Make WordPress Core

Changeset 5057


Ignore:
Timestamp:
03/17/2007 08:47:29 AM (18 years ago)
Author:
markjaquith
Message:

use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.1.

Location:
branches/2.1
Files:
18 edited

Legend:

Unmodified
Added
Removed
  • branches/2.1/wp-admin/admin-functions.php

    r5007 r5057  
    359359        $text       = wp_specialchars( stripslashes( urldecode( $_REQUEST['text'] ) ) );
    360360        $text       = funky_javascript_fix( $text);
    361         $popupurl   = attribute_escape($_REQUEST['popupurl']);
     361        $popupurl   = clean_url($_REQUEST['popupurl']);
    362362        $post_content = '<a href="'.$popupurl.'">'.$post_title.'</a>'."\n$text";
    363363    }
     
    418418    $user->user_login   = attribute_escape($user->user_login);
    419419    $user->user_email   = attribute_escape($user->user_email);
    420     $user->user_url     = attribute_escape($user->user_url);
     420    $user->user_url     = clean_url($user->user_url);
    421421    $user->first_name   = attribute_escape($user->first_name);
    422422    $user->last_name    = attribute_escape($user->last_name);
     
    563563    $link = get_link( $link_id );
    564564
    565     $link->link_url         = attribute_escape($link->link_url);
     565    $link->link_url         = clean_url($link->link_url);
    566566    $link->link_name        = attribute_escape($link->link_name);
    567567    $link->link_image       = attribute_escape($link->link_image);
    568568    $link->link_description = attribute_escape($link->link_description);
    569     $link->link_rss         = attribute_escape($link->link_rss);
     569    $link->link_rss         = clean_url($link->link_rss);
    570570    $link->link_rel         = attribute_escape($link->link_rel);
    571571    $link->link_notes       =  wp_specialchars($link->link_notes);
     
    577577function get_default_link_to_edit() {
    578578    if ( isset( $_GET['linkurl'] ) )
    579         $link->link_url = attribute_escape( $_GET['linkurl']);
     579        $link->link_url = clean_url( $_GET['linkurl']);
    580580    else
    581581        $link->link_url = '';
     
    868868    $r .= "</td>\n\t\t<td>";
    869869    if ( current_user_can( 'edit_user', $user_object->ID ) ) {
    870         $edit_link = attribute_escape( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), "user-edit.php?user_id=$user_object->ID" ));
     870        $edit_link = clean_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), "user-edit.php?user_id=$user_object->ID" ));
    871871        $r .= "<a href='$edit_link' class='edit'>".__( 'Edit' )."</a>";
    872872    }
  • branches/2.1/wp-admin/bookmarklet.php

    r4656 r5057  
    3838
    3939$content  = wp_specialchars($_REQUEST['content']);
    40 $popupurl = attribute_escape($_REQUEST['popupurl']);
     40$popupurl = clean_url($_REQUEST['popupurl']);
    4141if ( !empty($content) ) {
    4242    $post->post_content = wp_specialchars( stripslashes($_REQUEST['content']) );
  • branches/2.1/wp-admin/edit-comments.php

    r5007 r5057  
    102102if ( 1 < $page ) {
    103103    $args['apage'] = ( 1 == $page - 1 ) ? FALSE : $page - 1;
    104     $r .=  '<a class="prev" href="' . attribute_escape(add_query_arg( $args )) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
     104    $r .=  '<a class="prev" href="' . clean_url(add_query_arg( $args )) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
    105105}
    106106if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
     
    112112            if ( $page_num < 3 || ( $page_num >= $page - 3 && $page_num <= $page + 3 ) || $page_num > $total_pages - 3 ) :
    113113                $args['apage'] = ( 1 == $page_num ) ? FALSE : $page_num;
    114                 $r .= '<a class="page-numbers" href="' . attribute_escape(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
     114                $r .= '<a class="page-numbers" href="' . clean_url(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
    115115                $in = true;
    116116            elseif ( $in == true ) :
     
