Changeset 7820


Timestamp:
04/25/08 06:15:17 (6 years ago)
Author:
markjaquith
Message:

attribute_escape() and int-casting paranoia for trunk.

File:
1 edited

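--- a/trunk/wp-admin/includes/media.php
+++ b/trunk/wp-admin/includes/media.php
@@ -633,5 +633,5 @@
         $keys = array_keys(wp_match_mime_types(array_keys($post_mime_types), $post->post_mime_type));
         $type = array_shift($keys);
-        $type = "<input type='hidden' id='type-of-$attachment_id' value='$type' />";
+        $type = "<input type='hidden' id='type-of-$attachment_id' value='" . attribute_escape( $type ) . "' />";
     }
 
@@ -675,5 +675,5 @@
     $delete_href = wp_nonce_url("post.php?action=delete-post&amp;post=$attachment_id", 'delete-post_' . $attachment_id);
     if ( $send )
-        $send = "<input type='submit' class='button' name='send[$attachment_id]' value='" . __('Insert into Post') . "' />";
+        $send = "<input type='submit' class='button' name='send[$attachment_id]' value='" . attribute_escape( __( 'Insert into Post' ) ) . "' />";
     if ( $delete )
         $delete = "<a href='$delete_href' id='del[$attachment_id]' disabled='disabled' class='delete'>" . __('Delete') . "</button>";
@@ -708,7 +708,7 @@
             $item .= $field[$field['input']];
         elseif ( $field['input'] == 'textarea' ) {
-            $item .= "<textarea type='text' id='$name' name='$name'>" . wp_specialchars($field['value'], 1) . "</textarea>";
+            $item .= "<textarea type='text' id='$name' name='$name'>" . attribute_escape( $field['value'] ) . "</textarea>";
         } else {
-            $item .= "<input type='text' id='$name' name='$name' value='" . wp_specialchars($field['value'], 1) . "' />";
+            $item .= "<input type='text' id='$name' name='$name' value='" . attribute_escape( $field['value'] ) . "' />";
         }
         if ( !empty($field['helps']) )
@@ -738,5 +738,5 @@
 
     foreach ( $hidden_fields as $name => $value )
-        $item .= "\t<input type='hidden' name='$name' id='$name' value='" . wp_specialchars($value, 1) . "' />\n";
+        $item .= "\t<input type='hidden' name='$name' id='$name' value='" . attribute_escape( $value ) . "' />\n";
 
     return $item;
@@ -766,5 +766,5 @@
 
 ?>
-<input type='hidden' name='post_id' value='<?php echo $post_id; ?>' />
+<input type='hidden' name='post_id' value='<?php echo (int) $post_id; ?>' />
 <div id="media-upload-notice">
 <?php if (isset($errors['upload_notice']) ) { ?>
@@ -818,5 +818,5 @@
 <div id="flash-upload-ui">
 <?php do_action('pre-flash-upload-ui'); ?>
-    <p><input id="flash-browse-button" type="button" value="<?php _e('Choose files to upload'); ?>" class="button" /></p>
+    <p><input id="flash-browse-button" type="button" value="<?php echo attribute_escape( __( 'Choose files to upload' ) ); ?>" class="button" /></p>
 <?php do_action('post-flash-upload-ui'); ?>
     <p class="howto"><?php _e('After a file has been uploaded, you can add titles and descriptions.'); ?></p>
@@ -830,5 +830,5 @@
     <input type="file" name="async-upload" id="async-upload" /> <input type="submit" class="button" name="html-upload" value="<?php echo attribute_escape(__('Upload')); ?>" /> <a href="#" onClick="return top.tb_remove();"><?php _e('Cancel'); ?></a>
     </p>
-    <input type="hidden" name="post_id" id="post_id" value="<?php echo $post_id; ?>" />
+    <input type="hidden" name="post_id" id="post_id" value="<?php echo (int) $post_id; ?>" />
     <br class="clear" />
     <?php if ( is_lighttpd_before_150() ): ?>
@@ -853,5 +853,5 @@
 
 <form enctype="multipart/form-data" method="post" action="<?php echo attribute_escape($form_action_url); ?>" class="media-upload-form type-form validate" id="<?php echo $type; ?>-form">
-<input type="hidden" name="post_id" id="post_id" value="<?php echo $post_id; ?>" />
+<input type="hidden" name="post_id" id="post_id" value="<?php echo (int) $post_id; ?>" />
 <?php wp_nonce_field('media-form'); ?>
 <h3><?php _e('From Computer'); ?></h3>
@@ -873,5 +873,5 @@
 <?php echo get_media_items( $id, $errors ); ?>
 </div>
-<input type="submit" class="button savebutton" name="save" value="<?php _e('Save all changes'); ?>" />
+<input type="submit" class="button savebutton" name="save" value="<?php echo attribute_escape( __( 'Save all changes' ) ); ?>" />
 
 <?php elseif ( is_callable($callback) ) : ?>
@@ -887,5 +887,5 @@
 </div>
 </div>
-<input type="submit" class="button savebutton" name="save" value="<?php _e('Save all changes'); ?>" />
+<input type="submit" class="button savebutton" name="save" value="<?php echo attribute_escape( __( 'Save all changes' ) ); ?>" />
 <?php
     endif;
@@ -920,9 +920,9 @@
 <?php echo get_media_items($post_id, $errors); ?>
 </div>
-<input type="submit" class="button savebutton" name="save" value="<?php _e('Save all changes'); ?>" />
-<input type="submit" class="button insert-gallery" name="insert-gallery" value="<?php _e('Insert gallery into post'); ?>" />
-<input type="hidden" name="post_id" id="post_id" value="<?php echo $post_id; ?>" />
-<input type="hidden" name="type" value="<?php echo $GLOBALS['type']; ?>" />
-<input type="hidden" name="tab" value="<?php echo $GLOBALS['tab']; ?>" />
+<input type="submit" class="button savebutton" name="save" value="<?php echo attribute_escape( __( 'Save all changes' ) ); ?>" />
+<input type="submit" class="button insert-gallery" name="insert-gallery" value="<?php echo attribute_escape( __( 'Insert gallery into post' ) ); ?>" />
+<input type="hidden" name="post_id" id="post_id" value="<?php echo (int) $post_id; ?>" />
+<input type="hidden" name="type" value="<?php echo attribute_escape( $GLOBALS['type'] ); ?>" />
+<input type="hidden" name="tab" value="<?php echo attribute_escape( $GLOBALS['tab'] ); ?>" />
 </form>
 <?php
@@ -952,11 +952,11 @@
 <form id="filter" action="" method="get">
 <input type="hidden" name="type" value="<?php echo attribute_escape( $type ); ?>" />
-<input type="hidden" name="tab" value="<?php echo $tab; ?>" />
-<input type="hidden" name="post_id" value="<?php echo $post_id; ?>" />
-<input type="hidden" name="post_mime_type" value="<?php echo wp_specialchars($_GET['post_mime_type'], true); ?>" />
+<input type="hidden" name="tab" value="<?php echo attribute_escape( $tab ); ?>" />
+<input type="hidden" name="post_id" value="<?php echo (int) $post_id; ?>" />
+<input type="hidden" name="post_mime_type" value="<?php echo attribute_escape( $_GET['post_mime_type'] ); ?>" />
 
 <div id="search-filter">
     <input type="text" id="post-search-input" name="s" value="<?php the_search_query(); ?>" />
-    <input type="submit" value="<?php _e( 'Search Media' ); ?>" class="button" />
+    <input type="submit" value="<?php echo attribute_escape( __( 'Search Media' ) ); ?>" class="button" />
 </div>
 
@@ -1032,6 +1032,6 @@
         $default = '';
 
-    echo "<option$default value='$arc_row->yyear$arc_row->mmonth'>";
-    echo $wp_locale->get_month($arc_row->mmonth) . " $arc_row->yyear";
+    echo "<option$default value='" . attribute_escape( $arc_row->yyear$arc_row->mmonth ) . "'>";
+    echo wp_specialchars( $wp_locale->get_month($arc_row->mmonth) . " $arc_row->yyear" );
     echo "</option>\n";
 }
@@ -1040,5 +1040,5 @@
 <?php } ?>
 
-<input type="submit" id="post-query-submit" value="<?php _e('Filter &#187;'); ?>" class="button-secondary" />
+<input type="submit" id="post-query-submit" value="<?php echo attribute_escape( __( 'Filter &#187;' ) ); ?>" class="button-secondary" />
 
 </div>
@@ -1068,6 +1068,6 @@
 <?php echo get_media_items(null, $errors); ?>
 </div>
-<input type="submit" class="button savebutton" name="save" value="<?php _e('Save all changes'); ?>" />
-<input type="hidden" name="post_id" id="post_id" value="<?php echo $post_id; ?>" />
+<input type="submit" class="button savebutton" name="save" value="<?php echo attribute_escape( __( 'Save all changes' ) ); ?>" />
+<input type="hidden" name="post_id" id="post_id" value="<?php echo (int) $post_id; ?>" />
 </form>
 <?php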
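Review bot: The new line 1034 does not parse: `attribute_escape( $arc_row->yyear$arc_row->mmonth )` puts two variables side by side outside a string, which the old code only got away with because both were interpolated inside the quoted attribute value. It should read `echo "<option$default value='" . attribute_escape( $arc_row->yyear . $arc_row->mmonth ) . "'>";` so the escaped value is the explicit concatenation of the two fields. The function this hunk belongs to starts above the hunk; only its closing brace at 1037 is visible. While the same escaping sweep is being applied, the context line 854 still echoes `$type` unescaped into the form's `id` attribute, although the filter form at 953 already wraps the same variable in `attribute_escape()`, so the two spots are now inconsistent.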