Timestamp:
08/30/2015 04:47:00 AM (9 years ago)
Author:
wonderboymusic
Message:

Improve/update escaping in WP_Widget_Pages.

Props welcher.
See #23012.

File:
1 edited

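--- a/trunk/src/wp-includes/default-widgets.php
+++ b/trunk/src/wp-includes/default-widgets.php
@@ -79,5 +79,5 @@
     public function update( $new_instance, $old_instance ) {
         $instance = $old_instance;
-        $instance['title'] = strip_tags($new_instance['title']);
+        $instance['title'] = sanitize_text_field( $new_instance['title'] );
         if ( in_array( $new_instance['sortby'], array( 'post_title', 'menu_order', 'ID' ) ) ) {
             $instance['sortby'] = $new_instance['sortby'];
@@ -86,5 +86,5 @@
         }
 
-        $instance['exclude'] = strip_tags( $new_instance['exclude'] );
+        $instance['exclude'] = sanitize_text_field( $new_instance['exclude'] );
 
         return $instance;
@@ -97,11 +97,12 @@
         //Defaults
         $instance = wp_parse_args( (array) $instance, array( 'sortby' => 'post_title', 'title' => '', 'exclude' => '') );
-        $title = esc_attr( $instance['title'] );
-        $exclude = esc_attr( $instance['exclude'] );
     ?>
-        <p><label for="<?php echo $this->get_field_id('title'); ?>"><?php _e('Title:'); ?></label> <input class="widefat" id="<?php echo $this->get_field_id('title'); ?>" name="<?php echo $this->get_field_name('title'); ?>" type="text" value="<?php echo $title; ?>" /></p>
         <p>
-            <label for="<?php echo $this->get_field_id('sortby'); ?>"><?php _e( 'Sort by:' ); ?></label>
-            <select name="<?php echo $this->get_field_name('sortby'); ?>" id="<?php echo $this->get_field_id('sortby'); ?>" class="widefat">
+            <label for="<?php echo esc_attr( $this->get_field_id( 'title' ) ); ?>"><?php _e( 'Title:' ); ?></label>
+            <input class="widefat" id="<?php echo esc_attr( $this->get_field_id('title') ); ?>" name="<?php echo esc_attr( $this->get_field_name( 'title' ) ); ?>" type="text" value="<?php echo esc_attr( $instance['title'] ); ?>" />
+        </p>
+        <p>
+            <label for="<?php echo esc_attr( $this->get_field_id( 'sortby' ) ); ?>"><?php _e( 'Sort by:' ); ?></label>
+            <select name="<?php echo esc_attr( $this->get_field_name( 'sortby' ) ); ?>" id="<?php echo esc_attr( $this->get_field_id( 'sortby' ) ); ?>" class="widefat">
                 <option value="post_title"<?php selected( $instance['sortby'], 'post_title' ); ?>><?php _e('Page title'); ?></option>
                 <option value="menu_order"<?php selected( $instance['sortby'], 'menu_order' ); ?>><?php _e('Page order'); ?></option>
@@ -110,5 +111,6 @@
         </p>
         <p>
-            <label for="<?php echo $this->get_field_id('exclude'); ?>"><?php _e( 'Exclude:' ); ?></label> <input type="text" value="<?php echo $exclude; ?>" name="<?php echo $this->get_field_name('exclude'); ?>" id="<?php echo $this->get_field_id('exclude'); ?>" class="widefat" />
+            <label for="<?php echo esc_attr( $this->get_field_id( 'exclude' ) ); ?>"><?php _e( 'Exclude:' ); ?></label>
+            <input type="text" value="<?php echo esc_attr( $instance['exclude'] ); ?>" name="<?php echo esc_attr( $this->get_field_name( 'exclude' ) ); ?>" id="<?php echo esc_attr( $this->get_field_id( 'exclude' ) ); ?>" class="widefat" />
             <br />
             <small><?php _e( 'Page IDs, separated by commas.' ); ?></small>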
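Review bot: The new `sanitize_text_field()` on the `exclude` value (the added line at new 88 in the second hunk) still stores free text for a field the form itself describes as "Page IDs, separated by commas", so normalizing it to exactly that would be the tighter check: `$instance['exclude'] = implode( ',', wp_parse_id_list( $new_instance['exclude'] ) );` — provided nothing downstream relies on the raw string, which this section does not show. The `in_array()` guard on `sortby` at line 82 is unchanged by the commit but compares loosely; passing `true` as its third argument pins it to the three literal keys. In the form() hunks, the added label lines (new 101, 105 and 113) echo translations through `_e()` unescaped while every attribute beside them now goes through `esc_attr()`; `esc_html_e( 'Title:' )` and its siblings (also the option labels at new 107-108) would complete the escaping this commit sets out to do. update() ends and form() begins outside the hunks shown.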