WordPress.org

Make WordPress Core

Changeset 7963


Ignore:
Timestamp:
05/20/2008 06:09:38 PM (10 years ago)
Author:
ryan
Message:

Clean and escape

Location:
branches/2.5
Files:
6 edited

Legend:

Unmodified
Added
Removed
  • branches/2.5/wp-admin/includes/dashboard.php

    r7853 r7963  
    217217            $sidebar_widget_name = $wp_registered_widget_controls[$widget_id]['name'];
    218218            $params[1] = 'wp_dashboard_trigger_widget_control';
    219             $sidebar_before_widget .= '<form action="' . remove_query_arg( 'edit' )  . '" method="post">';
     219            $sidebar_before_widget .= '<form action="' . clean_url(remove_query_arg( 'edit' ))  . '" method="post">';
    220220            $sidebar_after_widget   = "<div class='dashboard-widget-submit'><input type='hidden' name='sidebar' value='wp_dashboard' /><input type='hidden' name='widget_id' value='$widget_id' /><input type='submit' value='" . __( 'Save' ) . "' /></div></form>$sidebar_after_widget";
    221             $links[] = '<a href="' . remove_query_arg( 'edit' ) . '">' . __( 'Cancel' ) . '</a>';
     221            $links[] = '<a href="' . clean_url(remove_query_arg( 'edit' )) . '">' . __( 'Cancel' ) . '</a>';
    222222        } else {
    223             $links[] = '<a href="' . add_query_arg( 'edit', $widget_id ) . "#$widget_id" . '">' . __( 'Edit' ) . '</a>';
     223            $links[] = '<a href="' . clean_url(add_query_arg( 'edit', $widget_id )) . "#$widget_id" . '">' . __( 'Edit' ) . '</a>';
    224224        }
    225225    }
  • branches/2.5/wp-admin/includes/file.php

    r7643 r7963  
    5555
    5656    return '/tmp/';
    57 }
    58 
    59 function validate_file( $file, $allowed_files = '' ) {
    60     if ( false !== strpos( $file, '..' ))
    61         return 1;
    62 
    63     if ( false !== strpos( $file, './' ))
    64         return 1;
    65 
    66     if (':' == substr( $file, 1, 1 ))
    67         return 2;
    68 
    69     if (!empty ( $allowed_files ) && (!in_array( $file, $allowed_files ) ) )
    70         return 3;
    71 
    72     return 0;
    7357}
    7458
  • branches/2.5/wp-admin/includes/media.php

    r7875 r7963  
    4242                $class = " class='current'";
    4343            $href = add_query_arg(array('tab'=>$callback, 's'=>false, 'paged'=>false, 'post_mime_type'=>false, 'm'=>false));
    44             $link = "<a href='$href'$class>$text</a>";
    45             echo "\t<li id='tab-$callback'>$link</li>\n";
     44            $link = "<a href='" . clean_url($href) . "'$class>$text</a>";
     45            echo "\t<li id='" . attribute_escape("tab-$callback") . "'>$link</li>\n";
    4646        }
    4747        echo "</ul>\n";
     
    971971if ( empty($_GET['post_mime_type']) || $_GET['post_mime_type'] == 'all' )
    972972    $class = ' class="current"';
    973 $type_links[] = "<li><a href='" . add_query_arg(array('post_mime_type'=>'all', 'paged'=>false, 'm'=>false)) . "'$class>".__('All Types')."</a>";
     973$type_links[] = "<li><a href='" . clean_url(add_query_arg(array('post_mime_type'=>'all', 'paged'=>false, 'm'=>false))) . "'$class>".__('All Types')."</a>";
    974974foreach ( $post_mime_types as $mime_type => $label ) {
    975975    $class = '';
     
    981981        $class = ' class="current"';
    982982
    983     $type_links[] = "<li><a href='" . add_query_arg(array('post_mime_type'=>$mime_type, 'paged'=>false)) . "'$class>" . sprintf(__ngettext($label[2][0], $label[2][1], $num_posts[$mime_type]), "<span id='$mime_type-counter'>" . number_format_i18n( $num_posts[$mime_type] ) . '</span>') . '</a>';
     983    $type_links[] = "<li><a href='" . clean_url(add_query_arg(array('post_mime_type'=>$mime_type, 'paged'=>false))) . "'$class>" . sprintf(__ngettext($label[2][0], $label[2][1], $num_posts[$mime_type]), "<span id='$mime_type-counter'>" . number_format_i18n( $num_posts[$mime_type] ) . '</span>') . '</a>';
    984984}
    985985echo implode(' | </li>', $type_links) . '</li>';
  • branches/2.5/wp-admin/includes/widgets.php

    r7882 r7963  
    7777                $add_query['add'] = $widget['id'];
    7878                $action = 'add';
    79                 $add_url = wp_nonce_url( add_query_arg( $add_query ), "add-widget_$widget[id]" );
     79                $add_url = clean_url( wp_nonce_url( add_query_arg( $add_query ), "add-widget_$widget[id]" ) );
    8080            } else {
    8181                $action = 'edit';
     
    233233            <?php if ( $edit ) : ?>
    234234
    235             <a class="widget-action widget-control-edit" href="<?php echo remove_query_arg( array( 'edit', 'key' ) ); ?>"><?php _e('Cancel'); ?></a>
     235            <a class="widget-action widget-control-edit" href="<?php echo clean_url( remove_query_arg( array( 'edit', 'key' ) ) ); ?>"><?php _e('Cancel'); ?></a>
    236236
    237237            <?php else : ?>
  • branches/2.5/wp-includes/functions.php

    r7630 r7963  
    17501750}
    17511751
     1752function validate_file( $file, $allowed_files = '' ) {
     1753    if ( false !== strpos( $file, '..' ))
     1754        return 1;
     1755
     1756    if ( false !== strpos( $file, './' ))
     1757        return 1;
     1758
     1759    if (':' == substr( $file, 1, 1 ))
     1760        return 2;
     1761
     1762    if (!empty ( $allowed_files ) && (!in_array( $file, $allowed_files ) ) )
     1763        return 3;
     1764
     1765    return 0;
     1766}
     1767
    17521768?>
  • branches/2.5/wp-includes/theme.php

    r7586 r7963  
    420420        $template = '';
    421421
    422     if ( !empty($template) && file_exists(TEMPLATEPATH . "/$template") )
     422    if ( !empty($template) && !validate_file($template) && file_exists(TEMPLATEPATH . "/$template") )
    423423        $template = TEMPLATEPATH . "/$template";
    424424    elseif ( file_exists(TEMPLATEPATH . "/page.php") )
Note: See TracChangeset for help on using the changeset viewer.