WordPress.org
Get WordPress

Make WordPress Core

Changeset 37821


Ignore:
Timestamp:
06/21/2016 02:58:29 PM (8 years ago)
Author:
nbachiyski
Message:

Admin: escape URL-encoded permalinks

Merge of [37801] to the 3.8 branch.

File:
1 edited

Legend:

Unmodified
Added
Removed

  • branches/3.8/src/wp-admin/includes/post.php

    r37787 r37821  
    11551155
    11561156    if ( false === strpos($permalink, '%postname%') && false === strpos($permalink, '%pagename%') ) {
    1157         $return = '<strong>' . __('Permalink:') . "</strong>\n" . '<span id="sample-permalink" tabindex="-1">' . $permalink . "</span>\n";
     1157        $return = '<strong>' . __('Permalink:') . "</strong>\n" . '<span id="sample-permalink" tabindex="-1">' . esc_html( $permalink ) . "</span>\n";
    11581158        if ( '' == get_option( 'permalink_structure' ) && current_user_can( 'manage_options' ) && !( 'page' == get_option('show_on_front') && $id == get_option('page_on_front') ) )
    11591159            $return .= '<span id="change-permalinks"><a href="options-permalink.php" class="button button-small" target="_blank">' . __('Change Permalinks') . "</a></span>\n";
    11601160        if ( isset( $view_post ) )
    1161             $return .= "<span id='view-post-btn'><a href='$permalink' class='button button-small'>$view_post</a></span>\n";
     1161            $return .= "<span id='view-post-btn'><a href='" . esc_url( $permalink ) . "' class='button button-small'>$view_post</a></span>\n";
    11621162
    11631163        $return = apply_filters('get_sample_permalink_html', $return, $id, $new_title, $new_slug);
     
    11801180    }
    11811181
    1182     $post_name_html = '<span id="editable-post-name" title="' . $title . '">' . $post_name_abridged . '</span>';
    1183     $display_link = str_replace(array('%pagename%','%postname%'), $post_name_html, $permalink);
     1182    $post_name_html = '<span id="editable-post-name" title="' . $title . '">' . esc_html( $post_name_abridged ) . '</span>';
     1183    $display_link = str_replace(array('%pagename%','%postname%'), $post_name_html, esc_html( $permalink ) );
    11841184    $view_link = str_replace(array('%pagename%','%postname%'), $post_name, $permalink);
    11851185    $return =  '<strong>' . __('Permalink:') . "</strong>\n";
     
    11871187    $return .= '&lrm;'; // Fix bi-directional text display defect in RTL languages.
    11881188    $return .= '<span id="edit-slug-buttons"><a href="#post_name" class="edit-slug button button-small hide-if-no-js" onclick="editPermalink(' . $id . '); return false;">' . __('Edit') . "</a></span>\n";
    1189     $return .= '<span id="editable-post-name-full">' . $post_name . "</span>\n";
     1189    $return .= '<span id="editable-post-name-full">' . esc_html( $post_name ) . "</span>\n";
    11901190    if ( isset($view_post) )
    1191         $return .= "<span id='view-post-btn'><a href='$view_link' class='button button-small'>$view_post</a></span>\n";
     1191        $return .= "<span id='view-post-btn'><a href='" . esc_url( $view_link ) . "' class='button button-small'>$view_post</a></span>\n";
    11921192
    11931193    $return = apply_filters('get_sample_permalink_html', $return, $id, $new_title, $new_slug);
Note: See TracChangeset for help on using the changeset viewer.