Context Navigation

← Previous Change
Next Change →

media.php

Timestamp:

02/24/2012 01:58:18 AM (14 years ago)

Author:

azaozz

Message:

HTML in image captions, first run, see #18311

File:

: 1 edited

trunk/wp-admin/includes/media.php (modified) (6 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/wp-admin/includes/media.php

-                      r19871
+                      r19982
     $width = $matches[1];
+    $caption = str_replace( array( '>',    '<',    '"',      "'" ),
+                            array( '&gt;', '&lt;', '&quot;', '&#039;' ),
+                            $caption
+                          );
+    $caption = preg_replace_callback( '/<[a-zA-Z][^<>]+>/', '_cleanup_image_add_caption', $caption );
+    $caption = str_replace( '"', '&quot;', $caption );
     $html = preg_replace( '/(class=["\'][^\'"]*)align(none|left|right|center)\s?/', '$1', $html );
 …
     $shcode = '[caption id="' . $id . '" align="align' . $align
     . '" width="' . $width . '" caption="' . addslashes($caption) . '"]' . $html . '[/caption]';
+    . '" width="' . $width . '" caption="' . $caption . '"]' . $html . '[/caption]';
     return apply_filters( 'image_add_caption_shortcode', $shcode, $html );
+}
 add_filter( 'image_send_to_editor', 'image_add_caption', 20, 8 );
+// Private, preg_replace callback used in image_add_caption()
+function _cleanup_image_add_caption($str) {
+    if ( isset($str[0]) )
+        return str_replace( '"', "'", $str[0] );
+    return '';
+}
 /**
 …
     return "
     <input type='text' class='text urlfield' name='attachments[$post->ID][url]' value='" . esc_attr($url) . "' /><br />
     <button type='button' class='button urlnone' title=''>" . __('None') . "</button>
     <button type='button' class='button urlfile' title='" . esc_attr($file) . "'>" . __('File URL') . "</button>
     <button type='button' class='button urlpost' title='" . esc_attr($link) . "'>" . __('Attachment Post URL') . "</button>
+    <button type='button' class='button urlnone' data-link-url=''>" . __('None') . "</button>
+    <button type='button' class='button urlfile' data-link-url='" . esc_attr($file) . "'>" . __('File URL') . "</button>
+    <button type='button' class='button urlpost' data-link-url='" . esc_attr($link) . "'>" . __('Attachment Post URL') . "</button>
 ";
+}
+function wp_caption_input_textarea($edit_post) {
+    // post data is already escaped
+    $name = "attachments[{$edit_post->ID}][post_excerpt]";
+    return '
+    <textarea class="code" name="' . $name . '" id="' . $name . '">' . $edit_post->post_excerpt . '</textarea>
+    <div class="edit-caption-controls hide-if-no-js">
+    <input type="button" class="button caption-insert-link" value="' . esc_attr__('Insert Link') . '" />
+    <div class="caption-insert-link-wrap hidden">
+    <label><span>' . __('Link URL') . '</span>
+    <input type="text" value="" class="caption-insert-link-url" /></label>
+    <label><span>' . __('Linked text') . '</span>
+    <input type="text" value="" class="caption-insert-link-text" /></label>
+    <div class="caption-insert-link-buttons">
+    <input type="button" class="button caption-cancel" value="' . esc_attr__('Cancel') . '" />
+    <input type="button" class="button-primary caption-save" value="' . esc_attr__('Insert') . '" />
+    <br class="clear" />
+    </div></div></div>
+    ';
+}
 …
         'image_alt'   => array(),
         'post_excerpt' => array(
+            'label'      => __('Caption'),
+            'value'      => $edit_post->post_excerpt
+            'label'      => __('Default Caption'),
+            'input'      => 'html',
+            'html'       => wp_caption_input_textarea($edit_post)
         ),
         'post_content' => array(
 …
             $item .= $field[ $field['input'] ];
         elseif ( $field['input'] == 'textarea' ) {
+            if ( user_can_richedit() ) { // textarea_escaped when user_can_richedit() = false
+                $field['value'] = esc_textarea( $field['value'] );
+            if ( 'post_content' == $id && user_can_richedit() ) {
+                // sanitize_post() skips the post_content when user_can_richedit
+                $field['value'] = htmlspecialchars( $field['value'], ENT_QUOTES );
+            }
+            // post_excerpt is already escaped by sanitize_post() in get_attachment_fields_to_edit()
             $item .= "<textarea id='$name' name='$name' $aria_required>" . $field['value'] . '</textarea>';
         } else {
 …
 <?php if ( ! apply_filters( 'disable_captions', '' ) ) { ?>
+        if ( f.caption.value )
+            caption = f.caption.value.replace(/'/g, '&#039;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+        if ( f.caption.value ) {
+            caption = f.caption.value.replace(/<[a-z][^<>]+>/g, function(a){
+                return a.replace(/"/g, "'");
+            });
+            caption = caption.replace(/"/g, '&quot;');
+        }
 <?php } ?>

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Make WordPress Core

Context Navigation

Changeset 19982 for trunk/wp-admin/includes/media.php

Legend:

trunk/wp-admin/includes/media.php

Download in other formats: