

Timestamp:
07/11/2014 06:55:48 PM (10 years ago)
Author:
SergeyBiryukov
Message:

Escape taxonomy name when used in attributes in post_categories_meta_box().

props pbearne.
fixes #28836.

File:
1 edited

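--- a/trunk/src/wp-admin/includes/meta-boxes.php
+++ b/trunk/src/wp-admin/includes/meta-boxes.php
@@ -405,7 +405,6 @@
     }
     $r = wp_parse_args( $args, $defaults );
-    $tax = $r['taxonomy'];
-    $tax_name = esc_attr( $tax );
-    $taxonomy = get_taxonomy( $tax );
+    $tax_name = esc_attr( $r['taxonomy'] );
+    $taxonomy = get_taxonomy( $r['taxonomy'] );
     $user_can_assign_terms = current_user_can( $taxonomy->cap->assign_terms );
     $comma = _x( ',', 'tag delimiter' );
@@ -463,48 +462,48 @@
     }
     $r = wp_parse_args( $args, $defaults );
-    $taxonomy = $r['taxonomy'];
-    $tax = get_taxonomy( $taxonomy );
+    $tax_name = esc_attr( $r['taxonomy'] );
+    $taxonomy = get_taxonomy( $r['taxonomy'] );
     ?>
-    <div id="taxonomy-<?php echo $taxonomy; ?>" class="categorydiv">
-        <ul id="<?php echo $taxonomy; ?>-tabs" class="category-tabs">
-            <li class="tabs"><a href="#<?php echo $taxonomy; ?>-all"><?php echo $tax->labels->all_items; ?></a></li>
-            <li class="hide-if-no-js"><a href="#<?php echo $taxonomy; ?>-pop"><?php _e( 'Most Used' ); ?></a></li>
+    <div id="taxonomy-<?php echo $tax_name; ?>" class="categorydiv">
+        <ul id="<?php echo $tax_name; ?>-tabs" class="category-tabs">
+            <li class="tabs"><a href="#<?php echo $tax_name; ?>-all"><?php echo $taxonomy->labels->all_items; ?></a></li>
+            <li class="hide-if-no-js"><a href="#<?php echo $tax_name; ?>-pop"><?php _e( 'Most Used' ); ?></a></li>
         </ul>
 
-        <div id="<?php echo $taxonomy; ?>-pop" class="tabs-panel" style="display: none;">
-            <ul id="<?php echo $taxonomy; ?>checklist-pop" class="categorychecklist form-no-clear" >
-                <?php $popular_ids = wp_popular_terms_checklist($taxonomy); ?>
+        <div id="<?php echo $tax_name; ?>-pop" class="tabs-panel" style="display: none;">
+            <ul id="<?php echo $tax_name; ?>checklist-pop" class="categorychecklist form-no-clear" >
+                <?php $popular_ids = wp_popular_terms_checklist( $tax_name ); ?>
             </ul>
         </div>
 
-        <div id="<?php echo $taxonomy; ?>-all" class="tabs-panel">
+        <div id="<?php echo $tax_name; ?>-all" class="tabs-panel">
             <?php
-            $name = ( $taxonomy == 'category' ) ? 'post_category' : 'tax_input[' . $taxonomy . ']';
+            $name = ( $tax_name == 'category' ) ? 'post_category' : 'tax_input[' . $tax_name . ']';
             echo "<input type='hidden' name='{$name}[]' value='0' />"; // Allows for an empty term set to be sent. 0 is an invalid Term ID and will be ignored by empty() checks.
             ?>
-            <ul id="<?php echo $taxonomy; ?>checklist" data-wp-lists="list:<?php echo $taxonomy?>" class="categorychecklist form-no-clear">
-                <?php wp_terms_checklist($post->ID, array( 'taxonomy' => $taxonomy, 'popular_cats' => $popular_ids ) ) ?>
+            <ul id="<?php echo $tax_name; ?>checklist" data-wp-lists="list:<?php echo $tax_name; ?>" class="categorychecklist form-no-clear">
+                <?php wp_terms_checklist( $post->ID, array( 'taxonomy' => $tax_name, 'popular_cats' => $popular_ids ) ); ?>
             </ul>
         </div>
-    <?php if ( current_user_can($tax->cap->edit_terms) ) : ?>
-            <div id="<?php echo $taxonomy; ?>-adder" class="wp-hidden-children">
+    <?php if ( current_user_can( $taxonomy->cap->edit_terms ) ) : ?>
+            <div id="<?php echo $tax_name; ?>-adder" class="wp-hidden-children">
                 <h4>
-                    <a id="<?php echo $taxonomy; ?>-add-toggle" href="#<?php echo $taxonomy; ?>-add" class="hide-if-no-js">
+                    <a id="<?php echo $tax_name; ?>-add-toggle" href="#<?php echo $tax_name; ?>-add" class="hide-if-no-js">
                         <?php
                             /* translators: %s: add new taxonomy label */
-                            printf( __( '+ %s' ), $tax->labels->add_new_item );
+                            printf( __( '+ %s' ), $taxonomy->labels->add_new_item );
                         ?>
                     </a>
                 </h4>
-                <p id="<?php echo $taxonomy; ?>-add" class="category-add wp-hidden-child">
-                    <label class="screen-reader-text" for="new<?php echo $taxonomy; ?>"><?php echo $tax->labels->add_new_item; ?></label>
-                    <input type="text" name="new<?php echo $taxonomy; ?>" id="new<?php echo $taxonomy; ?>" class="form-required form-input-tip" value="<?php echo esc_attr( $tax->labels->new_item_name ); ?>" aria-required="true"/>
-                    <label class="screen-reader-text" for="new<?php echo $taxonomy; ?>_parent">
-                        <?php echo $tax->labels->parent_item_colon; ?>
+                <p id="<?php echo $tax_name; ?>-add" class="category-add wp-hidden-child">
+                    <label class="screen-reader-text" for="new<?php echo $tax_name; ?>"><?php echo $taxonomy->labels->add_new_item; ?></label>
+                    <input type="text" name="new<?php echo $tax_name; ?>" id="new<?php echo $tax_name; ?>" class="form-required form-input-tip" value="<?php echo esc_attr( $taxonomy->labels->new_item_name ); ?>" aria-required="true"/>
+                    <label class="screen-reader-text" for="new<?php echo $tax_name; ?>_parent">
+                        <?php echo $taxonomy->labels->parent_item_colon; ?>
                     </label>
-                    <?php wp_dropdown_categories( array( 'taxonomy' => $taxonomy, 'hide_empty' => 0, 'name' => 'new'.$taxonomy.'_parent', 'orderby' => 'name', 'hierarchical' => 1, 'show_option_none' => '&mdash; ' . $tax->labels->parent_item . ' &mdash;' ) ); ?>
-                    <input type="button" id="<?php echo $taxonomy; ?>-add-submit" data-wp-lists="add:<?php echo $taxonomy ?>checklist:<?php echo $taxonomy ?>-add" class="button category-add-submit" value="<?php echo esc_attr( $tax->labels->add_new_item ); ?>" />
-                    <?php wp_nonce_field( 'add-'.$taxonomy, '_ajax_nonce-add-'.$taxonomy, false ); ?>
-                    <span id="<?php echo $taxonomy; ?>-ajax-response"></span>
+                    <?php wp_dropdown_categories( array( 'taxonomy' => $tax_name, 'hide_empty' => 0, 'name' => 'new' . $tax_name . '_parent', 'orderby' => 'name', 'hierarchical' => 1, 'show_option_none' => '&mdash; ' . $taxonomy->labels->parent_item . ' &mdash;' ) ); ?>
+                    <input type="button" id="<?php echo $tax_name; ?>-add-submit" data-wp-lists="add:<?php echo $tax_name; ?>checklist:<?php echo $tax_name; ?>-add" class="button category-add-submit" value="<?php echo esc_attr( $taxonomy->labels->add_new_item ); ?>" />
+                    <?php wp_nonce_field( 'add-' . $tax_name, '_ajax_nonce-add-' . $tax_name, false ); ?>
+                    <span id="<?php echo $tax_name; ?>-ajax-response"></span>
                 </p>
             </div>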
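Review bot: The second hunk feeds the attribute-escaped `$tax_name` into non-output contexts — `wp_popular_terms_checklist( $tax_name )`, the `'taxonomy' => $tax_name` arguments of `wp_terms_checklist()` and `wp_dropdown_categories()`, the `$tax_name == 'category'` comparison, and the nonce action `'add-' . $tax_name` — so taxonomy lookups and the nonce action string are now derived from HTML-entity-encoded text rather than from the registered name. That only stays correct while registered taxonomy names never contain a character esc_attr() rewrites (which register_taxonomy()'s key sanitization presumably guarantees, but the meta box should not silently depend on it); otherwise the lookups miss and the nonce action no longer matches what the handler verifies. Escape only at the echo points and keep `$r['taxonomy']` for lookups, the comparison and the nonce, exactly as the first hunk already does for `get_taxonomy()`; the `name`/`id` attribute strings built from `$tax_name` are fine as they are. post_categories_meta_box() starts before and ends after this hunk.
```php
<?php $popular_ids = wp_popular_terms_checklist( $r['taxonomy'] ); ?>
<?php /* … unchanged: close of the -pop panel, open of the -all panel … */ ?>
$name = ( $r['taxonomy'] == 'category' ) ? 'post_category' : 'tax_input[' . $tax_name . ']';
<?php /* … unchanged: hidden input, <ul> opener … */ ?>
<?php wp_terms_checklist( $post->ID, array( 'taxonomy' => $r['taxonomy'], 'popular_cats' => $popular_ids ) ); ?>
<?php /* … unchanged: adder toggle, labels and text input … */ ?>
<?php wp_dropdown_categories( array( 'taxonomy' => $r['taxonomy'], 'hide_empty' => 0, 'name' => 'new' . $tax_name . '_parent', 'orderby' => 'name', 'hierarchical' => 1, 'show_option_none' => '&mdash; ' . $taxonomy->labels->parent_item . ' &mdash;' ) ); ?>
<?php /* … unchanged: add-submit button … */ ?>
<?php wp_nonce_field( 'add-' . $r['taxonomy'], '_ajax_nonce-add-' . $r['taxonomy'], false ); ?>
```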