Make WordPress Core


Ignore:
Timestamp:
05/25/2007 10:33:48 PM (17 years ago)
Author:
markjaquith
Message:

attribute_escape()s and int casts for 2.0.x: see #4333

File:
1 edited

Legend:

Unmodified
Added
Removed
  • branches/2.0/wp-admin/edit-form-advanced.php

    r4843 r5550  
    11<?php
     2if ( isset($_GET['message']) )
     3    $_GET['message'] = (int) $_GET['message'];
    24$messages[1] = __('Post updated');
    35$messages[2] = __('Custom field updated');
     
    57?>
    68<?php if (isset($_GET['message'])) : ?>
    7 <div id="message" class="updated fade"><p><?php echo $messages[$_GET['message']]; ?></p></div>
     9<div id="message" class="updated fade"><p><?php echo wp_specialchars($messages[$_GET['message']]); ?></p></div>
    810<?php endif; ?>
    911
     
    2527    wp_nonce_field('add-post');
    2628} else {
     29    $post_ID = (int) $post_ID;
    2730    $form_action = 'editpost';
    2831    $form_extra = "<input type='hidden' name='post_ID' value='$post_ID' />";
     
    3033}
    3134
    32 $form_pingback = '<input type="hidden" name="post_pingback" value="' . get_option('default_pingback_flag') . '" id="post_pingback" />';
    33 
    34 $form_prevstatus = '<input type="hidden" name="prev_status" value="' . $post->post_status . '" />';
    35 
    36 $form_trackback = '<input type="text" name="trackback_url" style="width: 415px" id="trackback" tabindex="7" value="'. str_replace("\n", ' ', $post->to_ping) .'" />';
     35$form_pingback = '<input type="hidden" name="post_pingback" value="' . (int) get_option('default_pingback_flag') . '" id="post_pingback" />';
     36
     37$form_prevstatus = '<input type="hidden" name="prev_status" value="' . attribute_escape( $post->post_status ) . '" />';
     38
     39$form_trackback = '<input type="text" name="trackback_url" style="width: 415px" id="trackback" tabindex="7" value="'. attribute_escape( str_replace("\n", ' ', $post->to_ping) ) .'" />';
    3740
    3841if ('' != $post->pinged) {
     
    4548}
    4649
    47 $saveasdraft = '<input name="save" type="submit" id="save" tabindex="3" value="' . __('Save and Continue Editing') . '" />';
     50$saveasdraft = '<input name="save" type="submit" id="save" tabindex="3" value="' . attribute_escape(__('Save and Continue Editing')) . '" />';
    4851
    4952if (empty($post->post_status)) $post->post_status = 'draft';
     
    5154?>
    5255
    53 <input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" />
     56<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" />
    5457<input type="hidden" name="action" value="<?php echo $form_action ?>" />
    55 <input type="hidden" name="post_author" value="<?php echo $post->post_author ?>" />
     58<input type="hidden" name="post_author" value="<?php echo attribute_escape($post->post_author) ?>" />
    5659
    5760<?php echo $form_extra ?>
     
    8386<fieldset id="passworddiv" class="dbx-box">
    8487<h3 class="dbx-handle"><?php _e('Password-Protect Post') ?></h3>
    85 <div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo $post->post_password ?>" /></div>
     88<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo attribute_escape($post->post_password) ?>" /></div>
    8689</fieldset>
    8790
    8891<fieldset id="slugdiv" class="dbx-box">
    8992<h3 class="dbx-handle"><?php _e('Post slug') ?></h3>
    90 <div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo $post->post_name ?>" /></div>
     93<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo attribute_escape($post->post_name) ?>" /></div>
    9194</fieldset>
    9295
     
    124127if ( $post->post_author == $o->ID || ( empty($post_ID) && $user_ID == $o->ID ) ) $selected = 'selected="selected"';
    125128else $selected = '';
    126 echo "<option value='$o->ID' $selected>$o->display_name</option>";
     129echo "<option value='" . (int) $o->ID . "' $selected>" . wp_specialchars($o->display_name) . "</option>";
    127130endforeach;
    128131?>
     
    139142<fieldset id="titlediv">
    140143  <legend><?php _e('Title') ?></legend>
    141   <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo $post->post_title; ?>" id="title" /></div>
     144  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape($post->post_title); ?>" id="title" /></div>
    142145</fieldset>
    143146
     
    222225<?php
    223226if (current_user_can('upload_files')) {
    224     $uploading_iframe_ID = (0 == $post_ID ? $temp_ID : $post_ID);
     227    $uploading_iframe_ID = (int) (0 == $post_ID ? $temp_ID : $post_ID);
    225228    $uploading_iframe_src = wp_nonce_url("inline-uploading.php?action=view&amp;post=$uploading_iframe_ID", 'inlineuploading');
    226229    $uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src);
Note: See TracChangeset for help on using the changeset viewer.