<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" /><style type="text/css"><!--
#msg dl { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre, #msg p { overflow: auto; background: #ffc; border: 1px #fc0 solid; padding: 6px; }
#msg ul { overflow: auto; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<title>[11838] trunk/wp-includes: Prophylactic escapes</title>
</head>
<body>
<div id="msg">
<dl>
<dt>Revision</dt> <dd><a href="http://trac.wordpress.org/changeset/11838">11838</a></dd>
<dt>Author</dt> <dd>ryan</dd>
<dt>Date</dt> <dd>2009-08-18 16:05:07 +0000 (Tue, 18 Aug 2009)</dd>
</dl>
<h3>Log Message</h3>
<pre>Prophylactic escapes</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkwpincludesauthortemplatephp">trunk/wp-includes/author-template.php</a></li>
<li><a href="#trunkwpincludesbookmarktemplatephp">trunk/wp-includes/bookmark-template.php</a></li>
<li><a href="#trunkwpincludescategorytemplatephp">trunk/wp-includes/category-template.php</a></li>
<li><a href="#trunkwpincludescommenttemplatephp">trunk/wp-includes/comment-template.php</a></li>
<li><a href="#trunkwpincludesgeneraltemplatephp">trunk/wp-includes/general-template.php</a></li>
<li><a href="#trunkwpincludesmediaphp">trunk/wp-includes/media.php</a></li>
<li><a href="#trunkwpincludesposttemplatephp">trunk/wp-includes/post-template.php</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkwpincludesauthortemplatephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/author-template.php (11837 => 11838)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/author-template.php 2009-08-18 09:53:37 UTC (rev 11837)
+++ trunk/wp-includes/author-template.php 2009-08-18 16:05:07 UTC (rev 11838)
</span><span class="lines">@@ -132,7 +132,7 @@
</span><span class="cx"> */
</span><span class="cx"> function the_author_link() {
</span><span class="cx"> if ( get_the_author_meta('url') ) {
</span><del>- echo '<a href="' . get_the_author_meta('url') . '" title="' . sprintf(__("Visit %s&#8217;s website"), get_the_author()) . '" rel="external">' . get_the_author() . '</a>';
</del><ins>+ echo '<a href="' . get_the_author_meta('url') . '" title="' . esc_attr( sprintf(__("Visit %s&#8217;s website"), get_the_author()) ) . '" rel="external">' . get_the_author() . '</a>';
</ins><span class="cx"> } else {
</span><span class="cx"> the_author();
</span><span class="cx"> }
</span><span class="lines">@@ -181,7 +181,7 @@
</span><span class="cx"> printf(
</span><span class="cx"> '<a href="%1$s" title="%2$s">%3$s</a>',
</span><span class="cx"> get_author_posts_url( $authordata->ID, $authordata->user_nicename ),
</span><del>- sprintf( __( 'Posts by %s' ), esc_attr( get_the_author() ) ),
</del><ins>+ esc_attr( sprintf( __( 'Posts by %s' ), get_the_author() ) ),
</ins><span class="cx"> get_the_author()
</span><span class="cx"> );
</span><span class="cx"> }
</span><span class="lines">@@ -292,7 +292,7 @@
</span><span class="cx"> if ( ! $hide_empty )
</span><span class="cx"> $link = $name;
</span><span class="cx"> } else {
</span><del>- $link = '<a href="' . get_author_posts_url($author->ID, $author->user_nicename) . '" title="' . sprintf(__("Posts by %s"), esc_attr($author->display_name)) . '">' . $name . '</a>';
</del><ins>+ $link = '<a href="' . get_author_posts_url($author->ID, $author->user_nicename) . '" title="' . esc_attr( sprintf(__("Posts by %s"), $author->display_name) ) . '">' . $name . '</a>';
</ins><span class="cx">
</span><span class="cx"> if ( (! empty($feed_image)) || (! empty($feed)) ) {
</span><span class="cx"> $link .= ' ';
</span><span class="lines">@@ -301,8 +301,8 @@
</span><span class="cx"> $link .= '<a href="' . get_author_feed_link($author->ID) . '"';
</span><span class="cx">
</span><span class="cx"> if ( !empty($feed) ) {
</span><del>- $title = ' title="' . $feed . '"';
- $alt = ' alt="' . $feed . '"';
</del><ins>+ $title = ' title="' . esc_attr($feed) . '"';
+ $alt = ' alt="' . esc_attr($feed) . '"';
</ins><span class="cx"> $name = $feed;
</span><span class="cx"> $link .= $title;
</span><span class="cx"> }
</span><span class="lines">@@ -310,7 +310,7 @@
</span><span class="cx"> $link .= '>';
</span><span class="cx">
</span><span class="cx"> if ( !empty($feed_image) )
</span><del>- $link .= "<img src=\"$feed_image\" style=\"border: none;\"$alt$title" . ' />';
</del><ins>+ $link .= "<img src=\"" . esc_url($feed_image) . "\" style=\"border: none;\"$alt$title" . ' />';
</ins><span class="cx"> else
</span><span class="cx"> $link .= $name;
</span><span class="cx">
</span></span></pre></div>
<a id="trunkwpincludesbookmarktemplatephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/bookmark-template.php (11837 => 11838)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/bookmark-template.php 2009-08-18 09:53:37 UTC (rev 11837)
