
Changeset 16431


Timestamp:
11/17/10 17:12:01 (6 years ago)
Author:
markjaquith
Message:

esc_textarea() and application for obvious textarea escaping. props alexkingorg. fixes #15454

Location:
trunk
Files:
22 edited

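--- a/trunk/wp-admin/edit-tag-form.php
+++ b/trunk/wp-admin/edit-tag-form.php
@@ -62,5 +62,5 @@
         <tr class="form-field">
             <th scope="row" valign="top"><label for="description"><?php _ex('Description', 'Taxonomy Description'); ?></label></th>
-            <td><textarea name="description" id="description" rows="5" cols="50" style="width: 97%;"><?php echo esc_html($tag->description); ?></textarea><br />
+            <td><textarea name="description" id="description" rows="5" cols="50" style="width: 97%;"><?php echo esc_textarea( $tag->description ); ?></textarea><br />
             <span class="description"><?php _e('The description is not prominent by default, however some themes may show it.'); ?></span></td>
         </tr>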
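--- a/trunk/wp-admin/includes/class-wp-comments-list-table.php
+++ b/trunk/wp-admin/includes/class-wp-comments-list-table.php
@@ -351,5 +351,5 @@
         if ( $user_can ) { ?>
         <div id="inline-<?php echo $comment->comment_ID; ?>" class="hidden">
-        <textarea class="comment" rows="1" cols="1"><?php echo esc_html( apply_filters( 'comment_edit_pre', $comment->comment_content ) ); ?></textarea>
+        <textarea class="comment" rows="1" cols="1"><?php echo esc_textarea( apply_filters( 'comment_edit_pre', $comment->comment_content ) ); ?></textarea>
         <div class="author-email"><?php echo esc_attr( $comment->comment_author_email ); ?></div>
         <div class="author"><?php echo esc_attr( $comment->comment_author ); ?></div>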
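--- a/trunk/wp-admin/includes/dashboard.php
+++ b/trunk/wp-admin/includes/dashboard.php
@@ -519,5 +519,5 @@
         <h4 id="content-label"><label for="content"><?php _e('Content') ?></label></h4>
         <div class="textarea-wrap">
-            <textarea name="content" id="content" class="mceEditor" rows="3" cols="15" tabindex="2"><?php echo $post->post_content; ?></textarea>
+            <textarea name="content" id="content" class="mceEditor" rows="3" cols="15" tabindex="2"><?php echo esc_textarea( $post->post_content ); ?></textarea>
         </div>
 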
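--- a/trunk/wp-admin/includes/media.php
+++ b/trunk/wp-admin/includes/media.php
@@ -1283,5 +1283,5 @@
             $item .= $field[ $field['input'] ];
         elseif ( $field['input'] == 'textarea' ) {
-            $item .= "<textarea type='text' id='$name' name='$name' $aria_required>" . esc_html( $field['value'] ) . '</textarea>';
+            $item .= "<textarea type='text' id='$name' name='$name' $aria_required>" . esc_textarea( $field['value'] ) . '</textarea>';
         } else {
             $item .= "<input type='text' class='text' id='$name' name='$name' value='" . esc_attr( $field['value'] ) . "' $aria_required />";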
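--- a/trunk/wp-admin/includes/meta-boxes.php
+++ b/trunk/wp-admin/includes/meta-boxes.php
@@ -286,5 +286,5 @@
     <div class="nojs-tags hide-if-js">
     <p><?php echo $taxonomy->labels->add_or_remove_items; ?></p>
-    <textarea name="<?php echo "tax_input[$tax_name]"; ?>" rows="3" cols="20" class="the-tags" id="tax-input-<?php echo $tax_name; ?>" <?php echo $disabled; ?>><?php echo esc_attr(get_terms_to_edit( $post->ID, $tax_name )); ?></textarea></div>
+    <textarea name="<?php echo "tax_input[$tax_name]"; ?>" rows="3" cols="20" class="the-tags" id="tax-input-<?php echo $tax_name; ?>" <?php echo $disabled; ?>><?php echo esc_textarea( get_terms_to_edit( $post->ID, $tax_name ) ); ?></textarea></div>
     <?php if ( current_user_can($taxonomy->cap->assign_terms) ) : ?>
     <div class="ajaxtag hide-if-no-js">
@@ -386,5 +386,5 @@
 function post_excerpt_meta_box($post) {
 ?>
-<label class="screen-reader-text" for="excerpt"><?php _e('Excerpt') ?></label><textarea rows="1" cols="40" name="excerpt" tabindex="6" id="excerpt"><?php echo $post->post_excerpt ?></textarea>
+<label class="screen-reader-text" for="excerpt"><?php _e('Excerpt') ?></label><textarea rows="1" cols="40" name="excerpt" tabindex="6" id="excerpt"><?php echo esc_textarea( $post->post_excerpt ); ?></textarea>
 <p><?php _e('Excerpts are optional hand-crafted summaries of your content that can be used in your theme. <a href="http://codex.wordpress.org/Excerpt" target="_blank">Learn more about manual excerpts.</a>'); ?></p>
 <?php
@@ -895,5 +895,5 @@
     <tr class="form-field">
         <th valign="top"  scope="row"><label for="link_notes"><?php _e('Notes') ?></label></th>
-        <td><textarea name="link_notes" id="link_notes" cols="50" rows="10" style="width: 95%"><?php echo  ( isset( $link->link_notes ) ? $link->link_notes : ''); ?></textarea></td>
+        <td><textarea name="link_notes" id="link_notes" cols="50" rows="10" style="width: 95%"><?php echo esc_textarea( ( isset( $link->link_notes ) ? $link->link_notes : '') ); ?></textarea></td>
     </tr>
     <tr class="form-field">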
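--- a/trunk/wp-admin/includes/nav-menu.php
+++ b/trunk/wp-admin/includes/nav-menu.php
@@ -162,5 +162,5 @@
                     <label for="edit-menu-item-description-<?php echo $item_id; ?>">
                         <?php _e( 'Description' ); ?><br />
-                        <textarea id="edit-menu-item-description-<?php echo $item_id; ?>" class="widefat edit-menu-item-description" rows="3" cols="20" name="menu-item-description[<?php echo $item_id; ?>]"><?php echo esc_html( $item->description ); ?></textarea>
+                        <textarea id="edit-menu-item-description-<?php echo $item_id; ?>" class="widefat edit-menu-item-description" rows="3" cols="20" name="menu-item-description[<?php echo $item_id; ?>]"><?php echo esc_textarea( $item->description ); ?></textarea>
                         <span class="description"><?php _e('The description will be displayed in the menu if the current theme supports it.'); ?></span>
                     </label>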
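--- a/trunk/wp-admin/includes/template.php
+++ b/trunk/wp-admin/includes/template.php
@@ -484,5 +484,5 @@
 
     $entry['meta_key'] = esc_attr($entry['meta_key']);
-    $entry['meta_value'] = htmlspecialchars($entry['meta_value']); // using a <textarea />
+    $entry['meta_value'] = esc_textarea( $entry['meta_value'] ); // using a <textarea />
     $entry['meta_id'] = (int) $entry['meta_id'];
 
@@ -719,5 +719,5 @@
     <tr>
         <th scope="row"><?php _e( 'URL' ) ?></th>
-        <td><textarea rows="1" cols="40" type="text" class="attachmentlinks" readonly="readonly"><?php echo wp_get_attachment_url(); ?></textarea></td>
+        <td><textarea rows="1" cols="40" type="text" class="attachmentlinks" readonly="readonly"><?php echo esc_textarea( wp_get_attachment_url() ); ?></textarea></td>
     </tr>
 <?php if ( $icon ) : ?>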
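--- a/trunk/wp-admin/maint/repair.php
+++ b/trunk/wp-admin/maint/repair.php
@@ -73,5 +73,5 @@
         foreach ( $problems as $table => $problem )
             $problem_output[] = "$table: $problem";
-        echo '<textarea name="errors" id="errors" rows="20" cols="60">' . format_to_edit(implode("\n", $problem_output)) . '</textarea>';
+        echo '<textarea name="errors" id="errors" rows="20" cols="60">' . esc_textarea( implode("\n", $problem_output) ) . '</textarea>';
     } else {
         echo '<p>'.__('Repairs complete.  Please remove the following line from wp-config.php to prevent this page from being used by unauthorized users.')."</p><code>define('WP_ALLOW_REPAIR', true);</code>";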
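--- a/trunk/wp-admin/network.php
+++ b/trunk/wp-admin/network.php
@@ -369,5 +369,5 @@
     <textarea class="code" readonly="readonly" cols="100" rows="<?php echo $num_keys_salts; ?>"><?php
     foreach ( $keys_salts as $c => $v ) {
-        echo "\ndefine( '$c', '" . wp_htmledit_pre( $v ) . "' );";
+        echo "\ndefine( '$c', '" . esc_textarea( $v ) . "' );";
     }
 ?></textarea>
@@ -457,5 +457,5 @@
         <li><p><?php printf( __( 'Add the following to your <code>web.config</code> file in <code>%s</code>, replacing other WordPress rules:' ), ABSPATH ); ?></p>
         <textarea class="code" readonly="readonly" cols="100" rows="20">
-        <?php echo wp_htmledit_pre( $web_config_file ); ?>
+        <?php echo esc_textarea( $web_config_file ); ?>
         </textarea></li>
         </ol>
@@ -486,5 +486,5 @@
         <li><p><?php printf( __( 'Add the following to your <code>.htaccess</code> file in <code>%s</code>, replacing other WordPress rules:' ), ABSPATH ); ?></p>
         <textarea class="code" readonly="readonly" cols="100" rows="<?php echo $subdomain_install ? 11 : 16; ?>">
-<?php echo wp_htmledit_pre( $htaccess_file ); ?></textarea></li>
+<?php echo esc_textarea( $htaccess_file ); ?></textarea></li>
         </ol>
 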
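Review bot: Line 371 writes each secret key/salt value into a PHP single-quoted literal, `define( '$c', '...' );`, but `esc_textarea()` escapes for the HTML textarea only; a `'` or `\` in `$v` would pass straight into the generated PHP and truncate or alter the constant the admin pastes into wp-config.php. Whether such characters can occur depends on how `$keys_salts` is produced, which is outside this hunk, so please check the generator; if it can emit them, escape the PHP context first, `esc_textarea( addcslashes( $v, "'\\" ) )`, and either way a one-line comment at line 371 saying the value is PHP source inside single quotes would stop the next reader from assuming HTML escaping is enough. The `web.config` and `.htaccess` hunks are plain text and need nothing further.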
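--- a/trunk/wp-admin/network/settings.php
+++ b/trunk/wp-admin/network/settings.php
@@ -122,5 +122,5 @@
                     $limited_email_domains = str_replace( ' ', "\n", $limited_email_domains ); ?>
                     <textarea name="limited_email_domains" id="limited_email_domains" cols="45" rows="5">
-<?php echo wp_htmledit_pre( $limited_email_domains == '' ? '' : implode( "\n", (array) $limited_email_domains ) ); ?></textarea>
+<?php echo esc_textarea( $limited_email_domains == '' ? '' : implode( "\n", (array) $limited_email_domains ) ); ?></textarea>
                     <br />
                     <?php _e( 'If you want to limit site registrations to certain domains. One domain per line.' ) ?>
@@ -132,5 +132,5 @@
                 <td>
                     <textarea name="banned_email_domains" id="banned_email_domains" cols="45" rows="5">
-<?php echo wp_htmledit_pre( get_site_option( 'banned_email_domains' ) == '' ? '' : implode( "\n", (array) get_site_option( 'banned_email_domains' ) ) ); ?></textarea>
+<?php echo esc_textarea( get_site_option( 'banned_email_domains' ) == '' ? '' : implode( "\n", (array) get_site_option( 'banned_email_domains' ) ) ); ?></textarea>
                     <br />
                     <?php _e( 'If you want to ban domains from site registrations. One domain per line.' ) ?>
@@ -146,5 +146,5 @@
                 <td>
                     <textarea name="welcome_email" id="welcome_email" rows="5" cols="45" class="large-text">
-<?php echo wp_htmledit_pre( stripslashes( get_site_option( 'welcome_email' ) ) ) ?></textarea>
+<?php echo esc_textarea( stripslashes( get_site_option( 'welcome_email' ) ) ) ?></textarea>
                     <br />
                     <?php _e( 'The welcome email sent to new site owners.' ) ?>
@@ -155,5 +155,5 @@
                 <td>
                     <textarea name="welcome_user_email" id="welcome_user_email" rows="5" cols="45" class="large-text">
-<?php echo wp_htmledit_pre( stripslashes( get_site_option( 'welcome_user_email' ) ) ) ?></textarea>
+<?php echo esc_textarea( stripslashes( get_site_option( 'welcome_user_email' ) ) ) ?></textarea>
                     <br />
                     <?php _e( 'The welcome email sent to new users.' ) ?>
@@ -164,5 +164,5 @@
                 <td>
                     <textarea name="first_post" id="first_post" rows="5" cols="45" class="large-text">
-<?php echo wp_htmledit_pre( stripslashes( get_site_option( 'first_post' ) ) ) ?></textarea>
+<?php echo esc_textarea( stripslashes( get_site_option( 'first_post' ) ) ) ?></textarea>
                     <br />
                     <?php _e( 'The first post on a new site.' ) ?>
@@ -173,5 +173,5 @@
                 <td>
                     <textarea name="first_page" id="first_page" rows="5" cols="45" class="large-text">
-<?php echo wp_htmledit_pre( stripslashes( get_site_option('first_page') ) ) ?></textarea>
+<?php echo esc_textarea( stripslashes( get_site_option('first_page') ) ) ?></textarea>
                     <br />
                     <?php _e( 'The first page on a new site.' ) ?>
@@ -182,5 +182,5 @@
                 <td>
                     <textarea name="first_comment" id="first_comment" rows="5" cols="45" class="large-text">
-<?php echo wp_htmledit_pre( stripslashes( get_site_option('first_comment') ) ) ?></textarea>
+<?php echo esc_textarea( stripslashes( get_site_option('first_comment') ) ) ?></textarea>
                     <br />
                     <?php _e( 'The first comment on a new site.' ) ?>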
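--- a/trunk/wp-admin/network/site-options.php
+++ b/trunk/wp-admin/network/site-options.php
@@ -107,5 +107,5 @@
                 <tr class="form-field">
                     <th scope="row"><?php echo ucwords( str_replace( "_", " ", $option->option_name ) ) ?></th>
-                    <td><textarea class="<?php echo $class; ?>" rows="5" cols="40" name="option[<?php echo esc_attr( $option->option_name ) ?>]" id="<?php echo esc_attr( $option->option_name ) ?>"<?php disabled( $disabled ) ?>><?php echo wp_htmledit_pre( $option->option_value ) ?></textarea></td>
+                    <td><textarea class="<?php echo $class; ?>" rows="5" cols="40" name="option[<?php echo esc_attr( $option->option_name ) ?>]" id="<?php echo esc_attr( $option->option_name ) ?>"<?php disabled( $disabled ) ?>><?php echo esc_textarea( $option->option_value ) ?></textarea></td>
                 </tr>
             <?php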
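--- a/trunk/wp-admin/options-discussion.php
+++ b/trunk/wp-admin/options-discussion.php
@@ -142,5 +142,5 @@
 <p><label for="moderation_keys"><?php _e('When a comment contains any of these words in its content, name, URL, e-mail, or IP, it will be held in the <a href="edit-comments.php?comment_status=moderated">moderation queue</a>. One word or IP per line. It will match inside words, so &#8220;press&#8221; will match &#8220;WordPress&#8221;.') ?></label></p>
 <p>
-<textarea name="moderation_keys" rows="10" cols="50" id="moderation_keys" class="large-text code"><?php form_option('moderation_keys'); ?></textarea>
+<textarea name="moderation_keys" rows="10" cols="50" id="moderation_keys" class="large-text code"><?php esc_textarea( get_option( 'moderation_keys' ) ); ?></textarea>
 </p>
 </fieldset></td>
@@ -151,5 +151,5 @@
 <p><label for="blacklist_keys"><?php _e('When a comment contains any of these words in its content, name, URL, e-mail, or IP, it will be marked as spam. One word or IP per line. It will match inside words, so &#8220;press&#8221; will match &#8220;WordPress&#8221;.') ?></label></p>
 <p>
-<textarea name="blacklist_keys" rows="10" cols="50" id="blacklist_keys" class="large-text code"><?php form_option('blacklist_keys'); ?></textarea>
+<textarea name="blacklist_keys" rows="10" cols="50" id="blacklist_keys" class="large-text code"><?php esc_textarea( get_option( 'blacklist_keys' ) ); ?></textarea>
 </p>
 </fieldset></td>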
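Review bot: The new lines 144 and 153 call `esc_textarea( get_option( ... ) )` without `echo`, so both textareas render empty: the `form_option()` call they replace printed its value, whereas `esc_textarea()` only returns a string. Any administrator who opens Discussion Settings and clicks Save will then submit empty `moderation_keys` and `blacklist_keys`, silently wiping the comment-moderation and blacklist word lists — a quiet loss of spam defences, not just a display glitch. The fix is `<?php echo esc_textarea( get_option( 'moderation_keys' ) ); ?>` at line 144 and `<?php echo esc_textarea( get_option( 'blacklist_keys' ) ); ?>` at line 153.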
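--- a/trunk/wp-admin/options-permalink.php
+++ b/trunk/wp-admin/options-permalink.php
@@ -231,5 +231,5 @@
 <form action="options-permalink.php" method="post">
 <?php wp_nonce_field('update-permalink') ?>
-    <p><textarea rows="9" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_html($wp_rewrite->iis7_url_rewrite_rules()); ?></textarea></p>
+    <p><textarea rows="9" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_textarea( $wp_rewrite->iis7_url_rewrite_rules() ); ?></textarea></p>
 </form>
 <p><?php _e('If you temporarily make your <code>web.config</code> file writable for us to generate rewrite rules automatically, do not forget to revert the permissions after rule has been saved.')  ?></p>
@@ -238,5 +238,5 @@
 <form action="options-permalink.php" method="post">
 <?php wp_nonce_field('update-permalink') ?>
-    <p><textarea rows="18" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_html($wp_rewrite->iis7_url_rewrite_rules(true)); ?></textarea></p>
+    <p><textarea rows="18" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_textarea( $wp_rewrite->iis7_url_rewrite_rules(true) ); ?></textarea></p>
 </form>
 <p><?php _e('If you temporarily make your site&#8217;s root directory writable for us to generate the <code>web.config</code> file automatically, do not forget to revert the permissions after the file has been created.')  ?></p>
@@ -248,5 +248,5 @@
 <form action="options-permalink.php" method="post">
 <?php wp_nonce_field('update-permalink') ?>
-    <p><textarea rows="6" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_html($wp_rewrite->mod_rewrite_rules()); ?></textarea></p>
+    <p><textarea rows="6" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_textarea( $wp_rewrite->mod_rewrite_rules() ); ?></textarea></p>
 </form>
     <?php endif; ?>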
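--- a/trunk/wp-admin/options-writing.php
+++ b/trunk/wp-admin/options-writing.php
@@ -138,5 +138,5 @@
 <p><label for="ping_sites"><?php _e('When you publish a new post, WordPress automatically notifies the following site update services. For more about this, see <a href="http://codex.wordpress.org/Update_Services">Update Services</a> on the Codex. Separate multiple service <abbr title="Universal Resource Locator">URL</abbr>s with line breaks.') ?></label></p>
 
-<textarea name="ping_sites" id="ping_sites" class="large-text code" rows="3"><?php form_option('ping_sites'); ?></textarea>
+<textarea name="ping_sites" id="ping_sites" class="large-text code" rows="3"><?php esc_textarea( get_option('ping_sites') ); ?></textarea>
 
 <?php else : ?>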
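Review bot: Line 140 calls `esc_textarea( get_option('ping_sites') )` but never echoes the result, so the textarea is rendered empty; `form_option()`, which it replaces, printed the value itself. Saving Writing Settings from that page would then post an empty `ping_sites` and clear the configured update services without the admin noticing. Change it to `<?php echo esc_textarea( get_option('ping_sites') ); ?>`.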
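--- a/trunk/wp-admin/options.php
+++ b/trunk/wp-admin/options.php
@@ -202,5 +202,5 @@
 <td>";
     if ( strpos( $value, "\n" ) !== false )
-        echo "<textarea class='$class' name='$name' id='$name' cols='30' rows='5'>" . wp_htmledit_pre( $value ) . "</textarea>";
+        echo "<textarea class='$class' name='$name' id='$name' cols='30' rows='5'>" . esc_textarea( $value ) . "</textarea>";
     else
         echo "<input class='regular-text $class' type='text' name='$name' id='$name' value='" . esc_attr( $value ) . "'" . disabled( $disabled, true, false ) . " />";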
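--- a/trunk/wp-admin/plugin-editor.php
+++ b/trunk/wp-admin/plugin-editor.php
@@ -137,5 +137,5 @@
     }
 
-    $content = htmlspecialchars( $content );
+    $content = esc_textarea( $content );
     ?>
 <?php if (isset($_GET['a'])) : ?>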
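--- a/trunk/wp-admin/press-this.php
+++ b/trunk/wp-admin/press-this.php
@@ -114,5 +114,5 @@
                 <h2><label for="embed-code"><?php _e('Embed Code') ?></label></h2>
                 <div class="inside">
-                    <textarea name="embed-code" id="embed-code" rows="8" cols="40"><?php echo wp_htmledit_pre( $selection ); ?></textarea>
+                    <textarea name="embed-code" id="embed-code" rows="8" cols="40"><?php echo esc_textarea( $selection ); ?></textarea>
                     <p id="options"><a href="#" class="select button"><?php _e('Insert Video'); ?></a> <a href="#" class="close button"><?php _e('Cancel'); ?></a></p>
                 </div>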
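--- a/trunk/wp-admin/theme-editor.php
+++ b/trunk/wp-admin/theme-editor.php
@@ -117,5 +117,5 @@
         }
 
-        $content = htmlspecialchars( $content );
+        $content = esc_textarea( $content );
     }
 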
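--- a/trunk/wp-admin/user-edit.php
+++ b/trunk/wp-admin/user-edit.php
@@ -341,5 +341,5 @@
 <tr>
     <th><label for="description"><?php _e('Biographical Info'); ?></label></th>
-    <td><textarea name="description" id="description" rows="5" cols="30"><?php echo esc_html($profileuser->description); ?></textarea><br />
+    <td><textarea name="description" id="description" rows="5" cols="30"><?php echo esc_textarea( $profileuser->description ); ?></textarea><br />
     <span class="description"><?php _e('Share a little biographical information to fill out your profile. This may be shown publicly.'); ?></span></td>
 </tr>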
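--- a/trunk/wp-includes/default-widgets.php
+++ b/trunk/wp-includes/default-widgets.php
@@ -400,5 +400,5 @@
         $instance = wp_parse_args( (array) $instance, array( 'title' => '', 'text' => '' ) );
         $title = strip_tags($instance['title']);
-        $text = format_to_edit($instance['text']);
+        $text = esc_textarea($instance['text']);
 ?>
         <p><label for="<?php echo $this->get_field_id('title'); ?>"><?php _e('Title:'); ?></label>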
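--- a/trunk/wp-includes/formatting.php
+++ b/trunk/wp-includes/formatting.php
@@ -2354,4 +2354,17 @@
 
 /**
+ * Escaping for textarea values.
+ *
+ * @since 3.1
+ *
+ * @param string $text
+ * @return string
+ */
+function esc_textarea( $text ) {
+    $safe_text = htmlspecialchars( $text );
+    return apply_filters( 'esc_textarea', $safe_text, $text );
+}
+
+/**
  * Escape a HTML tag name.
  *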
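Review bot: The new `esc_textarea()` at line 2363 calls `htmlspecialchars( $text )` with no quote style and no charset, so the result depends on the PHP build: before PHP 5.4 the default charset is ISO-8859-1, from 5.4 it is UTF-8, and an invalid byte sequence under the chosen charset makes `htmlspecialchars()` return an empty string — which, for a textarea, silently blanks the content being edited rather than showing it. The other escapers in this file presumably go through the blog charset (their bodies are outside this hunk); if so, aligning this one is a one-line change, `$safe_text = htmlspecialchars( $text, ENT_QUOTES, get_option( 'blog_charset' ) );`. The `esc_textarea` filter also hands plugins the final say over the escaped output, so the docblock should say so explicitly, e.g. `* Filters 'esc_textarea' with the escaped text and the original; a callback must return text that is still safe inside <textarea>.`, and the `@param`/`@return` lines deserve a word of description rather than bare types.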
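--- a/trunk/wp-includes/post.php
+++ b/trunk/wp-includes/post.php
@@ -5124,5 +5124,5 @@
             'output' => '<h4 id="%s-content-label"><label for="content">'. __('Content') .'</label></h4>
         <div class="textarea-wrap">
-            <textarea name="content" id="%s-content" class="mceEditor" rows="3" cols="15" tabindex="%d">'. $post->post_content.'</textarea>
+            <textarea name="content" id="%s-content" class="mceEditor" rows="3" cols="15" tabindex="%d">'. esc_textarea( $post->post_content ) .'</textarea>
         </div>
             '."     <script type='text/javascript'>edCanvas = document.getElementById('content');edInsertContent = null;</script>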