Changeset 4656 for branches/2.0/wp-includes/functions.php

Timestamp:

12/21/2006 10:10:04 AM (19 years ago)

Author:

markjaquith

Message:

new function for escaping within attributes: attribute_escape()

File:

• branches/2.0/wp-includes/functions.php (modified) (5 diffs)

branches/2.0/wp-includes/functions.php

@@ -350 +350 @@
 
 function form_option($option) {
-    echo wp_specialchars( get_option($option), 1 );
+    echo attribute_escape( get_option($option));
 }
 
@@ -2363 +2363 @@
 
 function wp_referer_field() {
-    $ref = wp_specialchars($_SERVER['REQUEST_URI']);
+    $ref = attribute_escape(stripslashes($_SERVER['REQUEST_URI']));
     echo '<input type="hidden" name="_wp_http_referer" value="'. $ref . '" />';
     if ( wp_get_original_referer() ) {
-        $original_ref = wp_specialchars(stripslashes(wp_get_original_referer()));
+        $original_ref = attribute_escape(stripslashes(wp_get_original_referer()));
         echo '<input type="hidden" name="_wp_original_http_referer" value="'. $original_ref . '" />';
     }
@@ -2372 +2372 @@
 
 function wp_original_referer_field() {
-    echo '<input type="hidden" name="_wp_original_http_referer" value="' . wp_specialchars(stripslashes($_SERVER['REQUEST_URI'])) . '" />';
+    echo '<input type="hidden" name="_wp_original_http_referer" value="' . attribute_escape(stripslashes($_SERVER['REQUEST_URI'])) . '" />';
 }
 
@@ -2457 +2457 @@
     $adminurl = get_settings('siteurl') . '/wp-admin';
     if ( wp_get_referer() )
-        $adminurl = wp_get_referer();
+        $adminurl = attribute_escape(stripslashes(wp_get_referer()));
 
     $title = __('WordPress Confirmation');
@@ -2469 +2469 @@
             $v = substr(strstr($a, '='), 1);
             $k = substr($a, 0, -(strlen($v)+1));
-            $html .= "\t\t<input type='hidden' name='" . wp_specialchars( urldecode($k), 1 ) . "' value='" . wp_specialchars( urldecode($v), 1 ) . "' />\n";
+            $html .= "\t\t<input type='hidden' name='" . attribute_escape( urldecode($k)) . "' value='" . attribute_escape( urldecode($v)) . "' />\n";
         }
         $html .= "\t\t<input type='hidden' name='_wpnonce' value='" . wp_create_nonce($action) . "' />\n";
         $html .= "\t\t<div id='message' class='confirm fade'>\n\t\t<p>" . wp_explain_nonce($action) . "</p>\n\t\t<p><a href='$adminurl'>" . __('No') . "</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t\t</div>\n\t</form>\n";
     } else {
-        $html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_explain_nonce($action) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] ) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
+        $html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_explain_nonce($action) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . attribute_escape(add_query_arg('_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'])) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
     }
     $html .= "</body>\n</html>";