+++ trunk/wp-includes/bookmark-template.php 2009-08-18 16:05:07 UTC (rev 11838)
</span><span class="lines">@@ -90,7 +90,7 @@
</span><span class="cx">
</span><span class="cx"> $rel = $bookmark->link_rel;
</span><span class="cx"> if ( '' != $rel )
</span><del>- $rel = ' rel="' . $rel . '"';
</del><ins>+ $rel = ' rel="' . esc_attr($rel) . '"';
</ins><span class="cx">
</span><span class="cx"> $target = $bookmark->link_target;
</span><span class="cx"> if ( '' != $target )
</span></span></pre></div>
<a id="trunkwpincludescategorytemplatephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/category-template.php (11837 => 11838)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/category-template.php 2009-08-18 09:53:37 UTC (rev 11837)
+++ trunk/wp-includes/category-template.php 2009-08-18 16:05:07 UTC (rev 11838)
</span><span class="lines">@@ -68,7 +68,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if ( $link )
</span><del>- $chain .= '<a href="' . get_category_link( $parent->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $parent->cat_name ) . '">'.$name.'</a>' . $separator;
</del><ins>+ $chain .= '<a href="' . get_category_link( $parent->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $parent->cat_name ) ) . '">'.$name.'</a>' . $separator;
</ins><span class="cx"> else
</span><span class="cx"> $chain .= $name.$separator;
</span><span class="cx"> return $chain;
</span><span class="lines">@@ -190,17 +190,17 @@
</span><span class="cx"> case 'multiple':
</span><span class="cx"> if ( $category->parent )
</span><span class="cx"> $thelist .= get_category_parents( $category->parent, true, $separator );
</span><del>- $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>' . $category->name.'</a></li>';
</del><ins>+ $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->name.'</a></li>';
</ins><span class="cx"> break;
</span><span class="cx"> case 'single':
</span><del>- $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>';
</del><ins>+ $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>';
</ins><span class="cx"> if ( $category->parent )
</span><span class="cx"> $thelist .= get_category_parents( $category->parent, false, $separator );
</span><span class="cx"> $thelist .= $category->name.'</a></li>';
</span><span class="cx"> break;
</span><span class="cx"> case '':
</span><span class="cx"> default:
</span><del>- $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>' . $category->cat_name.'</a></li>';
</del><ins>+ $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->cat_name.'</a></li>';
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> $thelist .= '</ul>';
</span><span class="lines">@@ -213,17 +213,17 @@
</span><span class="cx"> case 'multiple':
</span><span class="cx"> if ( $category->parent )
</span><span class="cx"> $thelist .= get_category_parents( $category->parent, true, $separator );
</span><del>- $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>' . $category->cat_name.'</a>';
</del><ins>+ $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->cat_name.'</a>';
</ins><span class="cx"> break;
</span><span class="cx"> case 'single':
</span><del>- $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>';
</del><ins>+ $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>';
</ins><span class="cx"> if ( $category->parent )
</span><span class="cx"> $thelist .= get_category_parents( $category->parent, false, $separator );
</span><span class="cx"> $thelist .= "$category->cat_name</a>";
</span><span class="cx"> break;
</span><span class="cx"> case '':
</span><span class="cx"> default:
</span><del>- $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . sprintf( __( "View all posts in %s" ), $category->name ) . '" ' . $rel . '>' . $category->name.'</a>';
</del><ins>+ $thelist .= '<a href="' . get_category_link( $category->term_id ) . '" title="' . esc_attr( sprintf( __( "View all posts in %s" ), $category->name ) ) . '" ' . $rel . '>' . $category->name.'</a>';
</ins><span class="cx"> }
</span><span class="cx"> ++$i;
</span><span class="cx"> }
</span><span class="lines">@@ -352,6 +352,8 @@
</span><span class="cx"> $tab_index_attribute = " tabindex=\"$tab_index\"";
</span><span class="cx">
</span><span class="cx"> $categories = get_categories( $r );
</span><ins>+ $name = esc_attr($name);
+ $class = esc_attr($class);
</ins><span class="cx">
</span><span class="cx"> $output = '';
</span><span class="cx"> if ( ! empty( $categories ) ) {
</span></span></pre></div>
<a id="trunkwpincludescommenttemplatephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/comment-template.php (11837 => 11838)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/comment-template.php 2009-08-18 09:53:37 UTC (rev 11837)
+++ trunk/wp-includes/comment-template.php 2009-08-18 16:05:07 UTC (rev 11838)
</span><span class="lines">@@ -338,6 +338,8 @@
</span><span class="cx"> $classes = array_merge($classes, $class);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ $classes = array_map('esc_attr', $classes);
+
</ins><span class="cx"> return apply_filters('comment_class', $classes, $class, $comment_id, $post_id);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -940,7 +942,7 @@
</span><span class="cx"> $number = get_comments_number( $id );
</span><span class="cx">
</span><span class="cx"> if ( 0 == $number && !comments_open() && !pings_open() ) {
</span><del>- echo '<span' . ((!empty($css_class)) ? ' class="' . $css_class . '"' : '') . '>' . $none . '</span>';
</del><ins>+ echo '<span' . ((!empty($css_class)) ? ' class="' . esc_attr( $css_class ) . '"' : '') . '>' . $none . '</span>';
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -972,7 +974,7 @@
</span><span class="cx">
</span><span class="cx"> echo apply_filters( 'comments_popup_link_attributes', '' );
</span><span class="cx">
</span><del>- echo ' title="' . sprintf( __('Comment on %s'), $title ) . '">';
</del><ins>+ echo ' title="' . esc_attr( sprintf( __('Comment on %s'), $title ) ) . '">';
</ins><span class="cx"> comments_number( $zero, $one, $more, $number );
</span><span class="cx"> echo '</a>';
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkwpincludesgeneraltemplatephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/general-template.php (11837 => 11838)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/general-template.php 2009-08-18 09:53:37 UTC (rev 11837)
+++ trunk/wp-includes/general-template.php 2009-08-18 16:05:07 UTC (rev 11838)
</span><span class="lines">@@ -1023,7 +1023,7 @@
</span><span class="cx">
</span><span class="cx"> /* translators: Calendar caption: 1: month name, 2: 4-digit year */
</span><span class="cx"> $calendar_caption = _x('%1$s %2$s', 'calendar caption');
</span><del>- echo '<table id="wp-calendar" summary="' . __('Calendar') . '">
</del><ins>+ echo '<table id="wp-calendar" summary="' . esc_attr__('Calendar') . '">
</ins><span class="cx"> <caption>' . sprintf($calendar_caption, $wp_locale->get_month($thismonth), date('Y', $unixmonth)) . '</caption>
</span><span class="cx"> <thead>
</span><span class="cx"> <tr>';
</span><span class="lines">@@ -1036,6 +1036,7 @@
</span><span class="cx">
</span><span class="cx"> foreach ( $myweek as $wd ) {
</span><span class="cx"> $day_name = (true == $initial) ? $wp_locale->get_weekday_initial($wd) : $wp_locale->get_weekday_abbrev($wd);
</span><ins>+ $wd = esc_attr($wd);
</ins><span class="cx"> echo "\n\t\t<th abbr=\"$wd\" scope=\"col\" title=\"$wd\">$day_name</th>";
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -1058,8 +1059,8 @@
</span><span class="cx">
</span><span class="cx"> if ( $next ) {
</span><span class="cx"> echo "\n\t\t".'<td abbr="' . $wp_locale->get_month($next->month) . '" colspan="3" id="next"><a href="' .
</span><del>- get_month_link($next->year, $next->month) . '" title="' . sprintf(__('View posts for %1$s %2$s'), $wp_locale->get_month($next->month),
- date('Y', mktime(0, 0 , 0, $next->month, 1, $next->year))) . '">' . $wp_locale->get_month_abbrev($wp_locale->get_month($next->month)) . ' &raquo;</a></td>';
</del><ins>+ get_month_link($next->year, $next->month) . '" title="' . esc_attr( sprintf(__('View posts for %1$s %2$s'), $wp_locale->get_month($next->month) ,
+ date('Y', mktime(0, 0 , 0, $next->month, 1, $next->year))) ) . '">' . $wp_locale->get_month_abbrev($wp_locale->get_month($next->month)) . ' &raquo;</a></td>';
</ins><span class="cx"> } else {
</span><span class="cx"> echo "\n\t\t".'<td colspan="3" id="next" class="pad">&nbsp;</td>';
</span><span class="cx"> }
</span><span class="lines">@@ -1116,7 +1117,7 @@
</span><span class="cx"> // See how much we should pad in the beginning
</span><span class="cx"> $pad = calendar_week_mod(date('w', $unixmonth)-$week_begins);
</span><span class="cx"> if ( 0 != $pad )
</span><del>- echo "\n\t\t".'<td colspan="'.$pad.'" class="pad">&nbsp;</td>';
</del><ins>+ echo "\n\t\t".'<td colspan="'. esc_attr($pad) .'" class="pad">&nbsp;</td>';
</ins><span class="cx">
</span><span class="cx"> $daysinmonth = intval(date('t', $unixmonth));
</span><span class="cx"> for ( $day = 1; $day <= $daysinmonth; ++$day ) {
</span><span class="lines">@@ -1130,7 +1131,7 @@
</span><span class="cx"> echo '<td>';
</span><span class="cx">
</span><span class="cx"> if ( in_array($day, $daywithpost) ) // any posts today?
