Make WordPress Core

Changeset 33814


Ignore:
Timestamp:
08/30/2015 05:37:53 AM (9 years ago)
Author:
wonderboymusic
Message:

Improve/update escaping in default widgets:

  • wrap some variables in esc_attr() before echoing
  • replace some strip_tags() calls with sanitize_text_field()
  • call esc_url() when wrapping some URLs

Props welcher.
See #23012.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/default-widgets.php

    r33813 r33814  
    291291        $instance = $old_instance;
    292292        $new_instance = wp_parse_args((array) $new_instance, array( 'title' => ''));
    293         $instance['title'] = strip_tags($new_instance['title']);
     293        $instance['title'] = sanitize_text_field( $new_instance['title'] );
    294294        return $instance;
    295295    }
     
    403403        $instance = $old_instance;
    404404        $new_instance = wp_parse_args( (array) $new_instance, array( 'title' => '', 'count' => 0, 'dropdown' => '') );
    405         $instance['title'] = strip_tags($new_instance['title']);
     405        $instance['title'] = sanitize_text_field( $new_instance['title'] );
    406406        $instance['count'] = $new_instance['count'] ? 1 : 0;
    407407        $instance['dropdown'] = $new_instance['dropdown'] ? 1 : 0;
     
    415415    public function form( $instance ) {
    416416        $instance = wp_parse_args( (array) $instance, array( 'title' => '', 'count' => 0, 'dropdown' => '') );
    417         $title = strip_tags($instance['title']);
    418         $count = $instance['count'] ? 'checked="checked"' : '';
    419         $dropdown = $instance['dropdown'] ? 'checked="checked"' : '';
     417        $title = sanitize_text_field( $instance['title'] );
    420418?>
    421419        <p><label for="<?php echo $this->get_field_id('title'); ?>"><?php _e('Title:'); ?></label> <input class="widefat" id="<?php echo $this->get_field_id('title'); ?>" name="<?php echo $this->get_field_name('title'); ?>" type="text" value="<?php echo esc_attr($title); ?>" /></p>
    422420        <p>
    423             <input class="checkbox" type="checkbox" <?php echo $dropdown; ?> id="<?php echo $this->get_field_id('dropdown'); ?>" name="<?php echo $this->get_field_name('dropdown'); ?>" /> <label for="<?php echo $this->get_field_id('dropdown'); ?>"><?php _e('Display as dropdown'); ?></label>
     421            <input class="checkbox" type="checkbox" <?php checked( $instance['dropdown'] ); ?> id="<?php echo $this->get_field_id('dropdown'); ?>" name="<?php echo $this->get_field_name('dropdown'); ?>" /> <label for="<?php echo $this->get_field_id('dropdown'); ?>"><?php _e('Display as dropdown'); ?></label>
    424422            <br/>
    425             <input class="checkbox" type="checkbox" <?php echo $count; ?> id="<?php echo $this->get_field_id('count'); ?>" name="<?php echo $this->get_field_name('count'); ?>" /> <label for="<?php echo $this->get_field_id('count'); ?>"><?php _e('Show post counts'); ?></label>
     423            <input class="checkbox" type="checkbox" <?php checked( $instance['count'] ); ?> id="<?php echo $this->get_field_id('count'); ?>" name="<?php echo $this->get_field_name('count'); ?>" /> <label for="<?php echo $this->get_field_id('count'); ?>"><?php _e('Show post counts'); ?></label>
    426424        </p>
    427425<?php
     
