WordPress.org

Make WordPress Core

Changeset 5550


Ignore:
Timestamp:
05/25/07 22:33:48 (7 years ago)
Author:
markjaquith
Message:

attribute_escape()s and int casts for 2.0.x: see #4333

Location:
branches/2.0/wp-admin
Files:
6 edited

Legend:

Unmodified
Added
Removed
  • branches/2.0/wp-admin/admin-functions.php

    r5406 r5550  
    320320    $comment = get_comment($id); 
    321321 
     322    $comment->comment_ID = (int) $comment->comment_ID; 
     323    $comment->comment_post_ID = (int) $comment->comment_post_ID; 
     324 
    322325    $comment->comment_content = format_to_edit($comment->comment_content, $richedit); 
    323326    $comment->comment_content = apply_filters('comment_edit_pre', $comment->comment_content); 
     327    $comment->comment_content = apply_filters( 'comment_text', $comment->comment_content ); 
    324328 
    325329    $comment->comment_author = format_to_edit($comment->comment_author); 
    326330    $comment->comment_author_email = format_to_edit($comment->comment_author_email); 
     331    $comment->comment_author_url = clean_url($comment->comment_author_url); 
    327332    $comment->comment_author_url = format_to_edit($comment->comment_author_url); 
    328333 
     
    863868        $entry['meta_key'] = attribute_escape( $entry['meta_key']); 
    864869        $entry['meta_value'] = attribute_escape( $entry['meta_value']); 
     870        $entry['meta_id'] = (int) $entry['meta_id']; 
    865871        echo " 
    866872            <tr class='$style'> 
  • branches/2.0/wp-admin/edit-form-advanced.php

    r4843 r5550  
    11<?php 
     2if ( isset($_GET['message']) ) 
     3    $_GET['message'] = (int) $_GET['message']; 
    24$messages[1] = __('Post updated'); 
    35$messages[2] = __('Custom field updated'); 
     
    57?> 
    68<?php if (isset($_GET['message'])) : ?> 
    7 <div id="message" class="updated fade"><p><?php echo $messages[$_GET['message']]; ?></p></div> 
     9<div id="message" class="updated fade"><p><?php echo wp_specialchars($messages[$_GET['message']]); ?></p></div> 
    810<?php endif; ?> 
    911 
     
    2527    wp_nonce_field('add-post'); 
    2628} else { 
     29    $post_ID = (int) $post_ID; 
    2730    $form_action = 'editpost'; 
    2831    $form_extra = "<input type='hidden' name='post_ID' value='$post_ID' />"; 
     
    3033} 
    3134 
    32 $form_pingback = '<input type="hidden" name="post_pingback" value="' . get_option('default_pingback_flag') . '" id="post_pingback" />'; 
    33  
    34 $form_prevstatus = '<input type="hidden" name="prev_status" value="' . $post->post_status . '" />'; 
    35  
    36 $form_trackback = '<input type="text" name="trackback_url" style="width: 415px" id="trackback" tabindex="7" value="'. str_replace("\n", ' ', $post->to_ping) .'" />'; 
     35$form_pingback = '<input type="hidden" name="post_pingback" value="' . (int) get_option('default_pingback_flag') . '" id="post_pingback" />';  
     36 
     37$form_prevstatus = '<input type="hidden" name="prev_status" value="' . attribute_escape( $post->post_status ) . '" />';  
     38 
     39$form_trackback = '<input type="text" name="trackback_url" style="width: 415px" id="trackback" tabindex="7" value="'. attribute_escape( str_replace("\n", ' ', $post->to_ping) ) .'" />'; 
    3740 
    3841if ('' != $post->pinged) { 
     
    4548} 
    4649 
    47 $saveasdraft = '<input name="save" type="submit" id="save" tabindex="3" value="' . __('Save and Continue Editing') . '" />'; 
     50$saveasdraft = '<input name="save" type="submit" id="save" tabindex="3" value="' . attribute_escape(__('Save and Continue Editing')) . '" />'; 
    4851 
    4952if (empty($post->post_status)) $post->post_status = 'draft'; 
     
