Changeset 5056

Timestamp:

03/17/2007 08:46:59 AM (18 years ago)

Author:

markjaquith

Message:

use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for trunk.

Location:

trunk

Files:

• wp-admin/admin-functions.php (modified) (5 diffs)
• wp-admin/bookmarklet.php (modified) (1 diff)
• wp-admin/edit-comments.php (modified) (6 diffs)
• wp-admin/edit-form-advanced.php (modified) (1 diff)
• wp-admin/edit-page-form.php (modified) (1 diff)
• wp-admin/link-manager.php (modified) (1 diff)
• wp-admin/page.php (modified) (1 diff)
• wp-admin/post.php (modified) (1 diff)
• wp-admin/upgrade.php (modified) (2 diffs)
• wp-admin/upload-functions.php (modified) (2 diffs)
• wp-admin/upload.php (modified) (1 diff)
• wp-admin/user-edit.php (modified) (1 diff)
• wp-includes/bookmark-template.php (modified) (2 diffs)
• wp-includes/comment.php (modified) (1 diff)
• wp-includes/functions.php (modified) (2 diffs)
• wp-includes/general-template.php (modified) (4 diffs)
• wp-includes/link-template.php (modified) (2 diffs)
• wp-includes/script-loader.php (modified) (1 diff)

trunk/wp-admin/admin-functions.php

@@ -371 +371 @@
         $text       = wp_specialchars( stripslashes( urldecode( $_REQUEST['text'] ) ) );
         $text       = funky_javascript_fix( $text);
-        $popupurl   = attribute_escape($_REQUEST['popupurl']);
+        $popupurl   = clean_url($_REQUEST['popupurl']);
         $post_content = '<a href="'.$popupurl.'">'.$post_title.'</a>'."\n$text";
     }
@@ -430 +430 @@
     $user->user_login   = attribute_escape($user->user_login);
     $user->user_email   = attribute_escape($user->user_email);
-    $user->user_url     = attribute_escape($user->user_url);
+    $user->user_url     = clean_url($user->user_url);
     $user->first_name   = attribute_escape($user->first_name);
     $user->last_name    = attribute_escape($user->last_name);
@@ -575 +575 @@
     $link = get_link( $link_id );
 
-    $link->link_url         = attribute_escape($link->link_url);
+    $link->link_url         = clean_url($link->link_url);
     $link->link_name        = attribute_escape($link->link_name);
     $link->link_image       = attribute_escape($link->link_image);
     $link->link_description = attribute_escape($link->link_description);
-    $link->link_rss         = attribute_escape($link->link_rss);
+    $link->link_rss         = clean_url($link->link_rss);
     $link->link_rel         = attribute_escape($link->link_rel);
     $link->link_notes       =  wp_specialchars($link->link_notes);
@@ -589 +589 @@
 function get_default_link_to_edit() {
     if ( isset( $_GET['linkurl'] ) )
-        $link->link_url = attribute_escape( $_GET['linkurl']);
+        $link->link_url = clean_url( $_GET['linkurl']);
     else
         $link->link_url = '';
@@ -880 +880 @@
     $r .= "</td>\n\t\t<td>";
     if ( current_user_can( 'edit_user', $user_object->ID ) ) {
-        $edit_link = attribute_escape( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), "user-edit.php?user_id=$user_object->ID" ));
+        $edit_link = clean_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), "user-edit.php?user_id=$user_object->ID" ));
         $r .= "<a href='$edit_link' class='edit'>".__( 'Edit' )."</a>";
     }

trunk/wp-admin/bookmarklet.php

@@ -38 +38 @@
 
 $content  = wp_specialchars($_REQUEST['content']);
-$popupurl = attribute_escape($_REQUEST['popupurl']);
+$popupurl = clean_url($_REQUEST['popupurl']);
 if ( !empty($content) ) {
     $post->post_content = wp_specialchars( stripslashes($_REQUEST['content']) );