    459457            <?php wp_register(); ?>
    460458            <li><?php wp_loginout(); ?></li>
    461             <li><a href="<?php bloginfo('rss2_url'); ?>"><?php _e('Entries <abbr title="Really Simple Syndication">RSS</abbr>'); ?></a></li>
    462             <li><a href="<?php bloginfo('comments_rss2_url'); ?>"><?php _e('Comments <abbr title="Really Simple Syndication">RSS</abbr>'); ?></a></li>
     459            <li><a href="<?php echo esc_url( get_bloginfo( 'rss2_url' ) ); ?>"><?php _e('Entries <abbr title="Really Simple Syndication">RSS</abbr>'); ?></a></li>
     460            <li><a href="<?php echo esc_url( get_bloginfo( 'comments_rss2_url' ) ); ?>"><?php _e('Comments <abbr title="Really Simple Syndication">RSS</abbr>'); ?></a></li>
    463461<?php
    464462            /**
     
    489487    public function update( $new_instance, $old_instance ) {
    490488        $instance = $old_instance;
    491         $instance['title'] = strip_tags($new_instance['title']);
     489        $instance['title'] = sanitize_text_field( $new_instance['title'] );
    492490
    493491        return $instance;
     
    499497    public function form( $instance ) {
    500498        $instance = wp_parse_args( (array) $instance, array( 'title' => '' ) );
    501         $title = strip_tags($instance['title']);
     499        $title = sanitize_text_field( $instance['title'] );
    502500?>
    503501            <p><label for="<?php echo $this->get_field_id('title'); ?>"><?php _e('Title:'); ?></label> <input class="widefat" id="<?php echo $this->get_field_id('title'); ?>" name="<?php echo $this->get_field_name('title'); ?>" type="text" value="<?php echo esc_attr($title); ?>" /></p>
     
    543541    public function update( $new_instance, $old_instance ) {
    544542        $instance = $old_instance;
    545         $instance['title'] = strip_tags($new_instance['title']);
     543        $instance['title'] = sanitize_text_field( $new_instance['title'] );
    546544
    547545        return $instance;
     
    553551    public function form( $instance ) {
    554552        $instance = wp_parse_args( (array) $instance, array( 'title' => '' ) );
    555         $title = strip_tags($instance['title']);
     553        $title = sanitize_text_field( $instance['title'] );
    556554?>
    557555        <p><label for="<?php echo $this->get_field_id('title'); ?>"><?php _e('Title:'); ?></label>
     
    607605    public function update( $new_instance, $old_instance ) {
    608606        $instance = $old_instance;
    609         $instance['title'] = strip_tags($new_instance['title']);
     607        $instance['title'] = sanitize_text_field( $new_instance['title'] );
    610608        if ( current_user_can('unfiltered_html') )
    611609            $instance['text'] =  $new_instance['text'];
    612610        else
    613             $instance['text'] = stripslashes( wp_filter_post_kses( addslashes($new_instance['text']) ) ); // wp_filter_post_kses() expects slashed
     611            $instance['text'] = wp_kses_post( stripslashes( $new_instance['text'] ) );
    614612        $instance['filter'] = ! empty( $new_instance['filter'] );
    615613        return $instance;
     
    621619    public function form( $instance ) {
    622620        $instance = wp_parse_args( (array) $instance, array( 'title' => '', 'text' => '' ) );
    623         $title = strip_tags($instance['title']);
    624         $text = esc_textarea($instance['text']);
    625 ?>
     621        $filter = isset( $instance['filter'] ) ? $instance['filter'] : 0;
     622        $title = sanitize_text_field( $instance['title'] );
     623        ?>
    626624        <p><label for="<?php echo $this->get_field_id('title'); ?>"><?php _e('Title:'); ?></label>
    627625        <input class="widefat" id="<?php echo $this->get_field_id('title'); ?>" name="<?php echo $this->get_field_name('title'); ?>" type="text" value="<?php echo esc_attr($title); ?>" /></p>
    628626
    629627        <p><label for="<?php echo $this->get_field_id( 'text' ); ?>"><?php _e( 'Content:' ); ?></label>
    630         <textarea class="widefat" rows="16" cols="20" id="<?php echo $this->get_field_id('text'); ?>" name="<?php echo $this->get_field_name('text'); ?>"><?php echo $text; ?></textarea></p>
    631 
    632         <p><input id="<?php echo $this->get_field_id('filter'); ?>" name="<?php echo $this->get_field_name('filter'); ?>" type="checkbox" <?php checked(isset($instance['filter']) ? $instance['filter'] : 0); ?> />&nbsp;<label for="<?php echo $this->get_field_id('filter'); ?>"><?php _e('Automatically add paragraphs'); ?></label></p>
     628        <textarea class="widefat" rows="16" cols="20" id="<?php echo $this->get_field_id('text'); ?>" name="<?php echo $this->get_field_name('text'); ?>"><?php echo esc_textarea( $instance['text'] ); ?></textarea></p>
     629
     630        <p><input id="<?php echo $this->get_field_id('filter'); ?>" name="<?php echo $this->get_field_name('filter'); ?>" type="checkbox" <?php checked( $filter ); ?> />&nbsp;<label for="<?php echo $this->get_field_id('filter'); ?>"><?php _e('Automatically add paragraphs'); ?></label></p>
    633631<?php
    634632    }
     
