Changeset 5550 for branches/2.0/wp-admin/edit-form-advanced.php

Timestamp:

05/25/2007 10:33:48 PM (16 years ago)

Author:

markjaquith

Message:

attribute_escape()s and int casts for 2.0.x: see #4333

File:

• branches/2.0/wp-admin/edit-form-advanced.php (modified) (10 diffs)

branches/2.0/wp-admin/edit-form-advanced.php

@@ -1 +1 @@
 <?php
+if ( isset($_GET['message']) )
+    $_GET['message'] = (int) $_GET['message'];
 $messages[1] = __('Post updated');
 $messages[2] = __('Custom field updated');
@@ -5 +7 @@
 ?>
 <?php if (isset($_GET['message'])) : ?>
-<div id="message" class="updated fade"><p><?php echo $messages[$_GET['message']]; ?></p></div>
+<div id="message" class="updated fade"><p><?php echo wp_specialchars($messages[$_GET['message']]); ?></p></div>
 <?php endif; ?>
 
@@ -25 +27 @@
     wp_nonce_field('add-post');
 } else {
+    $post_ID = (int) $post_ID;
     $form_action = 'editpost';
     $form_extra = "<input type='hidden' name='post_ID' value='$post_ID' />";
@@ -30 +33 @@
 }
 
-$form_pingback = '<input type="hidden" name="post_pingback" value="' . get_option('default_pingback_flag') . '" id="post_pingback" />';
-
-$form_prevstatus = '<input type="hidden" name="prev_status" value="' . $post->post_status . '" />';
-
-$form_trackback = '<input type="text" name="trackback_url" style="width: 415px" id="trackback" tabindex="7" value="'. str_replace("\n", ' ', $post->to_ping) .'" />';
+$form_pingback = '<input type="hidden" name="post_pingback" value="' . (int) get_option('default_pingback_flag') . '" id="post_pingback" />'; 
+
+$form_prevstatus = '<input type="hidden" name="prev_status" value="' . attribute_escape( $post->post_status ) . '" />'; 
+
+$form_trackback = '<input type="text" name="trackback_url" style="width: 415px" id="trackback" tabindex="7" value="'. attribute_escape( str_replace("\n", ' ', $post->to_ping) ) .'" />';
 
 if ('' != $post->pinged) {
@@ -45 +48 @@
 }
 
-$saveasdraft = '<input name="save" type="submit" id="save" tabindex="3" value="' . __('Save and Continue Editing') . '" />';
+$saveasdraft = '<input name="save" type="submit" id="save" tabindex="3" value="' . attribute_escape(__('Save and Continue Editing')) . '" />';
 
 if (empty($post->post_status)) $post->post_status = 'draft';
@@ -51 +54 @@
 ?>
 
-<input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" />
+<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" />
 <input type="hidden" name="action" value="<?php echo $form_action ?>" />
-<input type="hidden" name="post_author" value="<?php echo $post->post_author ?>" />
+<input type="hidden" name="post_author" value="<?php echo attribute_escape($post->post_author) ?>" />
 
 <?php echo $form_extra ?>
@@ -83 +86 @@
 <fieldset id="passworddiv" class="dbx-box">
 <h3 class="dbx-handle"><?php _e('Password-Protect Post') ?></h3> 
-<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo $post->post_password ?>" /></div>
+<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo attribute_escape($post->post_password) ?>" /></div>
 </fieldset>
 
 <fieldset id="slugdiv" class="dbx-box">
 <h3 class="dbx-handle"><?php _e('Post slug') ?></h3> 
-<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo $post->post_name ?>" /></div>
+<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo attribute_escape($post->post_name) ?>" /></div>
 </fieldset>
 
@@ -124 +127 @@
 if ( $post->post_author == $o->ID || ( empty($post_ID) && $user_ID == $o->ID ) ) $selected = 'selected="selected"';
 else $selected = '';
-echo "<option value='$o->ID' $selected>$o->display_name</option>";
+echo "<option value='" . (int) $o->ID . "' $selected>" . wp_specialchars($o->display_name) . "</option>";
 endforeach;
 ?>
@@ -139 +142 @@
 <fieldset id="titlediv">
   <legend><?php _e('Title') ?></legend> 
-  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo $post->post_title; ?>" id="title" /></div>
+  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape($post->post_title); ?>" id="title" /></div>
 </fieldset>
 
@@ -222 +225 @@
 <?php
 if (current_user_can('upload_files')) {
-    $uploading_iframe_ID = (0 == $post_ID ? $temp_ID : $post_ID);
+    $uploading_iframe_ID = (int) (0 == $post_ID ? $temp_ID : $post_ID);
     $uploading_iframe_src = wp_nonce_url("inline-uploading.php?action=view&amp;post=$uploading_iframe_ID", 'inlineuploading');
     $uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src);