trunk/wp-admin/edit-comments.php

@@ -102 +102 @@
 if ( 1 < $page ) {
     $args['apage'] = ( 1 == $page - 1 ) ? FALSE : $page - 1;
-    $r .=  '<a class="prev" href="' . attribute_escape(add_query_arg( $args )) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
+    $r .=  '<a class="prev" href="' . clean_url(add_query_arg( $args )) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
 }
 if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
@@ -112 +112 @@
             if ( $page_num < 3 || ( $page_num >= $page - 3 && $page_num <= $page + 3 ) || $page_num > $total_pages - 3 ) :
                 $args['apage'] = ( 1 == $page_num ) ? FALSE : $page_num;
-                $r .= '<a class="page-numbers" href="' . attribute_escape(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
+                $r .= '<a class="page-numbers" href="' . clean_url(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
                 $in = true;
             elseif ( $in == true ) :
@@ -123 +123 @@
 if ( ( $page ) * 20 < $total || -1 == $total ) {
     $args['apage'] = $page + 1;
-    $r .=  '<a class="next" href="' . attribute_escape(add_query_arg($args)) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
+    $r .=  '<a class="next" href="' . clean_url(add_query_arg($args)) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
 }
 echo "<p class='pagenav'>$r</p>";
@@ -249 +249 @@
 if ( 1 < $page ) {
     $args['apage'] = ( 1 == $page - 1 ) ? FALSE : $page - 1;
-    $r .=  '<a class="prev" href="' . attribute_escape(add_query_arg( $args )) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
+    $r .=  '<a class="prev" href="' . clean_url(add_query_arg( $args )) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
 }
 if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
@@ -259 +259 @@
             if ( $page_num < 3 || ( $page_num >= $page - 3 && $page_num <= $page + 3 ) || $page_num > $total_pages - 3 ) :
                 $args['apage'] = ( 1 == $page_num ) ? FALSE : $page_num;
-                $r .= '<a class="page-numbers" href="' . attribute_escape(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
+                $r .= '<a class="page-numbers" href="' . clean_url(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
                 $in = true;
             elseif ( $in == true ) :
@@ -270 +270 @@
 if ( ( $page ) * 20 < $total || -1 == $total ) {
     $args['apage'] = $page + 1;
-    $r .=  '<a class="next" href="' . attribute_escape(add_query_arg($args)) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
+    $r .=  '<a class="next" href="' . clean_url(add_query_arg($args)) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
 }
 echo "<p class='pagenav'>$r</p>";

trunk/wp-admin/edit-form-advanced.php

@@ -169 +169 @@
 <input name="referredby" type="hidden" id="referredby" value="<?php 
 if ( !empty($_REQUEST['popupurl']) )
-    echo attribute_escape(stripslashes($_REQUEST['popupurl']));
+    echo clean_url(stripslashes($_REQUEST['popupurl']));
 else if ( url_to_postid(wp_get_referer()) == $post_ID )
     echo 'redo';
 else
-    echo attribute_escape(stripslashes(wp_get_referer()));
+    echo clean_url(stripslashes(wp_get_referer()));
 ?>" /></p>
 

trunk/wp-admin/edit-page-form.php

@@ -14 +14 @@
 }
 
-$sendto = attribute_escape(stripslashes(wp_get_referer()));
+$sendto = clean_url(stripslashes(wp_get_referer()));
 
 if ( 0 != $post_ID && $sendto == get_permalink($post_ID) )

trunk/wp-admin/link-manager.php

@@ -134 +134 @@
         $link->link_name = attribute_escape(apply_filters('link_title', $link->link_name));
         $link->link_description = wp_specialchars(apply_filters('link_description', $link->link_description));
-        $link->link_url = attribute_escape($link->link_url);
+        $link->link_url = clean_url($link->link_url);
         $link->link_category = wp_get_link_cats($link->link_id);
         $short_url = str_replace('http://', '', $link->link_url);

