
Changeset 7823


Timestamp:
04/25/2008 06:26:54 AM (10 years ago)
Author:
markjaquith
Message:

attribute_escape() and int-casting paranoia for 2.5.1

File:
1 edited

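--- a/branches/2.5/wp-admin/includes/media.php
+++ b/branches/2.5/wp-admin/includes/media.php
@@ -633,5 +633,5 @@
         $keys = array_keys(wp_match_mime_types(array_keys($post_mime_types), $post->post_mime_type));
         $type = array_shift($keys);
-        $type = "<input type='hidden' id='type-of-$attachment_id' value='$type' />";
+        $type = "<input type='hidden' id='type-of-$attachment_id' value='" . attribute_escape( $type ) . "' />";
     }
 
@@ -675,5 +675,5 @@
     $delete_href = wp_nonce_url("post.php?action=delete-post&amp;post=$attachment_id", 'delete-post_' . $attachment_id);
     if ( $send )
-        $send = "<input type='submit' class='button' name='send[$attachment_id]' value='" . __('Insert into Post') . "' />";
+        $send = "<input type='submit' class='button' name='send[$attachment_id]' value='" . attribute_escape( __( 'Insert into Post' ) ) . "' />";
     if ( $delete )
         $delete = "<a href='$delete_href' id='del[$attachment_id]' disabled='disabled' class='delete'>" . __('Delete') . "</button>";
@@ -708,7 +708,7 @@
             $item .= $field[$field['input']];
         elseif ( $field['input'] == 'textarea' ) {
-            $item .= "<textarea type='text' id='$name' name='$name'>" . wp_specialchars($field['value'], 1) . "</textarea>";
+            $item .= "<textarea type='text' id='$name' name='$name'>" . attribute_escape( $field['value'] ) . "</textarea>";
         } else {
-            $item .= "<input type='text' id='$name' name='$name' value='" . wp_specialchars($field['value'], 1) . "' />";
+            $item .= "<input type='text' id='$name' name='$name' value='" . attribute_escape( $field['value'] ) . "' />";
         }
         if ( !empty($field['helps']) )
@@ -738,5 +738,5 @@
 
     foreach ( $hidden_fields as $name => $value )
-        $item .= "\t<input type='hidden' name='$name' id='$name' value='" . wp_specialchars($value, 1) . "' />\n";
+        $item .= "\t<input type='hidden' name='$name' id='$name' value='" . attribute_escape( $value ) . "' />\n";
 
     return $item;
@@ -766,5 +766,5 @@
 
 ?>
-<input type='hidden' name='post_id' value='<?php echo $post_id; ?>' />
+<input type='hidden' name='post_id' value='<?php echo (int) $post_id; ?>' />
 <div id="media-upload-notice">
 <?php if (isset($errors['upload_notice']) ) { ?>
@@ -815,5 +815,5 @@
 
 <div id="flash-upload-ui">
-    <p><input id="flash-browse-button" type="button" value="<?php _e('Choose files to upload'); ?>" class="button" /></p>
+    <p><input id="flash-browse-button" type="button" value="<?php echo attribute_escape( __( 'Choose files to upload' ) ); ?>" class="button" /></p>
     <p><?php _e('After a file has been uploaded, you can add titles and descriptions.'); ?></p>
 </div>
@@ -825,5 +825,5 @@
     <input type="file" name="async-upload" id="async-upload" /> <input type="submit" class="button" name="html-upload" value="<?php echo attribute_escape(__('Upload')); ?>" /> <a href="#" onClick="return top.tb_remove();"><?php _e('Cancel'); ?></a>
     </p>
-    <input type="hidden" name="post_id" id="post_id" value="<?php echo $post_id; ?>" />
+    <input type="hidden" name="post_id" id="post_id" value="<?php echo (int) $post_id; ?>" />
     <br class="clear" />
     <?php if ( is_lighttpd_before_150() ): ?>
@@ -845,5 +845,5 @@
 
 <form enctype="multipart/form-data" method="post" action="<?php echo attribute_escape($form_action_url); ?>" class="media-upload-form type-form validate" id="<?php echo $type; ?>-form">
-<input type="hidden" name="post_id" id="post_id" value="<?php echo $post_id; ?>" />
+<input type="hidden" name="post_id" id="post_id" value="<?php echo (int) $post_id; ?>" />
 <?php wp_nonce_field('media-form'); ?>
 <h3><?php _e('From Computer'); ?></h3>
@@ -865,5 +865,5 @@
 <?php echo get_media_items( $id, $errors ); ?>
 </div>
-<input type="submit" class="button savebutton" name="save" value="<?php _e('Save all changes'); ?>" />
+<input type="submit" class="button savebutton" name="save" value="<?php echo attribute_escape( __( 'Save all changes' ) ); ?>" />
 
 <?php elseif ( is_callable($callback) ) : ?>
@@ -879,5 +879,5 @@
 </div>
 </div>
-<input type="submit" class="button savebutton" name="save" value="<?php _e('Save all changes'); ?>" />
+<input type="submit" class="button savebutton" name="save" value="<?php echo attribute_escape( __( 'Save all changes' ) ); ?>" />
 <?php
     endif;
@@ -912,9 +912,9 @@
 <?php echo get_media_items($post_id, $errors); ?>
 </div>
-<input type="submit" class="button savebutton" name="save" value="<?php _e('Save all changes'); ?>" />
-<input type="submit" class="button insert-gallery" name="insert-gallery" value="<?php _e('Insert gallery into post'); ?>" />
-<input type="hidden" name="post_id" id="post_id" value="<?php echo $post_id; ?>" />
-<input type="hidden" name="type" value="<?php echo $GLOBALS['type']; ?>" />
-<input type="hidden" name="tab" value="<?php echo $GLOBALS['tab']; ?>" />
+<input type="submit" class="button savebutton" name="save" value="<?php echo attribute_escape( __( 'Save all changes' ) ); ?>" />
+<input type="submit" class="button insert-gallery" name="insert-gallery" value="<?php echo attribute_escape( __( 'Insert gallery into post' ) ); ?>" />
+<input type="hidden" name="post_id" id="post_id" value="<?php echo (int) $post_id; ?>" />
+<input type="hidden" name="type" value="<?php echo attribute_escape( $GLOBALS['type'] ); ?>" />
+<input type="hidden" name="tab" value="<?php echo attribute_escape( $GLOBALS['tab'] ); ?>" />
 </form>
 <?php
@@ -944,11 +944,11 @@
 <form id="filter" action="" method="get">
 <input type="hidden" name="type" value="<?php echo attribute_escape( $type ); ?>" />
-<input type="hidden" name="tab" value="<?php echo $tab; ?>" />
-<input type="hidden" name="post_id" value="<?php echo $post_id; ?>" />
-<input type="hidden" name="post_mime_type" value="<?php echo wp_specialchars($_GET['post_mime_type'], true); ?>" />
+<input type="hidden" name="tab" value="<?php echo attribute_escape( $tab ); ?>" />
+<input type="hidden" name="post_id" value="<?php echo (int) $post_id; ?>" />
+<input type="hidden" name="post_mime_type" value="<?php echo attribute_escape( $_GET['post_mime_type'] ); ?>" />
 
 <div id="search-filter">
     <input type="text" id="post-search-input" name="s" value="<?php the_search_query(); ?>" />
-    <input type="submit" value="<?php _e( 'Search Media' ); ?>" class="button" />
+    <input type="submit" value="<?php echo attribute_escape( __( 'Search Media' ) ); ?>" class="button" />
 </div>
 
@@ -1024,6 +1024,6 @@
         $default = '';
 
-    echo "<option$default value='$arc_row->yyear$arc_row->mmonth'>";
-    echo $wp_locale->get_month($arc_row->mmonth) . " $arc_row->yyear";
+    echo "<option$default value='" . attribute_escape( $arc_row->yyear$arc_row->mmonth ) . "'>";
+    echo wp_specialchars( $wp_locale->get_month($arc_row->mmonth) . " $arc_row->yyear" );
     echo "</option>\n";
 }
@@ -1032,5 +1032,5 @@
 <?php } ?>
 
-<input type="submit" id="post-query-submit" value="<?php _e('Filter &#187;'); ?>" class="button-secondary" />
+<input type="submit" id="post-query-submit" value="<?php echo attribute_escape( __( 'Filter &#187;' ) ); ?>" class="button-secondary" />
 
 </div>
@@ -1060,6 +1060,6 @@
 <?php echo get_media_items(null, $errors); ?>
 </div>
-<input type="submit" class="button savebutton" name="save" value="<?php _e('Save all changes'); ?>" />
-<input type="hidden" name="post_id" id="post_id" value="<?php echo $post_id; ?>" />
+<input type="submit" class="button savebutton" name="save" value="<?php echo attribute_escape( __( 'Save all changes' ) ); ?>" />
+<input type="hidden" name="post_id" id="post_id" value="<?php echo (int) $post_id; ?>" />
 </form>
 <?php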
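Review bot: The new line 1026 in the month-archive hunk is a PHP parse error: `attribute_escape( $arc_row->yyear$arc_row->mmonth )` juxtaposes two variables outside a string, which the old interpolated `'$arc_row->yyear$arc_row->mmonth'` allowed but a bare expression does not, so loading this file fails outright rather than escaping the value. It should read `echo "<option$default value='" . attribute_escape( $arc_row->yyear . $arc_row->mmonth ) . "'>";`. Separately, new line 948 in the filter-form hunk passes `$_GET['post_mime_type']` straight to attribute_escape(), which keeps the undefined-index notice the old code also had when the parameter is absent; `isset( $_GET['post_mime_type'] ) ? $_GET['post_mime_type'] : ''` would make the escape safe on the first request. The enclosing function for the line-1026 hunk begins before the hunk, so the rest of its body was not reviewed.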