    123123if ( ( $page ) * 20 < $total || -1 == $total ) {
    124124    $args['apage'] = $page + 1;
    125     $r .=  '<a class="next" href="' . attribute_escape(add_query_arg($args)) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
     125    $r .=  '<a class="next" href="' . clean_url(add_query_arg($args)) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
    126126}
    127127echo "<p class='pagenav'>$r</p>";
     
    249249if ( 1 < $page ) {
    250250    $args['apage'] = ( 1 == $page - 1 ) ? FALSE : $page - 1;
    251     $r .=  '<a class="prev" href="' . attribute_escape(add_query_arg( $args )) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
     251    $r .=  '<a class="prev" href="' . clean_url(add_query_arg( $args )) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
    252252}
    253253if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
     
    259259            if ( $page_num < 3 || ( $page_num >= $page - 3 && $page_num <= $page + 3 ) || $page_num > $total_pages - 3 ) :
    260260                $args['apage'] = ( 1 == $page_num ) ? FALSE : $page_num;
    261                 $r .= '<a class="page-numbers" href="' . attribute_escape(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
     261                $r .= '<a class="page-numbers" href="' . clean_url(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
    262262                $in = true;
    263263            elseif ( $in == true ) :
     
    270270if ( ( $page ) * 20 < $total || -1 == $total ) {
    271271    $args['apage'] = $page + 1;
    272     $r .=  '<a class="next" href="' . attribute_escape(add_query_arg($args)) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
     272    $r .=  '<a class="next" href="' . clean_url(add_query_arg($args)) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
    273273}
    274274echo "<p class='pagenav'>$r</p>";
  • branches/2.1/wp-admin/edit-form-advanced.php

    r4760 r5057  
    169169<input name="referredby" type="hidden" id="referredby" value="<?php
    170170if ( !empty($_REQUEST['popupurl']) )
    171     echo attribute_escape(stripslashes($_REQUEST['popupurl']));
     171    echo clean_url(stripslashes($_REQUEST['popupurl']));
    172172else if ( url_to_postid(wp_get_referer()) == $post_ID )
    173173    echo 'redo';
    174174else
    175     echo attribute_escape(stripslashes(wp_get_referer()));
     175    echo clean_url(stripslashes(wp_get_referer()));
    176176?>" /></p>
    177177
  • branches/2.1/wp-admin/edit-page-form.php

    r4760 r5057  
    1414}
    1515
    16 $sendto = attribute_escape(stripslashes(wp_get_referer()));
     16$sendto = clean_url(stripslashes(wp_get_referer()));
    1717
    1818if ( 0 != $post_ID && $sendto == get_permalink($post_ID) )
  • branches/2.1/wp-admin/link-manager.php

    r4700 r5057  
    134134        $link->link_name = attribute_escape($link->link_name);
    135135        $link->link_description = wp_specialchars($link->link_description);
    136         $link->link_url = attribute_escape($link->link_url);
     136        $link->link_url = clean_url($link->link_url);
    137137        $link->link_category = wp_get_link_cats($link->link_id);
    138138        $short_url = str_replace('http://', '', $link->link_url);
  • branches/2.1/wp-admin/page.php

    r4780 r5057  
    6464    <div id='preview' class='wrap'>
    6565    <h2 id="preview-post"><?php _e('Page Preview (updated when page is saved)'); ?></h2>
    66         <iframe src="<?php echo attribute_escape(apply_filters('preview_page_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
     66        <iframe src="<?php echo clean_url(apply_filters('preview_page_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
    6767    </div>
    6868    <?php
  • branches/2.1/wp-admin/post.php

    r4780 r5057  
    7070    <div id='preview' class='wrap'>
    7171    <h2 id="preview-post"><?php _e('Post Preview (updated when post is saved)'); ?></h2>
    72         <iframe src="<?php echo attribute_escape(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
     72        <iframe src="<?php echo clean_url(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
    7373    </div>
    7474    <?php
  • branches/2.1/wp-admin/upgrade.php

    r4656 r5057  
    2929switch($step) {
    3030    case 0:
    31         $goback = attribute_escape(stripslashes(wp_get_referer()));
     31        $goback = clean_url(stripslashes(wp_get_referer()));
    3232?>
    3333<p><?php _e('This file upgrades you from any previous version of WordPress to the latest. It may take a while though, so be patient.'); ?></p>
     
