
Changeset 5058


Timestamp:
03/17/2007 09:04:56 AM (18 years ago)
Author:
markjaquith
Message:

use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.0.

Location:
branches/2.0
Files:
7 edited

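--- a/branches/2.0/wp-admin/admin-functions.php
+++ b/branches/2.0/wp-admin/admin-functions.php
@@ -468,9 +468,9 @@
     $link = get_link($link_id);
 
-    $link->link_url         = attribute_escape($link->link_url);
+    $link->link_url         =        clean_url($link->link_url);
     $link->link_name        = attribute_escape($link->link_name);
     $link->link_image       = attribute_escape($link->link_image);
     $link->link_description = attribute_escape($link->link_description);
-    $link->link_rss         = attribute_escape($link->link_rss);
+    $link->link_rss         =        clean_url($link->link_rss);
     $link->link_rel         = attribute_escape($link->link_rel);
     $link->link_notes       =  wp_specialchars($link->link_notes);
@@ -482,5 +482,5 @@
 function get_default_link_to_edit() {
     if ( isset($_GET['linkurl']) )
-        $link->link_url = attribute_escape($_GET['linkurl']);
+        $link->link_url = clean_url($_GET['linkurl']);
     else
         $link->link_url = '';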
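Review bot: Line 472's `$link->link_image` is left on attribute_escape() although, like link_url and link_rss on the lines the commit converts, its name says it holds a URL; if it is rendered as an img `src` (not visible here) it needs the same scheme filtering, `$link->link_image = clean_url($link->link_image);`. In the second hunk `$link` is written through `$link->link_url` without ever being initialised, relying on PHP silently materialising an object; a `$link = new stdClass();` before the `if` makes that explicit and survives stricter PHP versions. Both hunks are cut from larger functions: the first begins before line 468 and get_default_link_to_edit() continues past line 486.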
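--- a/branches/2.0/wp-admin/bookmarklet.php
+++ b/branches/2.0/wp-admin/bookmarklet.php
@@ -38,5 +38,5 @@
 
 $content  = wp_specialchars($_REQUEST['content']);
-$popupurl = attribute_escape(stripslashes($_REQUEST['popupurl']));
+$popupurl = clean_url(stripslashes($_REQUEST['popupurl']));
     if ( !empty($content) ) {
         $post->post_content = wp_specialchars( stripslashes($_REQUEST['content']) );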
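Review bot: `$_REQUEST['popupurl']` on line 40 is read without an isset() guard, so loading bookmarklet.php without that parameter raises an undefined-index notice before clean_url() runs; `$popupurl = isset($_REQUEST['popupurl']) ? clean_url(stripslashes($_REQUEST['popupurl'])) : '';` avoids it. The unchanged line 39 has the same gap for `$_REQUEST['content']`. Where $popupurl is later embedded is outside the hunk, so I cannot confirm it only ever lands in a URL context.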
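--- a/branches/2.0/wp-admin/post.php
+++ b/branches/2.0/wp-admin/post.php
@@ -82,5 +82,5 @@
     <div id='preview' class='wrap'>
     <h2 id="preview-post"><?php _e('Post Preview (updated when post is saved)'); ?> <small class="quickjump"><a href="#write-post"><?php _e('edit &uarr;'); ?></a></small></h2>
-        <iframe src="<?php echo attribute_escape(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
+        <iframe src="<?php echo clean_url(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
     </div>
     <?php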
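Review bot: The ordering on line 84 — `preview_post_link` filter first, clean_url() outermost — is what keeps a plugin-supplied URL scheme-checked, but nothing records that this is deliberate. A one-line comment above the iframe, `// clean_url() stays outside the filter so plugin-supplied preview links are still validated`, would stop a later refactor from moving the filter outward. The surrounding template markup is outside the hunk.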
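--- a/branches/2.0/wp-admin/upgrade.php
+++ b/branches/2.0/wp-admin/upgrade.php
@@ -68,5 +68,5 @@
 
     case 0:
-    $goback = attribute_escape(stripslashes(wp_get_referer()));
+    $goback = clean_url(stripslashes(wp_get_referer()));
 ?>
 <p><?php _e('This file upgrades you from any previous version of WordPress to the latest. It may take a while though, so be patient.'); ?></p>
@@ -87,5 +87,5 @@
         $backto = __get_option('home');
     else
-        $backto = clean_url(stripslashes($_GET['backto']));
+        $backto = clean_url(stripslashes($_GET['backto']));
 ?>
 <h2><?php _e('Step 1'); ?></h2>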
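Review bot: `$backto` on line 89 comes straight from `$_GET['backto']`, so clean_url() only guarantees an allowed scheme; anyone can hand a victim `upgrade.php?backto=http://attacker.example` and, if $backto becomes the href of the "back" link (rendered outside the hunk), the page points off-site. Since line 87 already has the legitimate destination, pin the host before accepting it: `$home = __get_option('home'); $bp = parse_url($backto); $hp = parse_url($home);` followed by `if ( empty($bp['host']) || $bp['host'] != $hp['host'] ) $backto = $home;`. The same consideration applies to `$goback` from wp_get_referer() on line 70, though the referer is less directly attacker-chosen. Both hunks sit inside a switch whose start and end are outside the hunk.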
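--- a/branches/2.0/wp-includes/functions.php
+++ b/branches/2.0/wp-includes/functions.php
@@ -2492,5 +2492,5 @@
         $html .= "\t\t<div id='message' class='confirm fade'>\n\t\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t\t<p><a href='$adminurl'>" . __('No') . "</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t\t</div>\n\t</form>\n";
     } else {
-        $html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . attribute_escape(add_query_arg('_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'])) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
+        $html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . clean_url(add_query_arg('_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'])) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
     }
     $html .= "</body>\n</html>";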
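Review bot: Line 2494 drops the cleaned URL into a single-quoted attribute (`href='…'`) and its input is `$_SERVER['REQUEST_URI']`, which the attacker controls, so the swap is only safe if clean_url() also strips or encodes `'`, `<`, `>` and `&` the way attribute_escape() did — something this page does not show. If clean_url() only filters the scheme, the attribute can still be closed early; the layered form `attribute_escape(clean_url(add_query_arg('_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'])))` does the scheme check first and the attribute escaping last, provided attribute_escape() does not double-encode entities clean_url() may already have produced. The enclosing function starts and ends outside the hunk.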
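--- a/branches/2.0/wp-includes/links.php
+++ b/branches/2.0/wp-includes/links.php
@@ -213,5 +213,5 @@
         $the_link = '#';
         if (!empty($row->link_url))
-            $the_link = attribute_escape($row->link_url);
+            $the_link = clean_url($row->link_url);
 
         $rel = $row->link_rel;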
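Review bot: The `'#'` fallback on line 213 only covers a stored URL that is empty; if clean_url() returns an empty string for a rejected scheme (later WordPress versions do, but it cannot be confirmed from this page), line 215 produces `href=""`, a link back to the current page, instead of the intended `#`. Folding the result into the test keeps the fallback honest: `if ( !empty($row->link_url) && '' != ( $cleaned = clean_url($row->link_url) ) ) $the_link = $cleaned;`. The loop this belongs to starts and ends outside the hunk.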
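--- a/branches/2.0/wp-includes/template-functions-links.php
+++ b/branches/2.0/wp-includes/template-functions-links.php
@@ -459,5 +459,5 @@
 
 function next_posts($max_page = 0) {
-    echo attribute_escape(get_next_posts_page_link($max_page));
+    echo clean_url(get_next_posts_page_link($max_page));
 }
 
@@ -496,5 +496,5 @@
 
 function previous_posts() {
-    echo attribute_escape(get_previous_posts_page_link());
+    echo clean_url(get_previous_posts_page_link());
 }
 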
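Review bot: next_posts() and previous_posts() are public template tags whose echoed string themes paste straight into an `href`, so switching the escaping function is a theme-visible output change (for instance whether a `&` in the query string comes out as `&amp;`), yet neither function carries a docblock stating what the output guarantees. A header comment on each, e.g. `// Echoes the next/previous page link passed through clean_url(); meant for use inside an href attribute.`, would record the contract for theme authors. Whether clean_url() entity-encodes ampersands cannot be checked from this page.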