    5154?> 
    5255 
    53 <input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" /> 
     56<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" /> 
    5457<input type="hidden" name="action" value="<?php echo $form_action ?>" /> 
    55 <input type="hidden" name="post_author" value="<?php echo $post->post_author ?>" /> 
     58<input type="hidden" name="post_author" value="<?php echo attribute_escape($post->post_author) ?>" /> 
    5659 
    5760<?php echo $form_extra ?> 
     
    8386<fieldset id="passworddiv" class="dbx-box"> 
    8487<h3 class="dbx-handle"><?php _e('Password-Protect Post') ?></h3>  
    85 <div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo $post->post_password ?>" /></div> 
     88<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo attribute_escape($post->post_password) ?>" /></div> 
    8689</fieldset> 
    8790 
    8891<fieldset id="slugdiv" class="dbx-box"> 
    8992<h3 class="dbx-handle"><?php _e('Post slug') ?></h3>  
    90 <div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo $post->post_name ?>" /></div> 
     93<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo attribute_escape($post->post_name) ?>" /></div> 
    9194</fieldset> 
    9295 
     
    124127if ( $post->post_author == $o->ID || ( empty($post_ID) && $user_ID == $o->ID ) ) $selected = 'selected="selected"'; 
    125128else $selected = ''; 
    126 echo "<option value='$o->ID' $selected>$o->display_name</option>"; 
     129echo "<option value='" . (int) $o->ID . "' $selected>" . wp_specialchars($o->display_name) . "</option>"; 
    127130endforeach; 
    128131?> 
     
    139142<fieldset id="titlediv"> 
    140143  <legend><?php _e('Title') ?></legend>  
    141   <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo $post->post_title; ?>" id="title" /></div> 
     144  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape($post->post_title); ?>" id="title" /></div> 
    142145</fieldset> 
    143146 
     
    222225<?php 
    223226if (current_user_can('upload_files')) { 
    224     $uploading_iframe_ID = (0 == $post_ID ? $temp_ID : $post_ID); 
     227    $uploading_iframe_ID = (int) (0 == $post_ID ? $temp_ID : $post_ID); 
    225228    $uploading_iframe_src = wp_nonce_url("inline-uploading.php?action=view&amp;post=$uploading_iframe_ID", 'inlineuploading'); 
    226229    $uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src); 
  • branches/2.0/wp-admin/edit-form-comment.php

    r3923 r5550  
    99<?php wp_nonce_field('update-comment_' . $comment->comment_ID) ?> 
    1010<div class="wrap"> 
    11 <input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" /> 
     11<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" /> 
    1212<input type="hidden" name="action" value='<?php echo $form_action . $form_extra ?>' /> 
    1313 
     
    2121    <legend><?php _e('Name:') ?></legend> 
    2222    <div> 
    23       <input type="text" name="newcomment_author" size="22" value="<?php echo $comment->comment_author ?>" tabindex="1" id="name" /> 
     23      <input type="text" name="newcomment_author" size="22" value="<?php echo attribute_escape($comment->comment_author); ?>" tabindex="1" id="name" /> 
    2424    </div> 
    2525</fieldset> 
     
    2727        <legend><?php _e('E-mail:') ?></legend> 
    2828        <div> 
    29           <input type="text" name="newcomment_author_email" size="30" value="<?php echo $comment->comment_author_email ?>" tabindex="2" id="email" /> 
     29          <input type="text" name="newcomment_author_email" size="30" value="<?php echo attribute_escape($comment->comment_author_email); ?>" tabindex="2" id="email" /> 
    3030    </div> 
    3131</fieldset> 
     
    3333        <legend><?php _e('URI:') ?></legend> 
    3434        <div> 
    35           <input type="text" id="newcomment_author_url" name="newcomment_author_url" size="35" value="<?php echo $comment->comment_author_url ?>" tabindex="3" id="URL" /> 
     35          <input type="text" id="newcomment_author_url" name="newcomment_author_url" size="35" value="<?php echo attribute_escape($comment->comment_author_url); ?>" tabindex="3" id="URL" /> 
    3636    </div> 
    3737</fieldset> 
  • branches/2.0/wp-admin/edit-form.php

    r3943 r5550  
    77<input type="hidden" name="mode" value="bookmarklet" /> 
    88<?php endif; ?> 
    9 <input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" /> 
     9<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" /> 
    1010<input type="hidden" name="action" value='post' /> 
    1111 
     
