Location:
branches/2.2
Files:
6 edited

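--- a/branches/2.2/wp-admin/admin-functions.php
+++ b/branches/2.2/wp-admin/admin-functions.php
@@ -902,5 +902,5 @@
     global $wpdb;
 
-    $start = abs( (int) $start );
+    $start = (int) $start;
     $num = (int) $num;
 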
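Review bot: The plain `(int)` cast on the new side's line 904 lets a negative `$start` through; if `$start` ends up as the offset of a LIMIT clause built on `$wpdb` further down (the enclosing function starts and ends outside the hunk), MySQL rejects a negative offset and the query fails. Clamping is more predictable than reflecting the sign: `$start = max( 0, (int) $start );`. The same clamp would suit `$num` on the next line if it is the row count.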
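--- a/branches/2.2/wp-admin/edit-comments.php
+++ b/branches/2.2/wp-admin/edit-comments.php
@@ -77,5 +77,5 @@
 
 if ( isset( $_GET['apage'] ) )
-    $page = abs( (int) $_GET['apage'] );
+    $page = (int) $_GET['apage'];
 else
     $page = 1;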
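Review bot: `$page = (int) $_GET['apage'];` at line 79 accepts 0 and negative values, while the `else` branch at line 81 shows the intended floor is 1; any offset later derived from `$page - 1` (outside the hunk) would then go negative. Clamp at the boundary instead of relying on the cast alone: `$page = max( 1, (int) $_GET['apage'] );`.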
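--- a/branches/2.2/wp-admin/link-import.php
+++ b/branches/2.2/wp-admin/link-import.php
@@ -74,6 +74,6 @@
 <h2><?php _e('Importing...') ?></h2>
 <?php
-        $cat_id = abs( (int) $_POST['cat_id'] );
-        if ( $cat_id < 1 )
+        $cat_id = $_POST['cat_id'];
+        if ( $cat_id == '' || $cat_id == 0 )
             $cat_id  = 1;
 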
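Review bot: Line 76 keeps `$_POST['cat_id']` as an uncast string, and the loose `== ''` / `== 0` test on line 77 only normalises empty or non-numeric input to 1, so a value such as `'3 abc'` (loosely equal to neither) survives unchanged into whatever consumes `$cat_id` after line 79, which is outside the hunk. Cast once at the boundary and compare as an integer: `$cat_id = isset( $_POST['cat_id'] ) ? (int) $_POST['cat_id'] : 0;` followed by `if ( $cat_id < 1 )`. The `isset()` also removes the undefined-index notice when the field is absent from the request.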
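--- a/branches/2.2/wp-admin/options.php
+++ b/branches/2.2/wp-admin/options.php
@@ -128,9 +128,8 @@
 foreach ( (array) $options as $option) :
     $disabled = '';
-    $option->option_name = attribute_escape($option->option_name);
     if ( is_serialized($option->option_value) ) {
         if ( is_serialized_string($option->option_value) ) {
             // this is a serialized string, so we should display it
-            $value = maybe_unserialize($option->option_value);
+            $value = wp_specialchars(maybe_unserialize($option->option_value), 'single');
             $options_to_update[] = $option->option_name;
             $class = 'all-options';
@@ -141,5 +140,5 @@
         }
     } else {
-        $value = $option->option_value;
+        $value = wp_specialchars($option->option_value, 'single');
         $options_to_update[] = $option->option_name;
         $class = 'all-options';
@@ -150,6 +149,6 @@
 <td>";
 
-    if (strpos($value, "\n") !== false) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>" . wp_specialchars($value) . "</textarea>";
-    else echo "<input class='$class' type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . attribute_escape($value) . "'$disabled />";
+    if (strpos($value, "\n") !== false) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>$value</textarea>";
+    else echo "<input class='$class' type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . $value . "'$disabled />";
 
     echo "</td>
@@ -160,5 +159,5 @@
   </table>
 <?php $options_to_update = implode(',', $options_to_update); ?>
-<p class="submit"><input type="hidden" name="page_options" value="<?php echo $options_to_update; ?>" /><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
+<p class="submit"><input type="hidden" name="page_options" value="<?php echo attribute_escape($options_to_update); ?>" /><input type="submit" name="Update" value="<?php _e('Update Options &raquo;') ?>" /></p>
   </form>
 </div>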
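Review bot: On the new side `$option->option_name` is written raw into the `name='…'` and `id='…'` attributes at lines 151 and 152: the `attribute_escape()` call on that field is gone and only `$value` is escaped, so an option name containing a quote ends the attribute. Escape the name at the point of output, which also keeps the unescaped name in `$options_to_update` for the hidden field: add `$name = attribute_escape( $option->option_name );` before the echo and use `name='$name' id='$name'` in both the textarea and the input line. The hidden `page_options` field at line 161 already takes that escape-at-output approach.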
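--- a/branches/2.2/wp-admin/upload-functions.php
+++ b/branches/2.2/wp-admin/upload-functions.php
@@ -108,5 +108,5 @@
     $post_id = (int) $post_id;
 ?>
-    <form<?php echo $enctype; ?> id="upload-file" method="post" action="<?php echo get_option('siteurl') . '/wp-admin/upload.php?style=' . attribute_escape($style . '&amp;tab=upload&amp;post_id=' . $post_id); ?>">
+    <form<?php echo $enctype; ?> id="upload-file" method="post" action="<?php echo get_option('siteurl') . '/wp-admin/upload.php?style=' . attribute_escape($style) . '&amp;tab=upload&amp;post_id=' . $post_id; ?>">
 <?php
     if ( $id ) :
@@ -203,5 +203,5 @@
         if ( !current_user_can( 'upload_files' ) )
             wp_die( __('You are not allowed to upload files.')
-                . " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=" . attribute_escape($style . "&amp;tab=browse-all&amp;post_id=$post_id") . "'>"
+                . " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=$style&amp;tab=browse-all&amp;post_id=$post_id'>"
                 . __('Browse Files') . '</a>'
             );
@@ -213,5 +213,5 @@
         if ( isset($file['error']) )
             wp_die($file['error'] . "<br /><a href='" . get_option('siteurl')
-            . "/wp-admin/upload.php?style=" . attribute_escape($style . "&amp;tab=$from_tab&amp;post_id=$post_id") . "'>" . __('Back to Image Uploading') . '</a>'
+            . "/wp-admin/upload.php?style=$style&amp;tab=$from_tab&amp;post_id=$post_id'>" . __('Back to Image Uploading') . '</a>'
         );
 
@@ -260,5 +260,5 @@
         if ( !current_user_can('edit_post', (int) $ID) )
             wp_die( __('You are not allowed to delete this attachment.')
-                . " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=" . attribute_escape($style . "&amp;tab=$from_tab&amp;post_id=$post_id") . "'>"
+                . " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=$style&amp;tab=$from_tab&amp;post_id=$post_id'>"
                 . __('Go back') . '</a>'
             );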
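Review bot: At line 205 `$style` is interpolated unescaped into the single-quoted href of the wp_die message, and lines 215 and 262 do the same with `$style` and `$from_tab`, whereas the form action at line 110 passes `$style` through `attribute_escape()`. Where these variables originate is outside the hunk; if they derive from the request, a quote in either one ends the attribute inside the error page. Escape them the way line 110 does: `. "/wp-admin/upload.php?style=" . attribute_escape($style) . "&amp;tab=browse-all&amp;post_id=$post_id'>"`, and likewise `attribute_escape($from_tab)` in the two other messages.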
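--- a/branches/2.2/wp-includes/functions.php
+++ b/branches/2.2/wp-includes/functions.php
@@ -204,5 +204,4 @@
 /* Options functions */
 
-// expects $setting to already be SQL-escaped
 function get_option($setting) {
     global $wpdb;
@@ -304,5 +303,4 @@
 }
 
-// expects $option_name to NOT be SQL-escaped
 function update_option($option_name, $newvalue) {
     global $wpdb;
@@ -310,11 +308,9 @@
     wp_protect_special_option($option_name);
 
-    $safe_option_name = $wpdb->escape($option_name);
-
     if ( is_string($newvalue) )
         $newvalue = trim($newvalue);
 
     // If the new and old values are the same, no need to update.
-    $oldvalue = get_option($safe_option_name);
+    $oldvalue = get_option($option_name);
     if ( $newvalue === $oldvalue ) {
         return false;
@@ -354,15 +350,13 @@
 
 // thx Alex Stapleton, http://alex.vort-x.net/blog/
-// expects $name to NOT be SQL-escaped
 function add_option($name, $value = '', $description = '', $autoload = 'yes') {
     global $wpdb;
 
     wp_protect_special_option($name);
-    $safe_name = $wpdb->escape($name);
 
     // Make sure the option doesn't already exist. We can check the 'notoptions' cache before we ask for a db query
     $notoptions = wp_cache_get('notoptions', 'options');
     if ( !is_array($notoptions) || !isset($notoptions[$name]) )
-        if ( false !== get_option($safe_name) )
+        if ( false !== get_option($name) )
             return;
 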
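Review bot: `update_option()` at line 314 and `add_option()` at line 360 now hand the raw `$option_name` / `$name` to `get_option()`, and the header comments recording which side is responsible for SQL escaping are gone, so the escaping contract between these three functions is no longer stated anywhere in the hunk. `get_option()`'s body is outside the hunk; if it still interpolates `$setting` into its query without `$wpdb->escape()`, option names supplied by plugin code reach SQL unescaped. Put the escape inside `get_option()` next to the query so every caller is covered, and restate the contract at its header: `// expects $setting to NOT be SQL-escaped; it is escaped here before the query`. The bodies of update_option and add_option continue outside the hunk.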