trunk/wp-admin/page.php

@@ -65 +65 @@
     <div id='preview' class='wrap'>
     <h2 id="preview-post"><?php _e('Page Preview (updated when page is saved)'); ?></h2>
-        <iframe src="<?php echo attribute_escape(apply_filters('preview_page_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
+        <iframe src="<?php echo clean_url(apply_filters('preview_page_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
     </div>
     <?php

trunk/wp-admin/post.php

@@ -70 +70 @@
     <div id='preview' class='wrap'>
     <h2 id="preview-post"><?php _e('Post Preview (updated when post is saved)'); ?></h2>
-        <iframe src="<?php echo attribute_escape(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
+        <iframe src="<?php echo clean_url(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
     </div>
     <?php

trunk/wp-admin/upgrade.php

@@ -36 +36 @@
 switch($step) :
     case 0:
-        $goback = attribute_escape(stripslashes(wp_get_referer()));
+        $goback = clean_url(stripslashes(wp_get_referer()));
 ?>
 <h2><?php _e('Database Upgrade Required'); ?></h2>
@@ -50 +50 @@
             $backto = __get_option('home') . '/';
         else
-            $backto = attribute_escape(stripslashes($_GET['backto']));
+            $backto = clean_url(stripslashes($_GET['backto']));
 ?> 
 <h2><?php _e('Upgrade Complete'); ?></h2>

trunk/wp-admin/upload-functions.php

@@ -84 +84 @@
                 echo '<a href="' . get_permalink() . '">' . __('view') . '</a>';
                 echo '&nbsp;|&nbsp;';
-                    echo '<a href="' . attribute_escape(add_query_arg('action', 'edit')) . '" title="' . __('Edit this file') . '">' . __('edit') . '</a>';
+                    echo '<a href="' . clean_url(add_query_arg('action', 'edit')) . '" title="' . __('Edit this file') . '">' . __('edit') . '</a>';
                 echo '&nbsp;|&nbsp;';
-                echo '<a href="' . attribute_escape(remove_query_arg(array('action', 'ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
+                echo '<a href="' . clean_url(remove_query_arg(array('action', 'ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
                 echo '&nbsp;]'; ?></span>
         </div>
@@ -124 +124 @@
                 echo '<a href="' . get_permalink() . '">' . __('view') . '</a>';
                 echo '&nbsp;|&nbsp;';
-                    echo '<a href="' . attribute_escape(add_query_arg('action', 'view')) . '">' . __('links') . '</a>';
+                    echo '<a href="' . clean_url(add_query_arg('action', 'view')) . '">' . __('links') . '</a>';
                 echo '&nbsp;|&nbsp;';
-                echo '<a href="' . attribute_escape(remove_query_arg(array('action','ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
+                echo '<a href="' . clean_url(remove_query_arg(array('action','ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
                 echo '&nbsp;]'; ?></span>
         </div>

trunk/wp-admin/upload.php

@@ -91 +91 @@
     if ( isset($tab_array[4]) && is_array($tab_array[4]) )
         add_query_arg( $tab_array[4], $href );
-    $_href = attribute_escape( $href);
+    $_href = clean_url( $href);
     $page_links = '';
     $class = 'upload-tab alignleft';

trunk/wp-admin/user-edit.php

@@ -56 +56 @@
     <p><strong><?php _e('User updated.') ?></strong></p>
     <?php if ( $wp_http_referer ) : ?>
-    <p><a href="<?php echo attribute_escape($wp_http_referer); ?>"><?php _e('&laquo; Back to Authors and Users'); ?></a></p>
+    <p><a href="<?php echo clean_url($wp_http_referer); ?>"><?php _e('&laquo; Back to Authors and Users'); ?></a></p>
     <?php endif; ?>
 </div>

trunk/wp-includes/bookmark-template.php

@@ -97 +97 @@
         $the_link = '#';
         if ( !empty($row->link_url) )
-            $the_link = wp_specialchars($row->link_url);
+            $the_link = clean_url($row->link_url);
         $rel = $row->link_rel;
         if ( '' != $rel )
@@ -261 +261 @@
         $the_link = '#';
         if ( !empty($bookmark->link_url) )
-            $the_link = wp_specialchars($bookmark->link_url);
+            $the_link = clean_url($bookmark->link_url);
 
