

Changeset 7963


Timestamp:
05/20/08 18:09:38 (7 years ago)
Author:
ryan
Message:

Clean and escape

Location:
branches/2.5
Files:
6 edited

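--- a/branches/2.5/wp-admin/includes/dashboard.php
+++ b/branches/2.5/wp-admin/includes/dashboard.php
@@ -217,9 +217,9 @@
             $sidebar_widget_name = $wp_registered_widget_controls[$widget_id]['name'];
             $params[1] = 'wp_dashboard_trigger_widget_control';
-            $sidebar_before_widget .= '<form action="' . remove_query_arg( 'edit' )  . '" method="post">';
+            $sidebar_before_widget .= '<form action="' . clean_url(remove_query_arg( 'edit' ))  . '" method="post">';
             $sidebar_after_widget   = "<div class='dashboard-widget-submit'><input type='hidden' name='sidebar' value='wp_dashboard' /><input type='hidden' name='widget_id' value='$widget_id' /><input type='submit' value='" . __( 'Save' ) . "' /></div></form>$sidebar_after_widget";
-            $links[] = '<a href="' . remove_query_arg( 'edit' ) . '">' . __( 'Cancel' ) . '</a>';
+            $links[] = '<a href="' . clean_url(remove_query_arg( 'edit' )) . '">' . __( 'Cancel' ) . '</a>';
         } else {
-            $links[] = '<a href="' . add_query_arg( 'edit', $widget_id ) . "#$widget_id" . '">' . __( 'Edit' ) . '</a>';
+            $links[] = '<a href="' . clean_url(add_query_arg( 'edit', $widget_id )) . "#$widget_id" . '">' . __( 'Edit' ) . '</a>';
         }
     }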
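Review bot: The `$widget_id` interpolated into the hidden input's value attribute on line 220 is still unescaped while the hrefs around it now pass through clean_url(), and on line 223 the `"#$widget_id"` fragment is concatenated outside the clean_url() call, so that interpolation also bypasses the new escaping. The lookup on 217 suggests `$widget_id` is a registered-widget key rather than request input, so the practical exposure is probably small, but the escaping should be uniform: `value='" . attribute_escape($widget_id) . "'` on 220 and `'#' . attribute_escape($widget_id)` on 223 put every interpolation on the same footing. The enclosing function begins and ends outside the hunk.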
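--- a/branches/2.5/wp-admin/includes/file.php
+++ b/branches/2.5/wp-admin/includes/file.php
@@ -55,20 +55,4 @@
 
     return '/tmp/';
-}
-
-function validate_file( $file, $allowed_files = '' ) {
-    if ( false !== strpos( $file, '..' ))
-        return 1;
-
-    if ( false !== strpos( $file, './' ))
-        return 1;
-
-    if (':' == substr( $file, 1, 1 ))
-        return 2;
-
-    if (!empty ( $allowed_files ) && (!in_array( $file, $allowed_files ) ) )
-        return 3;
-
-    return 0;
 }
 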
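--- a/branches/2.5/wp-admin/includes/media.php
+++ b/branches/2.5/wp-admin/includes/media.php
@@ -42,6 +42,6 @@
                 $class = " class='current'";
             $href = add_query_arg(array('tab'=>$callback, 's'=>false, 'paged'=>false, 'post_mime_type'=>false, 'm'=>false));
-            $link = "<a href='$href'$class>$text</a>";
-            echo "\t<li id='tab-$callback'>$link</li>\n";
+            $link = "<a href='" . clean_url($href) . "'$class>$text</a>";
+            echo "\t<li id='" . attribute_escape("tab-$callback") . "'>$link</li>\n";
         }
         echo "</ul>\n";
@@ -971,5 +971,5 @@
 if ( empty($_GET['post_mime_type']) || $_GET['post_mime_type'] == 'all' )
     $class = ' class="current"';
-$type_links[] = "<li><a href='" . add_query_arg(array('post_mime_type'=>'all', 'paged'=>false, 'm'=>false)) . "'$class>".__('All Types')."</a>";
+$type_links[] = "<li><a href='" . clean_url(add_query_arg(array('post_mime_type'=>'all', 'paged'=>false, 'm'=>false))) . "'$class>".__('All Types')."</a>";
 foreach ( $post_mime_types as $mime_type => $label ) {
     $class = '';
@@ -981,5 +981,5 @@
         $class = ' class="current"';
 
-    $type_links[] = "<li><a href='" . add_query_arg(array('post_mime_type'=>$mime_type, 'paged'=>false)) . "'$class>" . sprintf(__ngettext($label[2][0], $label[2][1], $num_posts[$mime_type]), "<span id='$mime_type-counter'>" . number_format_i18n( $num_posts[$mime_type] ) . '</span>') . '</a>';
+    $type_links[] = "<li><a href='" . clean_url(add_query_arg(array('post_mime_type'=>$mime_type, 'paged'=>false))) . "'$class>" . sprintf(__ngettext($label[2][0], $label[2][1], $num_posts[$mime_type]), "<span id='$mime_type-counter'>" . number_format_i18n( $num_posts[$mime_type] ) . '</span>') . '</a>';
 }
 echo implode(' | </li>', $type_links) . '</li>';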
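Review bot: On line 983 `$mime_type` is still interpolated raw into `<span id='$mime_type-counter'>` while the href beside it now goes through clean_url(), and line 44 likewise leaves `$text` unescaped next to the newly escaped id and href. Both values are produced outside the hunk (`$post_mime_types` on 974 and whatever fills `$text` in the tab loop), so they are probably fixed labels rather than request input, but that cannot be confirmed from here; `attribute_escape("$mime_type-counter")` on 983 would make the escaping uniform at no cost. The foreach at 974 and the tab loop closed on 46 both start outside the hunks.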
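--- a/branches/2.5/wp-admin/includes/widgets.php
+++ b/branches/2.5/wp-admin/includes/widgets.php
@@ -77,5 +77,5 @@
                 $add_query['add'] = $widget['id'];
                 $action = 'add';
-                $add_url = wp_nonce_url( add_query_arg( $add_query ), "add-widget_$widget[id]" );
+                $add_url = clean_url( wp_nonce_url( add_query_arg( $add_query ), "add-widget_$widget[id]" ) );
             } else {
                 $action = 'edit';
@@ -233,5 +233,5 @@
             <?php if ( $edit ) : ?>
 
-            <a class="widget-action widget-control-edit" href="<?php echo remove_query_arg( array( 'edit', 'key' ) ); ?>"><?php _e('Cancel'); ?></a>
+            <a class="widget-action widget-control-edit" href="<?php echo clean_url( remove_query_arg( array( 'edit', 'key' ) ) ); ?>"><?php _e('Cancel'); ?></a>
 
             <?php else : ?>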
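Review bot: On line 79 `$add_url` is HTML-escaped at the point it is assigned rather than where it is printed, the opposite of what the hunk at 235 does; clean_url() in its default display context rewrites `&` as an entity, so if `$add_url` is later used anywhere other than inside HTML markup (the rest of this loop is outside the hunk) the nonce query string would no longer round-trip as a URL. Escaping at output, `href="<?php echo clean_url( $add_url ); ?>"`, keeps the variable a plain URL and matches the pattern used on 235. If the variable really is only ever echoed into an attribute, a one-line comment saying so above 79 would stop the next reader from reusing it in a redirect.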
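--- a/branches/2.5/wp-includes/functions.php
+++ b/branches/2.5/wp-includes/functions.php
@@ -1750,3 +1750,19 @@
 }
 
+function validate_file( $file, $allowed_files = '' ) {
+    if ( false !== strpos( $file, '..' ))
+        return 1;
+
+    if ( false !== strpos( $file, './' ))
+        return 1;
+
+    if (':' == substr( $file, 1, 1 ))
+        return 2;
+
+    if (!empty ( $allowed_files ) && (!in_array( $file, $allowed_files ) ) )
+        return 3;
+
+    return 0;
+}
+
 ?>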
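Review bot: validate_file() arrives without a docblock, and its integer return codes (0 accepted, 1 for a `..` or `./` sequence, 2 for a colon at offset 1, 3 for a name missing from `$allowed_files`) are exactly what every caller has to know, so a PHPDoc listing them and stating that any non-zero result means reject would help. Two properties of the checks belong in that docblock as well: the function only looks for relative traversal markers and does not reject a leading slash or backslash, so callers must still anchor the name under a base directory as the theme.php hunk does, and `in_array()` on line 1762 compares loosely, so `in_array( $file, $allowed_files, true )` avoids type juggling when the allowed list is built elsewhere. The `$allowed_files = ''` default is a string although the body treats the argument as an array; `array()` would be the honest default and keeps `empty()` behaving the same.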
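--- a/branches/2.5/wp-includes/theme.php
+++ b/branches/2.5/wp-includes/theme.php
@@ -420,5 +420,5 @@
         $template = '';
 
-    if ( !empty($template) && file_exists(TEMPLATEPATH . "/$template") )
+    if ( !empty($template) && !validate_file($template) && file_exists(TEMPLATEPATH . "/$template") )
         $template = TEMPLATEPATH . "/$template";
     elseif ( file_exists(TEMPLATEPATH . "/page.php") )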
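Review bot: The new `!validate_file($template)` on line 422 carries no comment, and a reader who does not know that validate_file() returns a non-zero code on rejection can easily misread the negation; `// reject template names containing traversal sequences before touching the filesystem` above the if would make the intent plain. It is also worth stating there that a rejected name silently falls through to page.php on 424 rather than being reported, which is a sensible choice for a template lookup but not an obvious one. Where `$template` is populated lies outside the hunk, and the call only resolves here because this changeset also moves validate_file() into wp-includes/functions.php.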