    4141            $backto = __get_option('home');
    4242        else
    43             $backto = attribute_escape(stripslashes($_GET['backto']));
     43            $backto = clean_url(stripslashes($_GET['backto']));
    4444?>
    4545<h2><?php _e('Step 1'); ?></h2>
  • branches/2.1/wp-admin/upload-functions.php

    r5007 r5057  
    3636
    3737    if ( $href )
    38         $r .= "<a id='file-link-$id' href='" . attribute_escape($href) ."' title='$post_title' class='file-link $class'>\n";
     38        $r .= "<a id='file-link-$id' href='" . clean_url($href) ."' title='$post_title' class='file-link $class'>\n";
    3939    if ( $href || $image_src )
    4040        $r .= "\t\t\t$innerHTML";
     
    8484                echo '<a href="' . get_permalink() . '">' . __('view') . '</a>';
    8585                echo '&nbsp;|&nbsp;';
    86                     echo '<a href="' . attribute_escape(add_query_arg('action', 'edit')) . '" title="' . __('Edit this file') . '">' . __('edit') . '</a>';
     86                    echo '<a href="' . clean_url(add_query_arg('action', 'edit')) . '" title="' . __('Edit this file') . '">' . __('edit') . '</a>';
    8787                echo '&nbsp;|&nbsp;';
    88                 echo '<a href="' . attribute_escape(remove_query_arg(array('action', 'ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
     88                echo '<a href="' . clean_url(remove_query_arg(array('action', 'ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
    8989                echo '&nbsp;]'; ?></span>
    9090        </div>
     
    124124                echo '<a href="' . get_permalink() . '">' . __('view') . '</a>';
    125125                echo '&nbsp;|&nbsp;';
    126                     echo '<a href="' . attribute_escape(add_query_arg('action', 'view')) . '">' . __('links') . '</a>';
     126                    echo '<a href="' . clean_url(add_query_arg('action', 'view')) . '">' . __('links') . '</a>';
    127127                echo '&nbsp;|&nbsp;';
    128                 echo '<a href="' . attribute_escape(remove_query_arg(array('action','ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
     128                echo '<a href="' . clean_url(remove_query_arg(array('action','ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
    129129                echo '&nbsp;]'; ?></span>
    130130        </div>
  • branches/2.1/wp-admin/upload.php

    r4708 r5057  
    9191    if ( isset($tab_array[4]) && is_array($tab_array[4]) )
    9292        add_query_arg( $tab_array[4], $href );
    93     $_href = attribute_escape( $href);
     93    $_href = clean_url( $href);
    9494    $page_links = '';
    9595    $class = 'upload-tab alignleft';
  • branches/2.1/wp-admin/user-edit.php

    r4758 r5057  
    5656    <p><strong><?php _e('User updated.') ?></strong></p>
    5757    <?php if ( $wp_http_referer ) : ?>
    58     <p><a href="<?php echo attribute_escape($wp_http_referer); ?>"><?php _e('&laquo; Back to Authors and Users'); ?></a></p>
     58    <p><a href="<?php echo clean_url($wp_http_referer); ?>"><?php _e('&laquo; Back to Authors and Users'); ?></a></p>
    5959    <?php endif; ?>
    6060</div>
  • branches/2.1/wp-includes/bookmark-template.php

    r4800 r5057  
    9797        $the_link = '#';
    9898        if ( !empty($row->link_url) )
    99             $the_link = wp_specialchars($row->link_url);
     99            $the_link = clean_url($row->link_url);
    100100        $rel = $row->link_rel;
    101101        if ( '' != $rel )
     
