

Timestamp:
07/14/2015 05:55:07 PM (10 years ago)
Author:
wonderboymusic
Message:

After [33148]:
Don't nest esc_attr() and htmlspecialchars() when escaping the post title on the edit post screen.

Unrevert parts of [32851] and [32850].

Adds/alters unit tests.

Props miqrogroove.
Fixes #17780.

File:
1 edited

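--- a/trunk/src/wp-includes/formatting.php
+++ b/trunk/src/wp-includes/formatting.php
@@ -753,22 +753,11 @@
     }
 
-    // Handle double encoding ourselves
-    if ( $double_encode ) {
-        $string = @htmlspecialchars( $string, $quote_style, $charset );
-    } else {
-        // Decode & into &
-        $string = wp_specialchars_decode( $string, $_quote_style );
-
-        // Guarantee every &entity; is valid or re-encode the &
+    if ( ! $double_encode ) {
+        // Guarantee every &entity; is valid, convert &garbage; into &garbage;
+        // This is required for PHP < 5.4.0 because ENT_HTML401 flag is unavailable.
         $string = wp_kses_normalize_entities( $string );
-
-        // Now re-encode everything except &entity;
-        $string = preg_split( '/(&#?x?[0-9a-z]+;)/i', $string, -1, PREG_SPLIT_DELIM_CAPTURE );
-
-        for ( $i = 0, $c = count( $string ); $i < $c; $i += 2 ) {
-            $string[$i] = @htmlspecialchars( $string[$i], $quote_style, $charset );
-        }
-        $string = implode( '', $string );
-    }
+    }
+
+    $string = @htmlspecialchars( $string, $quote_style, $charset, $double_encode );
 
     // Backwards compatibility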
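Review bot: The consolidated call on new line 761 keeps the `@` operator, so any warning from `htmlspecialchars()` (for example an unsupported `$charset`) stays hidden. The function also returns an empty string when `$string` is not valid in `$charset`, unless `$quote_style` carries `ENT_SUBSTITUTE` or `ENT_IGNORE`. Since this one call now serves both the double-encode and the non-double-encode path, a silent empty result would reach every caller. The enclosing function starts and ends outside this hunk, so the input may already be validated earlier; if it is not, consider dropping the suppression, `$string = htmlspecialchars( $string, $quote_style, $charset, $double_encode );`, or adding a comment that says why it is kept. The comment on new lines 756–757 could also note that with `$double_encode` false, well-formed entities already in the input pass through unchanged, so this path does not neutralise pre-encoded markup.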