<title>[16431] trunk: esc_textarea() and application for obvious textarea escaping
.</title>
</head>
<body>
<div id="msg">
<dl>
<dt>Revision</dt> <dd><a href="http://trac.wordpress.org/changeset/16431">16431</a></dd>
<dt>Author</dt> <dd>markjaquith</dd>
<dt>Date</dt> <dd>2010-11-17 17:12:01 +0000 (Wed, 17 Nov 2010)</dd>
</dl>
<h3>Log Message</h3>
<pre>esc_textarea() and application for obvious textarea escaping. props alexkingorg. fixes <a href="http://trac.wordpress.org/ticket/15454">#15454</a></pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkwpadminedittagformphp">trunk/wp-admin/edit-tag-form.php</a></li>
<li><a href="#trunkwpadminincludesclasswpcommentslisttablephp">trunk/wp-admin/includes/class-wp-comments-list-table.php</a></li>
<li><a href="#trunkwpadminincludesdashboardphp">trunk/wp-admin/includes/dashboard.php</a></li>
<li><a href="#trunkwpadminincludesmediaphp">trunk/wp-admin/includes/media.php</a></li>
<li><a href="#trunkwpadminincludesmetaboxesphp">trunk/wp-admin/includes/meta-boxes.php</a></li>
<li><a href="#trunkwpadminincludesnavmenuphp">trunk/wp-admin/includes/nav-menu.php</a></li>
<li><a href="#trunkwpadminincludestemplatephp">trunk/wp-admin/includes/template.php</a></li>
<li><a href="#trunkwpadminmaintrepairphp">trunk/wp-admin/maint/repair.php</a></li>
<li><a href="#trunkwpadminnetworksettingsphp">trunk/wp-admin/network/settings.php</a></li>
<li><a href="#trunkwpadminnetworksiteoptionsphp">trunk/wp-admin/network/site-options.php</a></li>
<li><a href="#trunkwpadminnetworkphp">trunk/wp-admin/network.php</a></li>
<li><a href="#trunkwpadminoptionsdiscussionphp">trunk/wp-admin/options-discussion.php</a></li>
<li><a href="#trunkwpadminoptionspermalinkphp">trunk/wp-admin/options-permalink.php</a></li>
<li><a href="#trunkwpadminoptionswritingphp">trunk/wp-admin/options-writing.php</a></li>
<li><a href="#trunkwpadminoptionsphp">trunk/wp-admin/options.php</a></li>
<li><a href="#trunkwpadminplugineditorphp">trunk/wp-admin/plugin-editor.php</a></li>
<li><a href="#trunkwpadminpressthisphp">trunk/wp-admin/press-this.php</a></li>
<li><a href="#trunkwpadminthemeeditorphp">trunk/wp-admin/theme-editor.php</a></li>
<li><a href="#trunkwpadminusereditphp">trunk/wp-admin/user-edit.php</a></li>
<li><a href="#trunkwpincludesdefaultwidgetsphp">trunk/wp-includes/default-widgets.php</a></li>
<li><a href="#trunkwpincludesformattingphp">trunk/wp-includes/formatting.php</a></li>
<li><a href="#trunkwpincludespostphp">trunk/wp-includes/post.php</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
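--- a/trunk/wp-admin/edit-tag-form.php
+++ b/trunk/wp-admin/edit-tag-form.php
@@ -61,7 +61,7 @@
 <?php endif; // is_taxonomy_hierarchical() ?>
                 <tr class="form-field">
                         <th scope="row" valign="top"><label for="description"><?php _ex('Description', 'Taxonomy Description'); ?></label></th>
-                        <td><textarea name="description" id="description" rows="5" cols="50" style="width: 97%;"><?php echo esc_html($tag->description); ?></textarea><br />
+                        <td><textarea name="description" id="description" rows="5" cols="50" style="width: 97%;"><?php echo esc_textarea( $tag->description ); ?></textarea><br />
                         <span class="description"><?php _e('The description is not prominent by default, however some themes may show it.'); ?></span></td>
                 </tr>
                 <?php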
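--- a/trunk/wp-admin/includes/class-wp-comments-list-table.php
+++ b/trunk/wp-admin/includes/class-wp-comments-list-table.php
@@ -350,7 +350,7 @@
                 comment_text();
                 if ( $user_can ) { ?>
                 <div id="inline-<?php echo $comment->comment_ID; ?>" class="hidden">
-                <textarea class="comment" rows="1" cols="1"><?php echo esc_html( apply_filters( 'comment_edit_pre', $comment->comment_content ) ); ?></textarea>
+                <textarea class="comment" rows="1" cols="1"><?php echo esc_textarea( apply_filters( 'comment_edit_pre', $comment->comment_content ) ); ?></textarea>
                 <div class="author-email"><?php echo esc_attr( $comment->comment_author_email ); ?></div>
                 <div class="author"><?php echo esc_attr( $comment->comment_author ); ?></div>
                 <div class="author-url"><?php echo esc_attr( $comment->comment_author_url ); ?></div>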
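--- a/trunk/wp-admin/includes/dashboard.php
+++ b/trunk/wp-admin/includes/dashboard.php
@@ -518,7 +518,7 @@
 
                 <h4 id="content-label"><label for="content"><?php _e('Content') ?></label></h4>
                 <div class="textarea-wrap">
-                        <textarea name="content" id="content" class="mceEditor" rows="3" cols="15" tabindex="2"><?php echo $post->post_content; ?></textarea>
+                        <textarea name="content" id="content" class="mceEditor" rows="3" cols="15" tabindex="2"><?php echo esc_textarea( $post->post_content ); ?></textarea>
                 </div>
 
                 <script type="text/javascript">edCanvas = document.getElementById('content');edInsertContent = null;</script>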
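--- a/trunk/wp-admin/includes/media.php
+++ b/trunk/wp-admin/includes/media.php
@@ -1282,7 +1282,7 @@
                 if ( !empty( $field[ $field['input'] ] ) )
                         $item .= $field[ $field['input'] ];
                 elseif ( $field['input'] == 'textarea' ) {
-                        $item .= "<textarea type='text' id='$name' name='$name' $aria_required>" . esc_html( $field['value'] ) . '</textarea>';
+                        $item .= "<textarea type='text' id='$name' name='$name' $aria_required>" . esc_textarea( $field['value'] ) . '</textarea>';
                 } else {
                         $item .= "<input type='text' class='text' id='$name' name='$name' value='" . esc_attr( $field['value'] ) . "' $aria_required />";
                 }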
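Review bot: The rewritten line escapes `$field['value']` but still interpolates `$name` raw into the `id='$name' name='$name'` attributes of the same tag, so the new escaping is only as strong as whatever built `$name` outside this hunk. If `$name` is derived from the field key, which plugins can contribute through the attachment-fields filter, it should be emitted as `esc_attr( $name )` in both attributes (the `<input>` branch two lines down has the same pattern); if it is guaranteed to be a fixed internal slug, a short comment saying so would spare the next reader the check. Separately, `type='text'` is not a valid attribute on `<textarea>` and can simply be dropped. The enclosing function starts before the hunk.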
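--- a/trunk/wp-admin/includes/meta-boxes.php
+++ b/trunk/wp-admin/includes/meta-boxes.php
@@ -285,7 +285,7 @@
         <div class="jaxtag">
         <div class="nojs-tags hide-if-js">
         <p><?php echo $taxonomy->labels->add_or_remove_items; ?></p>
-        <textarea name="<?php echo "tax_input[$tax_name]"; ?>" rows="3" cols="20" class="the-tags" id="tax-input-<?php echo $tax_name; ?>" <?php echo $disabled; ?>><?php echo esc_attr(get_terms_to_edit( $post->ID, $tax_name )); ?></textarea></div>
+        <textarea name="<?php echo "tax_input[$tax_name]"; ?>" rows="3" cols="20" class="the-tags" id="tax-input-<?php echo $tax_name; ?>" <?php echo $disabled; ?>><?php echo esc_textarea( get_terms_to_edit( $post->ID, $tax_name ) ); ?></textarea></div>
         <?php if ( current_user_can($taxonomy->cap->assign_terms) ) : ?>
         <div class="ajaxtag hide-if-no-js">
                 <label class="screen-reader-text" for="new-tag-<?php echo $tax_name; ?>"><?php echo $box['title']; ?></label>
@@ -385,7 +385,7 @@
  */
 function post_excerpt_meta_box($post) {
 ?>
-<label class="screen-reader-text" for="excerpt"><?php _e('Excerpt') ?></label><textarea rows="1" cols="40" name="excerpt" tabindex="6" id="excerpt"><?php echo $post->post_excerpt ?></textarea>
+<label class="screen-reader-text" for="excerpt"><?php _e('Excerpt') ?></label><textarea rows="1" cols="40" name="excerpt" tabindex="6" id="excerpt"><?php echo esc_textarea( $post->post_excerpt ); ?></textarea>
 <p><?php _e('Excerpts are optional hand-crafted summaries of your content that can be used in your theme. <a href="http://codex.wordpress.org/Excerpt" target="_blank">Learn more about manual excerpts.</a>'); ?></p>
 <?php
 }
@@ -894,7 +894,7 @@
         </tr>
         <tr class="form-field">
                 <th valign="top" scope="row"><label for="link_notes"><?php _e('Notes') ?></label></th>
-                <td><textarea name="link_notes" id="link_notes" cols="50" rows="10" style="width: 95%"><?php echo ( isset( $link->link_notes ) ? $link->link_notes : ''); ?></textarea></td>
+                <td><textarea name="link_notes" id="link_notes" cols="50" rows="10" style="width: 95%"><?php echo esc_textarea( ( isset( $link->link_notes ) ? $link->link_notes : '') ); ?></textarea></td>
         </tr>
         <tr class="form-field">
                 <th valign="top" scope="row"><label for="link_rating"><?php _e('Rating') ?></label></th>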
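--- a/trunk/wp-admin/includes/nav-menu.php
+++ b/trunk/wp-admin/includes/nav-menu.php
@@ -161,7 +161,7 @@
                                 <p class="field-description description description-wide">
                                         <label for="edit-menu-item-description-<?php echo $item_id; ?>">
                                                 <?php _e( 'Description' ); ?><br />
-                                                <textarea id="edit-menu-item-description-<?php echo $item_id; ?>" class="widefat edit-menu-item-description" rows="3" cols="20" name="menu-item-description[<?php echo $item_id; ?>]"><?php echo esc_html( $item->description ); ?></textarea>
+                                                <textarea id="edit-menu-item-description-<?php echo $item_id; ?>" class="widefat edit-menu-item-description" rows="3" cols="20" name="menu-item-description[<?php echo $item_id; ?>]"><?php echo esc_textarea( $item->description ); ?></textarea>
                                                 <span class="description"><?php _e('The description will be displayed in the menu if the current theme supports it.'); ?></span>
                                         </label>
                                 </p>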
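--- a/trunk/wp-admin/includes/template.php
+++ b/trunk/wp-admin/includes/template.php
@@ -483,7 +483,7 @@
         }
 
         $entry['meta_key'] = esc_attr($entry['meta_key']);
-        $entry['meta_value'] = htmlspecialchars($entry['meta_value']); // using a <textarea />
+        $entry['meta_value'] = esc_textarea( $entry['meta_value'] ); // using a <textarea />
         $entry['meta_id'] = (int) $entry['meta_id'];
 
         $delete_nonce = wp_create_nonce( 'delete-meta_' . $entry['meta_id'] );
@@ -718,7 +718,7 @@
         <col class="widefat" />
         <tr>
                 <th scope="row"><?php _e( 'URL' ) ?></th>
-                <td><textarea rows="1" cols="40" type="text" class="attachmentlinks" readonly="readonly"><?php echo wp_get_attachment_url(); ?></textarea></td>
+                <td><textarea rows="1" cols="40" type="text" class="attachmentlinks" readonly="readonly"><?php echo esc_textarea( wp_get_attachment_url() ); ?></textarea></td>
         </tr>
 <?php if ( $icon ) : ?>
         <tr>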
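--- a/trunk/wp-admin/maint/repair.php
+++ b/trunk/wp-admin/maint/repair.php
@@ -72,7 +72,7 @@
                 $problem_output = array();
                 foreach ( $problems as $table => $problem )
                         $problem_output[] = "$table: $problem";
-                echo '<textarea name="errors" id="errors" rows="20" cols="60">' . format_to_edit(implode("\n", $problem_output)) . '</textarea>';
+                echo '<textarea name="errors" id="errors" rows="20" cols="60">' . esc_textarea( implode("\n", $problem_output) ) . '</textarea>';
         } else {
                 echo '<p>'.__('Repairs complete. Please remove the following line from wp-config.php to prevent this page from being used by unauthorized users.')."</p><code>define('WP_ALLOW_REPAIR', true);</code>";
         }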
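--- a/trunk/wp-admin/network/settings.php
+++ b/trunk/wp-admin/network/settings.php
@@ -121,7 +121,7 @@
                                         <?php $limited_email_domains = get_site_option( 'limited_email_domains' );
                                         $limited_email_domains = str_replace( ' ', "\n", $limited_email_domains ); ?>
                                         <textarea name="limited_email_domains" id="limited_email_domains" cols="45" rows="5">
-<?php echo wp_htmledit_pre( $limited_email_domains == '' ? '' : implode( "\n", (array) $limited_email_domains ) ); ?></textarea>
+<?php echo esc_textarea( $limited_email_domains == '' ? '' : implode( "\n", (array) $limited_email_domains ) ); ?></textarea>
                                         <br />
                                         <?php _e( 'If you want to limit site registrations to certain domains. One domain per line.' ) ?>
                                 </td>
@@ -131,7 +131,7 @@
                                 <th scope="row"><label for="banned_email_domains"><?php _e('Banned Email Domains') ?></label></th>
                                 <td>
                                         <textarea name="banned_email_domains" id="banned_email_domains" cols="45" rows="5">
-<?php echo wp_htmledit_pre( get_site_option( 'banned_email_domains' ) == '' ? '' : implode( "\n", (array) get_site_option( 'banned_email_domains' ) ) ); ?></textarea>
+<?php echo esc_textarea( get_site_option( 'banned_email_domains' ) == '' ? '' : implode( "\n", (array) get_site_option( 'banned_email_domains' ) ) ); ?></textarea>
                                         <br />
                                         <?php _e( 'If you want to ban domains from site registrations. One domain per line.' ) ?>
                                 </td>
@@ -145,7 +145,7 @@
                                 <th scope="row"><label for="welcome_email"><?php _e( 'Welcome Email' ) ?></label></th>
                                 <td>
                                         <textarea name="welcome_email" id="welcome_email" rows="5" cols="45" class="large-text">
-<?php echo wp_htmledit_pre( stripslashes( get_site_option( 'welcome_email' ) ) ) ?></textarea>
+<?php echo esc_textarea( stripslashes( get_site_option( 'welcome_email' ) ) ) ?></textarea>
                                         <br />
                                         <?php _e( 'The welcome email sent to new site owners.' ) ?>
                                 </td>
@@ -154,7 +154,7 @@
                                 <th scope="row"><label for="welcome_user_email"><?php _e( 'Welcome User Email' ) ?></label></th>
                                 <td>
                                         <textarea name="welcome_user_email" id="welcome_user_email" rows="5" cols="45" class="large-text">
-<?php echo wp_htmledit_pre( stripslashes( get_site_option( 'welcome_user_email' ) ) ) ?></textarea>
+<?php echo esc_textarea( stripslashes( get_site_option( 'welcome_user_email' ) ) ) ?></textarea>
                                         <br />
                                         <?php _e( 'The welcome email sent to new users.' ) ?>
                                 </td>
@@ -163,7 +163,7 @@
                                 <th scope="row"><label for="first_post"><?php _e( 'First Post' ) ?></label></th>
                                 <td>
                                         <textarea name="first_post" id="first_post" rows="5" cols="45" class="large-text">
-<?php echo wp_htmledit_pre( stripslashes( get_site_option( 'first_post' ) ) ) ?></textarea>
+<?php echo esc_textarea( stripslashes( get_site_option( 'first_post' ) ) ) ?></textarea>
                                         <br />
                                         <?php _e( 'The first post on a new site.' ) ?>
                                 </td>
@@ -172,7 +172,7 @@
                                 <th scope="row"><label for="first_page"><?php _e( 'First Page' ) ?></label></th>
                                 <td>
                                         <textarea name="first_page" id="first_page" rows="5" cols="45" class="large-text">
-<?php echo wp_htmledit_pre( stripslashes( get_site_option('first_page') ) ) ?></textarea>
+<?php echo esc_textarea( stripslashes( get_site_option('first_page') ) ) ?></textarea>
                                         <br />
                                         <?php _e( 'The first page on a new site.' ) ?>
                                 </td>
@@ -181,7 +181,7 @@
                                 <th scope="row"><label for="first_comment"><?php _e( 'First Comment' ) ?></label></th>
                                 <td>
                                         <textarea name="first_comment" id="first_comment" rows="5" cols="45" class="large-text">
-<?php echo wp_htmledit_pre( stripslashes( get_site_option('first_comment') ) ) ?></textarea>
+<?php echo esc_textarea( stripslashes( get_site_option('first_comment') ) ) ?></textarea>
                                         <br />
                                         <?php _e( 'The first comment on a new site.' ) ?>
                                 </td>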
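Review bot: All seven rewritten lines replace `wp_htmledit_pre()` with `esc_textarea()`, and this is more than an escaping swap: wp_htmledit_pre() (not shown in this diff) has historically passed its result through the `htmledit_pre` filter, so any plugin hooking that filter to adjust these network fields silently stops being called. That is probably acceptable, since the filter targets the post editor rather than settings screens, but the commit message says nothing about it; a one-line note there, or a `// esc_textarea() intentionally bypasses the htmledit_pre filter` comment at the first occurrence, would make the behaviour change deliberate rather than accidental. Note also that the textareas' content now starts on the line after `<textarea …>`; HTML parsers drop exactly one leading newline there, so the stored value round-trips unchanged, which is worth knowing before anyone "tidies" these lines onto one.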
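--- a/trunk/wp-admin/network/site-options.php
+++ b/trunk/wp-admin/network/site-options.php
@@ -106,7 +106,7 @@
                         ?>
                                 <tr class="form-field">
                                         <th scope="row"><?php echo ucwords( str_replace( "_", " ", $option->option_name ) ) ?></th>
-                                        <td><textarea class="<?php echo $class; ?>" rows="5" cols="40" name="option[<?php echo esc_attr( $option->option_name ) ?>]" id="<?php echo esc_attr( $option->option_name ) ?>"<?php disabled( $disabled ) ?>><?php echo wp_htmledit_pre( $option->option_value ) ?></textarea></td>
+                                        <td><textarea class="<?php echo $class; ?>" rows="5" cols="40" name="option[<?php echo esc_attr( $option->option_name ) ?>]" id="<?php echo esc_attr( $option->option_name ) ?>"<?php disabled( $disabled ) ?>><?php echo esc_textarea( $option->option_value ) ?></textarea></td>
                                 </tr>
                         <?php
                         } else {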
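--- a/trunk/wp-admin/network.php
+++ b/trunk/wp-admin/network.php
@@ -368,7 +368,7 @@
                 echo _n( 'This unique authentication key is also missing from your <code>wp-config.php</code> file.', 'These unique authentication keys are also missing from your <code>wp-config.php</code> file.', $num_keys_salts ); ?> <?php _e( 'To make your installation more secure, you should also add:' ) ?></p>
         <textarea class="code" readonly="readonly" cols="100" rows="<?php echo $num_keys_salts; ?>"><?php
         foreach ( $keys_salts as $c => $v ) {
-                echo "\ndefine( '$c', '" . wp_htmledit_pre( $v ) . "' );";
+                echo "\ndefine( '$c', '" . esc_textarea( $v ) . "' );";
         }
 ?></textarea>
 <?php
@@ -456,7 +456,7 @@
         ?>
                 <li><p><?php printf( __( 'Add the following to your <code>web.config</code> file in <code>%s</code>, replacing other WordPress rules:' ), ABSPATH ); ?></p>
                 <textarea class="code" readonly="readonly" cols="100" rows="20">
-                <?php echo wp_htmledit_pre( $web_config_file ); ?>
+                <?php echo esc_textarea( $web_config_file ); ?>
                 </textarea></li>
                 </ol>
 
@@ -485,7 +485,7 @@
                 ?>
                 <li><p><?php printf( __( 'Add the following to your <code>.htaccess</code> file in <code>%s</code>, replacing other WordPress rules:' ), ABSPATH ); ?></p>
                 <textarea class="code" readonly="readonly" cols="100" rows="<?php echo $subdomain_install ? 11 : 16; ?>">
-<?php echo wp_htmledit_pre( $htaccess_file ); ?></textarea></li>
+<?php echo esc_textarea( $htaccess_file ); ?></textarea></li>
                 </ol>
 
         <?php endif; // end IIS/Apache code branches.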
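Review bot: On the `echo "\ndefine( '$c', '" . esc_textarea( $v ) . "' );"` line, `$v` is emitted into two contexts at once: the HTML textarea, which esc_textarea() now handles correctly, and a single-quoted PHP string literal that the administrator is instructed to paste into wp-config.php, which esc_textarea() does nothing for. If the key generator feeding `$keys_salts` (not visible in this hunk) can ever emit `'` or `\`, the pasted `define()` is syntactically broken or truncated; if its character set excludes them, that is an invariant this line silently depends on. Either apply `esc_textarea( addcslashes( $v, "'\\" ) )` so the PHP context is escaped before the HTML one, or add `// generator never emits ' or \, so the single-quoted literal is safe` so the dependency is explicit. The surrounding conditional starts before the hunk.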
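--- a/trunk/wp-admin/options-discussion.php
+++ b/trunk/wp-admin/options-discussion.php
@@ -141,7 +141,7 @@
 
 <p><label for="moderation_keys"><?php _e('When a comment contains any of these words in its content, name, URL, e-mail, or IP, it will be held in the <a href="edit-comments.php?comment_status=moderated">moderation queue</a>. One word or IP per line. It will match inside words, so &#8220;press&#8221; will match &#8220;WordPress&#8221;.') ?></label></p>
 <p>
-<textarea name="moderation_keys" rows="10" cols="50" id="moderation_keys" class="large-text code"><?php form_option('moderation_keys'); ?></textarea>
+<textarea name="moderation_keys" rows="10" cols="50" id="moderation_keys" class="large-text code"><?php esc_textarea( get_option( 'moderation_keys' ) ); ?></textarea>
 </p>
 </fieldset></td>
 </tr>
@@ -150,7 +150,7 @@
 <td><fieldset><legend class="screen-reader-text"><span><?php _e('Comment Blacklist') ?></span></legend>
 <p><label for="blacklist_keys"><?php _e('When a comment contains any of these words in its content, name, URL, e-mail, or IP, it will be marked as spam. One word or IP per line. It will match inside words, so &#8220;press&#8221; will match &#8220;WordPress&#8221;.') ?></label></p>
 <p>
-<textarea name="blacklist_keys" rows="10" cols="50" id="blacklist_keys" class="large-text code"><?php form_option('blacklist_keys'); ?></textarea>
+<textarea name="blacklist_keys" rows="10" cols="50" id="blacklist_keys" class="large-text code"><?php esc_textarea( get_option( 'blacklist_keys' ) ); ?></textarea>
 </p>
 </fieldset></td>
 </tr>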
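Review bot: Both added lines are missing the `echo` that the removed `form_option()` calls performed, so `esc_textarea( get_option( 'moderation_keys' ) )` and its `blacklist_keys` twin compute a string and discard it, and both textareas render empty. These fields are submitted back with the Discussion settings form, so an administrator who saves the page without noticing will overwrite the stored moderation-key and blacklist lists with an empty string and silently disable that comment filtering until someone re-enters the words. The fix is one token per line: `<?php echo esc_textarea( get_option( 'moderation_keys' ) ); ?>` and `<?php echo esc_textarea( get_option( 'blacklist_keys' ) ); ?>`.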
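--- a/trunk/wp-admin/options-permalink.php
+++ b/trunk/wp-admin/options-permalink.php
@@ -230,14 +230,14 @@
 <p><?php _e('If your <code>web.config</code> file were <a href="http://codex.wordpress.org/Changing_File_Permissions">writable</a>, we could do this automatically, but it isn&#8217;t so this is the url rewrite rule you should have in your <code>web.config</code> file. Click in the field and press <kbd>CTRL + a</kbd> to select all. Then insert this rule inside of the <code>/&lt;configuration&gt;/&lt;system.webServer&gt;/&lt;rewrite&gt;/&lt;rules&gt;</code> element in <code>web.config</code> file.') ?></p>
 <form action="options-permalink.php" method="post">
 <?php wp_nonce_field('update-permalink') ?>
-        <p><textarea rows="9" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_html($wp_rewrite->iis7_url_rewrite_rules()); ?></textarea></p>
+        <p><textarea rows="9" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_textarea( $wp_rewrite->iis7_url_rewrite_rules() ); ?></textarea></p>
 </form>
 <p><?php _e('If you temporarily make your <code>web.config</code> file writable for us to generate rewrite rules automatically, do not forget to revert the permissions after rule has been saved.') ?></p>
                 <?php else : ?>
 <p><?php _e('If the root directory of your site were <a href="http://codex.wordpress.org/Changing_File_Permissions">writable</a>, we could do this automatically, but it isn&#8217;t so this is the url rewrite rule you should have in your <code>web.config</code> file. Create a new file, called <code>web.config</code> in the root directory of your site. Click in the field and press <kbd>CTRL + a</kbd> to select all. Then insert this code into the <code>web.config</code> file.') ?></p>
 <form action="options-permalink.php" method="post">
 <?php wp_nonce_field('update-permalink') ?>
-        <p><textarea rows="18" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_html($wp_rewrite->iis7_url_rewrite_rules(true)); ?></textarea></p>
+        <p><textarea rows="18" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_textarea( $wp_rewrite->iis7_url_rewrite_rules(true) ); ?></textarea></p>
 </form>
 <p><?php _e('If you temporarily make your site&#8217;s root directory writable for us to generate the <code>web.config</code> file automatically, do not forget to revert the permissions after the file has been created.') ?></p>
                 <?php endif; ?>
@@ -247,7 +247,7 @@
 <p><?php _e('If your <code>.htaccess</code> file were <a href="http://codex.wordpress.org/Changing_File_Permissions">writable</a>, we could do this automatically, but it isn&#8217;t so these are the mod_rewrite rules you should have in your <code>.htaccess</code> file. Click in the field and press <kbd>CTRL + a</kbd> to select all.') ?></p>
 <form action="options-permalink.php" method="post">
 <?php wp_nonce_field('update-permalink') ?>
-        <p><textarea rows="6" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_html($wp_rewrite->mod_rewrite_rules()); ?></textarea></p>
+        <p><textarea rows="6" class="large-text readonly" name="rules" id="rules" readonly="readonly"><?php echo esc_textarea( $wp_rewrite->mod_rewrite_rules() ); ?></textarea></p>
 </form>
         <?php endif; ?>
 <?php endif; ?>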
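--- a/trunk/wp-admin/options-writing.php
+++ b/trunk/wp-admin/options-writing.php
@@ -137,7 +137,7 @@
 
 <p><label for="ping_sites"><?php _e('When you publish a new post, WordPress automatically notifies the following site update services. For more about this, see <a href="http://codex.wordpress.org/Update_Services">Update Services</a> on the Codex. Separate multiple service <abbr title="Universal Resource Locator">URL</abbr>s with line breaks.') ?></label></p>
 
-<textarea name="ping_sites" id="ping_sites" class="large-text code" rows="3"><?php form_option('ping_sites'); ?></textarea>
+<textarea name="ping_sites" id="ping_sites" class="large-text code" rows="3"><?php esc_textarea( get_option('ping_sites') ); ?></textarea>
 
 <?php else : ?>
 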
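Review bot: The replacement line calls esc_textarea() without echoing its result, so the ping_sites textarea now renders empty: esc_textarea() returns the escaped string (see the new function in formatting.php in this same changeset), whereas the form_option() call it replaces presumably printed the value itself. The same missing echo is in the blacklist_keys textarea of the earlier section of this changeset. The line should read `<textarea name="ping_sites" id="ping_sites" class="large-text code" rows="3"><?php echo esc_textarea( get_option('ping_sites') ); ?></textarea>`, matching the `echo esc_textarea( ... )` form used in the other templates touched here.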
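--- a/trunk/wp-admin/options.php
+++ b/trunk/wp-admin/options.php
@@ -201,7 +201,7 @@
         <th scope='row'><label for='$name'>" . esc_html( $option->option_name ) . "</label></th>
 <td>";
         if ( strpos( $value, "\n" ) !== false )
-                echo "<textarea class='$class' name='$name' id='$name' cols='30' rows='5'>" . wp_htmledit_pre( $value ) . "</textarea>";
+                echo "<textarea class='$class' name='$name' id='$name' cols='30' rows='5'>" . esc_textarea( $value ) . "</textarea>";
         else
                 echo "<input class='regular-text $class' type='text' name='$name' id='$name' value='" . esc_attr( $value ) . "'" . disabled( $disabled, true, false ) . " />";
         echo "</td>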
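Review bot: The rewritten textarea branch still differs from the input branch two lines below in that it never emits `disabled( $disabled, true, false )`, so an option that the surrounding code marks disabled is rendered read-write when its value is multi-line but disabled when it is single-line. If that asymmetry is not intentional, the new line should be `echo "<textarea class='$class' name='$name' id='$name' cols='30' rows='5'" . disabled( $disabled, true, false ) . ">" . esc_textarea( $value ) . "</textarea>";`. The enclosing loop that sets `$name`, `$class` and `$disabled` starts and ends outside the hunk, so I cannot see whether a disabled multi-line option can actually occur.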
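--- a/trunk/wp-admin/plugin-editor.php
+++ b/trunk/wp-admin/plugin-editor.php
@@ -136,7 +136,7 @@
                 }
         }
 
-        $content = htmlspecialchars( $content );
+        $content = esc_textarea( $content );
         ?>
 <?php if (isset($_GET['a'])) : ?>
 <div id="message" class="updated"><p><?php _e('File edited successfully.') ?></p></div>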
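Review bot: The escaping is applied at assignment time, so from this line on `$content` holds entity-encoded text, and any later use of it that is not the textarea body (not visible in the hunk) would be double-escaped or shown with literal entities; theme-editor.php in this changeset follows the same pattern. A comment making that contract explicit would avoid the trap for the next reader, e.g. `// $content is now escaped for use as <textarea> content only; do not reuse it as the raw file body.`, or, preferably, keep `$content` raw and call esc_textarea() at the point where it is echoed. The enclosing block continues outside the hunk.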
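--- a/trunk/wp-admin/press-this.php
+++ b/trunk/wp-admin/press-this.php
@@ -113,7 +113,7 @@
                         <div class="postbox">
                                 <h2><label for="embed-code"><?php _e('Embed Code') ?></label></h2>
                                 <div class="inside">
-                                        <textarea name="embed-code" id="embed-code" rows="8" cols="40"><?php echo wp_htmledit_pre( $selection ); ?></textarea>
+                                        <textarea name="embed-code" id="embed-code" rows="8" cols="40"><?php echo esc_textarea( $selection ); ?></textarea>
                                         <p id="options"><a href="#" class="select button"><?php _e('Insert Video'); ?></a> <a href="#" class="close button"><?php _e('Cancel'); ?></a></p>
                                 </div>
                         </div>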
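--- a/trunk/wp-admin/theme-editor.php
+++ b/trunk/wp-admin/theme-editor.php
@@ -116,7 +116,7 @@
                         $docs_select .= '</select>';
                 }
 
-                $content = htmlspecialchars( $content );
+                $content = esc_textarea( $content );
         }
 
         ?>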
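--- a/trunk/wp-admin/user-edit.php
+++ b/trunk/wp-admin/user-edit.php
@@ -340,7 +340,7 @@
 <table class="form-table">
 <tr>
         <th><label for="description"><?php _e('Biographical Info'); ?></label></th>
-        <td><textarea name="description" id="description" rows="5" cols="30"><?php echo esc_html($profileuser->description); ?></textarea><br />
+        <td><textarea name="description" id="description" rows="5" cols="30"><?php echo esc_textarea( $profileuser->description ); ?></textarea><br />
         <span class="description"><?php _e('Share a little biographical information to fill out your profile. This may be shown publicly.'); ?></span></td>
 </tr>
 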
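--- a/trunk/wp-includes/default-widgets.php
+++ b/trunk/wp-includes/default-widgets.php
@@ -399,7 +399,7 @@
         function form( $instance ) {
                 $instance = wp_parse_args( (array) $instance, array( 'title' => '', 'text' => '' ) );
                 $title = strip_tags($instance['title']);
-                $text = format_to_edit($instance['text']);
+                $text = esc_textarea($instance['text']);
 ?>
                 <p><label for="<?php echo $this->get_field_id('title'); ?>"><?php _e('Title:'); ?></label>
                 <input class="widefat" id="<?php echo $this->get_field_id('title'); ?>" name="<?php echo $this->get_field_name('title'); ?>" type="text" value="<?php echo esc_attr($title); ?>" /></p>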
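--- a/trunk/wp-includes/formatting.php
+++ b/trunk/wp-includes/formatting.php
@@ -2353,6 +2353,19 @@
 }
 
 /**
+ * Escaping for textarea values.
+ *
+ * @since 3.1
+ *
+ * @param string $text
+ * @return string
+ */
+function esc_textarea( $text ) {
+        $safe_text = htmlspecialchars( $text );
+        return apply_filters( 'esc_textarea', $safe_text, $text );
+}
+
+/**
 * Escape a HTML tag name.
 *
 * @since 2.5.0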
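Review bot: The docblock of the new esc_textarea() does not say how it differs from the esc_html() calls it replaces elsewhere in this changeset, and the difference is the whole point: htmlspecialchars() double-encodes an existing `&amp;` to `&amp;amp;`, which is what a textarea needs so the stored value round-trips through the form unchanged, but it also means the result is only safe as textarea content, not as an attribute value or as display HTML. htmlspecialchars() is also called without a charset argument, so it uses PHP's built-in default rather than the blog charset and does not reject malformed UTF-8; if the other esc_* helpers in this file validate UTF-8 first (not visible in the hunk), this one should do the same, e.g. `htmlspecialchars( $text, ENT_QUOTES, get_option( 'blog_charset' ) )`. I would replace the bare `@param string $text` with `@param string $text The value to be placed between the <textarea> tags.` and add a sentence to the description stating that existing entities are intentionally double-encoded so the value round-trips, and that the 'esc_textarea' filter, like the other esc_* filters, allows plugins to alter the escaped output.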
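--- a/trunk/wp-includes/post.php
+++ b/trunk/wp-includes/post.php
@@ -5123,7 +5123,7 @@
                         'capability' => '',
                         'output' => '<h4 id="%s-content-label"><label for="content">'. __('Content') .'</label></h4>
                 <div class="textarea-wrap">
-                        <textarea name="content" id="%s-content" class="mceEditor" rows="3" cols="15" tabindex="%d">'. $post->post_content.'</textarea>
+                        <textarea name="content" id="%s-content" class="mceEditor" rows="3" cols="15" tabindex="%d">'. esc_textarea( $post->post_content ) .'</textarea>
                 </div>
                         '." <script type='text/javascript'>edCanvas = document.getElementById('content');edInsertContent = null;</script>
                 "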
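Review bot: The escaped post content is spliced into the 'output' string, which still carries `%s` and `%d` placeholders, so it is presumably run through sprintf() or vsprintf() later (outside the hunk); if so, a literal `%` in post_content is read as a conversion specifier, and esc_textarea() does nothing about `%`. Either the content should be supplied as a sprintf argument instead of being concatenated into the format string, or the `%` should be doubled at this point, e.g. `'. str_replace( '%', '%%', esc_textarea( $post->post_content ) ) .'`. The enclosing array and the code that formats it start and end outside the hunk, so I cannot confirm which it is.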
</div>
</body>
</html>