    739737    public function update( $new_instance, $old_instance ) {
    740738        $instance = $old_instance;
    741         $instance['title'] = strip_tags($new_instance['title']);
     739        $instance['title'] = sanitize_text_field( $new_instance['title'] );
    742740        $instance['count'] = !empty($new_instance['count']) ? 1 : 0;
    743741        $instance['hierarchical'] = !empty($new_instance['hierarchical']) ? 1 : 0;
     
    753751        //Defaults
    754752        $instance = wp_parse_args( (array) $instance, array( 'title' => '') );
    755         $title = esc_attr( $instance['title'] );
     753        $title = sanitize_text_field( $instance['title'] );
    756754        $count = isset($instance['count']) ? (bool) $instance['count'] :false;
    757755        $hierarchical = isset( $instance['hierarchical'] ) ? (bool) $instance['hierarchical'] : false;
     
    759757?>
    760758        <p><label for="<?php echo $this->get_field_id('title'); ?>"><?php _e( 'Title:' ); ?></label>
    761         <input class="widefat" id="<?php echo $this->get_field_id('title'); ?>" name="<?php echo $this->get_field_name('title'); ?>" type="text" value="<?php echo $title; ?>" /></p>
     759        <input class="widefat" id="<?php echo $this->get_field_id('title'); ?>" name="<?php echo $this->get_field_name('title'); ?>" type="text" value="<?php echo esc_attr( $title ); ?>" /></p>
    762760
    763761        <p><input type="checkbox" class="checkbox" id="<?php echo $this->get_field_id('dropdown'); ?>" name="<?php echo $this->get_field_name('dropdown'); ?>"<?php checked( $dropdown ); ?> />
     
    880878    public function update( $new_instance, $old_instance ) {
    881879        $instance = $old_instance;
    882         $instance['title'] = strip_tags($new_instance['title']);
     880        $instance['title'] = santize_text_field( $new_instance['title'] );
    883881        $instance['number'] = (int) $new_instance['number'];
    884882        $instance['show_date'] = isset( $new_instance['show_date'] ) ? (bool) $new_instance['show_date'] : false;
     
    10571055    public function update( $new_instance, $old_instance ) {
    10581056        $instance = $old_instance;
    1059         $instance['title'] = strip_tags($new_instance['title']);
     1057        $instance['title'] = sanitize_text_field( $new_instance['title'] );
    10601058        $instance['number'] = absint( $new_instance['number'] );
    10611059        $this->flush_widget_cache();
     