    261261        $the_link = '#';
    262262        if ( !empty($bookmark->link_url) )
    263             $the_link = wp_specialchars($bookmark->link_url);
     263            $the_link = clean_url($bookmark->link_url);
    264264
    265265        $rel = $bookmark->link_rel;
  • branches/2.1/wp-includes/comment.php

    r4705 r5057  
    170170        $comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
    171171        $comment_author_url = stripslashes($comment_author_url);
    172         $comment_author_url = attribute_escape($comment_author_url);
     172        $comment_author_url = clean_url($comment_author_url);
    173173        $_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url;
    174174    }
  • branches/2.1/wp-includes/functions.php

    r5050 r5057  
    11931193    $adminurl = get_option('siteurl') . '/wp-admin';
    11941194    if ( wp_get_referer() )
    1195         $adminurl = attribute_escape(wp_get_referer());
     1195        $adminurl = clean_url(wp_get_referer());
    11961196
    11971197    $title = __('WordPress Confirmation');
     
    12101210        $html .= "\t\t<div id='message' class='confirm fade'>\n\t\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t\t<p><a href='$adminurl'>" . __('No') . "</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t\t</div>\n\t</form>\n";
    12111211    } else {
    1212         $html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . attribute_escape(add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] )) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
     1212        $html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . clean_url(add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] )) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
    12131213    }
    12141214    $html .= "</body>\n</html>";
  • branches/2.1/wp-includes/general-template.php

    r5027 r5057  
    290290    $text = wptexturize($text);
    291291    $title_text = attribute_escape($text);
     292    $url = clean_url($url);
    292293
    293294    if ('link' == $format)
     
    972973        if ( $add_args )
    973974            $link = add_query_arg( $add_args, $link );
    974         $page_links[] = "<a class='prev page-numbers' href='" . attribute_escape($link) . "'>$prev_text</a>";
     975        $page_links[] = "<a class='prev page-numbers' href='" . clean_url($link) . "'>$prev_text</a>";
    975976    endif;
    976977    for ( $n = 1; $n <= $total; $n++ ) :
     
    984985                if ( $add_args )
    985986                    $link = add_query_arg( $add_args, $link );
    986                 $page_links[] = "<a class='page-numbers' href='" . attribute_escape($link) . "'>$n</a>";
     987                $page_links[] = "<a class='page-numbers' href='" . clean_url($link) . "'>$n</a>";
    987988                $dots = true;
    988989            elseif ( $dots && !$show_all ) :
     
    997998        if ( $add_args )
    998999            $link = add_query_arg( $add_args, $link );
    999         $page_links[] = "<a class='next page-numbers' href='" . attribute_escape($link) . "'>$next_text</a>";
     1000        $page_links[] = "<a class='next page-numbers' href='" . clean_url($link) . "'>$next_text</a>";
    10001001    endif;
    10011002    switch ( $type ) :
  • branches/2.1/wp-includes/link-template.php

    r5046 r5057  
    460460
    461461function next_posts($max_page = 0) {
    462     echo attribute_escape(get_next_posts_page_link($max_page));
     462    echo clean_url(get_next_posts_page_link($max_page));
    463463}
    464464
     
    490490
    491491function previous_posts() {
    492     echo attribute_escape(get_previous_posts_page_link());
     492    echo clean_url(get_previous_posts_page_link());
    493493}
    494494
  • branches/2.1/wp-includes/script-loader.php

    r5007 r5057  
    7979                        $ver .= '&amp;' . $this->args[$handle];
    8080                    $src = 0 === strpos($this->scripts[$handle]->src, 'http://') ? $this->scripts[$handle]->src : get_option( 'siteurl' ) . $this->scripts[$handle]->src;
    81                     $src = attribute_escape(add_query_arg('ver', $ver, $src));
     81                    $src = clean_url(add_query_arg('ver', $ver, $src));
    8282                    echo "<script type='text/javascript' src='$src'></script>\n";
    8383                }
Note: See TracChangeset for help on using the changeset viewer.