
Changeset 4656


Timestamp:
12/21/2006 10:10:04 AM (18 years ago)
Author:
markjaquith
Message:

new function for escaping within attributes: attribute_escape()

Files:
70 edited

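--- a/branches/2.0/wp-admin/admin-functions.php
+++ b/branches/2.0/wp-admin/admin-functions.php
@@ -290,5 +290,5 @@
         $text       = wp_specialchars(stripslashes(urldecode($_REQUEST['text'])));
         $text       = funky_javascript_fix($text);
-        $popupurl   = wp_specialchars($_REQUEST['popupurl']);
+        $popupurl   = attribute_escape(stripslashes($_REQUEST['popupurl']));
         $post_content = '<a href="'.$popupurl.'">'.$post_title.'</a>'."\n$text";
     }
@@ -338,14 +338,14 @@
 function get_user_to_edit($user_id) {
     $user = new WP_User($user_id);
-    $user->user_login = wp_specialchars($user->user_login, 1);
-    $user->user_email = wp_specialchars($user->user_email, 1);
-    $user->user_url = wp_specialchars($user->user_url, 1);
-    $user->first_name = wp_specialchars($user->first_name, 1);
-    $user->last_name = wp_specialchars($user->last_name, 1);
-    $user->display_name = wp_specialchars($user->display_name, 1);
-    $user->nickname = wp_specialchars($user->nickname, 1);
-    $user->aim = wp_specialchars($user->aim, 1);
-    $user->yim = wp_specialchars($user->yim, 1);
-    $user->jabber = wp_specialchars($user->jabber, 1);
+    $user->user_login = attribute_escape($user->user_login);
+    $user->user_email = attribute_escape($user->user_email);
+    $user->user_url = attribute_escape($user->user_url);
+    $user->first_name = attribute_escape($user->first_name);
+    $user->last_name = attribute_escape($user->last_name);
+    $user->display_name = attribute_escape($user->display_name);
+    $user->nickname = attribute_escape($user->nickname);
+    $user->aim = attribute_escape($user->aim);
+    $user->yim = attribute_escape($user->yim);
+    $user->jabber = attribute_escape($user->jabber);
     $user->description = wp_specialchars($user->description);
 
@@ -468,11 +468,11 @@
     $link = get_link($link_id);
 
-    $link->link_url = wp_specialchars($link->link_url, 1);
-    $link->link_name = wp_specialchars($link->link_name, 1);
-    $link->link_image = wp_specialchars($link->link_image, 1);
-    $link->link_description = wp_specialchars($link->link_description, 1);
+    $link->link_url = attribute_escape($link->link_url);
+    $link->link_name = attribute_escape($link->link_name);
+    $link->link_image = attribute_escape($link->link_image);
+    $link->link_description = attribute_escape($link->link_description);
     $link->link_notes = wp_specialchars($link->link_notes);
-    $link->link_rss = wp_specialchars($link->link_rss, 1);
-    $link->link_rel = wp_specialchars($link->link_rel, 1);
+    $link->link_rss = attribute_escape($link->link_rss);
+    $link->link_rel = attribute_escape($link->link_rel);
     $link->post_category = $link->link_category;
 
@@ -482,10 +482,10 @@
 function get_default_link_to_edit() {
     if ( isset($_GET['linkurl']) )
-        $link->link_url = wp_specialchars($_GET['linkurl'], 1);
+        $link->link_url = attribute_escape($_GET['linkurl']);
     else
         $link->link_url = '';
    
     if ( isset($_GET['name']) )
-        $link->link_name = wp_specialchars($_GET['name'], 1);
+        $link->link_name = attribute_escape($_GET['name']);
     else
         $link->link_name = '';
@@ -861,6 +861,6 @@
         }
 
-        $entry['meta_key'] = wp_specialchars( $entry['meta_key'], true );
-        $entry['meta_value'] = wp_specialchars( $entry['meta_value'], true );
+        $entry['meta_key'] = attribute_escape( $entry['meta_key']);
+        $entry['meta_value'] = attribute_escape( $entry['meta_value']);
         echo "
             <tr class='$style'>
@@ -913,5 +913,5 @@
 
     foreach ($keys as $key) {
-        $key = wp_specialchars($key, 1);
+        $key = attribute_escape($key);
         echo "\n\t<option value='$key'>$key</option>";
     }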
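Review bot: The new calls on lines 484 and 489 of get_default_link_to_edit() pass `$_GET['linkurl']` and `$_GET['name']` straight to attribute_escape(), while line 292 of the same file now wraps its request value in stripslashes() first. If magic_quotes_gpc is on, the two link fields will carry the added backslashes into the form value; presumably the same `attribute_escape(stripslashes(...))` shape is wanted here, i.e. `$link->link_url = attribute_escape(stripslashes($_GET['linkurl']));` and `$link->link_name = attribute_escape(stripslashes($_GET['name']));`. The enclosing function continues past the end of that hunk.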
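--- a/branches/2.0/wp-admin/bookmarklet.php
+++ b/branches/2.0/wp-admin/bookmarklet.php
@@ -38,5 +38,5 @@
 
 $content  = wp_specialchars($_REQUEST['content']);
-$popupurl = wp_specialchars($_REQUEST['popupurl']);
+$popupurl = attribute_escape(stripslashes($_REQUEST['popupurl']));
     if ( !empty($content) ) {
         $post->post_content = wp_specialchars( stripslashes($_REQUEST['content']) );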
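--- a/branches/2.0/wp-admin/categories.php
+++ b/branches/2.0/wp-admin/categories.php
@@ -70,10 +70,10 @@
         <tr>
           <th width="33%" scope="row"><?php _e('Category name:') ?></th>
-          <td width="67%"><input name="cat_name" type="text" value="<?php echo wp_specialchars($category->cat_name); ?>" size="40" /> <input type="hidden" name="action" value="editedcat" />
+          <td width="67%"><input name="cat_name" type="text" value="<?php echo attribute_escape($category->cat_name); ?>" size="40" /> <input type="hidden" name="action" value="editedcat" />
 <input type="hidden" name="cat_ID" value="<?php echo $category->cat_ID ?>" /></td>
         </tr>
         <tr>
             <th scope="row"><?php _e('Category slug:') ?></th>
-            <td><input name="category_nicename" type="text" value="<?php echo wp_specialchars($category->category_nicename); ?>" size="40" /></td>
+            <td><input name="category_nicename" type="text" value="<?php echo attribute_escape($category->category_nicename); ?>" size="40" /></td>
         </tr>
         <tr>
@@ -87,5 +87,5 @@
         <tr>
             <th scope="row"><?php _e('Description:') ?></th>
-            <td><textarea name="category_description" rows="5" cols="50" style="width: 97%;"><?php echo wp_specialchars($category->category_description, 1); ?></textarea></td>
+            <td><textarea name="category_description" rows="5" cols="50" style="width: 97%;"><?php echo wp_specialchars($category->category_description); ?></textarea></td>
         </tr>
         </table>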
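--- a/branches/2.0/wp-admin/edit-comments.php
+++ b/branches/2.0/wp-admin/edit-comments.php
@@ -8,5 +8,5 @@
 require_once('admin-header.php');
 if (empty($_GET['mode'])) $mode = 'view';
-else $mode = wp_specialchars($_GET['mode'], 1);
+else $mode = attribute_escape($_GET['mode']);
 ?>
 
@@ -31,5 +31,5 @@
   <fieldset>
   <legend><?php _e('Show Comments That Contain...') ?></legend>
-  <input type="text" name="s" value="<?php if (isset($_GET['s'])) echo wp_specialchars($_GET['s'], 1); ?>" size="17" />
+  <input type="text" name="s" value="<?php if (isset($_GET['s'])) echo attribute_escape($_GET['s']); ?>" size="17" />
   <input type="submit" name="submit" value="<?php _e('Search') ?>"  /> 
   <input type="hidden" name="mode" value="<?php echo $mode; ?>" />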
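--- a/branches/2.0/wp-admin/edit-form-advanced.php
+++ b/branches/2.0/wp-admin/edit-form-advanced.php
@@ -212,9 +212,9 @@
 <input name="referredby" type="hidden" id="referredby" value="<?php
 if ( !empty($_REQUEST['popupurl']) )
-    echo wp_specialchars($_REQUEST['popupurl']);
-else if ( url_to_postid(wp_get_referer()) == $post_ID )
+    echo attribute_escape(stripslashes($_REQUEST['popupurl']));
+else if ( url_to_postid(stripslashes(wp_get_referer())) == $post_ID )
     echo 'redo';
 else
-    echo wp_specialchars(wp_get_referer());
+    echo attribute_escape(stripslashes(wp_get_referer()));
 ?>" /></p>
 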
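--- a/branches/2.0/wp-admin/edit-link-form.php
+++ b/branches/2.0/wp-admin/edit-link-form.php
@@ -231,5 +231,5 @@
           <input type="hidden" name="action" value="editlink" />
           <input type="hidden" name="link_id" value="<?php echo (int) $link_id; ?>" />
-          <input type="hidden" name="order_by" value="<?php echo wp_specialchars($order_by, 1); ?>" />
+          <input type="hidden" name="order_by" value="<?php echo attribute_escape($order_by); ?>" />
           <input type="hidden" name="cat_id" value="<?php echo (int) $cat_id ?>" />
 <?php else: ?>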
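--- a/branches/2.0/wp-admin/edit-page-form.php
+++ b/branches/2.0/wp-admin/edit-page-form.php
@@ -15,9 +15,8 @@
 }
 
-$sendto = wp_get_referer();
+$sendto = attribute_escape(wp_get_referer());
 
 if ( 0 != $post_ID && $sendto == get_permalink($post_ID) )
     $sendto = 'redo';
-$sendto = wp_specialchars( $sendto );
 
 ?>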
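Review bot: Line 17 now escapes the referer before line 19 compares `$sendto` with get_permalink($post_ID), whereas the removed line 21 escaped it only after that check. A referer containing `&` (a query-string permalink, for instance) is turned into an entity before the comparison and no longer matches, so the 'redo' branch is skipped; this is also the only referer site in the changeset that does not go through stripslashes(). Keep line 17 as `$sendto = wp_get_referer();` and put the escape back after the check as `$sendto = attribute_escape(stripslashes($sendto));`.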
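--- a/branches/2.0/wp-admin/edit-pages.php
+++ b/branches/2.0/wp-admin/edit-pages.php
@@ -14,5 +14,5 @@
   <fieldset>
   <legend><?php _e('Search Pages&hellip;') ?></legend>
-  <input type="text" name="s" value="<?php if (isset($_GET['s'])) echo wp_specialchars($_GET['s'], 1); ?>" size="17" />
+  <input type="text" name="s" value="<?php if (isset($_GET['s'])) echo attribute_escape($_GET['s']); ?>" size="17" />
   <input type="submit" name="submit" value="<?php _e('Search') ?>"  />
   </fieldset>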
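--- a/branches/2.0/wp-admin/edit.php
+++ b/branches/2.0/wp-admin/edit.php
@@ -80,5 +80,5 @@
   <fieldset>
   <legend><?php _e('Search Posts&hellip;') ?></legend>
-  <input type="text" name="s" value="<?php if (isset($s)) echo wp_specialchars($s, 1); ?>" size="17" />
+  <input type="text" name="s" value="<?php if (isset($s)) echo attribute_escape($s); ?>" size="17" />
   <input type="submit" name="submit" value="<?php _e('Search') ?>"  />
   </fieldset>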
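--- a/branches/2.0/wp-admin/inline-uploading.php
+++ b/branches/2.0/wp-admin/inline-uploading.php
@@ -241,5 +241,5 @@
             $ypadding = (96 - $image['uheight']) / 2;
             $style .= "#target{$ID} img { padding: {$ypadding}px {$xpadding}px; }\n";
-            $title = wp_specialchars($image['post_title'], ENT_QUOTES);
+            $title = attribute_escape($image['post_title']);
             $script .= "aa[{$ID}] = '<a id=\"p{$ID}\" rel=\"attachment\" class=\"imagelink\" href=\"$href\" onclick=\"doPopup({$ID});return false;\" title=\"{$title}\">';
 ab[{$ID}] = '<a class=\"imagelink\" href=\"{$image['guid']}\" onclick=\"doPopup({$ID});return false;\" title=\"{$title}\">';
@@ -261,5 +261,5 @@
 ";
         } else {
-            $title = wp_specialchars($attachment['post_title'], ENT_QUOTES);
+            $title = attribute_escape($attachment['post_title']);
             $filename = basename($attachment['guid']);
             $icon = get_attachment_icon($ID);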
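Review bot: The `$title` assigned on lines 243 and 263 is interpolated into a JavaScript string literal on lines 244-245 (`aa[{$ID}] = '<a ... title=\"{$title}\">'`), but attribute_escape() is HTML-attribute escaping only and does not touch backslashes or line breaks, either of which ends a single-quoted JS literal early. A JS-string escape needs to be layered over the attribute escape before the value goes into `$script`; admin-ajax.php in this same changeset already does `addslashes(wp_specialchars($key, 'double'))` for its `$key_js`, and as a minimum the same shape, `$title_js = addslashes($title);`, used in the two `$script` lines would cover the backslash case. The enclosing function starts before the hunk.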
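--- a/branches/2.0/wp-admin/link-categories.php
+++ b/branches/2.0/wp-admin/link-categories.php
@@ -125,5 +125,5 @@
 <tr>
     <th width="33%" scope="row"><?php _e('Name:') ?></th>
-    <td width="67%"><input name="cat_name" type="text" value="<?php echo wp_specialchars($row->cat_name)?>" size="30" /></td>
+    <td width="67%"><input name="cat_name" type="text" value="<?php echo attribute_escape($row->cat_name)?>" size="30" /></td>
 </tr>
 <tr>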
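--- a/branches/2.0/wp-admin/link-manager.php
+++ b/branches/2.0/wp-admin/link-manager.php
@@ -328,5 +328,5 @@
     <input type="hidden" name="link_id" value="" />
     <input type="hidden" name="action" value="" />
-    <input type="hidden" name="order_by" value="<?php echo wp_specialchars($order_by, 1); ?>" />
+    <input type="hidden" name="order_by" value="<?php echo attribute_escape($order_by); ?>" />
     <input type="hidden" name="cat_id" value="<?php echo (int) $cat_id ?>" />
   <table id="the-list-x" width="100%" cellpadding="3" cellspacing="3">
@@ -358,8 +358,8 @@
     if ($links) {
         foreach ($links as $link) {
-            $link->link_name = wp_specialchars($link->link_name);
+            $link->link_name = attribute_escape($link->link_name);
             $link->link_category = wp_specialchars($link->link_category);
             $link->link_description = wp_specialchars($link->link_description);
-            $link->link_url = wp_specialchars($link->link_url);
+            $link->link_url = attribute_escape($link->link_url);
             $short_url = str_replace('http://', '', $link->link_url);
             $short_url = str_replace('www.', '', $short_url);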
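--- a/branches/2.0/wp-admin/options-misc.php
+++ b/branches/2.0/wp-admin/options-misc.php
@@ -18,5 +18,5 @@
 <tr valign="top">
 <th scope="row"><?php _e('Store uploads in this folder'); ?>:</th>
-<td><input name="upload_path" type="text" id="upload_path" class="code" value="<?php echo wp_specialchars(str_replace(ABSPATH, '', get_settings('upload_path')), 1); ?>" size="40" />
+<td><input name="upload_path" type="text" id="upload_path" class="code" value="<?php echo attribute_escape(str_replace(ABSPATH, '', get_settings('upload_path'))); ?>" size="40" />
 <br />
 <?php _e('Default is <code>wp-content/uploads</code>'); ?>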
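--- a/branches/2.0/wp-admin/options-permalink.php
+++ b/branches/2.0/wp-admin/options-permalink.php
@@ -149,5 +149,5 @@
 <br />
 </p>
-<p id="customstructure"><?php _e('Custom structure'); ?>: <input name="permalink_structure" id="permalink_structure" type="text" class="code" style="width: 60%;" value="<?php echo wp_specialchars($permalink_structure, 1); ?>" size="50" /></p>
+<p id="customstructure"><?php _e('Custom structure'); ?>: <input name="permalink_structure" id="permalink_structure" type="text" class="code" style="width: 60%;" value="<?php echo attribute_escape($permalink_structure); ?>" size="50" /></p>
 
 <h3><?php _e('Optional'); ?></h3>
@@ -158,5 +158,5 @@
 <?php endif; ?>
     <p>
-  <?php _e('Category base'); ?>: <input name="category_base" type="text" class="code"  value="<?php echo wp_specialchars($category_base, 1); ?>" size="30" />
+  <?php _e('Category base'); ?>: <input name="category_base" type="text" class="code"  value="<?php echo attribute_escape($category_base); ?>" size="30" />
      </p>
     <p class="submit">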
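--- a/branches/2.0/wp-admin/options.php
+++ b/branches/2.0/wp-admin/options.php
@@ -183,5 +183,5 @@
   </table>
 <?php $options_to_update = implode(',', $options_to_update); ?>
-<p class="submit"><input type="hidden" name="page_options" value="<?php echo wp_specialchars($options_to_update, true); ?>" /><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
+<p class="submit"><input type="hidden" name="page_options" value="<?php echo attribute_escape($options_to_update); ?>" /><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
   </form>
 </div>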
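--- a/branches/2.0/wp-admin/post.php
+++ b/branches/2.0/wp-admin/post.php
@@ -82,5 +82,5 @@
     <div id='preview' class='wrap'>
     <h2 id="preview-post"><?php _e('Post Preview (updated when post is saved)'); ?> <small class="quickjump"><a href="#write-post"><?php _e('edit &uarr;'); ?></a></small></h2>
-        <iframe src="<?php echo wp_specialchars(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
+        <iframe src="<?php echo attribute_escape(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
     </div>
     <?php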
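--- a/branches/2.0/wp-admin/templates.php
+++ b/branches/2.0/wp-admin/templates.php
@@ -112,5 +112,5 @@
 echo '<ol>';
 foreach ($recents as $recent) :
-    echo "<li><a href='templates.php?file=" . wp_specialchars($recent, true) . "'>" . get_file_description(basename($recent)) . "</a></li>";
+    echo "<li><a href='templates.php?file=" . attribute_escape($recent) . "'>" . get_file_description(basename($recent)) . "</a></li>";
 endforeach;
 echo '</ol>';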
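Review bot: Line 114 builds the `href` as `templates.php?file=` followed by attribute_escape($recent), which is HTML-attribute escaping only; a file name containing `&`, `#`, `?` or a space is not URL-encoded, so the query value read back by templates.php would not round-trip. The value should be URL-encoded first and then attribute-escaped, e.g. `echo "<li><a href='templates.php?file=" . attribute_escape(urlencode($recent)) . "'>" . get_file_description(basename($recent)) . "</a></li>";`. The foreach on line 113 is shown in full.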
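--- a/branches/2.0/wp-admin/theme-editor.php
+++ b/branches/2.0/wp-admin/theme-editor.php
@@ -102,5 +102,5 @@
         if ($theme_name == $theme) $selected = " selected='selected'";
         else $selected = '';
-        $theme_name = wp_specialchars($theme_name, true);
+        $theme_name = attribute_escape($theme_name);
         echo "\n\t<option value=\"$theme_name\" $selected>$theme_name</option>";
     }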
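--- a/branches/2.0/wp-admin/upgrade.php
+++ b/branches/2.0/wp-admin/upgrade.php
@@ -68,5 +68,5 @@
 
     case 0:
-    $goback = wp_specialchars(wp_get_referer());
+    $goback = attribute_escape(stripslashes(wp_get_referer()));
 ?>
 <p><?php _e('This file upgrades you from any previous version of WordPress to the latest. It may take a while though, so be patient.'); ?></p>
@@ -87,5 +87,5 @@
         $backto = __get_option('home');
     else
-        $backto = wp_specialchars( $_GET['backto'] , 1 );
+        $backto = attribute_escape(stripslashes($_GET['backto']));
 ?>
 <h2><?php _e('Step 1'); ?></h2>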
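--- a/branches/2.0/wp-content/themes/classic/comments-popup.php
+++ b/branches/2.0/wp-content/themes/classic/comments-popup.php
@@ -61,5 +61,5 @@
        <label for="author"><?php _e("Name"); ?></label>
     <input type="hidden" name="comment_post_ID" value="<?php echo $id; ?>" />
-    <input type="hidden" name="redirect_to" value="<?php echo wp_specialchars($_SERVER["REQUEST_URI"]); ?>" />
+    <input type="hidden" name="redirect_to" value="<?php echo attribute_escape($_SERVER["REQUEST_URI"]); ?>" />
     </p>
 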
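--- a/branches/2.0/wp-content/themes/default/comments-popup.php
+++ b/branches/2.0/wp-content/themes/default/comments-popup.php
@@ -61,5 +61,5 @@
        <label for="author">Name</label>
     <input type="hidden" name="comment_post_ID" value="<?php echo $id; ?>" />
-    <input type="hidden" name="redirect_to" value="<?php echo wp_specialchars($_SERVER["REQUEST_URI"]); ?>" />
+    <input type="hidden" name="redirect_to" value="<?php echo attribute_escape($_SERVER["REQUEST_URI"]); ?>" />
     </p>
 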
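--- a/branches/2.0/wp-content/themes/default/searchform.php
+++ b/branches/2.0/wp-content/themes/default/searchform.php
@@ -1,4 +1,4 @@
 <form method="get" id="searchform" action="<?php bloginfo('home'); ?>/">
-<div><input type="text" value="<?php echo wp_specialchars($s, 1); ?>" name="s" id="s" />
+<div><input type="text" value="<?php echo attribute_escape($s); ?>" name="s" id="s" />
 <input type="submit" id="searchsubmit" value="Search" />
 </div>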
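--- a/branches/2.0/wp-includes/comment-functions.php
+++ b/branches/2.0/wp-includes/comment-functions.php
@@ -316,5 +316,5 @@
             echo ' class="'.$CSSclass.'"';
         }
-        $title = wp_specialchars(apply_filters('the_title', get_the_title()), true);
+        $title = attribute_escape(apply_filters('the_title', get_the_title()));
         echo ' title="' . sprintf( __('Comment on %s'), $title ) .'">';
         comments_number($zero, $one, $more, $number);
@@ -898,5 +898,5 @@
         $comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]);
         $comment_author = stripslashes($comment_author);
-        $comment_author = wp_specialchars($comment_author, true);
+        $comment_author = attribute_escape($comment_author);
         $_COOKIE['comment_author_'.COOKIEHASH] = $comment_author;
     }
@@ -905,5 +905,5 @@
         $comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]);
         $comment_author_email = stripslashes($comment_author_email);
-        $comment_author_email = wp_specialchars($comment_author_email, true);
+        $comment_author_email = attribute_escape($comment_author_email);
         $_COOKIE['comment_author_email_'.COOKIEHASH] = $comment_author_email;
     }
@@ -912,5 +912,5 @@
         $comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
         $comment_author_url = stripslashes($comment_author_url);
-        $comment_author_url = wp_specialchars($comment_author_url, true);
+        $comment_author_url = attribute_escape($comment_author_url);
         $_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url;
     }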
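Review bot: Lines 900, 907 and 914 write the attribute-escaped author, email and URL back into `$_COOKIE` (lines 901, 908, 915), so from this point the superglobal holds output-encoded text rather than the raw cookie value, and any later consumer that is not an HTML attribute (a comparison against stored commenter data, a mailto: link, plain-text email) presumably sees entities instead. The pattern predates this changeset, but since these lines are being rewritten it is worth either escaping at the echo sites and leaving `$_COOKIE` raw, or at least adding `// NOTE: $_COOKIE now holds the attribute-escaped value, not the raw cookie` above line 901 so the next reader does not treat it as raw input. The enclosing function starts before the hunk.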
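--- a/branches/2.0/wp-includes/functions-formatting.php
+++ b/branches/2.0/wp-includes/functions-formatting.php
@@ -1051,3 +1051,9 @@
     return preg_replace("/\r?\n/", "\\n", addslashes($text));
 }
+
+// Escaping for HTML attributes like
+function attribute_escape($text) {
+    return wp_specialchars($text, true);
+}
+
 ?>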
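Review bot: The comment on line 1054, `// Escaping for HTML attributes like`, stops mid-sentence, and the new attribute_escape() carries no description of its contract even though the rest of this changeset routes every attribute value through it. I would replace that line with a short docblock stating that the function returns `$text` escaped for use inside a quoted HTML attribute value, that it is wp_specialchars() with quote escaping enabled (the `true` on line 1056), and that it does no slash stripping and no URL encoding, so callers unslash request input and URL-encode query values themselves. Whether that boolean mode escapes both single and double quotes is decided inside wp_specialchars(), outside this hunk; the docblock should say so explicitly, because several call sites in this changeset interpolate the result into single-quoted attributes.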
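--- a/branches/2.0/wp-includes/functions.php
+++ b/branches/2.0/wp-includes/functions.php
@@ -350,5 +350,5 @@
 
 function form_option($option) {
-    echo wp_specialchars( get_option($option), 1 );
+    echo attribute_escape( get_option($option));
 }
 
@@ -2363,8 +2363,8 @@
 
 function wp_referer_field() {
-    $ref = wp_specialchars($_SERVER['REQUEST_URI']);
+    $ref = attribute_escape(stripslashes($_SERVER['REQUEST_URI']));
     echo '<input type="hidden" name="_wp_http_referer" value="'. $ref . '" />';
     if ( wp_get_original_referer() ) {
-        $original_ref = wp_specialchars(stripslashes(wp_get_original_referer()));
+        $original_ref = attribute_escape(stripslashes(wp_get_original_referer()));
         echo '<input type="hidden" name="_wp_original_http_referer" value="'. $original_ref . '" />';
     }
@@ -2372,5 +2372,5 @@
 
 function wp_original_referer_field() {
-    echo '<input type="hidden" name="_wp_original_http_referer" value="' . wp_specialchars(stripslashes($_SERVER['REQUEST_URI'])) . '" />';
+    echo '<input type="hidden" name="_wp_original_http_referer" value="' . attribute_escape(stripslashes($_SERVER['REQUEST_URI'])) . '" />';
 }
 
@@ -2457,5 +2457,5 @@
     $adminurl = get_settings('siteurl') . '/wp-admin';
     if ( wp_get_referer() )
-        $adminurl = wp_get_referer();
+        $adminurl = attribute_escape(stripslashes(wp_get_referer()));
 
     $title = __('WordPress Confirmation');
@@ -2469,10 +2469,10 @@
             $v = substr(strstr($a, '='), 1);
             $k = substr($a, 0, -(strlen($v)+1));
-            $html .= "\t\t<input type='hidden' name='" . wp_specialchars( urldecode($k), 1 ) . "' value='" . wp_specialchars( urldecode($v), 1 ) . "' />\n";
+            $html .= "\t\t<input type='hidden' name='" . attribute_escape( urldecode($k)) . "' value='" . attribute_escape( urldecode($v)) . "' />\n";
         }
         $html .= "\t\t<input type='hidden' name='_wpnonce' value='" . wp_create_nonce($action) . "' />\n";
         $html .= "\t\t<div id='message' class='confirm fade'>\n\t\t<p>" . wp_explain_nonce($action) . "</p>\n\t\t<p><a href='$adminurl'>" . __('No') . "</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t\t</div>\n\t</form>\n";
     } else {
-        $html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_explain_nonce($action) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] ) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
+        $html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_explain_nonce($action) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . attribute_escape(add_query_arg('_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'])) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
     }
     $html .= "</body>\n</html>";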
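Review bot: In the hunk at line 2459 the referer branch of `$adminurl` is now attribute-escaped, but the default assigned on line 2457 (`get_settings('siteurl') . '/wp-admin'`) is not, and both values end up in `<a href='$adminurl'>` on lines 2474 and 2476. Escaping one assignment and not the other makes the variable's encoding depend on which branch ran; escaping at the output instead, `"<p><a href='" . attribute_escape($adminurl) . "'>"` in both `$html` strings, and leaving line 2459 as `$adminurl = stripslashes(wp_get_referer());`, keeps `$adminurl` raw and covers both cases. The enclosing function starts before this hunk.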
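--- a/branches/2.0/wp-includes/links.php
+++ b/branches/2.0/wp-includes/links.php
@@ -213,5 +213,5 @@
         $the_link = '#';
         if (!empty($row->link_url))
-            $the_link = wp_specialchars($row->link_url);
+            $the_link = attribute_escape($row->link_url);
 
         $rel = $row->link_rel;
@@ -220,6 +220,6 @@
         }
 
-        $desc = wp_specialchars($row->link_description, ENT_QUOTES);
-        $name = wp_specialchars($row->link_name, ENT_QUOTES);
+        $desc = attribute_escape($row->link_description);
+        $name = attribute_escape($row->link_name);
         $title = $desc;
 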
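--- a/branches/2.0/wp-includes/template-functions-author.php
+++ b/branches/2.0/wp-includes/template-functions-author.php
@@ -132,5 +132,5 @@
     global $authordata;
 
-    echo '<a href="' . get_author_link(0, $authordata->ID, $authordata->user_nicename) . '" title="' . sprintf(__("Posts by %s"), wp_specialchars(get_the_author())) . '">' . get_the_author() . '</a>';
+    echo '<a href="' . get_author_link(0, $authordata->ID, $authordata->user_nicename) . '" title="' . sprintf(__("Posts by %s"), attribute_escape(get_the_author())) . '">' . get_the_author() . '</a>';
 }
 
@@ -198,5 +198,5 @@
                 $link = $name;
         } else {
-            $link = '<a href="' . get_author_link(0, $author->ID, $author->user_nicename) . '" title="' . sprintf(__("Posts by %s"), wp_specialchars($author->display_name)) . '">' . $name . '</a>';
+            $link = '<a href="' . get_author_link(0, $author->ID, $author->user_nicename) . '" title="' . sprintf(__("Posts by %s"), attribute_escape($author->display_name)) . '">' . $name . '</a>';
 
             if ( (! empty($feed_image)) || (! empty($feed)) ) {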
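--- a/branches/2.0/wp-includes/template-functions-category.php
+++ b/branches/2.0/wp-includes/template-functions-category.php
@@ -324,7 +324,7 @@
             $link = '<a href="'.get_category_link($category->cat_ID).'" ';
             if ( $use_desc_for_title == 0 || empty($category->category_description) )
-                $link .= 'title="'. sprintf(__("View all posts filed under %s"), wp_specialchars($category->cat_name)) . '"';
+                $link .= 'title="'. sprintf(__("View all posts filed under %s"), attribute_escape($category->cat_name)) . '"';
             else
-                $link .= 'title="' . wp_specialchars(apply_filters('category_description',$category->category_description,$category)) . '"';
+                $link .= 'title="' . attribute_escape(apply_filters('category_description',$category->category_description,$category)) . '"';
             $link .= '>';
             $link .= apply_filters('list_cats', $category->cat_name, $category).'</a>';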
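--- a/branches/2.0/wp-includes/template-functions-general.php
+++ b/branches/2.0/wp-includes/template-functions-general.php
@@ -264,5 +264,5 @@
 function get_archives_link($url, $text, $format = 'html', $before = '', $after = '') {
     $text = wptexturize($text);
-    $title_text = wp_specialchars($text, 1);
+    $title_text = attribute_escape($text);
 
     if ('link' == $format)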
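--- a/branches/2.0/wp-includes/template-functions-post.php
+++ b/branches/2.0/wp-includes/template-functions-post.php
@@ -419,5 +419,5 @@
     foreach ( $page_tree[$parent]['children'] as $page_id ) {
         $cur_page = $page_tree[$page_id];
-        $title = wp_specialchars($cur_page['title']);
+        $title = attribute_escape($cur_page['title']);
 
         $css_class = 'page_item';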
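--- a/branches/2.0/wp-links-opml.php
+++ b/branches/2.0/wp-links-opml.php
@@ -45,10 +45,10 @@
              } // end if not first time
 ?>
-        <outline type="category" title="<?php echo wp_specialchars($result->cat_name); ?>">
+        <outline type="category" title="<?php echo attribute_escape($result->cat_name); ?>">
 <?php
              $prev_cat_id = $result->link_category;
         } // end if new category
 ?>
-            <outline text="<?php echo wp_specialchars($result->link_name); ?>" type="link" xmlUrl="<?php echo wp_specialchars($result->link_rss); ?>" htmlUrl="<?php echo wp_specialchars($result->link_url); ?>" updated="<?php if ('0000-00-00 00:00:00' != $result->link_updated) echo $result->link_updated; ?>" />
+            <outline text="<?php echo attribute_escape($result->link_name); ?>" type="link" xmlUrl="<?php echo attribute_escape($result->link_rss); ?>" htmlUrl="<?php echo attribute_escape($result->link_url); ?>" updated="<?php if ('0000-00-00 00:00:00' != $result->link_updated) echo $result->link_updated; ?>" />
 <?php
         } // end foreach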
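--- a/branches/2.0/wp-login.php
+++ b/branches/2.0/wp-login.php
@@ -232,5 +232,5 @@
 
 <form name="loginform" id="loginform" action="wp-login.php" method="post">
-<p><label><?php _e('Username:') ?><br /><input type="text" name="log" id="log" value="<?php echo wp_specialchars(stripslashes($user_login), 1); ?>" size="20" tabindex="1" /></label></p>
+<p><label><?php _e('Username:') ?><br /><input type="text" name="log" id="log" value="<?php echo attribute_escape(stripslashes($user_login)); ?>" size="20" tabindex="1" /></label></p>
 <p><label><?php _e('Password:') ?><br /> <input type="password" name="pwd" id="pwd" value="" size="20" tabindex="2" /></label></p>
 <p>
@@ -239,5 +239,5 @@
 <p class="submit">
     <input type="submit" name="submit" id="submit" value="<?php _e('Login'); ?> &raquo;" tabindex="4" />
-    <input type="hidden" name="redirect_to" value="<?php echo wp_specialchars($redirect_to); ?>" />
+    <input type="hidden" name="redirect_to" value="<?php echo attribute_escape($redirect_to); ?>" />
 </p>
 </form>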
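--- a/branches/2.0/wp-register.php
+++ b/branches/2.0/wp-register.php
@@ -114,6 +114,6 @@
 <form method="post" action="wp-register.php" id="registerform">
     <p><input type="hidden" name="action" value="register" />
-    <label for="user_login"><?php _e('Username:') ?></label><br /> <input type="text" name="user_login" id="user_login" size="20" maxlength="20" value="<?php echo wp_specialchars($user_login); ?>" /><br /></p>
-    <p><label for="user_email"><?php _e('E-mail:') ?></label><br /> <input type="text" name="user_email" id="user_email" size="25" maxlength="100" value="<?php echo wp_specialchars($user_email); ?>" /></p>
+    <label for="user_login"><?php _e('Username:') ?></label><br /> <input type="text" name="user_login" id="user_login" size="20" maxlength="20" value="<?php echo attribute_escape($user_login); ?>" /><br /></p>
+    <p><label for="user_email"><?php _e('E-mail:') ?></label><br /> <input type="text" name="user_email" id="user_email" size="25" maxlength="100" value="<?php echo attribute_escape($user_email); ?>" /></p>
     <p><?php _e('A password will be emailed to you.') ?></p>
     <p class="submit"><input type="submit" value="<?php _e('Register') ?> &raquo;" id="submit" name="submit" /></p>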
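--- a/trunk/wp-admin/admin-ajax.php
+++ b/trunk/wp-admin/admin-ajax.php
@@ -14,7 +14,7 @@
 
 function wp_ajax_meta_row( $pid, $mid, $key, $value ) {
-    $value = wp_specialchars($value, true);
+    $value = attribute_escape($value);
     $key_js = addslashes(wp_specialchars($key, 'double'));
-    $key = wp_specialchars($key, true);
+    $key = attribute_escape($key);
     $r .= "<tr id='meta-$mid'><td valign='top'>";
     $r .= "<input name='meta[$mid][key]' tabindex='6' onkeypress='return killSubmit(\"theList.ajaxUpdater(&#039;meta&#039;,&#039;meta-$mid&#039;);\",event);' type='text' size='20' value='$key' />";
@@ -142,5 +142,5 @@
         $level++;
     }
-    $cat_full_name = wp_specialchars( $cat_full_name, 1 );
+    $cat_full_name = attribute_escape( $cat_full_name);
 
     $x = new WP_Ajax_Response( array(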
  • trunk/wp-admin/admin-functions.php

    r4651 r4656  
    324324        $text       = wp_specialchars( stripslashes( urldecode( $_REQUEST['text'] ) ) );
    325325        $text       = funky_javascript_fix( $text);
    326         $popupurl   = wp_specialchars( $_REQUEST['popupurl'] );
     326        $popupurl   = attribute_escape($_REQUEST['popupurl']);
    327327        $post_content = '<a href="'.$popupurl.'">'.$post_title.'</a>'."\n$text";
    328328    }
     
    381381function get_user_to_edit( $user_id ) {
    382382    $user = new WP_User( $user_id );
    383     $user->user_login = wp_specialchars( $user->user_login, 1 );
    384     $user->user_email = wp_specialchars( $user->user_email, 1 );
    385     $user->user_url = wp_specialchars( $user->user_url, 1 );
    386     $user->first_name = wp_specialchars( $user->first_name, 1 );
    387     $user->last_name = wp_specialchars( $user->last_name, 1 );
    388     $user->display_name = wp_specialchars( $user->display_name, 1 );
    389     $user->nickname = wp_specialchars( $user->nickname, 1 );
    390     $user->aim = wp_specialchars( $user->aim, 1 );
    391     $user->yim = wp_specialchars( $user->yim, 1 );
    392     $user->jabber = wp_specialchars( $user->jabber, 1 );
     383    $user->user_login = attribute_escape( $user->user_login);
     384    $user->user_email = attribute_escape( $user->user_email);
     385    $user->user_url = attribute_escape( $user->user_url);
     386    $user->first_name = attribute_escape( $user->first_name);
     387    $user->last_name = attribute_escape( $user->last_name);
     388    $user->display_name = attribute_escape( $user->display_name);
     389    $user->nickname = attribute_escape( $user->nickname);
     390    $user->aim = attribute_escape( $user->aim);
     391    $user->yim = attribute_escape( $user->yim);
     392    $user->jabber = attribute_escape( $user->jabber);
    393393    $user->description = wp_specialchars( $user->description );
    394394
     
    528528    $link = get_link( $link_id );
    529529
    530     $link->link_url = wp_specialchars( $link->link_url, 1 );
    531     $link->link_name = wp_specialchars( $link->link_name, 1 );
    532     $link->link_image = wp_specialchars( $link->link_image, 1 );
    533     $link->link_description = wp_specialchars( $link->link_description, 1 );
     530    $link->link_url = attribute_escape( $link->link_url);
     531    $link->link_name = attribute_escape( $link->link_name);
     532    $link->link_image = attribute_escape( $link->link_image);
     533    $link->link_description = attribute_escape( $link->link_description);
    534534    $link->link_notes = wp_specialchars( $link->link_notes );
    535     $link->link_rss = wp_specialchars( $link->link_rss, 1 );
    536     $link->link_rel = wp_specialchars( $link->link_rel, 1 );
     535    $link->link_rss = attribute_escape( $link->link_rss);
     536    $link->link_rel = attribute_escape( $link->link_rel);
    537537    $link->post_category = $link->link_category;
    538538
     
    542542function get_default_link_to_edit() {
    543543    if ( isset( $_GET['linkurl'] ) )
    544         $link->link_url = wp_specialchars( $_GET['linkurl'], 1 );
     544        $link->link_url = attribute_escape( $_GET['linkurl']);
    545545    else
    546546        $link->link_url = '';
    547547
    548548    if ( isset( $_GET['name'] ) )
    549         $link->link_name = wp_specialchars( $_GET['name'], 1 );
     549        $link->link_name = attribute_escape( $_GET['name']);
    550550    else
    551551        $link->link_name = '';
     
    832832    $r .= "</td>\n\t\t<td>";
    833833    if ( current_user_can( 'edit_user', $user_object->ID ) ) {
    834         $edit_link = wp_specialchars( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), "user-edit.php?user_id=$user_object->ID" ) );
     834        $edit_link = attribute_escape( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), "user-edit.php?user_id=$user_object->ID" ));
    835835        $r .= "<a href='$edit_link' class='edit'>".__( 'Edit' )."</a>";
    836836    }
     
    912912
    913913        $key_js = js_escape( $entry['meta_key'] );
    914         $entry['meta_key'] = wp_specialchars( $entry['meta_key'], true );
    915         $entry['meta_value'] = wp_specialchars( $entry['meta_value'], true );
     914        $entry['meta_key'] = attribute_escape( $entry['meta_key']);
     915        $entry['meta_value'] = attribute_escape( $entry['meta_value']);
    916916        $r .= "\n\t<tr id='meta-{$entry['meta_id']}' class='$style'>";
    917917        $r .= "\n\t\t<td valign='top'><input name='meta[{$entry['meta_id']}][key]' tabindex='6' type='text' size='20' value='{$entry['meta_key']}' /></td>";
     
    966966
    967967    foreach ( $keys as $key ) {
    968         $key = wp_specialchars( $key, 1 );
     968        $key = attribute_escape( $key);
    969969        echo "\n\t<option value='$key'>$key</option>";
    970970    }
     
    19931993function wp_remember_old_slug() {
    19941994    global $post;
    1995     $name = wp_specialchars($post->post_name); // just in case
     1995    $name = attribute_escape($post->post_name); // just in case
    19961996    if ( strlen($name) )
    19971997        echo '<input type="hidden" id="wp-old-slug" name="wp-old-slug" value="' . $name . '" />';
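Review bot: Line 326 escapes `$_REQUEST['popupurl']` without stripslashes(), whereas edit-form-advanced.php in this same changeset handles the identical request value as `attribute_escape(stripslashes($_REQUEST['popupurl']))`; one of the two is wrong under slashed input, and here the result is written into the `<a href>` that line 327 builds into `$post_content`. attribute_escape() also only neutralises the attribute context: a value such as `javascript:alert(1)` survives it unchanged in `href`, so the bookmarklet URL (and `$_GET['linkurl']` at line 544, which has the same shape) should additionally be restricted to http/https before use, using whatever URL-sanitising helper the codebase provides. The functions these hunks cut through (`get_user_to_edit`, `get_link_to_edit`, the row builders) start or end outside the hunks.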
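--- a/trunk/wp-admin/bookmarklet.php
+++ b/trunk/wp-admin/bookmarklet.php
@@ -38,5 +38,5 @@
 
 $content  = wp_specialchars($_REQUEST['content']);
-$popupurl = wp_specialchars($_REQUEST['popupurl']);
+$popupurl = attribute_escape($_REQUEST['popupurl']);
 if ( !empty($content) ) {
     $post->post_content = wp_specialchars( stripslashes($_REQUEST['content']) );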
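Review bot: Line 40 escapes `$_REQUEST['popupurl']` without stripslashes(), while line 42 two lines below applies stripslashes() to `$_REQUEST['content']` from the same request, and edit-form-advanced.php in this changeset strips the popupurl value too; as written, a slashed request leaves backslashes in the URL. Suggested: `$popupurl = attribute_escape(stripslashes($_REQUEST['popupurl']));`. Attribute escaping also says nothing about the URL scheme, so if `$popupurl` ends up as a link target it still needs a scheme allowlist (http/https) — its consumer is outside the hunk.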
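--- a/trunk/wp-admin/edit-category-form.php
+++ b/trunk/wp-admin/edit-category-form.php
@@ -27,9 +27,9 @@
         <tr>
             <th width="33%" scope="row" valign="top"><label for="cat_name"><?php _e('Category name:') ?></label></th>
-            <td width="67%"><input name="cat_name" id="cat_name" type="text" value="<?php echo wp_specialchars($category->cat_name); ?>" size="40" /></td>
+            <td width="67%"><input name="cat_name" id="cat_name" type="text" value="<?php echo attribute_escape($category->cat_name); ?>" size="40" /></td>
         </tr>
         <tr>
             <th scope="row" valign="top"><label for="category_nicename"><?php _e('Category slug:') ?></label></th>
-            <td><input name="category_nicename" id="category_nicename" type="text" value="<?php echo wp_specialchars($category->category_nicename); ?>" size="40" /></td>
+            <td><input name="category_nicename" id="category_nicename" type="text" value="<?php echo attribute_escape($category->category_nicename); ?>" size="40" /></td>
         </tr>
         <tr>
@@ -41,5 +41,5 @@
         <tr>
             <th scope="row" valign="top"><label for="category_description"><?php _e('Description: (optional)') ?></label></th>
-            <td><textarea name="category_description" id="category_description" rows="5" cols="50" style="width: 97%;"><?php echo wp_specialchars($category->category_description, 1); ?></textarea></td>
+            <td><textarea name="category_description" id="category_description" rows="5" cols="50" style="width: 97%;"><?php echo wp_specialchars($category->category_description); ?></textarea></td>
         </tr>
     </table>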
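--- a/trunk/wp-admin/edit-comments.php
+++ b/trunk/wp-admin/edit-comments.php
@@ -8,5 +8,5 @@
 require_once('admin-header.php');
 if (empty($_GET['mode'])) $mode = 'view';
-else $mode = wp_specialchars($_GET['mode'], 1);
+else $mode = attribute_escape($_GET['mode']);
 ?>
 
@@ -43,5 +43,5 @@
   <fieldset>
   <legend><?php _e('Show Comments That Contain...') ?></legend>
-  <input type="text" name="s" value="<?php if (isset($_GET['s'])) echo wp_specialchars($_GET['s'], 1); ?>" size="17" />
+  <input type="text" name="s" value="<?php if (isset($_GET['s'])) echo attribute_escape($_GET['s']); ?>" size="17" />
   <input type="submit" name="submit" value="<?php _e('Search') ?>"  />
   <input type="hidden" name="mode" value="<?php echo $mode; ?>" />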
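Review bot: Line 10 escapes `$_GET['mode']` for output but never validates it; `$mode` is a selector (its default is the literal `'view'`) and is echoed back into the hidden `mode` field at line 47, so any arbitrary string round-trips through every subsequent form submission. An allowlist is both safer and simpler, e.g. `$mode = in_array($_GET['mode'], array('view', /* other accepted modes */)) ? $_GET['mode'] : 'view';` with line 47 then emitting `attribute_escape($mode)`. I cannot see where else `$mode` is compared in this file, so the accepted set has to be taken from those comparisons.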
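--- a/trunk/wp-admin/edit-form-advanced.php
+++ b/trunk/wp-admin/edit-form-advanced.php
@@ -169,9 +169,9 @@
 <input name="referredby" type="hidden" id="referredby" value="<?php
 if ( !empty($_REQUEST['popupurl']) )
-    echo wp_specialchars($_REQUEST['popupurl']);
+    echo attribute_escape(stripslashes($_REQUEST['popupurl']));
 else if ( url_to_postid(wp_get_referer()) == $post_ID )
     echo 'redo';
 else
-    echo wp_specialchars(wp_get_referer());
+    echo attribute_escape(stripslashes(wp_get_referer()));
 ?>" /></p>
 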
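--- a/trunk/wp-admin/edit-link-form.php
+++ b/trunk/wp-admin/edit-link-form.php
@@ -248,5 +248,5 @@
 <input type="hidden" name="action" value="save" />
 <input type="hidden" name="link_id" value="<?php echo (int) $link_id; ?>" />
-<input type="hidden" name="order_by" value="<?php echo wp_specialchars($order_by, 1); ?>" />
+<input type="hidden" name="order_by" value="<?php echo attribute_escape($order_by); ?>" />
 <input type="hidden" name="cat_id" value="<?php echo (int) $cat_id ?>" />
 <?php else: ?>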
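--- a/trunk/wp-admin/edit-page-form.php
+++ b/trunk/wp-admin/edit-page-form.php
@@ -14,10 +14,8 @@
 }
 
-$sendto = wp_get_referer();
+$sendto = attribute_escape(stripslashes(wp_get_referer()));
 
 if ( 0 != $post_ID && $sendto == get_permalink($post_ID) )
     $sendto = 'redo';
-$sendto = wp_specialchars( $sendto );
-
 ?>
 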
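Review bot: Moving the escape up to line 16 changes the comparison on line 18: `$sendto` is now the attribute-escaped referer while `get_permalink($post_ID)` is raw, so any permalink containing `&` (for example a non-pretty `?page_id=5&preview=true` URL) no longer matches and the `'redo'` branch is silently skipped. The old code compared first and escaped afterwards (removed line 20), which is the correct order. Keep that order: `$sendto = stripslashes(wp_get_referer());` before the `if`, and `$sendto = attribute_escape($sendto);` after it.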
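--- a/trunk/wp-admin/edit-pages.php
+++ b/trunk/wp-admin/edit-pages.php
@@ -14,5 +14,5 @@
     <fieldset>
     <legend><?php _e('Search Pages&hellip;') ?></legend>
-    <input type="text" name="s" value="<?php if (isset($_GET['s'])) echo wp_specialchars($_GET['s'], 1); ?>" size="17" />
+    <input type="text" name="s" value="<?php if (isset($_GET['s'])) echo attribute_escape($_GET['s']); ?>" size="17" />
     <input type="submit" name="submit" value="<?php _e('Search') ?>"  />
     </fieldset>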
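--- a/trunk/wp-admin/edit.php
+++ b/trunk/wp-admin/edit.php
@@ -77,5 +77,5 @@
   <fieldset>
   <legend><?php _e('Search Posts&hellip;') ?></legend>
-  <input type="text" name="s" value="<?php if (isset($s)) echo wp_specialchars($s, 1); ?>" size="17" />
+  <input type="text" name="s" value="<?php if (isset($s)) echo attribute_escape($s); ?>" size="17" />
   <input type="submit" name="submit" value="<?php _e('Search') ?>" class="button" />
   </fieldset>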
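--- a/trunk/wp-admin/link-manager.php
+++ b/trunk/wp-admin/link-manager.php
@@ -117,5 +117,5 @@
 <input type="hidden" name="link_id" value="" />
 <input type="hidden" name="action" value="" />
-<input type="hidden" name="order_by" value="<?php echo wp_specialchars($order_by, 1); ?>" />
+<input type="hidden" name="order_by" value="<?php echo attribute_escape($order_by); ?>" />
 <input type="hidden" name="cat_id" value="<?php echo (int) $cat_id ?>" />
 <table class="widefat">
@@ -131,7 +131,7 @@
 <?php
     foreach ($links as $link) {
-        $link->link_name = wp_specialchars($link->link_name);
+        $link->link_name = attribute_escape($link->link_name);
         $link->link_description = wp_specialchars($link->link_description);
-        $link->link_url = wp_specialchars($link->link_url);
+        $link->link_url = attribute_escape($link->link_url);
         $link->link_category = wp_get_link_cats($link->link_id);
         $short_url = str_replace('http://', '', $link->link_url);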
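--- a/trunk/wp-admin/options-misc.php
+++ b/trunk/wp-admin/options-misc.php
@@ -19,5 +19,5 @@
 <tr valign="top">
 <th scope="row"><?php _e('Store uploads in this folder'); ?>:</th>
-<td><input name="upload_path" type="text" id="upload_path" class="code" value="<?php echo wp_specialchars(str_replace(ABSPATH, '', get_option('upload_path')), 1); ?>" size="40" />
+<td><input name="upload_path" type="text" id="upload_path" class="code" value="<?php echo attribute_escape(str_replace(ABSPATH, '', get_option('upload_path'))); ?>" size="40" />
 <br />
 <?php _e('Default is <code>wp-content/uploads</code>'); ?>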
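--- a/trunk/wp-admin/options-permalink.php
+++ b/trunk/wp-admin/options-permalink.php
@@ -150,5 +150,5 @@
 <br />
 </p>
-<p id="customstructure"><?php _e('Custom structure'); ?>: <input name="permalink_structure" id="permalink_structure" type="text" class="code" style="width: 60%;" value="<?php echo wp_specialchars($permalink_structure, 1); ?>" size="50" /></p>
+<p id="customstructure"><?php _e('Custom structure'); ?>: <input name="permalink_structure" id="permalink_structure" type="text" class="code" style="width: 60%;" value="<?php echo attribute_escape($permalink_structure); ?>" size="50" /></p>
 
 <h3><?php _e('Optional'); ?></h3>
@@ -159,5 +159,5 @@
 <?php endif; ?>
     <p>
-  <?php _e('Category base'); ?>: <input name="category_base" type="text" class="code"  value="<?php echo wp_specialchars($category_base, 1); ?>" size="30" />
+  <?php _e('Category base'); ?>: <input name="category_base" type="text" class="code"  value="<?php echo attribute_escape($category_base); ?>" size="30" />
      </p>
     <p class="submit">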
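--- a/trunk/wp-admin/options.php
+++ b/trunk/wp-admin/options.php
@@ -159,5 +159,5 @@
   </table>
 <?php $options_to_update = implode(',', $options_to_update); ?>
-<p class="submit"><input type="hidden" name="page_options" value="<?php echo wp_specialchars($options_to_update, true); ?>" /><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
+<p class="submit"><input type="hidden" name="page_options" value="<?php echo attribute_escape($options_to_update); ?>" /><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
   </form>
 </div>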
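--- a/trunk/wp-admin/page.php
+++ b/trunk/wp-admin/page.php
@@ -58,5 +58,5 @@
     <div id='preview' class='wrap'>
     <h2 id="preview-post"><?php _e('Page Preview (updated when page is saved)'); ?></h2>
-        <iframe src="<?php echo wp_specialchars(apply_filters('preview_page_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
+        <iframe src="<?php echo attribute_escape(apply_filters('preview_page_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
     </div>
     <?php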
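--- a/trunk/wp-admin/post.php
+++ b/trunk/wp-admin/post.php
@@ -64,5 +64,5 @@
     <div id='preview' class='wrap'>
     <h2 id="preview-post"><?php _e('Post Preview (updated when post is saved)'); ?></h2>
-        <iframe src="<?php echo wp_specialchars(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
+        <iframe src="<?php echo attribute_escape(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
     </div>
     <?php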
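--- a/trunk/wp-admin/templates.php
+++ b/trunk/wp-admin/templates.php
@@ -99,5 +99,5 @@
 echo '<ol>';
 foreach ($recents as $recent) :
-    echo "<li><a href='templates.php?file=" . wp_specialchars($recent, true) . "'>" . get_file_description(basename($recent)) . "</a></li>";
+    echo "<li><a href='templates.php?file=" . attribute_escape($recent) . "'>" . get_file_description(basename($recent)) . "</a></li>";
 endforeach;
 echo '</ol>';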
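Review bot: attribute_escape() at line 101 covers the HTML attribute context, but `$recent` is first being placed into a URL query component, where `&`, `#`, `+` or `%` in a path would change how `file=` is parsed on the receiving side; the value should be URL-encoded and then attribute-escaped, e.g. `attribute_escape('templates.php?file=' . urlencode($recent))`. Whether `$recents` can actually hold such characters depends on how it is populated, which is outside the hunk, and the `file` parameter still relies on templates.php's own path validation when it is read back.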
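--- a/trunk/wp-admin/theme-editor.php
+++ b/trunk/wp-admin/theme-editor.php
@@ -89,5 +89,5 @@
         if ($theme_name == $theme) $selected = " selected='selected'";
         else $selected = '';
-        $theme_name = wp_specialchars($theme_name, true);
+        $theme_name = attribute_escape($theme_name);
         echo "\n\t<option value=\"$theme_name\" $selected>$theme_name</option>";
     }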
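--- a/trunk/wp-admin/upgrade.php
+++ b/trunk/wp-admin/upgrade.php
@@ -29,5 +29,5 @@
 switch($step) {
     case 0:
-        $goback = wp_specialchars(wp_get_referer());
+        $goback = attribute_escape(stripslashes(wp_get_referer()));
 ?>
 <p><?php _e('This file upgrades you from any previous version of WordPress to the latest. It may take a while though, so be patient.'); ?></p>
@@ -41,5 +41,5 @@
             $backto = __get_option('home');
         else
-            $backto = wp_specialchars( $_GET['backto'] , 1 );
+            $backto = attribute_escape(stripslashes($_GET['backto']));
 ?>
 <h2><?php _e('Step 1'); ?></h2>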
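Review bot: Both changed lines escape values that appear to become navigation targets (`$goback` from the referer, `$backto` from `$_GET['backto']`), and attribute_escape() does not constrain where they point — a `javascript:` or off-site URL survives it untouched. If these are emitted as `href` or used in a redirect, they should be limited to this site's own address, with the `__get_option('home')` fallback at line 41 used whenever `$_GET['backto']` does not start with the home URL. How `$goback` and `$backto` are consumed is outside the hunk, so treat this as a check to confirm rather than a confirmed hole.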
  • trunk/wp-admin/upload-functions.php

    r4628 r4656  
    88    ob_start();
    99        the_title();
    10         $post_title = wp_specialchars( ob_get_contents(), 1 );
     10        $post_title = attribute_escape( ob_get_contents());
    1111    ob_end_clean();
    1212    $post_content = apply_filters( 'content_edit_pre', $post->post_content );
     
    7272                echo '<a href="' . get_permalink() . '">' . __('view') . '</a>';
    7373                echo '&nbsp;|&nbsp;';
    74                     echo '<a href="' . wp_specialchars( add_query_arg( 'action', 'edit' ), 1 ) . '" title="' . __('Edit this file') . '">' . __('edit') . '</a>';
     74                    echo '<a href="' . attribute_escape( add_query_arg( 'action', 'edit' )) . '" title="' . __('Edit this file') . '">' . __('edit') . '</a>';
    7575                echo '&nbsp;|&nbsp;';
    76                 echo '<a href="' . wp_specialchars( remove_query_arg( array('action', 'ID') ), 1 ) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
     76                echo '<a href="' . attribute_escape( remove_query_arg( array('action', 'ID') )) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
    7777                echo '&nbsp;]'; ?></span>
    7878        </div>
     
    112112                echo '<a href="' . get_permalink() . '">' . __('view') . '</a>';
    113113                echo '&nbsp;|&nbsp;';
    114                     echo '<a href="' . wp_specialchars( add_query_arg( 'action', 'view' ), 1 ) . '">' . __('links') . '</a>';
     114                    echo '<a href="' . attribute_escape( add_query_arg( 'action', 'view' )) . '">' . __('links') . '</a>';
    115115                echo '&nbsp;|&nbsp;';
    116                 echo '<a href="' . wp_specialchars( remove_query_arg( array('action','ID') ), 1 ) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
     116                echo '<a href="' . attribute_escape( remove_query_arg( array('action','ID') )) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
    117117                echo '&nbsp;]'; ?></span>
    118118        </div>
  • trunk/wp-admin/upload-js.php

    r4613 r4656  
    7373                params.ID = '';
    7474                params.action = '';
    75                 h += "<a href='" + this.urlData[0] + '?' + params.toQueryString() + "' title='<?php echo wp_specialchars(__('Browse your files'), 1); ?>' class='back'><?php echo wp_specialchars(__('&laquo; Back'), 1); ?></a>";
    76             } else {
    77                 h += "<a href='#' onclick='return theFileList.cancelView();'  title='<?php echo wp_specialchars(__('Browse your files'), 1); ?>' class='back'><?php echo wp_specialchars(__('&laquo; Back'), 1) ?></a>";
     75                h += "<a href='" + this.urlData[0] + '?' + params.toQueryString() + "' title='<?php echo attribute_escape(__('Browse your files')); ?>' class='back'><?php echo attribute_escape(__('&laquo; Back')); ?></a>";
     76            } else {
     77                h += "<a href='#' onclick='return theFileList.cancelView();'  title='<?php echo attribute_escape(__('Browse your files')); ?>' class='back'><?php echo attribute_escape(__('&laquo; Back')) ?></a>";
    7878            }
    7979            h += "<div id='file-title'>"
    8080            if ( !this.currentImage.isImage )
    81                 h += "<h2><a href='" + this.currentImage.srcBase + this.currentImage.src + "' onclick='return false;' title='<?php echo wp_specialchars(__('Direct link to file'), 1); ?>'>" + this.currentImage.title + "</a></h2>";
     81                h += "<h2><a href='" + this.currentImage.srcBase + this.currentImage.src + "' onclick='return false;' title='<?php echo attribute_escape(__('Direct link to file')); ?>'>" + this.currentImage.title + "</a></h2>";
    8282            else
    8383                h += "<h2>" + this.currentImage.title + "</h2>";
    8484            h += " &#8212; <span>";
    85             h += "<a href='#' onclick='return theFileList.editView(" + id + ");'><?php echo wp_specialchars(__('Edit'), 1); ?></a>"
     85            h += "<a href='#' onclick='return theFileList.editView(" + id + ");'><?php echo attribute_escape(__('Edit')); ?></a>"
    8686            h += "</span>";
    8787            h += '</div>'
    8888            h += "<div id='upload-file-view' class='alignleft'>";
    8989            if ( this.currentImage.isImage ) {
    90                 h += "<a href='" + this.currentImage.srcBase + this.currentImage.src + "' onclick='return false;' title='<?php echo wp_specialchars(__('Direct link to file'), 1); ?>'>";
     90                h += "<a href='" + this.currentImage.srcBase + this.currentImage.src + "' onclick='return false;' title='<?php echo attribute_escape(__('Direct link to file')); ?>'>";
    9191                h += "<img src='" + ( this.currentImage.thumb ? this.currentImage.thumb : this.currentImage.src ) + "' alt='" + this.currentImage.title + "' width='" + this.currentImage.width + "' height='" + this.currentImage.height + "' />";
    9292                h += "</a>";
     
    9898            h += "<table>";
    9999            if ( this.currentImage.thumb ) {
    100                 h += "<tr><th style='padding-bottom:.5em'><?php echo wp_specialchars(__('Show:'), 1); ?></th><td style='padding-bottom:.5em'>";
    101                 h += "<label for='display-thumb'><input type='radio' name='display' id='display-thumb' value='thumb' checked='checked' /> <?php echo wp_specialchars(__('Thumbnail'), 1); ?></label><br />";
    102                 h += "<label for='display-full'><input type='radio' name='display' id='display-full' value='full' /> <?php echo wp_specialchars(__('Full size'), 1); ?></label>";
     100                h += "<tr><th style='padding-bottom:.5em'><?php echo attribute_escape(__('Show:')); ?></th><td style='padding-bottom:.5em'>";
     101                h += "<label for='display-thumb'><input type='radio' name='display' id='display-thumb' value='thumb' checked='checked' /> <?php echo attribute_escape(__('Thumbnail')); ?></label><br />";
     102                h += "<label for='display-full'><input type='radio' name='display' id='display-full' value='full' /> <?php echo attribute_escape(__('Full size')); ?></label>";
    103103                h += "</td></tr>";
    104104            }
    105105
    106             h += "<tr><th><?php echo wp_specialchars(__('Link to:'), 1); ?></th><td>";
    107             h += "<label for='link-file'><input type='radio' name='link' id='link-file' value='file' checked='checked'/> <?php echo wp_specialchars(__('File'), 1); ?></label><br />";
    108             h += "<label for='link-page'><input type='radio' name='link' id='link-page' value='page' /> <?php echo wp_specialchars(__('Page'), 1); ?></label><br />";
    109             h += "<label for='link-none'><input type='radio' name='link' id='link-none' value='none' /> <?php echo wp_specialchars(__('None'), 1); ?></label>";
     106            h += "<tr><th><?php echo attribute_escape(__('Link to:')); ?></th><td>";
     107            h += "<label for='link-file'><input type='radio' name='link' id='link-file' value='file' checked='checked'/> <?php echo attribute_escape(__('File')); ?></label><br />";
     108            h += "<label for='link-page'><input type='radio' name='link' id='link-page' value='page' /> <?php echo attribute_escape(__('Page')); ?></label><br />";
     109            h += "<label for='link-none'><input type='radio' name='link' id='link-none' value='none' /> <?php echo attribute_escape(__('None')); ?></label>";
    110110            h += "</td></tr>";
    111111
    112112            h += "<tr><td colspan='2'><p class='submit'>";
    113             h += "<input type='button' class='button' name='send' onclick='theFileList.sendToEditor(" + id + ")' value='<?php echo wp_specialchars(__('Send to editor &raquo;'), 1); ?>' />";
     113            h += "<input type='button' class='button' name='send' onclick='theFileList.sendToEditor(" + id + ")' value='<?php echo attribute_escape(__('Send to editor &raquo;')); ?>' />";
    114114            h += "</p></td></tr></table>";
    115115            h += "</form>";
     
    135135                params.ID = '';
    136136                params.action = '';
    137                 h += "<a href='" + this.urlData[0] + '?' + params.toQueryString() + "'  title='<?php echo wp_specialchars(__('Browse your files'), 1); ?>' class='back'><?php echo wp_specialchars(__('&laquo; Back'), 1); ?></a>";
    138             } else {
    139                 h += "<a href='#' onclick='return theFileList.cancelView();'  title='<?php echo wp_specialchars(__('Browse your files'), 1); ?>' class='back'><?php echo wp_specialchars(__('&laquo; Back'), 1); ?></a>";
     137                h += "<a href='" + this.urlData[0] + '?' + params.toQueryString() + "'  title='<?php echo attribute_escape(__('Browse your files')); ?>' class='back'><?php echo attribute_escape(__('&laquo; Back')); ?></a>";
     138            } else {
     139                h += "<a href='#' onclick='return theFileList.cancelView();'  title='<?php echo attribute_escape(__('Browse your files')); ?>' class='back'><?php echo attribute_escape(__('&laquo; Back')); ?></a>";
    140140            }
    141141            h += "<div id='file-title'>"
    142142            if ( !this.currentImage.isImage )
    143                 h += "<h2><a href='" + this.currentImage.srcBase + this.currentImage.src + "' onclick='return false;' title='<?php echo wp_specialchars(__('Direct link to file'), 1); ?>'>" + this.currentImage.title + "</a></h2>";
     143                h += "<h2><a href='" + this.currentImage.srcBase + this.currentImage.src + "' onclick='return false;' title='<?php echo attribute_escape(__('Direct link to file')); ?>'>" + this.currentImage.title + "</a></h2>";
    144144            else
    145145                h += "<h2>" + this.currentImage.title + "</h2>";
    146146            h += " &#8212; <span>";
    147             h += "<a href='#' onclick='return theFileList.imageView(" + id + ");'><?php wp_specialchars(__('Insert'), 1); ?></a>"
     147            h += "<a href='#' onclick='return theFileList.imageView(" + id + ");'><?php attribute_escape(__('Insert')); ?></a>"
    148148            h += "</span>";
    149149            h += '</div>'
     
    159159
    160160            h += "<table><col /><col class='widefat' /><tr>"
    161             h += "<th scope='row'><label for='url'><?php echo wp_specialchars(__('URL'), 1); ?></label></th>";
     161            h += "<th scope='row'><label for='url'><?php echo attribute_escape(__('URL')); ?></label></th>";
    162162            h += "<td><input type='text' id='url' class='readonly' value='" + this.currentImage.srcBase + this.currentImage.src + "' readonly='readonly' /></td>";
    163163            h += "</tr><tr>";
    164             h += "<th scope='row'><label for='post_title'><?php echo wp_specialchars(__('Title'), 1); ?></label></th>";
     164            h += "<th scope='row'><label for='post_title'><?php echo attribute_escape(__('Title')); ?></label></th>";
    165165            h += "<td><input type='text' id='post_title' name='post_title' value='" + this.currentImage.title + "' /></td>";
    166166            h += "</tr><tr>";
    167             h += "<th scope='row'><label for='post_content'><?php echo wp_specialchars(__('Description'), 1); ?></label></th>";
     167            h += "<th scope='row'><label for='post_content'><?php echo attribute_escape(__('Description')); ?></label></th>";
    168168            h += "<td><textarea name='post_content' id='post_content'>" + this.currentImage.description + "</textarea></td>";
    169             h += "</tr><tr id='buttons' class='submit'><td colspan='2'><input type='button' id='delete' name='delete' class='delete alignleft' value='<?php echo wp_specialchars(__('Delete File'), 1); ?>' onclick='theFileList.deleteFile(" + id + ");' />";
     169            h += "</tr><tr id='buttons' class='submit'><td colspan='2'><input type='button' id='delete' name='delete' class='delete alignleft' value='<?php echo attribute_escape(__('Delete File')); ?>' onclick='theFileList.deleteFile(" + id + ");' />";
    170170            h += "<input type='hidden' name='from_tab' value='" + this.tab + "' />";
    171171            h += "<input type='hidden' name='action' id='action-value' value='save' />";
    172172            h += "<input type='hidden' name='ID' value='" + id + "' />";
    173173            h += "<input type='hidden' name='_wpnonce' value='" + this.nonce + "' />";
    174             h += "<div class='submit'><input type='submit' value='<?php echo wp_specialchars(__('Save &raquo;'), 1); ?>' /></div>";
     174            h += "<div class='submit'><input type='submit' value='<?php echo attribute_escape(__('Save &raquo;')); ?>' /></div>";
    175175            h += "</td></tr></table></form>";
    176176
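Review bot: Line 147 calls `attribute_escape(__('Insert'))` without `echo`, so the "Insert" link is rendered with empty text; every other replacement in this file (lines 85, 161, 164, 169, …) is `<?php echo attribute_escape(...); ?>`. The removed line had the same omission, so this is pre-existing, but rewriting the call is the moment to fix it: `<?php echo attribute_escape(__('Insert')); ?>`. Separately, these values are written into JavaScript string literals that are later injected as HTML, and attribute_escape() is an HTML escaper only — adequate for the fixed translated labels here, but the dynamic `this.currentImage.title` on the surrounding context lines is still concatenated into markup raw, and this pattern should not be extended to such data.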
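--- a/trunk/wp-admin/upload.php
+++ b/trunk/wp-admin/upload.php
@@ -88,5 +88,5 @@
     if ( isset($tab_array[4]) && is_array($tab_array[4]) )
         add_query_arg( $tab_array[4], $href );
-    $_href = wp_specialchars( $href, 1 );
+    $_href = attribute_escape( $href);
     $page_links = '';
     $class = 'upload-tab alignleft';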
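Review bot: The `$href` escaped on line 90 is the value line 89 was meant to extend, but `add_query_arg( $tab_array[4], $href );` discards its return value, so the extra tab arguments never reach `$_href`. That predates this changeset, but since the line is being touched it should read `$href = add_query_arg( $tab_array[4], $href );`. The enclosing function starts before the hunk.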
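--- a/trunk/wp-admin/user-edit.php
+++ b/trunk/wp-admin/user-edit.php
@@ -56,5 +56,5 @@
     <p><strong><?php _e('User updated.') ?></strong></p>
     <?php if ( $wp_http_referer ) : ?>
-    <p><a href="<?php echo wp_specialchars($wp_http_referer); ?>"><?php _e('&laquo; Back to Authors and Users'); ?></a></p>
+    <p><a href="<?php echo attribute_escape($wp_http_referer); ?>"><?php _e('&laquo; Back to Authors and Users'); ?></a></p>
     <?php endif; ?>
 </div>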
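Review bot: attribute_escape() at line 58 stops `$wp_http_referer` from breaking out of the `href` attribute but does not validate it as a URL; its origin is not visible here, and if it comes from the request (users.php in this changeset emits a `wp_http_referer` hidden field), a `javascript:` or external URL is reflected unchanged into the link. Restricting it to a same-site URL before output — or falling back to `users.php` when it is not one — would close that, e.g. `$wp_http_referer = ( 0 === strpos($wp_http_referer, get_option('siteurl')) ) ? $wp_http_referer : 'users.php';` or whatever site-URL helper this file already uses.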
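--- a/trunk/wp-admin/users.php
+++ b/trunk/wp-admin/users.php
@@ -13,8 +13,8 @@
 
 if ( empty($_POST) ) {
-    $referer = '<input type="hidden" name="wp_http_referer" value="'. wp_specialchars(stripslashes($_SERVER['REQUEST_URI'])) . '" />';
+    $referer = '<input type="hidden" name="wp_http_referer" value="'. attribute_escape(stripslashes($_SERVER['REQUEST_URI'])) . '" />';
 } elseif ( isset($_POST['wp_http_referer']) ) {
     $redirect = remove_query_arg(array('wp_http_referer', 'updated', 'delete_count'), stripslashes($_POST['wp_http_referer']));
-    $referer = '<input type="hidden" name="wp_http_referer" value="' . wp_specialchars($redirect) . '" />';
+    $referer = '<input type="hidden" name="wp_http_referer" value="' . attribute_escape($redirect) . '" />';
 } else {
     $redirect = 'users.php';
@@ -339,5 +339,5 @@
 
     <form action="" method="get" name="search" id="search">
-        <p><input type="text" name="usersearch" id="usersearch" value="<?php echo wp_specialchars($wp_user_search->search_term, 1); ?>" /> <input type="submit" value="<?php _e('Search     users &raquo;'); ?>" class="button" /></p>
+        <p><input type="text" name="usersearch" id="usersearch" value="<?php echo attribute_escape($wp_user_search->search_term); ?>" /> <input type="submit" value="<?php _e('Search   users &raquo;'); ?>" class="button" /></p>
     </form>
 
@@ -430,5 +430,5 @@
         foreach ( array('user_login' => 'user_login', 'first_name' => 'user_firstname', 'last_name' => 'user_lastname', 'email' => 'user_email', 'url' => 'user_uri', 'role' => 'user_role') as $formpost => $var ) {
             $var = 'new_' . $var;
-            $$var = wp_specialchars(stripslashes($_POST[$formpost]));
+            $$var = attribute_escape(stripslashes($_POST[$formpost]));
         }
         unset($name);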
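Review bot: Line 432 HTML-escapes each `$_POST` field at read time and stores the encoded string in `$new_user_login`, `$new_user_email` and friends, so any consumer of those variables other than an attribute value (the user-creation path, a plain-text e-mail, a database column) receives `&amp;`/`&#039;` entities instead of the submitted text. Keep the raw `stripslashes($_POST[$formpost])` in the variable and apply `attribute_escape()` where the value is echoed; the consumers are outside this hunk, so confirm which contexts they reach. `$_POST[$formpost]` is also read without `isset()`, which emits a notice for any field the form omits. The enclosing block continues outside the hunk.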
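--- a/trunk/wp-content/themes/classic/comments-popup.php
+++ b/trunk/wp-content/themes/classic/comments-popup.php
@@ -61,5 +61,5 @@
        <label for="author"><?php _e("Name"); ?></label>
     <input type="hidden" name="comment_post_ID" value="<?php echo $id; ?>" />
-    <input type="hidden" name="redirect_to" value="<?php echo wp_specialchars($_SERVER["REQUEST_URI"]); ?>" />
+    <input type="hidden" name="redirect_to" value="<?php echo attribute_escape($_SERVER["REQUEST_URI"]); ?>" />
     </p>
 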
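Review bot: Line 63 passes `$_SERVER["REQUEST_URI"]` straight to `attribute_escape()`, while the same commit wraps the identical value in `stripslashes()` in users.php (line 15) and in `wp_original_referer_field()`; one of the two is wrong depending on whether the bootstrap adds slashes to `$_SERVER`, and a slashed URI here becomes a broken redirect target. Pick one convention and apply it in all three places, e.g. `attribute_escape(stripslashes($_SERVER["REQUEST_URI"]))` if `$_SERVER` is slashed. The escaping only protects the attribute: `redirect_to` is still attacker-influenced and must be checked against the site's own host wherever it is turned into a `Location` header (outside this file).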
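--- a/trunk/wp-content/themes/default/comments-popup.php
+++ b/trunk/wp-content/themes/default/comments-popup.php
@@ -61,5 +61,5 @@
        <label for="author">Name</label>
     <input type="hidden" name="comment_post_ID" value="<?php echo $id; ?>" />
-    <input type="hidden" name="redirect_to" value="<?php echo wp_specialchars($_SERVER["REQUEST_URI"]); ?>" />
+    <input type="hidden" name="redirect_to" value="<?php echo attribute_escape($_SERVER["REQUEST_URI"]); ?>" />
     </p>
 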
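Review bot: Line 63 fixes attribute injection in the `redirect_to` field but leaves the value itself unvalidated; a request URI is attacker-controlled, and `attribute_escape()` does nothing to stop the comment handler that reads `redirect_to` (not in this file) from sending the browser to an arbitrary URL. The consumer should accept only same-host or path-only targets. Note also that this line does not `stripslashes()` the URI while users.php line 15 in the same changeset does — the two should agree.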
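--- a/trunk/wp-includes/author-template.php
+++ b/trunk/wp-includes/author-template.php
@@ -140,5 +140,5 @@
     global $authordata;
 
-    echo '<a href="' . get_author_posts_url($authordata->ID, $authordata->user_nicename) . '" title="' . sprintf(__("Posts by %s"), wp_specialchars(get_the_author())) . '">' . get_the_author() . '</a>';
+    echo '<a href="' . get_author_posts_url($authordata->ID, $authordata->user_nicename) . '" title="' . sprintf(__("Posts by %s"), attribute_escape(get_the_author())) . '">' . get_the_author() . '</a>';
 }
 
@@ -203,5 +203,5 @@
                 $link = $name;
         } else {
-            $link = '<a href="' . get_author_posts_url($author->ID, $author->user_nicename) . '" title="' . sprintf(__("Posts by %s"), wp_specialchars($author->display_name)) . '">' . $name . '</a>';
+            $link = '<a href="' . get_author_posts_url($author->ID, $author->user_nicename) . '" title="' . sprintf(__("Posts by %s"), attribute_escape($author->display_name)) . '">' . $name . '</a>';
 
             if ( (! empty($feed_image)) || (! empty($feed)) ) {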
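Review bot: Line 142 escapes the author name for the `title` attribute but then emits the same `get_the_author()` value unescaped as the link text, so the element is only half covered; unless `get_the_author()` is already filtered to safe HTML (not visible here), the text node needs `'">' . wp_specialchars(get_the_author()) . '</a>'` as well. Line 205 has the same shape with `$name`, whose assignment is outside the hunk. Both enclosing functions start before the hunk.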
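--- a/trunk/wp-includes/bookmark-template.php
+++ b/trunk/wp-includes/bookmark-template.php
@@ -102,6 +102,6 @@
             $rel = ' rel="' . $rel . '"';
 
-        $desc = wp_specialchars($row->link_description, ENT_QUOTES);
-        $name = wp_specialchars($row->link_name, ENT_QUOTES);
+        $desc = attribute_escape($row->link_description);
+        $name = attribute_escape($row->link_name);
         $title = $desc;
 
@@ -267,6 +267,6 @@
             $rel = ' rel="' . $rel . '"';
 
-        $desc = wp_specialchars($bookmark->link_description, ENT_QUOTES);
-        $name = wp_specialchars($bookmark->link_name, ENT_QUOTES);
+        $desc = attribute_escape($bookmark->link_description);
+        $name = attribute_escape($bookmark->link_name);
         $title = $desc;
 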
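Review bot: Lines 102 and 267 still concatenate `$rel` raw into `' rel="' . $rel . '"'` one line above the fields that now go through `attribute_escape()`; `$rel` is assigned outside the hunk, but if it comes from the stored `link_rel` value it needs the same treatment: `$rel = ' rel="' . attribute_escape($rel) . '"';`. `$title = $desc` reuses an attribute-escaped string, which is fine for both a `title=""` value and element text, but a one-line comment saying so would stop a later reader from escaping it a second time. Both enclosing functions continue outside the hunk.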
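--- a/trunk/wp-includes/classes.php
+++ b/trunk/wp-includes/classes.php
@@ -510,5 +510,5 @@
             $css_class .= ' current_page_parent';
 
-        $output .= $indent . '<li class="' . $css_class . '"><a href="' . get_page_link($page->ID) . '" title="' . wp_specialchars($page->post_title, 1) . '">' . $page->post_title . '</a>';
+        $output .= $indent . '<li class="' . $css_class . '"><a href="' . get_page_link($page->ID) . '" title="' . attribute_escape($page->post_title) . '">' . $page->post_title . '</a>';
    
         if ( !empty($show_date) ) {
@@ -576,10 +576,10 @@
         extract($args);
 
-        $cat_name = wp_specialchars( $category->cat_name, 1 );
+        $cat_name = attribute_escape( $category->cat_name);
         $link = '<a href="' . get_category_link( $category->cat_ID ) . '" ';
         if ( $use_desc_for_title == 0 || empty($category->category_description) )
             $link .= 'title="' . sprintf(__( 'View all posts filed under %s' ), $cat_name) . '"';
         else
-            $link .= 'title="' . wp_specialchars( apply_filters( 'category_description', $category->category_description, $category ), 1 ) . '"';
+            $link .= 'title="' . attribute_escape( apply_filters( 'category_description', $category->category_description, $category )) . '"';
         $link .= '>';
         $link .= apply_filters( 'list_cats', $category->cat_name, $category ).'</a>';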
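Review bot: Line 512 escapes `$page->post_title` for the `title` attribute and then writes it raw as the `<a>` text, and line 585 does the same with the `list_cats`-filtered `cat_name`; if titles are meant to be trusted HTML that is consistent, otherwise the text node needs `wp_specialchars($page->post_title)` too. Line 576 uses `extract($args)` to materialise `$use_desc_for_title` and friends — a local `$args` array rather than request data, so not an injection path, but it hides which variables the method depends on. Both enclosing methods start outside the hunk.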
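--- a/trunk/wp-includes/comment-template.php
+++ b/trunk/wp-includes/comment-template.php
@@ -354,5 +354,5 @@
         echo ' class="'.$CSSclass.'"';
     }
-    $title = wp_specialchars(apply_filters('the_title', get_the_title()), true);
+    $title = attribute_escape(apply_filters('the_title', get_the_title()));
     echo ' title="' . sprintf( __('Comment on %s'), $title ) .'">';
     comments_number($zero, $one, $more, $number);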
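Review bot: Line 354 (context) writes `$CSSclass` into the `class` attribute without escaping, immediately before the `title` attribute the commit now escapes; it is a function parameter supplied by theme code, so the exposure is small, but `echo ' class="' . attribute_escape($CSSclass) . '"';` keeps the function's output safe regardless of caller. The function starts and continues outside the hunk.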
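--- a/trunk/wp-includes/comment.php
+++ b/trunk/wp-includes/comment.php
@@ -156,5 +156,5 @@
         $comment_author = apply_filters('pre_comment_author_name', $_COOKIE['comment_author_'.COOKIEHASH]);
         $comment_author = stripslashes($comment_author);
-        $comment_author = wp_specialchars($comment_author, true);
+        $comment_author = attribute_escape($comment_author);
         $_COOKIE['comment_author_'.COOKIEHASH] = $comment_author;
     }
@@ -163,5 +163,5 @@
         $comment_author_email = apply_filters('pre_comment_author_email', $_COOKIE['comment_author_email_'.COOKIEHASH]);
         $comment_author_email = stripslashes($comment_author_email);
-        $comment_author_email = wp_specialchars($comment_author_email, true);
+        $comment_author_email = attribute_escape($comment_author_email);
         $_COOKIE['comment_author_email_'.COOKIEHASH] = $comment_author_email;
     }
@@ -170,5 +170,5 @@
         $comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
         $comment_author_url = stripslashes($comment_author_url);
-        $comment_author_url = wp_specialchars($comment_author_url, true);
+        $comment_author_url = attribute_escape($comment_author_url);
         $_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url;
     }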
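Review bot: Line 172 treats the `comment_author_url` cookie as an attribute value, but entity escaping does not neutralise a `javascript:` or `data:` URL once the string is placed in an `href`; URL fields need a scheme check (http/https only) in addition to `attribute_escape()`. Lines 159, 166 and 173 then write the escaped strings back into `$_COOKIE`, so every later reader of those superglobals receives entity-encoded data — a `&` in an e-mail address or URL becomes `&amp;` before it reaches storage or a `mailto:`. Prefer keeping the stripslashed raw value in `$_COOKIE` and escaping at the echo site; the enclosing function continues outside the hunk.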
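--- a/trunk/wp-includes/formatting.php
+++ b/trunk/wp-includes/formatting.php
@@ -1082,4 +1082,9 @@
 }
 
+// Escaping for HTML attributes like
+function attribute_escape($text) {
+    return wp_specialchars($text, true);
+}
+
 function wp_make_link_relative( $link ) {
     return preg_replace('|https?://[^/]+(/.*)|i', '$1', $link );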
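Review bot: The comment on line 1084 is cut off mid-sentence (`// Escaping for HTML attributes like`), and the one-line body hides the contract every other file in this changeset now relies on. Document what the `true` flag passed to `wp_specialchars()` buys (its definition is not in this hunk, but the name and the single-quoted `href='…'` call sites elsewhere in the commit suggest it enables single-quote escaping), that the result is meant for quoted attribute values only — not unquoted attributes, URL schemes or JavaScript — and that it does not validate URLs. A docblock such as `/** Escape a string for use inside a quoted HTML attribute value (both " and '). Does not validate URL schemes or make JS contexts safe. */` would do.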
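--- a/trunk/wp-includes/functions.php
+++ b/trunk/wp-includes/functions.php
@@ -232,5 +232,5 @@
 
 function form_option($option) {
-    echo wp_specialchars( get_option($option), 1 );
+    echo attribute_escape( get_option($option));
 }
 
@@ -915,8 +915,8 @@
 
 function wp_referer_field() {
-    $ref = wp_specialchars($_SERVER['REQUEST_URI']);
+    $ref = attribute_escape($_SERVER['REQUEST_URI']);
     echo '<input type="hidden" name="_wp_http_referer" value="'. $ref . '" />';
     if ( wp_get_original_referer() ) {
-        $original_ref = wp_specialchars(stripslashes(wp_get_original_referer()));
+        $original_ref = attribute_escape(stripslashes(wp_get_original_referer()));
         echo '<input type="hidden" name="_wp_original_http_referer" value="'. $original_ref . '" />';
     }
@@ -924,5 +924,5 @@
 
 function wp_original_referer_field() {
-    echo '<input type="hidden" name="_wp_original_http_referer" value="' . wp_specialchars(stripslashes($_SERVER['REQUEST_URI'])) . '" />';
+    echo '<input type="hidden" name="_wp_original_http_referer" value="' . attribute_escape(stripslashes($_SERVER['REQUEST_URI'])) . '" />';
 }
 
@@ -1191,5 +1191,5 @@
             $v = substr(strstr($a, '='), 1);
             $k = substr($a, 0, -(strlen($v)+1));
-            $html .= "\t\t<input type='hidden' name='" . wp_specialchars( urldecode($k), 1 ) . "' value='" . wp_specialchars( urldecode($v), 1 ) . "' />\n";
+            $html .= "\t\t<input type='hidden' name='" . attribute_escape( urldecode($k)) . "' value='" . attribute_escape( urldecode($v)) . "' />\n";
         }
         $html .= "\t\t<input type='hidden' name='_wpnonce' value='" . wp_create_nonce($action) . "' />\n";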
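Review bot: Line 917 escapes `$_SERVER['REQUEST_URI']` without `stripslashes()`, while line 926 in the next function strips slashes from the very same value first; whichever convention is wrong either embeds stray backslashes in the hidden field or removes legitimate ones, and the two referer fields should agree. Make line 917 `$ref = attribute_escape(stripslashes($_SERVER['REQUEST_URI']));` if the bootstrap slashes `$_SERVER`, or drop the `stripslashes()` on line 926 if it does not. Line 1193 builds single-quoted attributes, so it is safe only because `attribute_escape()` encodes `'`; a short comment there would stop someone "simplifying" it back to a plain `wp_specialchars()`.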
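--- a/trunk/wp-includes/general-template.php
+++ b/trunk/wp-includes/general-template.php
@@ -280,5 +280,5 @@
 function get_archives_link($url, $text, $format = 'html', $before = '', $after = '') {
     $text = wptexturize($text);
-    $title_text = wp_specialchars($text, 1);
+    $title_text = attribute_escape($text);
 
     if ('link' == $format)
@@ -902,5 +902,5 @@
 function the_search_query() {
     global $s;
-    echo wp_specialchars( stripslashes($s), 1 );
+    echo attribute_escape( stripslashes($s));
 }
 
@@ -957,5 +957,5 @@
         if ( $add_args )
             $link = add_query_arg( $add_args, $link );
-        $page_links[] = "<a class='prev page-numbers' href='" . wp_specialchars( $link, 1 ) . "'>$prev_text</a>";
+        $page_links[] = "<a class='prev page-numbers' href='" . attribute_escape( $link) . "'>$prev_text</a>";
     endif;
     for ( $n = 1; $n <= $total; $n++ ) :
@@ -969,5 +969,5 @@
                 if ( $add_args )
                     $link = add_query_arg( $add_args, $link );
-                $page_links[] = "<a class='page-numbers' href='" . wp_specialchars( $link, 1 ) . "'>$n</a>";
+                $page_links[] = "<a class='page-numbers' href='" . attribute_escape( $link) . "'>$n</a>";
                 $dots = true;
             elseif ( $dots && !$show_all ) :
@@ -982,5 +982,5 @@
         if ( $add_args )
             $link = add_query_arg( $add_args, $link );
-        $page_links[] = "<a class='next page-numbers' href='" . wp_specialchars( $link, 1 ) . "'>$next_text</a>";
+        $page_links[] = "<a class='next page-numbers' href='" . attribute_escape( $link) . "'>$next_text</a>";
     endif;
     switch ( $type ) :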
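Review bot: Line 282 applies `attribute_escape()` to text that line 281 has just passed through `wptexturize()`, a function that emits character entities; unless `wp_specialchars()` leaves existing `&…;` sequences alone (its definition is not in this hunk), the `title` attribute will render `&amp;#8217;` instead of a curly quote. Either escape before texturizing or confirm the non-double-encoding behaviour with a comment on line 282. Lines 959, 971 and 984 place the escaped link inside single-quoted `href` attributes, which is only safe because `attribute_escape()` also encodes `'`; `$prev_text`, `$next_text` and `$n` on the same lines are written raw and come from the function's arguments, which start outside the hunk.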
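--- a/trunk/wp-includes/post-template.php
+++ b/trunk/wp-includes/post-template.php
@@ -335,5 +335,5 @@
         return __('Missing Attachment');
 
-    $post_title = wp_specialchars( $_post->post_title, 1 );
+    $post_title = attribute_escape( $_post->post_title);
 
     if (! empty($_post->guid) ) {
@@ -421,5 +421,5 @@
     }
 
-    $post_title = wp_specialchars( $post->post_title, 1 );
+    $post_title = attribute_escape( $post->post_title);
 
     $icon = "<img src='$src' title='$post_title' alt='$post_title' $constraint/>";
@@ -436,5 +436,5 @@
     $post = & get_post($id);
 
-    $innerHTML = wp_specialchars( $post->post_title, 1 );
+    $innerHTML = attribute_escape( $post->post_title);
 
     return apply_filters('attachment_innerHTML', $innerHTML, $post->ID);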
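Review bot: Line 425 interpolates `$src` and `$constraint` into single-quoted attributes with no escaping while `$post_title` on the same line now goes through `attribute_escape()`; `$src` is assigned outside the hunk, but if it is derived from the attachment's `guid` or a filter it deserves the same treatment, e.g. `$src = attribute_escape($src);` before `$icon` is built. Line 438 uses an attribute escaper for `$innerHTML`, which is element content; the output is equivalent today, but `wp_specialchars()` would state the intended context and survive a future change to `attribute_escape()`. All three enclosing functions start outside the hunk.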
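--- a/trunk/wp-links-opml.php
+++ b/trunk/wp-links-opml.php
@@ -31,5 +31,5 @@
 foreach ((array) $cats as $cat) {
 ?>
-<outline type="category" title="<?php echo wp_specialchars($cat->cat_name); ?>">
+<outline type="category" title="<?php echo attribute_escape($cat->cat_name); ?>">
 <?php
 
@@ -37,5 +37,5 @@
     foreach ((array) $bookmarks as $bookmark) {
 ?>
-    <outline text="<?php echo wp_specialchars($bookmark->link_name); ?>" type="link" xmlUrl="<?php echo wp_specialchars($bookmark->link_rss); ?>" htmlUrl="<?php echo wp_specialchars($bookmark->link_url); ?>" updated="<?php if ('0000-00-00 00:00:00' != $bookmark->link_updated) echo $bookmark->link_updated; ?>" />
+    <outline text="<?php echo attribute_escape($bookmark->link_name); ?>" type="link" xmlUrl="<?php echo attribute_escape($bookmark->link_rss); ?>" htmlUrl="<?php echo attribute_escape($bookmark->link_url); ?>" updated="<?php if ('0000-00-00 00:00:00' != $bookmark->link_updated) echo $bookmark->link_updated; ?>" />
 <?php
 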
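Review bot: Line 39 still echoes `$bookmark->link_updated` unescaped into the `updated` attribute while the three neighbouring attributes are now escaped; it is a timestamp from the database, but `echo attribute_escape($bookmark->link_updated);` is free and keeps every attribute on the line treated the same. This file emits OPML, i.e. XML, so the switch is only correct if `wp_specialchars()` produces the five predefined XML entities or numeric references rather than HTML-only entity names — its implementation is not in the hunk, so worth confirming and recording in a comment at the top of the loop. `xmlUrl`/`htmlUrl` are escaped but not validated as URLs.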
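--- a/trunk/wp-login.php
+++ b/trunk/wp-login.php
@@ -139,9 +139,9 @@
     <p>
         <label><?php _e('Username:') ?><br />
-        <input type="text" name="user_login" id="user_login" class="input" value="<?php echo wp_specialchars(stripslashes($_POST['user_login']), 1); ?>" size="20" tabindex="10" /></label>
+        <input type="text" name="user_login" id="user_login" class="input" value="<?php echo attribute_escape(stripslashes($_POST['user_login'])); ?>" size="20" tabindex="10" /></label>
     </p>
     <p>
         <label><?php _e('E-mail:') ?><br />
-        <input type="text" name="user_email" id="user_email" class="input" value="<?php echo wp_specialchars(stripslashes($_POST['user_email']), 1); ?>" size="25" tabindex="20" /></label>
+        <input type="text" name="user_email" id="user_email" class="input" value="<?php echo attribute_escape(stripslashes($_POST['user_email'])); ?>" size="25" tabindex="20" /></label>
     </p>
 <?php do_action('lostpassword_form'); ?>
@@ -258,9 +258,9 @@
     <p>
         <label><?php _e('Username:') ?><br />
-        <input type="text" name="user_login" id="user_login" class="input" value="<?php echo wp_specialchars(stripslashes($user_login), 1); ?>" size="20" tabindex="10" /></label>
+        <input type="text" name="user_login" id="user_login" class="input" value="<?php echo attribute_escape(stripslashes($user_login)); ?>" size="20" tabindex="10" /></label>
     </p>
     <p>
         <label><?php _e('E-mail:') ?><br />
-        <input type="text" name="user_email" id="user_email" class="input" value="<?php echo wp_specialchars(stripslashes($user_email), 1); ?>" size="25" tabindex="20" /></label>
+        <input type="text" name="user_email" id="user_email" class="input" value="<?php echo attribute_escape(stripslashes($user_email)); ?>" size="25" tabindex="20" /></label>
     </p>
 <?php do_action('register_form'); ?>
@@ -345,5 +345,5 @@
     <p>
         <label><?php _e('Username:') ?><br />
-        <input type="text" name="log" id="user_login" class="input" value="<?php echo wp_specialchars(stripslashes($user_login), 1); ?>" size="20" tabindex="10" /></label>
+        <input type="text" name="log" id="user_login" class="input" value="<?php echo attribute_escape(stripslashes($user_login)); ?>" size="20" tabindex="10" /></label>
     </p>
     <p>
@@ -355,5 +355,5 @@
     <p class="submit">
         <input type="submit" name="submit" id="submit" value="<?php _e('Login'); ?> &raquo;" tabindex="100" />
-        <input type="hidden" name="redirect_to" value="<?php echo wp_specialchars($redirect_to); ?>" />
+        <input type="hidden" name="redirect_to" value="<?php echo attribute_escape($redirect_to); ?>" />
     </p>
 </form>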
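Review bot: Line 357 escapes `$redirect_to` for the hidden field, which closes the attribute-injection hole but not the more important one: the value is round-tripped from the request and, after login, used as a redirect target, and `attribute_escape()` does nothing to stop an off-site destination. Wherever `$redirect_to` is turned into a `Location` header (outside this hunk) it should be rejected unless it is a relative path or its host matches the site's own. Lines 141 and 145 also read `$_POST['user_login']` / `$_POST['user_email']` without `isset()`, so the first GET of the lost-password form emits notices; `isset($_POST['user_login']) ? stripslashes($_POST['user_login']) : ''` avoids that.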