    10721070     */
    10731071    public function form( $instance ) {
    1074         $title  = isset( $instance['title'] ) ? esc_attr( $instance['title'] ) : '';
     1072        $title = isset( $instance['title'] ) ? $instance['title'] : '';
    10751073        $number = isset( $instance['number'] ) ? absint( $instance['number'] ) : 5;
    10761074?>
    10771075        <p><label for="<?php echo $this->get_field_id( 'title' ); ?>"><?php _e( 'Title:' ); ?></label>
    1078         <input class="widefat" id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" type="text" value="<?php echo $title; ?>" /></p>
     1076        <input class="widefat" id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" type="text" value="<?php echo esc_attr( $title ); ?>" /></p>
    10791077
    10801078        <p><label for="<?php echo $this->get_field_id( 'number' ); ?>"><?php _e( 'Number of comments to show:' ); ?></label>
     
    11241122            $desc = esc_attr(strip_tags(@html_entity_decode($rss->get_description(), ENT_QUOTES, get_option('blog_charset'))));
    11251123            if ( empty($title) )
    1126                 $title = esc_html(strip_tags($rss->get_title()));
    1127             $link = esc_url(strip_tags($rss->get_permalink()));
     1124                $title = strip_tags( $rss->get_title() );
     1125            $link = strip_tags( $rss->get_permalink() );
    11281126            while ( stristr($link, 'http') != $link )
    11291127                $link = substr($link, 1);
     
    11361134        $title = apply_filters( 'widget_title', $title, $instance, $this->id_base );
    11371135
    1138         $url = esc_url(strip_tags($url));
    1139         $icon = includes_url('images/rss.png');
     1136        $url = strip_tags( $url );
     1137        $icon = includes_url( 'images/rss.png' );
    11401138        if ( $title )
    1141             $title = "<a class='rsswidget' href='$url'><img style='border:0' width='14' height='14' src='$icon' alt='RSS' /></a> <a class='rsswidget' href='$link'>$title</a>";
     1139            $title = '<a class="rsswidget" href="' . esc_url( $url ) . '"><img style="border:0" width="14" height="14" src="' . esc_url( $icon ) . '" alt="RSS" /></a> <a class="rsswidget" href="' . esc_url( $link ) . '">"'. esc_html( $title ) .'"</a>';
    11421140
    11431141        echo $args['before_widget'];
     
    12921290    $inputs = wp_parse_args( $inputs, $default_inputs );
    12931291
    1294     $args['number'] = esc_attr( $args['number'] );
    1295     $args['title'] = isset( $args['title'] ) ? esc_attr( $args['title'] ) : '';
    1296     $args['url'] = isset( $args['url'] ) ? esc_url( $args['url'] ) : '';
     1292    $args['title'] = isset( $args['title'] ) ? $args['title'] : '';
     1293    $args['url'] = isset( $args['url'] ) ? $args['url'] : '';
    12971294    $args['items'] = isset( $args['items'] ) ? (int) $args['items'] : 0;
    12981295
     
    13091306    }
    13101307
     1308    $esc_number = esc_attr( $args['number'] );
    13111309    if ( $inputs['url'] ) :
    13121310?>
    1313     <p><label for="rss-url-<?php echo $args['number']; ?>"><?php _e( 'Enter the RSS feed URL here:' ); ?></label>
    1314     <input class="widefat" id="rss-url-<?php echo $args['number']; ?>" name="widget-rss[<?php echo $args['number']; ?>][url]" type="text" value="<?php echo $args['url']; ?>" /></p>
     1311    <p><label for="rss-url-<?php echo $esc_number; ?>"><?php _e( 'Enter the RSS feed URL here:' ); ?></label>
     1312    <input class="widefat" id="rss-url-<?php echo $esc_number; ?>" name="widget-rss[<?php echo $esc_number; ?>][url]" type="text" value="<?php echo esc_url( $args['url'] ); ?>" /></p>
    13151313<?php endif; if ( $inputs['title'] ) : ?>
    1316     <p><label for="rss-title-<?php echo $args['number']; ?>"><?php _e( 'Give the feed a title (optional):' ); ?></label>
    1317     <input class="widefat" id="rss-title-<?php echo $args['number']; ?>" name="widget-rss[<?php echo $args['number']; ?>][title]" type="text" value="<?php echo $args['title']; ?>" /></p>
     1314    <p><label for="rss-title-<?php echo $esc_number; ?>"><?php _e( 'Give the feed a title (optional):' ); ?></label>
     1315    <input class="widefat" id="rss-title-<?php echo $esc_number; ?>" name="widget-rss[<?php echo $esc_number; ?>][title]" type="text" value="<?php echo esc_attr( $args['title'] ); ?>" /></p>
    13181316<?php endif; if ( $inputs['items'] ) : ?>
    1319     <p><label for="rss-items-<?php echo $args['number']; ?>"><?php _e( 'How many items would you like to display?' ); ?></label>
    1320     <select id="rss-items-<?php echo $args['number']; ?>" name="widget-rss[<?php echo $args['number']; ?>][items]">
    1321 <?php
    1322         for ( $i = 1; $i <= 20; ++$i ) {
    1323             echo "<option value='$i' " . selected( $args['items'], $i, false ) . ">$i</option>";
    1324         }
    1325 ?>
     1317    <p><label for="rss-items-<?php echo $esc_number; ?>"><?php _e( 'How many items would you like to display?' ); ?></label>
     1318    <select id="rss-items-<?php echo $esc_number; ?>" name="widget-rss[<?php echo $esc_number; ?>][items]">
     1319    <?php
     1320    for ( $i = 1; $i <= 20; ++$i ) {
     1321        echo "<option value='$i' " . selected( $args['items'], $i, false ) . ">$i</option>";
     1322    }
     1323    ?>
    13261324    </select></p>
    13271325<?php endif; if ( $inputs['show_summary'] ) : ?>
    1328     <p><input id="rss-show-summary-<?php echo $args['number']; ?>" name="widget-rss[<?php echo $args['number']; ?>][show_summary]" type="checkbox" value="1" <?php checked( $args['show_summary'] ); ?> />
    1329     <label for="rss-show-summary-<?php echo $args['number']; ?>"><?php _e( 'Display item content?' ); ?></label></p>
     1326    <p><input id="rss-show-summary-<?php echo $esc_number; ?>" name="widget-rss[<?php echo $esc_number; ?>][show_summary]" type="checkbox" value="1" <?php checked( $args['show_summary'] ); ?> />
     1327    <label for="rss-show-summary-<?php echo $esc_number; ?>"><?php _e( 'Display item content?' ); ?></label></p>
    13301328<?php endif; if ( $inputs['show_author'] ) : ?>
    1331     <p><input id="rss-show-author-<?php echo $args['number']; ?>" name="widget-rss[<?php echo $args['number']; ?>][show_author]" type="checkbox" value="1" <?php checked( $args['show_author'] ); ?> />
    1332     <label for="rss-show-author-<?php echo $args['number']; ?>"><?php _e( 'Display item author if available?' ); ?></label></p>
     1329    <p><input id="rss-show-author-<?php echo $esc_number; ?>" name="widget-rss[<?php echo $esc_number; ?>][show_author]" type="checkbox" value="1" <?php checked( $args['show_author'] ); ?> />
     1330    <label for="rss-show-author-<?php echo $esc_number; ?>"><?php _e( 'Display item author if available?' ); ?></label></p>
    13331331<?php endif; if ( $inputs['show_date'] ) : ?>
    1334     <p><input id="rss-show-date-<?php echo $args['number']; ?>" name="widget-rss[<?php echo $args['number']; ?>][show_date]" type="checkbox" value="1" <?php checked( $args['show_date'] ); ?>/>
    1335     <label for="rss-show-date-<?php echo $args['number']; ?>"><?php _e( 'Display item date?' ); ?></label></p>
     1332    <p><input id="rss-show-date-<?php echo $esc_number; ?>" name="widget-rss[<?php echo $esc_number; ?>][show_date]" type="checkbox" value="1" <?php checked( $args['show_date'] ); ?>/>
     1333    <label for="rss-show-date-<?php echo $esc_number; ?>"><?php _e( 'Display item date?' ); ?></label></p>
    13361334<?php
    13371335    endif;
     
