

Timestamp:
09/19/2015 06:52:27 PM (9 years ago)
Author:
wonderboymusic
Message:

Export: Add late-escaping to the contents of several nodes to avoid creating invalid XML and XML parse errors.

Props westonruter.
Fixes #33732.

File:
1 edited

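--- a/trunk/src/wp-admin/includes/export.php
+++ b/trunk/src/wp-admin/includes/export.php
@@ -284,7 +284,7 @@
         foreach ( $authors as $author ) {
             echo "\t<wp:author>";
-            echo '<wp:author_id>' . $author->ID . '</wp:author_id>';
-            echo '<wp:author_login>' . $author->user_login . '</wp:author_login>';
-            echo '<wp:author_email>' . $author->user_email . '</wp:author_email>';
+            echo '<wp:author_id>' . intval( $author->ID ) . '</wp:author_id>';
+            echo '<wp:author_login>' . wxr_cdata( $author->user_login ) . '</wp:author_login>';
+            echo '<wp:author_email>' . wxr_cdata( $author->user_email ) . '</wp:author_email>';
             echo '<wp:author_display_name>' . wxr_cdata( $author->display_name ) . '</wp:author_display_name>';
             echo '<wp:author_first_name>' . wxr_cdata( $author->first_name ) . '</wp:author_first_name>';
@@ -305,5 +305,8 @@
 
         foreach ( $nav_menus as $menu ) {
-            echo "\t<wp:term><wp:term_id>{$menu->term_id}</wp:term_id><wp:term_taxonomy>nav_menu</wp:term_taxonomy><wp:term_slug>{$menu->slug}</wp:term_slug>";
+            echo "\t<wp:term>";
+            echo '<wp:term_id>' . intval( $menu->term_id ) . '</wp:term_id>';
+            echo '<wp:term_taxonomy>nav_menu</wp:term_taxonomy>';
+            echo '<wp:term_slug>' . wxr_cdata( $menu->slug ) . '</wp:term_slug>';
             wxr_term_name( $menu );
             echo "</wp:term>\n";
@@ -384,11 +387,11 @@
 
 <?php foreach ( $cats as $c ) : ?>
-    <wp:category><wp:term_id><?php echo $c->term_id ?></wp:term_id><wp:category_nicename><?php echo $c->slug; ?></wp:category_nicename><wp:category_parent><?php echo $c->parent ? $cats[$c->parent]->slug : ''; ?></wp:category_parent><?php wxr_cat_name( $c ); ?><?php wxr_category_description( $c ); ?></wp:category>
+    <wp:category><wp:term_id><?php echo intval( $c->term_id ); ?></wp:term_id><wp:category_nicename><?php echo wxr_cdata( $c->slug ); ?></wp:category_nicename><wp:category_parent><?php echo wxr_cdata( $c->parent ? $cats[$c->parent]->slug : '' ); ?></wp:category_parent><?php wxr_cat_name( $c ); ?><?php wxr_category_description( $c ); ?></wp:category>
 <?php endforeach; ?>
 <?php foreach ( $tags as $t ) : ?>
-    <wp:tag><wp:term_id><?php echo $t->term_id ?></wp:term_id><wp:tag_slug><?php echo $t->slug; ?></wp:tag_slug><?php wxr_tag_name( $t ); ?><?php wxr_tag_description( $t ); ?></wp:tag>
+    <wp:tag><wp:term_id><?php echo intval( $t->term_id ); ?></wp:term_id><wp:tag_slug><?php echo wxr_cdata( $t->slug ); ?></wp:tag_slug><?php wxr_tag_name( $t ); ?><?php wxr_tag_description( $t ); ?></wp:tag>
 <?php endforeach; ?>
 <?php foreach ( $terms as $t ) : ?>
-    <wp:term><wp:term_id><?php echo $t->term_id ?></wp:term_id><wp:term_taxonomy><?php echo $t->taxonomy; ?></wp:term_taxonomy><wp:term_slug><?php echo $t->slug; ?></wp:term_slug><wp:term_parent><?php echo $t->parent ? $terms[$t->parent]->slug : ''; ?></wp:term_parent><?php wxr_term_name( $t ); ?><?php wxr_term_description( $t ); ?></wp:term>
+    <wp:term><wp:term_id><?php echo wxr_cdata( $t->term_id ); ?></wp:term_id><wp:term_taxonomy><?php echo wxr_cdata( $t->taxonomy ); ?></wp:term_taxonomy><wp:term_slug><?php echo wxr_cdata( $t->slug ); ?></wp:term_slug><wp:term_parent><?php echo wxr_cdata( $t->parent ? $terms[$t->parent]->slug : '' ); ?></wp:term_parent><?php wxr_term_name( $t ); ?><?php wxr_term_description( $t ); ?></wp:term>
 <?php endforeach; ?>
 <?php if ( 'all' == $args['content'] ) wxr_nav_menu_terms(); ?>
@@ -448,18 +451,18 @@
             echo wxr_cdata( apply_filters( 'the_excerpt_export', $post->post_excerpt ) );
         ?></excerpt:encoded>
-        <wp:post_id><?php echo $post->ID; ?></wp:post_id>
-        <wp:post_date><?php echo $post->post_date; ?></wp:post_date>
-        <wp:post_date_gmt><?php echo $post->post_date_gmt; ?></wp:post_date_gmt>
-        <wp:comment_status><?php echo $post->comment_status; ?></wp:comment_status>
-        <wp:ping_status><?php echo $post->ping_status; ?></wp:ping_status>
-        <wp:post_name><?php echo $post->post_name; ?></wp:post_name>
-        <wp:status><?php echo $post->post_status; ?></wp:status>
-        <wp:post_parent><?php echo $post->post_parent; ?></wp:post_parent>
-        <wp:menu_order><?php echo $post->menu_order; ?></wp:menu_order>
-        <wp:post_type><?php echo $post->post_type; ?></wp:post_type>
-        <wp:post_password><?php echo $post->post_password; ?></wp:post_password>
-        <wp:is_sticky><?php echo $is_sticky; ?></wp:is_sticky>
+        <wp:post_id><?php echo intval( $post->ID ); ?></wp:post_id>
+        <wp:post_date><?php echo wxr_cdata( $post->post_date ); ?></wp:post_date>
+        <wp:post_date_gmt><?php echo wxr_cdata( $post->post_date_gmt ); ?></wp:post_date_gmt>
+        <wp:comment_status><?php echo wxr_cdata( $post->comment_status ); ?></wp:comment_status>
+        <wp:ping_status><?php echo wxr_cdata( $post->ping_status ); ?></wp:ping_status>
+        <wp:post_name><?php echo wxr_cdata( $post->post_name ); ?></wp:post_name>
+        <wp:status><?php echo wxr_cdata( $post->post_status ); ?></wp:status>
+        <wp:post_parent><?php echo intval( $post->post_parent ); ?></wp:post_parent>
+        <wp:menu_order><?php echo intval( $post->menu_order ); ?></wp:menu_order>
+        <wp:post_type><?php echo wxr_cdata( $post->post_type ); ?></wp:post_type>
+        <wp:post_password><?php echo wxr_cdata( $post->post_password ); ?></wp:post_password>
+        <wp:is_sticky><?php echo intval( $is_sticky ); ?></wp:is_sticky>
 <?php   if ( $post->post_type == 'attachment' ) : ?>
-        <wp:attachment_url><?php echo wp_get_attachment_url( $post->ID ); ?></wp:attachment_url>
+        <wp:attachment_url><?php echo wxr_cdata( wp_get_attachment_url( $post->ID ) ); ?></wp:attachment_url>
 <?php   endif; ?>
 <?php   wxr_post_taxonomy(); ?>
@@ -482,5 +485,5 @@
         ?>
         <wp:postmeta>
-            <wp:meta_key><?php echo $meta->meta_key; ?></wp:meta_key>
+            <wp:meta_key><?php echo wxr_cdata( $meta->meta_key ); ?></wp:meta_key>
             <wp:meta_value><?php echo wxr_cdata( $meta->meta_value ); ?></wp:meta_value>
         </wp:postmeta>
@@ -491,16 +494,16 @@
         foreach ( $comments as $c ) : ?>
         <wp:comment>
-            <wp:comment_id><?php echo $c->comment_ID; ?></wp:comment_id>
+            <wp:comment_id><?php echo intval( $c->comment_ID ); ?></wp:comment_id>
             <wp:comment_author><?php echo wxr_cdata( $c->comment_author ); ?></wp:comment_author>
-            <wp:comment_author_email><?php echo $c->comment_author_email; ?></wp:comment_author_email>
+            <wp:comment_author_email><?php echo wxr_cdata( $c->comment_author_email ); ?></wp:comment_author_email>
             <wp:comment_author_url><?php echo esc_url_raw( $c->comment_author_url ); ?></wp:comment_author_url>
-            <wp:comment_author_IP><?php echo $c->comment_author_IP; ?></wp:comment_author_IP>
-            <wp:comment_date><?php echo $c->comment_date; ?></wp:comment_date>
-            <wp:comment_date_gmt><?php echo $c->comment_date_gmt; ?></wp:comment_date_gmt>
+            <wp:comment_author_IP><?php echo wxr_cdata( $c->comment_author_IP ); ?></wp:comment_author_IP>
+            <wp:comment_date><?php echo wxr_cdata( $c->comment_date ); ?></wp:comment_date>
+            <wp:comment_date_gmt><?php echo wxr_cdata( $c->comment_date_gmt ); ?></wp:comment_date_gmt>
             <wp:comment_content><?php echo wxr_cdata( $c->comment_content ) ?></wp:comment_content>
-            <wp:comment_approved><?php echo $c->comment_approved; ?></wp:comment_approved>
-            <wp:comment_type><?php echo $c->comment_type; ?></wp:comment_type>
-            <wp:comment_parent><?php echo $c->comment_parent; ?></wp:comment_parent>
-            <wp:comment_user_id><?php echo $c->user_id; ?></wp:comment_user_id>
+            <wp:comment_approved><?php echo wxr_cdata( $c->comment_approved ); ?></wp:comment_approved>
+            <wp:comment_type><?php echo wxr_cdata( $c->comment_type ); ?></wp:comment_type>
+            <wp:comment_parent><?php echo intval( $c->comment_parent ); ?></wp:comment_parent>
+            <wp:comment_user_id><?php echo intval( $c->user_id ); ?></wp:comment_user_id>
 <?php       $c_meta = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM $wpdb->commentmeta WHERE comment_id = %d", $c->comment_ID ) );
             foreach ( $c_meta as $meta ) :
@@ -522,5 +525,5 @@
             ?>
             <wp:commentmeta>
-                <wp:meta_key><?php echo $meta->meta_key; ?></wp:meta_key>
+                <wp:meta_key><?php echo wxr_cdata( $meta->meta_key ); ?></wp:meta_key>
                 <wp:meta_value><?php echo wxr_cdata( $meta->meta_value ); ?></wp:meta_value>
             </wp:commentmeta>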
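Review bot: New line 395 in the `$terms` loop wraps `$t->term_id` in wxr_cdata() while every other id emitted by this commit (category and tag term_id on lines 389 and 392, the nav-menu term_id, post_id, comment_id, post_parent, user_id) goes through intval(); for consistency and so the importer always receives a plain integer node, change it to `<wp:term_id><?php echo intval( $t->term_id ); ?></wp:term_id>`. The untouched context line 499 still emits comment_author_url through esc_url_raw(), which does not entity-encode `&`, so a stored author URL carrying a query string can still produce a bare ampersand and the XML parse error this commit sets out to prevent; wrapping it as `<?php echo wxr_cdata( esc_url_raw( $c->comment_author_url ) ); ?>` would close that gap. Both points apply within the hunks at old lines 384 and 491; the enclosing export function starts and ends outside the hunks shown.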