Changeset 37811

Timestamp:

06/21/2016 02:53:01 PM (7 years ago)

Author:

nbachiyski

Message:

Admin: escape URL-encoded permalinks

Merge of [37801] to the 4.3 branch.

File:

• branches/4.3/src/wp-admin/includes/post.php (modified) (3 diffs)

branches/4.3/src/wp-admin/includes/post.php

@@ -1314 +1314 @@
         }
 
-        $post_name_html = '<span id="editable-post-name" title="' . $title . '">' . $post_name_abridged . '</span>';
-        $display_link = str_replace( array( '%pagename%', '%postname%' ), $post_name_html, urldecode( $permalink ) );
+        $post_name_html = '<span id="editable-post-name" title="' . $title . '">' . esc_html( $post_name_abridged ) . '</span>';
+        $display_link = str_replace( array( '%pagename%', '%postname%' ), $post_name_html, esc_html( urldecode( $permalink ) ) );
         $pretty_permalink = str_replace( array( '%pagename%', '%postname%' ), $post_name, urldecode( $permalink ) );
 
@@ -1322 +1322 @@
         $return .= '&lrm;'; // Fix bi-directional text display defect in RTL languages.
         $return .= '<span id="edit-slug-buttons"><a href="#post_name" class="edit-slug button button-small hide-if-no-js" onclick="editPermalink(' . $id . '); return false;">' . __( 'Edit' ) . "</a></span>\n";
-        $return .= '<span id="editable-post-name-full">' . $post_name . "</span>\n";
+        $return .= '<span id="editable-post-name-full">' . esc_html( $post_name ) . "</span>\n";
     }
 
@@ -1336 +1336 @@
             }
 
-            $return .= "<span id='view-post-btn'><a href='" . $pretty_permalink . "' class='button button-small'>$view_post</a></span>\n";
+            $return .= "<span id='view-post-btn'><a href='" . esc_url( $pretty_permalink ) . "' class='button button-small'>$view_post</a></span>\n";
         }
     }