Changeset 37815 for branches/4.1/src/wp-admin/includes/post.php

Timestamp:

06/21/2016 02:55:12 PM (7 years ago)

Author:

nbachiyski

Message:

Admin: escape URL-encoded permalinks

Merge of [37801] to the 4.1 branch.

File:

• branches/4.1/src/wp-admin/includes/post.php (modified) (4 diffs)

branches/4.1/src/wp-admin/includes/post.php

@@ -1217 +1217 @@
 
     if ( false === strpos( $permalink, '%postname%' ) && false === strpos( $permalink, '%pagename%' ) ) {
-        $return = '<strong>' . __('Permalink:') . "</strong>\n" . '<span id="sample-permalink" tabindex="-1">' . $permalink . "</span>\n";
+        $return = '<strong>' . __('Permalink:') . "</strong>\n" . '<span id="sample-permalink" tabindex="-1">' . esc_html( $permalink ) . "</span>\n";
         if ( '' == get_option( 'permalink_structure' ) && current_user_can( 'manage_options' ) && !( 'page' == get_option('show_on_front') && $id == get_option('page_on_front') ) ) {
             $return .= '<span id="change-permalinks"><a href="options-permalink.php" class="button button-small" target="_blank">' . __('Change Permalinks') . "</a></span>\n";
@@ -1236 +1236 @@
         }
 
-        $post_name_html = '<span id="editable-post-name" title="' . $title . '">' . $post_name_abridged . '</span>';
-        $display_link = str_replace( array( '%pagename%', '%postname%' ), $post_name_html, urldecode( $permalink ) );
+        $post_name_html = '<span id="editable-post-name" title="' . $title . '">' . esc_html( $post_name_abridged ) . '</span>';
+        $display_link = str_replace( array( '%pagename%', '%postname%' ), $post_name_html, esc_html( urldecode( $permalink ) ) );
 
         $return =  '<strong>' . __( 'Permalink:' ) . "</strong>\n";
@@ -1243 +1243 @@
         $return .= '&lrm;'; // Fix bi-directional text display defect in RTL languages.
         $return .= '<span id="edit-slug-buttons"><a href="#post_name" class="edit-slug button button-small hide-if-no-js" onclick="editPermalink(' . $id . '); return false;">' . __( 'Edit' ) . "</a></span>\n";
-        $return .= '<span id="editable-post-name-full">' . $post_name . "</span>\n";
+        $return .= '<span id="editable-post-name-full">' . esc_html( $post_name ) . "</span>\n";
     }
 
@@ -1253 +1253 @@
             $return .= "<span id='view-post-btn'><a href='" . esc_url( $preview_link ) . "' class='button button-small' target='wp-preview-{$post->ID}'>$view_post</a></span>\n";
         } else {
-            $return .= "<span id='view-post-btn'><a href='" . get_permalink( $post ) . "' class='button button-small'>$view_post</a></span>\n";
+            $return .= "<span id='view-post-btn'><a href='" . esc_url( get_permalink( $post ) ) . "' class='button button-small'>$view_post</a></span>\n";
         }
     }