Changeset 20656


Timestamp:
04/30/2012 09:36:43 PM (13 years ago)
Author:
ryan
Message:

Escape term links output in category-template.php functions. Props SergeyBiryukov, solarissmoke, alex-ye. fixes #20106

File:
1 edited

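--- a/trunk/wp-includes/category-template.php
+++ b/trunk/wp-includes/category-template.php
@@ -57,5 +57,5 @@
 
     if ( $link )
-        $chain .= '<a href="' . get_category_link( $parent->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $parent->name ) ) . '">'.$name.'</a>' . $separator;
+        $chain .= '<a href="' . esc_url( get_category_link( $parent->term_id ) ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $parent->name ) ) . '">'.$name.'</a>' . $separator;
     else
         $chain .= $name.$separator;
@@ -172,8 +172,8 @@
                     if ( $category->parent )
                         $thelist .= get_category_parents( $category->parent, true, $separator );
-                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->name.'</a></li>';
+                    $thelist .= '<a href="' . esc_url( get_category_link( $category->term_id ) ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->name.'</a></li>';
                     break;
                 case 'single':
-                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>';
+                    $thelist .= '<a href="' . esc_url( get_category_link( $category->term_id ) ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>';
                     if ( $category->parent )
                         $thelist .= get_category_parents( $category->parent, false, $separator );
@@ -182,5 +182,5 @@
                 case '':
                 default:
-                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->name.'</a></li>';
+                    $thelist .= '<a href="' . esc_url( get_category_link( $category->term_id ) ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->name.'</a></li>';
             }
         }
@@ -195,8 +195,8 @@
                     if ( $category->parent )
                         $thelist .= get_category_parents( $category->parent, true, $separator );
-                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->name.'</a>';
+                    $thelist .= '<a href="' . esc_url( get_category_link( $category->term_id ) ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->name.'</a>';
                     break;
                 case 'single':
-                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>';
+                    $thelist .= '<a href="' . esc_url( get_category_link( $category->term_id ) ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>';
                     if ( $category->parent )
                         $thelist .= get_category_parents( $category->parent, false, $separator );
@@ -205,5 +205,5 @@
                 case '':
                 default:
-                    $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->name.'</a>';
+                    $thelist .= '<a href="' . esc_url( get_category_link( $category->term_id ) ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->name.'</a>';
             }
             ++$i;
@@ -826,5 +826,5 @@
         $cat_name = esc_attr( $category->name );
         $cat_name = apply_filters( 'list_cats', $cat_name, $category );
-        $link = '<a href="' . esc_attr( get_term_link($category) ) . '" ';
+        $link = '<a href="' . esc_url( get_term_link($category) ) . '" ';
         if ( $use_desc_for_title == 0 || empty($category->description) )
             $link .= 'title="' . esc_attr( sprintf(__( 'View all posts filed under %s' ), $cat_name) ) . '"';
@@ -840,5 +840,5 @@
                 $link .= '(';
 
-            $link .= '<a href="' . get_term_feed_link( $category->term_id, $category->taxonomy, $feed_type ) . '"';
+            $link .= '<a href="' . esc_url( get_term_feed_link( $category->term_id, $category->taxonomy, $feed_type ) ) . '"';
 
             if ( empty($feed) ) {
@@ -1110,5 +1110,5 @@
         if ( is_wp_error( $link ) )
             return $link;
-        $term_links[] = '<a href="' . $link . '" rel="tag">' . $term->name . '</a>';
+        $term_links[] = '<a href="' . esc_url( $link ) . '" rel="tag">' . $term->name . '</a>';
     }
 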
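Review bot: The href values are now passed through esc_url(), but the anchor text on the same new lines — `$name` at line 59, `$category->name` at 174, 184, 197 and 207, and `$term->name` at 1112 — is still concatenated into the markup without any escaping, so the output of these functions is only as safe as the stored term name. I believe core entity-encodes term names on save, which is presumably why the title attribute at 826 builds on an `esc_attr()`'d `$cat_name` while the link text does not, but that cannot be confirmed from this diff; if names can reach here raw, wrapping the anchor text in `esc_html()` would close the gap, and if they are already encoded it would double-encode, so a short comment stating which invariant these lines rely on (e.g. `// $term->name is entity-encoded on save; escaping here would double-encode`) would save the next reader from guessing. The esc_attr()-to-esc_url() change at 828 is the right direction for href context since esc_url() also rejects disallowed schemes, whereas the hrefs at 59 and 174 rely on get_category_link() never returning a WP_Error object the way the 1110–1111 check guards get_term_link() — worth verifying. All of these hunks sit inside functions (get_category_parents, get_the_category_list, Walker_Category::start_el, get_the_term_list) whose bodies start and end outside the visible lines.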