subdomain_install ? 11 : 16; ?>">
    488 <?php echo wp_htmledit_pre( $htaccess_file ); ?></textarea></li>
     488<?php echo esc_textarea( $htaccess_file ); ?></textarea></li>
    489489        </ol>
    490490
  • trunk/wp-admin/network/settings.php

    r16406 r16431  
    122122                    $limited_email_domains = str_replace( ' ', "\n", $limited_email_domains ); ?>
    123123                    <textarea name="limited_email_domains" id="limited_email_domains" cols="45" rows="5">
    124 <?php echo wp_htmledit_pre( $limited_email_domains == '' ? '' : implode( "\n", (array) $limited_email_domains ) ); ?></textarea>
     124<?php echo esc_textarea( $limited_email_domains == '' ? '' : implode( "\n", (array) $limited_email_domains ) ); ?></textarea>
    125125                    <br />
    126126                    <?php _e( 'If you want to limit site registrations to certain domains. One domain per line.' ) ?>
     
    132132                <td>
    133133                    <textarea name="banned_email_domains" id="banned_email_domains" cols="45" rows="5">
    134 <?php echo wp_htmledit_pre( get_site_option( 'banned_email_domains' ) == '' ? '' : implode( "\n", (array) get_site_option( 'banned_email_domains' ) ) ); ?></textarea>
     134<?php echo esc_textarea( get_site_option( 'banned_email_domains' ) == '' ? '' : implode( "\n", (array) get_site_option( 'banned_email_domains' ) ) ); ?></textarea>
    135135                    <br />
    136136                    <?php _e( 'If you want to ban domains from site registrations. One domain per line.' ) ?>
     
    146146                <td>
    147147                    <textarea name="welcome_email" id="welcome_email" rows="5" cols="45" class="large-text">
    148 <?php echo wp_htmledit_pre( stripslashes( get_site_option( 'welcome_email' ) ) ) ?></textarea>
     148<?php echo esc_textarea( stripslashes( get_site_option( 'welcome_email' ) ) ) ?></textarea>
    149149                    <br />
    150150                    <?php _e( 'The welcome email sent to new site owners.' ) ?>
     
    155155                <td>
    156156                    <textarea name="welcome_user_email" id="welcome_user_email" rows="5" cols="45" class="large-text">
    157 <?php echo wp_htmledit_pre( stripslashes( get_site_option( 'welcome_user_email' ) ) ) ?></textarea>
     157<?php echo esc_textarea( stripslashes( get_site_option( 'welcome_user_email' ) ) ) ?></textarea>
    158158                    <br />
    159159                    <?php _e( 'The welcome email sent to new users.' ) ?>
     
    164164                <td>
    165165                    <textarea name="first_post" id="first_post" rows="5" cols="45" class="large-text">
    166 <?php echo wp_htmledit_pre( stripslashes( get_site_option( 'first_post' ) ) ) ?></textarea>
     166<?php echo esc_textarea( stripslashes( get_site_option( 'first_post' ) ) ) ?></textarea>
    167167                    <br />
    168168                    <?php _e( 'The first post on a new site.' ) ?>
     
    173173                <td>
    174174                    <textarea name="first_page" id="first_page" rows="5" cols="45" class="large-text">
    175 <?php echo wp_htmledit_pre( stripslashes( get_site_option('first_page') ) ) ?></textarea>
     175<?php echo esc_textarea( stripslashes( get_site_option('first_page') ) ) ?></textarea>
    176176                    <br />
    177177                    <?php _e( 'The first page on a new site.' ) ?>
     
    182182                <td>
    183183                    <textarea name="first_comment" id="first_comment" rows="5" cols="45" class="large-text">
    184 <?php echo wp_htmledit_pre( stripslashes( get_site_option('first_comment') ) ) ?></textarea>
     184<?php echo esc_textarea( stripslashes( get_site_option('first_comment') ) ) ?></textarea>
    185185                    <br />
    186186                    <?php _e( 'The first comment on a new site.' ) ?>
  • trunk/wp-admin/network/site-options.php

    r16272 r16431  
    107107                <tr class="form-field">
    108108                    <th scope="row"><?php echo ucwords( str_replace( "_", " ", $option->option_name ) ) ?></th>
    109                     <td><textarea class="<?php echo $class; ?>" rows="5" cols="40" name="option[<?php echo esc_attr( $option->option_name ) ?>]" id="<?php echo esc_attr( $option->option_name ) ?>"<?php disabled( $disabled ) ?>><?php echo wp_htmledit_pre( $option->option_value ) ?></textarea></td>
     109                    <td><textarea class="<?php echo $class; ?>" rows="5" cols="40" name="option[<?php echo esc_attr( $option->option_name ) ?>]" id="<?php echo esc_attr( $option->option_name ) ?>"<?php disabled( $disabled ) ?>><?php echo esc_textarea( $option->option_value ) ?></textarea></td>
    110110                </tr>
    111111            <?php
  • trunk/wp-admin/options-discussion.php

    r15810 r16431  
    142142<p><label for="moderation_keys"><?php _e('When a comment contains any of these words in its content, name, URL, e-mail, or IP, it will be held in the <a href="edit-comments.php?comment_status=moderated">moderation queue</a>. One word or IP per line. It will match inside words, so &#8220;press&#8221; will match &#8220;WordPress&#8221;.') ?></label></p>
    143143<p>
    144 <textarea name="moderation_keys" rows="10" cols="50" id="moderation_keys" class="large-text code"><?php form_option('moderation_keys'); ?></textarea>
     144<textarea name="moderation_keys" rows="10" cols="50" id="moderation_keys" class="large-text code"><?php esc_textarea( get_option( 'moderation_keys' ) ); ?></textarea>
    145145</p>
    146146</fieldset></td>
     
    151151<p><label for="blacklist_keys"><?php _e('When a comment contains any of these words in its content, name, URL, e-mail, or IP, it will be marked as spam. One word or IP per line. It will match inside words, so &#8220;press&#8221; will match &#8220;WordPress&#8221;.') ?></label></p>
    152152<p>
    153 <textarea name="blacklist_keys" rows="10" cols="50" id="blacklist_keys" class="large-text code"><?php form_option('blacklist_keys'); ?></textarea>
     153<textarea name="blacklist_keys" rows="10" cols="50" id="blacklist_keys" class="large-text code"><?php esc_textarea( get_option( 'blacklist_keys' ) ); ?></textarea>
    154154</p>
    155155</fieldset></td>
  • trunk/wp-admin/options-permalink.php

    r15810 r16431  
    231231<form action="options-permalink.php" method="post">
    232232<?php wp_nonce_field('update-permalink') ?>
    233     <p><textarea rows="9" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_html($wp_rewrite->iis7_url_rewrite_rules()); ?></textarea></p>
     233    <p><textarea rows="9" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_textarea( $wp_rewrite->iis7_url_rewrite_rules() ); ?></textarea></p>
    234234</form>
    235235<p><?php _e('If you temporarily make your <code>web.config</code> file writable for us to generate rewrite rules automatically, do not forget to revert the permissions after rule has been saved.')  ?></p>
     
    238238<form action="options-permalink.php" method="post">
    239239<?php wp_nonce_field('update-permalink') ?>
    240     <p><textarea rows="18" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_html($wp_rewrite->iis7_url_rewrite_rules(true)); ?></textarea></p>
     240    <p><textarea rows="18" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_textarea( $wp_rewrite->iis7_url_rewrite_rules(true) ); ?></textarea></p>
    241241</form>
    242242<p><?php _e('If you temporarily make your site&#8217;s root directory writable for us to generate the <code>web.config</code> file automatically, do not forget to revert the permissions after the file has been created.')  ?></p>
     
    248248<form action="options-permalink.php" method="post">
    249249<?php wp_nonce_field('update-permalink') ?>
    250     <p><textarea rows="6" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_html($wp_rewrite->mod_rewrite_rules()); ?></textarea></p>
     250    <p><textarea rows="6" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_textarea( $wp_rewrite->mod_rewrite_rules() ); ?></textarea></p>
    251251</form>
    252252    <?php endif; ?>
  • trunk/wp-admin/options-writing.php

    r15810 r16431  
    138138<p><label for="ping_sites"><?php _e('When you publish a new post, WordPress automatically notifies the following site update services. For more about this, see <a href="http://codex.wordpress.org/Update_Services">Update Services</a> on the Codex. Separate multiple service <abbr title="Universal Resource Locator">URL</abbr>s with line breaks.') ?></label></p>
    139139
    140 <textarea name="ping_sites" id="ping_sites" class="large-text code" rows="3"><?php form_option('ping_sites'); ?></textarea>
     140<textarea name="ping_sites" id="ping_sites" class="large-text code" rows="3"><?php esc_textarea( get_option('ping_sites') ); ?></textarea>
    141141
    142142<?php else : ?>
  • trunk/wp-admin/options.php