    13401338            $id = str_replace( '_', '-', $input );
    13411339?>
    1342     <input type="hidden" id="rss-<?php echo $id; ?>-<?php echo $args['number']; ?>" name="widget-rss[<?php echo $args['number']; ?>][<?php echo $input; ?>]" value="<?php echo $args[ $input ]; ?>" />
     1340    <input type="hidden" id="rss-<?php echo esc_attr( $id ); ?>-<?php echo $esc_number; ?>" name="widget-rss[<?php echo $esc_number; ?>][<?php echo esc_attr( $input ); ?>]" value="<?php echo esc_attr( $args[ $input ] ); ?>" />
    13431341<?php
    13441342        endif;
     
    14541452    public function update( $new_instance, $old_instance ) {
    14551453        $instance = array();
    1456         $instance['title'] = strip_tags(stripslashes($new_instance['title']));
     1454        $instance['title'] = sanitize_text_field( stripslashes( $new_instance['title'] ) );
    14571455        $instance['taxonomy'] = stripslashes($new_instance['taxonomy']);
    14581456        return $instance;
     
    14641462    public function form( $instance ) {
    14651463        $current_taxonomy = $this->_get_current_taxonomy($instance);
     1464        $title = isset( $instance['title'] ) ? $instance['title'] : '';
    14661465?>
    14671466    <p><label for="<?php echo $this->get_field_id('title'); ?>"><?php _e('Title:') ?></label>
    1468     <input type="text" class="widefat" id="<?php echo $this->get_field_id('title'); ?>" name="<?php echo $this->get_field_name('title'); ?>" value="<?php if (isset ( $instance['title'])) {echo esc_attr( $instance['title'] );} ?>" /></p>
     1467    <input type="text" class="widefat" id="<?php echo $this->get_field_id('title'); ?>" name="<?php echo $this->get_field_name('title'); ?>" value="<?php echo esc_attr( $title ); ?>" /></p>
    14691468    <p><label for="<?php echo $this->get_field_id('taxonomy'); ?>"><?php _e('Taxonomy:') ?></label>
    14701469    <select class="widefat" id="<?php echo $this->get_field_id('taxonomy'); ?>" name="<?php echo $this->get_field_name('taxonomy'); ?>">
    14711470    <?php foreach ( get_taxonomies() as $taxonomy ) :
    1472                 $tax = get_taxonomy($taxonomy);
    1473                 if ( !$tax->show_tagcloud || empty($tax->labels->name) )
    1474                     continue;
     1471        $tax = get_taxonomy($taxonomy);
     1472        if ( !$tax->show_tagcloud || empty($tax->labels->name) )
     1473            continue;
    14751474    ?>
    1476         <option value="<?php echo esc_attr($taxonomy) ?>" <?php selected($taxonomy, $current_taxonomy) ?>><?php echo $tax->labels->name; ?></option>
     1475        <option value="<?php echo esc_attr($taxonomy) ?>" <?php selected($taxonomy, $current_taxonomy) ?>><?php echo esc_attr( $tax->labels->name ); ?></option>
    14771476    <?php endforeach; ?>
    14781477    </select></p><?php
     
    15541553        $instance = array();
    15551554        if ( ! empty( $new_instance['title'] ) ) {
    1556             $instance['title'] = strip_tags( stripslashes($new_instance['title']) );
     1555            $instance['title'] = sanitize_text_field( stripslashes( $new_instance['title'] ) );
    15571556        }
    15581557        if ( ! empty( $new_instance['nav_menu'] ) ) {
Note: See TracChangeset for help on using the changeset viewer.