</span><del>- echo '<a href="' . get_day_link($thisyear, $thismonth, $day) . "\" title=\"$ak_titles_for_day[$day]\">$day</a>";
</del><ins>+ echo '<a href="' . get_day_link($thisyear, $thismonth, $day) . "\" title=\"" . esc_attr($ak_titles_for_day[$day]) . "\">$day</a>";
</ins><span class="cx"> else
</span><span class="cx"> echo $day;
</span><span class="cx"> echo '</td>';
</span><span class="lines">@@ -1141,7 +1142,7 @@
</span><span class="cx">
</span><span class="cx"> $pad = 7 - calendar_week_mod(date('w', mktime(0, 0 , 0, $thismonth, $day, $thisyear))-$week_begins);
</span><span class="cx"> if ( $pad != 0 && $pad != 7 )
</span><del>- echo "\n\t\t".'<td class="pad" colspan="'.$pad.'">&nbsp;</td>';
</del><ins>+ echo "\n\t\t".'<td class="pad" colspan="'. esc_attr($pad) .'">&nbsp;</td>';
</ins><span class="cx">
</span><span class="cx"> echo "\n\t</tr>\n\t</tbody>\n\t</table>";
</span><span class="cx">
</span></span></pre></div>
<a id="trunkwpincludesmediaphp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/media.php (11837 => 11838)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/media.php 2009-08-18 09:53:37 UTC (rev 11837)
+++ trunk/wp-includes/media.php 2009-08-18 16:05:07 UTC (rev 11838)
</span><span class="lines">@@ -616,9 +616,9 @@
</span><span class="cx"> if ( 1 > (int) $width || empty($caption) )
</span><span class="cx"> return $content;
</span><span class="cx">
</span><del>- if ( $id ) $id = 'id="' . $id . '" ';
</del><ins>+ if ( $id ) $id = 'id="' . esc_attr($id) . '" ';
</ins><span class="cx">
</span><del>- return '<div ' . $id . 'class="wp-caption ' . $align . '" style="width: ' . (10 + (int) $width) . 'px">'
</del><ins>+ return '<div ' . $id . 'class="wp-caption ' . esc_attr($align) . '" style="width: ' . (10 + (int) $width) . 'px">'
</ins><span class="cx"> . do_shortcode( $content ) . '<p class="wp-caption-text">' . $caption . '</p></div>';
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkwpincludesposttemplatephp"></a>
<div class="modfile"><h4>Modified: trunk/wp-includes/post-template.php (11837 => 11838)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/wp-includes/post-template.php 2009-08-18 09:53:37 UTC (rev 11837)
+++ trunk/wp-includes/post-template.php 2009-08-18 16:05:07 UTC (rev 11838)
</span><span class="lines">@@ -342,6 +342,8 @@
</span><span class="cx"> $classes = array_merge($classes, $class);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ $classes = array_map('esc_attr', $classes);
+
</ins><span class="cx"> return apply_filters('post_class', $classes, $class, $post_id);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -478,6 +480,8 @@
</span><span class="cx"> $classes = array_merge($classes, $class);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ $classes = array_map('esc_attr', $classes);
+
</ins><span class="cx"> return apply_filters('body_class', $classes, $class);
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -706,6 +710,7 @@
</span><span class="cx">
</span><span class="cx"> $pages = get_pages($r);
</span><span class="cx"> $output = '';
</span><ins>+ $name = esc_attr($name);
</ins><span class="cx">
</span><span class="cx"> if ( ! empty($pages) ) {
</span><span class="cx"> $output = "<select name=\"$name\" id=\"$name\">\n";
</span><span class="lines">@@ -842,7 +847,7 @@
</span><span class="cx"> if ( $menu )
</span><span class="cx"> $menu = '<ul>' . $menu . '</ul>';
</span><span class="cx">
</span><del>- $menu = '<div class="' . $args['menu_class'] . '">' . $menu . "</div>\n";
</del><ins>+ $menu = '<div class="' . esc_attr($args['menu_class']) . '">' . $menu . "</div>\n";
</ins><span class="cx"> $menu = apply_filters( 'wp_page_menu', $menu, $args );
</span><span class="cx"> if ( $args['echo'] )
</span><span class="cx"> echo $menu;
</span></span></pre>
</div>
</div>
</body>
</html>