    r16061 r16431  
    202202<td>";
    203203    if ( strpos( $value, "\n" ) !== false )
    204         echo "<textarea class='$class' name='$name' id='$name' cols='30' rows='5'>" . wp_htmledit_pre( $value ) . "</textarea>";
     204        echo "<textarea class='$class' name='$name' id='$name' cols='30' rows='5'>" . esc_textarea( $value ) . "</textarea>";
    205205    else
    206206        echo "<input class='regular-text $class' type='text' name='$name' id='$name' value='" . esc_attr( $value ) . "'" . disabled( $disabled, true, false ) . " />";
  • trunk/wp-admin/plugin-editor.php

    r16061 r16431  
    137137    }
    138138
    139     $content = htmlspecialchars( $content );
     139    $content = esc_textarea( $content );
    140140    ?>
    141141<?php if (isset($_GET['a'])) : ?>
  • trunk/wp-admin/press-this.php

    r16221 r16431  
    114114                <h2><label for="embed-code"><?php _e('Embed Code') ?></label></h2>
    115115                <div class="inside">
    116                     <textarea name="embed-code" id="embed-code" rows="8" cols="40"><?php echo wp_htmledit_pre( $selection ); ?></textarea>
     116                    <textarea name="embed-code" id="embed-code" rows="8" cols="40"><?php echo esc_textarea( $selection ); ?></textarea>
    117117                    <p id="options"><a href="#" class="select button"><?php _e('Insert Video'); ?></a> <a href="#" class="close button"><?php _e('Cancel'); ?></a></p>
    118118                </div>
  • trunk/wp-admin/theme-editor.php

    r16061 r16431  
    117117        }
    118118
    119         $content = htmlspecialchars( $content );
     119        $content = esc_textarea( $content );
    120120    }
    121121
  • trunk/wp-admin/user-edit.php

    r16210 r16431  
    341341<tr>
    342342    <th><label for="description"><?php _e('Biographical Info'); ?></label></th>
    343     <td><textarea name="description" id="description" rows="5" cols="30"><?php echo esc_html($profileuser->description); ?></textarea><br />
     343    <td><textarea name="description" id="description" rows="5" cols="30"><?php echo esc_textarea( $profileuser->description ); ?></textarea><br />
    344344    <span class="description"><?php _e('Share a little biographical information to fill out your profile. This may be shown publicly.'); ?></span></td>
    345345</tr>
  • trunk/wp-includes/default-widgets.php

    r16013 r16431  
    400400        $instance = wp_parse_args( (array) $instance, array( 'title' => '', 'text' => '' ) );
    401401        $title = strip_tags($instance['title']);
    402         $text = format_to_edit($instance['text']);
     402        $text = esc_textarea($instance['text']);
    403403?>
    404404        <p><label for="<?php echo $this->get_field_id('title'); ?>"><?php _e('Title:'); ?></label>
  • trunk/wp-includes/formatting.php

    r16409 r16431  
    23542354
    23552355/**
     2356 * Escaping for textarea values.
     2357 *
     2358 * @since 3.1
     2359 *
     2360 * @param string $text
     2361 * @return string
     2362 */
     2363function esc_textarea( $text ) {
     2364    $safe_text = htmlspecialchars( $text );
     2365    return apply_filters( 'esc_textarea', $safe_text, $text );
     2366}
     2367
     2368/**
    23562369 * Escape a HTML tag name.
    23572370 *
  • trunk/wp-includes/post.php

    r16422 r16431  
    51245124            'output' => '<h4 id="%s-content-label"><label for="content">'. __('Content') .'</label></h4>
    51255125        <div class="textarea-wrap">
    5126             <textarea name="content" id="%s-content" class="mceEditor" rows="3" cols="15" tabindex="%d">'. $post->post_content.'</textarea>
     5126            <textarea name="content" id="%s-content" class="mceEditor" rows="3" cols="15" tabindex="%d">'. esc_textarea( $post->post_content ) .'</textarea>
    51275127        </div>
    51285128            '."     <script type='text/javascript'>edCanvas = document.getElementById('content');edInsertContent = null;</script>
Note: See TracChangeset for help on using the changeset viewer.