    2222    <fieldset id="titlediv"> 
    2323      <legend><a href="http://wordpress.org/docs/reference/post/#title" title="<?php _e('Help on titles') ?>"><?php _e('Title') ?></a></legend>  
    24       <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo $post->post_title; ?>" id="title" /></div> 
     24      <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape($post->post_title); ?>" id="title" /></div> 
    2525    </fieldset> 
    2626 
     
    5050</script> 
    5151 
    52 <input type="hidden" name="post_pingback" value="<?php echo get_option('default_pingback_flag') ?>" id="post_pingback" /> 
     52<input type="hidden" name="post_pingback" value="<?php echo (int) get_option('default_pingback_flag') ?>" id="post_pingback" /> 
    5353 
    5454<p><label for="trackback"> <?php printf(__('<a href="%s" title="Help on trackbacks"><strong>TrackBack</strong> a <abbr title="Universal Resource Identifier">URI</abbr></a>:</label> (Separate multiple <abbr title="Universal Resource Identifier">URI</abbr>s with spaces.)<br />'), 'http://wordpress.org/docs/reference/post/#trackback') ?> 
     
    6565      echo '<input name="advanced" type="submit" id="advancededit" tabindex="7" value="' .  __('Advanced Editing &raquo;') . '" />'; 
    6666  } ?> 
    67   <input name="referredby" type="hidden" id="referredby" value="<?php if ( wp_get_referer() ) echo urlencode(wp_get_referer()); ?>" /> 
     67  <input name="referredby" type="hidden" id="referredby" value="<?php if ( $refby = wp_get_referer() ) echo urlencode($refby); ?>" /> 
    6868</p> 
    6969 
  • branches/2.0/wp-admin/edit-page-form.php

    r4656 r5550  
    1010    $form_extra = "<input type='hidden' name='temp_ID' value='$temp_ID' />"; 
    1111} else { 
     12    $post_ID = (int) $post_ID; 
    1213    $form_action = 'editpost'; 
    1314    $nonce_action = 'update-post_' . $post_ID; 
    1415    $form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />"; 
    1516} 
     17 
     18$temp_ID = (int) $temp_ID; 
     19$user_ID = (int) $user_ID; 
    1620 
    1721$sendto = attribute_escape(wp_get_referer()); 
     
    6165<fieldset id="passworddiv" class="dbx-box"> 
    6266<h3 class="dbx-handle"><?php _e('Password-Protect Post') ?></h3>  
    63 <div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo $post->post_password ?>" /></div> 
     67<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo attribute_escape($post->post_password); ?>" /></div> 
    6468</fieldset> 
    6569 
     
    8690<fieldset id="slugdiv" class="dbx-box"> 
    8791<h3 class="dbx-handle"><?php _e('Post slug') ?></h3>  
    88 <div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo $post->post_name ?>" /></div> 
     92<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo attribute_escape($post->post_name); ?>" /></div> 
    8993</fieldset> 
    9094 
     
    99103if ( $post->post_author == $o->ID || ( empty($post_ID) && $user_ID == $o->ID ) ) $selected = 'selected="selected"'; 
    100104else $selected = ''; 
     105$o->ID = (int) $o->ID; 
     106$o->display_name = wp_specialchars( $o->display_name ); 
    101107echo "<option value='$o->ID' $selected>$o->display_name</option>"; 
    102108endforeach; 
     
    119125<fieldset id="titlediv"> 
    120126  <legend><?php _e('Page Title') ?></legend>  
    121   <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo $post->post_title; ?>" id="title" /></div> 
     127  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape($post->post_title); ?>" id="title" /></div> 
    122128</fieldset> 
    123129 
  • branches/2.0/wp-admin/post.php

    r5058 r5550  
    195195    $p = (int) $_GET['p']; 
    196196 
    197     if ( ! $comment = get_comment($comment) ) 
     197    if ( ! $comment = get_comment_to_edit($comment) ) 
    198198        die(sprintf(__('Oops, no comment with this ID. <a href="%s">Go back</a>!'), 'edit.php')); 
    199199 
Note: See TracChangeset for help on using the changeset viewer.