         $rel = $bookmark->link_rel;

trunk/wp-includes/comment.php

@@ -170 +170 @@
         $comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
         $comment_author_url = stripslashes($comment_author_url);
-        $comment_author_url = attribute_escape($comment_author_url);
+        $comment_author_url = clean_url($comment_author_url);
         $_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url;
     }

trunk/wp-includes/functions.php

@@ -1273 +1273 @@
     $adminurl = get_option('siteurl') . '/wp-admin';
     if ( wp_get_referer() )
-        $adminurl = attribute_escape(wp_get_referer());
+        $adminurl = clean_url(wp_get_referer());
 
     $title = __('WordPress Confirmation');
@@ -1290 +1290 @@
         $html .= "\t\t<div id='message' class='confirm fade'>\n\t\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t\t<p><a href='$adminurl'>" . __('No') . "</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t\t</div>\n\t</form>\n";
     } else {
-        $html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . attribute_escape(add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] )) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
+        $html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . clean_url(add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] )) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
     }
     $html .= "</body>\n</html>";

trunk/wp-includes/general-template.php

@@ -298 +298 @@
     $text = wptexturize($text);
     $title_text = attribute_escape($text);
+    $url = clean_url($url);
 
     if ('link' == $format)
@@ -986 +987 @@
         if ( $add_args )
             $link = add_query_arg( $add_args, $link );
-        $page_links[] = "<a class='prev page-numbers' href='" . attribute_escape($link) . "'>$prev_text</a>";
+        $page_links[] = "<a class='prev page-numbers' href='" . clean_url($link) . "'>$prev_text</a>";
     endif;
     for ( $n = 1; $n <= $total; $n++ ) :
@@ -998 +999 @@
                 if ( $add_args )
                     $link = add_query_arg( $add_args, $link );
-                $page_links[] = "<a class='page-numbers' href='" . attribute_escape($link) . "'>$n</a>";
+                $page_links[] = "<a class='page-numbers' href='" . clean_url($link) . "'>$n</a>";
                 $dots = true;
             elseif ( $dots && !$show_all ) :
@@ -1011 +1012 @@
         if ( $add_args )
             $link = add_query_arg( $add_args, $link );
-        $page_links[] = "<a class='next page-numbers' href='" . attribute_escape($link) . "'>$next_text</a>";
+        $page_links[] = "<a class='next page-numbers' href='" . clean_url($link) . "'>$next_text</a>";
     endif;
     switch ( $type ) :

trunk/wp-includes/link-template.php

@@ -504 +504 @@
 
 function next_posts($max_page = 0) {
-    echo attribute_escape(get_next_posts_page_link($max_page));
+    echo clean_url(get_next_posts_page_link($max_page));
 }
 
@@ -534 +534 @@
 
 function previous_posts() {
-    echo attribute_escape(get_previous_posts_page_link());
+    echo clean_url(get_previous_posts_page_link());
 }
 

trunk/wp-includes/script-loader.php

@@ -151 +151 @@
                     $src = 0 === strpos($this->scripts[$handle]->src, 'http://') ? $this->scripts[$handle]->src : get_option( 'siteurl' ) . $this->scripts[$handle]->src;
                     $src = add_query_arg('ver', $ver, $src);
-                    $src = attribute_escape(apply_filters( 'script_loader_src', $src ));
+                    $src = clean_url(apply_filters( 'script_loader_src', $src ));
                     echo "<script type='text/javascript' src='$src'></script>\n";
                     $this->print_scripts_l10n( $handle );