From 119b39cec26a8ceb06c07cd9b543eaae38521c05 Mon Sep 17 00:00:00 2001 
From: markjaquith Date: Mon, 18 May 2009 15:11:07 +0000 Subject: [PATCH] deprecate wp_specialchars() in favor of esc_html(). Encode quotes for esc_html() as in esc_attr(), to improve plugin security. git-svn-id: http://svn.automattic.com/wordpress/trunk@11380 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/admin-ajax.php | 8 ++--- wp-admin/admin-header.php | 2 +- wp-admin/async-upload.php | 2 +- wp-admin/categories.php | 4 +-- wp-admin/edit-attachment-rows.php | 4 +-- wp-admin/edit-category-form.php | 2 +- wp-admin/edit-comments.php | 4 +-- wp-admin/edit-form-advanced.php | 8 ++--- wp-admin/edit-link-categories.php | 4 +-- wp-admin/edit-link-form.php | 2 +- wp-admin/edit-page-form.php | 6 ++-- wp-admin/edit-pages.php | 4 +-- wp-admin/edit-tag-form.php | 2 +- wp-admin/edit-tags.php | 4 +-- wp-admin/edit.php | 4 +-- wp-admin/export.php | 2 +- wp-admin/import.php | 2 +- wp-admin/import/opml.php | 2 +- wp-admin/includes/bookmark.php | 6 ++-- wp-admin/includes/dashboard.php | 10 +++--- wp-admin/includes/export.php | 2 +- wp-admin/includes/media.php | 6 ++-- wp-admin/includes/post.php | 10 +++--- wp-admin/includes/template.php | 26 ++++++++-------- wp-admin/includes/theme-install.php | 4 +-- wp-admin/includes/user.php | 20 ++++++------ wp-admin/includes/widgets.php | 2 +- wp-admin/index.php | 2 +- wp-admin/js/revisions-js.php | 2 +- wp-admin/link-manager.php | 4 +-- wp-admin/media-upload.php | 2 +- wp-admin/options-discussion.php | 2 +- wp-admin/options-general.php | 2 +- wp-admin/options-media.php | 2 +- wp-admin/options-misc.php | 2 +- wp-admin/options-permalink.php | 6 ++-- wp-admin/options-privacy.php | 2 +- wp-admin/options-reading.php | 2 +- wp-admin/options-writing.php | 2 +- wp-admin/options.php | 2 +- wp-admin/page.php | 2 +- wp-admin/plugin-editor.php | 2 +- wp-admin/plugin-install.php | 2 +- wp-admin/plugins.php | 4 +-- wp-admin/post.php | 2 +- wp-admin/press-this.php | 2 +- wp-admin/revision.php | 2 +- wp-admin/theme-editor.php | 2 +- 
wp-admin/theme-install.php | 2 +- wp-admin/themes.php | 2 +- wp-admin/tools.php | 2 +- wp-admin/upload.php | 6 ++-- wp-admin/user-edit.php | 2 +- wp-admin/users.php | 4 +-- wp-admin/widgets.php | 10 +++--- wp-includes/classes.php | 2 +- wp-includes/comment-template.php | 2 +- wp-includes/default-filters.php | 10 +++--- wp-includes/default-widgets.php | 4 +-- wp-includes/feed.php | 2 +- wp-includes/formatting.php | 47 +++++++++++++++++++++++------ wp-includes/functions.php | 10 +++--- wp-includes/general-template.php | 2 +- wp-includes/l10n.php | 30 ++++++++++++++++++ wp-includes/user.php | 2 +- wp-includes/widgets.php | 2 +- wp-mail.php | 8 ++--- xmlrpc.php | 10 +++--- 68 files changed, 210 insertions(+), 151 deletions(-) diff --git a/wp-admin/admin-ajax.php b/wp-admin/admin-ajax.php index 2486f5999e..87fb3f343c 100644 --- a/wp-admin/admin-ajax.php +++ b/wp-admin/admin-ajax.php @@ -422,7 +422,7 @@ case 'add-link-category' : // On the Fly $cat_id = wp_insert_term( $cat_name, 'link_category' ); } $cat_id = $cat_id['term_id']; - $cat_name = wp_specialchars(stripslashes($cat_name)); + $cat_name = esc_html(stripslashes($cat_name)); $x->add( array( 'what' => 'link-category', 'id' => $cat_id, @@ -898,7 +898,7 @@ case 'autosave' : // The name of this action is hardcoded in edit_post() $last_user_name = $last_user ? $last_user->display_name : __( 'Someone' ); $data = new WP_Error( 'locked', sprintf( $_POST['post_type'] == 'page' ? __( 'Autosave disabled: %s is currently editing this page.' ) : __( 'Autosave disabled: %s is currently editing this post.' ), - wp_specialchars( $last_user_name ) + esc_html( $last_user_name ) ) ); $supplemental['disable_autosave'] = 'disable'; 
@@ -1057,7 +1057,7 @@ case 'inline-save': if ( $last = wp_check_post_lock( $post_ID ) ) { $last_user = get_userdata( $last ); $last_user_name = $last_user ? $last_user->display_name : __( 'Someone' ); - printf( $_POST['post_type'] == 'page' ? __( 'Saving is disabled: %s is currently editing this page.' ) : __( 'Saving is disabled: %s is currently editing this post.' ), wp_specialchars( $last_user_name ) ); + printf( $_POST['post_type'] == 'page' ? __( 'Saving is disabled: %s is currently editing this page.' ) : __( 'Saving is disabled: %s is currently editing this post.' ), esc_html( $last_user_name ) ); exit; } @@ -1217,7 +1217,7 @@ case 'find_posts': } $html .= ''; - $html .= ''.wp_specialchars($time, true).''.wp_specialchars($stat, true).''."\n\n"; + $html .= ''.esc_html( $time ).''.esc_html( $stat ).''."\n\n"; } $html .= ''; diff --git a/wp-admin/admin-header.php b/wp-admin/admin-header.php index 2d6b33177f..2944e7154a 100644 --- a/wp-admin/admin-header.php +++ b/wp-admin/admin-header.php @@ -10,7 +10,7 @@ if (!isset($_GET["page"])) require_once('admin.php'); get_admin_page_title(); -$title = wp_specialchars( strip_tags( $title ) ); +$title = esc_html( strip_tags( $title ) ); wp_user_settings(); wp_menu_unfold(); ?> diff --git a/wp-admin/async-upload.php b/wp-admin/async-upload.php index 33c6bf9718..b91faadb58 100644 --- a/wp-admin/async-upload.php +++ b/wp-admin/async-upload.php @@ -42,7 +42,7 @@ check_admin_referer('media-form'); $id = media_handle_upload('async-upload', $_REQUEST['post_id']); if (is_wp_error($id)) { - echo '
'.wp_specialchars($id->get_error_message()).'
'; + echo '
'.esc_html($id->get_error_message()).'
'; exit; } diff --git a/wp-admin/categories.php b/wp-admin/categories.php index a700fe21c0..8d26b9e134 100644 --- a/wp-admin/categories.php +++ b/wp-admin/categories.php @@ -129,9 +129,9 @@ $messages[5] = __('Category not updated.');
-

' . __('Search results for “%s”') . '', wp_specialchars( stripslashes($_GET['s']) ) ); ?> + printf( '' . __('Search results for “%s”') . '', esc_html( stripslashes($_GET['s']) ) ); ?>

$column_display_name ) { if ( !empty( $tags ) ) { $out = array(); foreach ( $tags as $c ) - $out[] = " " . wp_specialchars(sanitize_term_field('name', $c->name, $c->term_id, 'post_tag', 'display')) . ""; + $out[] = " " . esc_html(sanitize_term_field('name', $c->name, $c->term_id, 'post_tag', 'display')) . ""; echo join( ', ', $out ); } else { _e('No Tags'); diff --git a/wp-admin/edit-category-form.php b/wp-admin/edit-category-form.php index e3cc9d68fa..2a06aebcf5 100644 --- a/wp-admin/edit-category-form.php +++ b/wp-admin/edit-category-form.php @@ -66,7 +66,7 @@ _fill_empty_category($category); -
+
diff --git a/wp-admin/edit-comments.php b/wp-admin/edit-comments.php index 1eeca07fd6..da5ce02048 100644 --- a/wp-admin/edit-comments.php +++ b/wp-admin/edit-comments.php @@ -96,9 +96,9 @@ $search = esc_attr( $search_dirty ); ?>
-

' . sprintf( __( 'Search results for “%s”' ), wp_html_excerpt( wp_specialchars( stripslashes( $_GET['s'] ) ), 50 ) ) . '' ); ?> + printf( '' . sprintf( __( 'Search results for “%s”' ), wp_html_excerpt( esc_html( stripslashes( $_GET['s'] ) ), 50 ) ) . '' ); ?>

post_status ) { $visibility_trans = __('Public'); } -?> +?>
@@ -390,7 +390,7 @@ function post_trackback_meta_box($post) { $pings = '

'. __('Already pinged:') . '

    '; $already_pinged = explode("\n", trim($post->pinged)); foreach ($already_pinged as $pinged_url) { - $pings .= "\n\t
  • " . wp_specialchars($pinged_url) . "
  • "; + $pings .= "\n\t
  • " . esc_html($pinged_url) . "
  • "; } $pings .= '
'; } @@ -549,7 +549,7 @@ require_once('admin-header.php');
-

+

@@ -622,7 +622,7 @@ endif; ?> echo ''; if ( $last_id = get_post_meta($post_ID, '_edit_last', true) ) { $last_user = get_userdata($last_id); - printf(__('Last edited by %1$s on %2$s at %3$s'), wp_specialchars( $last_user->display_name ), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified)); + printf(__('Last edited by %1$s on %2$s at %3$s'), esc_html( $last_user->display_name ), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified)); } else { printf(__('Last edited on %1$s at %2$s'), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified)); } diff --git a/wp-admin/edit-link-categories.php b/wp-admin/edit-link-categories.php index a140447cd3..691f326697 100644 --- a/wp-admin/edit-link-categories.php +++ b/wp-admin/edit-link-categories.php @@ -61,9 +61,9 @@ $messages[6] = __('Categories deleted.'); ?>
-

' . __('Search results for “%s”') . '', wp_specialchars( stripslashes($_GET['s']) ) ); ?> + printf( '' . __('Search results for “%s”') . '', esc_html( stripslashes($_GET['s']) ) ); ?>

diff --git a/wp-admin/edit-link-form.php b/wp-admin/edit-link-form.php index da71c80dbd..32b06a87f6 100644 --- a/wp-admin/edit-link-form.php +++ b/wp-admin/edit-link-form.php @@ -342,7 +342,7 @@ require_once ('admin-header.php'); ?>
-

+

diff --git a/wp-admin/edit-page-form.php b/wp-admin/edit-page-form.php index 88f9f7765e..6083027c01 100644 --- a/wp-admin/edit-page-form.php +++ b/wp-admin/edit-page-form.php @@ -158,7 +158,7 @@ if ( 'private' == $post->post_status ) { $visibility_trans = __('Public'); } -echo wp_specialchars( $visibility_trans ); ?> +echo esc_html( $visibility_trans ); ?> @@ -397,7 +397,7 @@ require_once('admin-header.php');
-

+

@@ -460,7 +460,7 @@ endif; ?> if ($post_ID) { if ( $last_id = get_post_meta($post_ID, '_edit_last', true) ) { $last_user = get_userdata($last_id); - printf(__('Last edited by %1$s on %2$s at %3$s'), wp_specialchars( $last_user->display_name ), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified)); + printf(__('Last edited by %1$s on %2$s at %3$s'), esc_html( $last_user->display_name ), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified)); } else { printf(__('Last edited on %1$s at %2$s'), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified)); } diff --git a/wp-admin/edit-pages.php b/wp-admin/edit-pages.php index c831a92366..2ef477b8ae 100644 --- a/wp-admin/edit-pages.php +++ b/wp-admin/edit-pages.php @@ -104,9 +104,9 @@ require_once('admin-header.php'); ?>
-

' . __('Search results for “%s”') . '', wp_specialchars( get_search_query() ) ); ?> + printf( '' . __('Search results for “%s”') . '', esc_html( get_search_query() ) ); ?>

diff --git a/wp-admin/edit-tag-form.php b/wp-admin/edit-tag-form.php index 210b3b198f..c811a32424 100644 --- a/wp-admin/edit-tag-form.php +++ b/wp-admin/edit-tag-form.php @@ -36,7 +36,7 @@ do_action('edit_tag_form_pre', $tag); ?> -
+
diff --git a/wp-admin/edit-tags.php b/wp-admin/edit-tags.php index 29f86cfb2d..f2c4d5804e 100644 --- a/wp-admin/edit-tags.php +++ b/wp-admin/edit-tags.php @@ -146,9 +146,9 @@ $messages[6] = __('Tags deleted.'); ?>
-

' . __('Search results for “%s”') . '', wp_specialchars( stripslashes($_GET['s']) ) ); ?> + printf( '' . __('Search results for “%s”') . '', esc_html( stripslashes($_GET['s']) ) ); ?>

diff --git a/wp-admin/edit.php b/wp-admin/edit.php index 405294ea61..f0667433a4 100644 --- a/wp-admin/edit.php +++ b/wp-admin/edit.php @@ -96,9 +96,9 @@ else
-

' . __('Search results for “%s”') . '', wp_specialchars( get_search_query() ) ); ?> + printf( '' . __('Search results for “%s”') . '', esc_html( get_search_query() ) ); ?>

-

+

diff --git a/wp-admin/import.php b/wp-admin/import.php index 9c321e43de..8b10fc8440 100644 --- a/wp-admin/import.php +++ b/wp-admin/import.php @@ -15,7 +15,7 @@ $parent_file = 'tools.php';
-

+

- + diff --git a/wp-admin/includes/bookmark.php b/wp-admin/includes/bookmark.php index 379cee6211..bcfabc1362 100644 --- a/wp-admin/includes/bookmark.php +++ b/wp-admin/includes/bookmark.php @@ -29,10 +29,10 @@ function edit_link( $link_id = '' ) { if (!current_user_can( 'manage_links' )) wp_die( __( 'Cheatin’ uh?' )); - $_POST['link_url'] = wp_specialchars( $_POST['link_url'] ); + $_POST['link_url'] = esc_html( $_POST['link_url'] ); $_POST['link_url'] = clean_url($_POST['link_url']); - $_POST['link_name'] = wp_specialchars( $_POST['link_name'] ); - $_POST['link_image'] = wp_specialchars( $_POST['link_image'] ); + $_POST['link_name'] = esc_html( $_POST['link_name'] ); + $_POST['link_image'] = esc_html( $_POST['link_image'] ); $_POST['link_rss'] = clean_url($_POST['link_rss']); if ( !isset($_POST['link_visible']) || 'N' != $_POST['link_visible'] ) $_POST['link_visible'] = 'Y'; diff --git a/wp-admin/includes/dashboard.php b/wp-admin/includes/dashboard.php index f5635ac7d8..a41e247c93 100644 --- a/wp-admin/includes/dashboard.php +++ b/wp-admin/includes/dashboard.php @@ -581,7 +581,7 @@ function _wp_dashboard_recent_comments_row( &$comment, $show_date = true ) { default : $type = ucwords( $comment->comment_type ); endswitch; - $type = wp_specialchars( $type ); + $type = esc_html( $type ); ?>
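Review bot: `edit_link()` HTML-escapes request fields before they are persisted, so the quote encoding this commit adds to `esc_html()` now stores `&#039;`/`&quot;` entities in link names and image paths instead of the characters the user typed; the `wp-admin/includes/user.php` hunks at -65, -86 and -96 apply the same input-time escaping to `user_login`, `user_email`, the name fields and IM handles, where an apostrophe in an e-mail local part would no longer survive to whatever validation follows (outside the hunk). Escaping is an output-context concern; on input these fields want sanitisation (`trim()`, `strip_tags()`, and for URLs `clean_url()` alone), with `esc_html()`/`esc_attr()` applied where the value is rendered. At minimum the `esc_html()` on `link_url` looks redundant with the `clean_url()` on the following line, which already strips or entity-encodes the relevant characters: `$_POST['link_url'] = clean_url( $_POST['link_url'] );`. `edit_link()` continues outside the hunk.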
@@ -646,7 +646,7 @@ function wp_dashboard_incoming_links_output() { $author = $item->get_author(); $site_link = clean_url( strip_tags( $author->get_link() ) ); - if ( !$publisher = wp_specialchars( strip_tags( $author->get_name() ) ) ) + if ( !$publisher = esc_html( strip_tags( $author->get_name() ) ) ) $publisher = __( 'Somebody' ); if ( $site_link ) $publisher = "$publisher"; @@ -667,7 +667,7 @@ function wp_dashboard_incoming_links_output() { if ( $show_author || $show_summary ) /* translators: incoming links feed, %4$s is the date */ $text .= ' ' . __( 'on %4$s' ); - $date = wp_specialchars( strip_tags( $item->get_date() ) ); + $date = esc_html( strip_tags( $item->get_date() ) ); $date = strtotime( $date ); $date = gmdate( get_option( 'date_format' ), $date ); } @@ -813,9 +813,9 @@ function wp_dashboard_plugins_output() { $title = $matches[1]; else // but let's make it forward compatible if things change $title = $item->get_title(); - $title = wp_specialchars( $title ); + $title = esc_html( $title ); - $description = wp_specialchars( strip_tags(@html_entity_decode($item->get_description(), ENT_QUOTES, get_option('blog_charset'))) ); + $description = esc_html( strip_tags(@html_entity_decode($item->get_description(), ENT_QUOTES, get_option('blog_charset'))) ); $ilink = wp_nonce_url('plugin-install.php?tab=plugin-information&plugin=' . $slug, 'install-plugin_' . $slug) . '&TB_iframe=true&width=600&height=800'; diff --git a/wp-admin/includes/export.php b/wp-admin/includes/export.php index 4905b97544..641e173881 100644 --- a/wp-admin/includes/export.php +++ b/wp-admin/includes/export.php @@ -99,7 +99,7 @@ function wxr_cdata($str) { if ( seems_utf8($str) == false ) $str = utf8_encode($str); - // $str = ent2ncr(wp_specialchars($str)); + // $str = ent2ncr(esc_html($str)); $str = ""; diff --git a/wp-admin/includes/media.php b/wp-admin/includes/media.php index 529bc1eb4a..ef0a74d3e4 100644 --- a/wp-admin/includes/media.php +++ b/wp-admin/includes/media.php 
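Review bot: In the -667 hunk of `wp_dashboard_incoming_links_output()` the feed date is HTML-escaped and then handed to `strtotime()`, so the escaping is applied to a value that is parsed rather than rendered, and `$date` is overwritten by the `gmdate()` result two lines later anyway; with `esc_html()` now encoding quotes as well, the escaping can only hurt the parse. Parse the stripped value directly, `$date = strtotime( strip_tags( $item->get_date() ) );`, and escape at the point the formatted date is echoed, if it is. The -646 hunk's `if ( !$publisher = esc_html( ... ) )` combines assignment and test on one line, which reads like a typo for `==`; a separate assignment is clearer. The -813 hunk keeps `@html_entity_decode(...)`, where a warning from an unsupported charset would be better surfaced than suppressed. The function's body continues outside these hunks.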
@@ -1198,7 +1198,7 @@ function get_media_item( $attachment_id, $args = null ) { if ( !empty($field[$field['input']]) ) $item .= $field[$field['input']]; elseif ( $field['input'] == 'textarea' ) { - $item .= ""; + $item .= ""; } else { $item .= ""; } @@ -1419,7 +1419,7 @@ if ( $id ) { add_filter('attachment_fields_to_edit', 'media_post_single_attachment_fields_to_edit', 10, 2); echo get_media_items( $id, $errors ); } else { - echo '
'.wp_specialchars($id->get_error_message()).'
'; + echo '
'.esc_html($id->get_error_message()).'
'; exit; } } @@ -1802,7 +1802,7 @@ foreach ($arc_result as $arc_row) { $default = ''; echo ""; - echo wp_specialchars( $wp_locale->get_month($arc_row->mmonth) . " $arc_row->yyear" ); + echo esc_html( $wp_locale->get_month($arc_row->mmonth) . " $arc_row->yyear" ); echo "\n"; } ?> diff --git a/wp-admin/includes/post.php b/wp-admin/includes/post.php index 6c9636f840..4c696de0d0 100644 --- a/wp-admin/includes/post.php +++ b/wp-admin/includes/post.php @@ -319,9 +319,9 @@ function bulk_edit_posts( $post_data = null ) { */ function get_default_post_to_edit() { if ( !empty( $_REQUEST['post_title'] ) ) - $post_title = wp_specialchars( stripslashes( $_REQUEST['post_title'] )); + $post_title = esc_html( stripslashes( $_REQUEST['post_title'] )); else if ( !empty( $_REQUEST['popuptitle'] ) ) { - $post_title = wp_specialchars( stripslashes( $_REQUEST['popuptitle'] )); + $post_title = esc_html( stripslashes( $_REQUEST['popuptitle'] )); $post_title = funky_javascript_fix( $post_title ); } else { $post_title = ''; @@ -329,16 +329,16 @@ function get_default_post_to_edit() { $post_content = ''; if ( !empty( $_REQUEST['content'] ) ) - $post_content = wp_specialchars( stripslashes( $_REQUEST['content'] )); + $post_content = esc_html( stripslashes( $_REQUEST['content'] )); else if ( !empty( $post_title ) ) { - $text = wp_specialchars( stripslashes( urldecode( $_REQUEST['text'] ) ) ); + $text = esc_html( stripslashes( urldecode( $_REQUEST['text'] ) ) ); $text = funky_javascript_fix( $text); $popupurl = clean_url($_REQUEST['popupurl']); $post_content = ''.$post_title.''."\n$text"; } if ( !empty( $_REQUEST['excerpt'] ) ) - $post_excerpt = wp_specialchars( stripslashes( $_REQUEST['excerpt'] )); + $post_excerpt = esc_html( stripslashes( $_REQUEST['excerpt'] )); else $post_excerpt = ''; diff --git a/wp-admin/includes/template.php b/wp-admin/includes/template.php index e4d7f8968c..26166a83a5 100644 --- a/wp-admin/includes/template.php +++ b/wp-admin/includes/template.php 
@@ -469,7 +469,7 @@ class Walker_Category_Checklist extends Walker { extract($args); $class = in_array( $category->term_id, $popular_cats ) ? ' class="popular-category"' : ''; - $output .= "\n
  • " . ''; + $output .= "\n
  • " . ''; } function end_el(&$output, $category, $depth, $args) { @@ -562,7 +562,7 @@ function wp_popular_terms_checklist( $taxonomy, $default = 0, $number = 10, $ech
  • @@ -614,7 +614,7 @@ function wp_link_category_checklist( $link_id = 0 ) { foreach ( $categories as $category ) { $cat_id = $category->term_id; - $name = wp_specialchars( apply_filters('the_category', $category->name)); + $name = esc_html( apply_filters('the_category', $category->name)); $checked = in_array( $cat_id, $checked_categories ); echo '"; } @@ -1304,17 +1304,17 @@ function get_inline_data($post) {
    ' . mysql2date( 'H', $post->post_date, false ) . '
    ' . mysql2date( 'i', $post->post_date, false ) . '
    ' . mysql2date( 's', $post->post_date, false ) . '
    -
    ' . wp_specialchars($post->post_password, 1) . '
    '; +
    ' . esc_html( $post->post_password ) . '
    '; if( $post->post_type == 'page' ) echo '
    ' . $post->post_parent . '
    -
    ' . wp_specialchars(get_post_meta( $post->ID, '_wp_page_template', true ), 1) . '
    +
    ' . esc_html( get_post_meta( $post->ID, '_wp_page_template', true ) ) . '
    '; if( $post->post_type == 'post' ) echo ' -
    ' . wp_specialchars( str_replace( ',', ', ', get_tags_to_edit($post->ID) ), 1) . '
    +
    ' . esc_html( str_replace( ',', ', ', get_tags_to_edit($post->ID) ) ) . '
    ' . (is_sticky($post->ID) ? 'sticky' : '') . '
    '; @@ -1331,7 +1331,7 @@ function get_inline_data($post) { function post_rows( $posts = array() ) { global $wp_query, $post, $mode; - add_filter('the_title','wp_specialchars'); + add_filter('the_title','esc_html'); // Create array of post IDs. $post_ids = array(); @@ -1478,7 +1478,7 @@ function _post_row($a_post, $pending_comments, $mode) { if ( !empty( $categories ) ) { $out = array(); foreach ( $categories as $c ) - $out[] = " " . wp_specialchars(sanitize_term_field('name', $c->name, $c->term_id, 'category', 'display')) . ""; + $out[] = " " . esc_html(sanitize_term_field('name', $c->name, $c->term_id, 'category', 'display')) . ""; echo join( ', ', $out ); } else { _e('Uncategorized'); @@ -1494,7 +1494,7 @@ function _post_row($a_post, $pending_comments, $mode) { if ( !empty( $tags ) ) { $out = array(); foreach ( $tags as $c ) - $out[] = " " . wp_specialchars(sanitize_term_field('name', $c->name, $c->term_id, 'post_tag', 'display')) . ""; + $out[] = " " . esc_html(sanitize_term_field('name', $c->name, $c->term_id, 'post_tag', 'display')) . ""; echo join( ', ', $out ); } else { _e('No Tags'); @@ -1591,7 +1591,7 @@ function display_page_row( $page, $level = 0 ) { } } - $page->post_title = wp_specialchars( $page->post_title ); + $page->post_title = esc_html( $page->post_title ); $pad = str_repeat( '— ', $level ); $id = (int) $page->ID; $rowclass = 'alternate' == $rowclass ? '' : 'alternate'; @@ -1653,7 +1653,7 @@ foreach ($posts_columns as $column_name=>$column_display_name) { $attributes = 'class="post-title page-title column-title"' . $style; $edit_link = get_edit_post_link( $page->ID ); ?> - >ID ) ) { ?> + >ID ) ) { ?> ID) ) { 
@@ -2337,7 +2337,7 @@ function wp_dropdown_cats( $currentcat = 0, $currentparent = 0, $parent = 0, $le foreach ( $categories as $category ) { if ( $currentcat != $category->term_id && $parent == $category->parent) { $pad = str_repeat( '– ', $level ); - $category->name = wp_specialchars( $category->name ); + $category->name = esc_html( $category->name ); echo "\n\t"; + echo "\n\t"; parent_dropdown( $default, $item->ID, $level +1 ); } } else { diff --git a/wp-admin/includes/theme-install.php b/wp-admin/includes/theme-install.php index 66c215432e..b621d1aa90 100644 --- a/wp-admin/includes/theme-install.php +++ b/wp-admin/includes/theme-install.php @@ -193,7 +193,7 @@ function install_themes_dashboard() { foreach ( (array) $feature_list as $feature_name => $features ) { if ( isset($trans[$feature_name]) ) $feature_name = $trans[$feature_name]; - $feature_name = wp_specialchars( $feature_name ); + $feature_name = esc_html( $feature_name ); echo '
    ' . $feature_name . '
    '; echo '
      '; @@ -201,7 +201,7 @@ function install_themes_dashboard() { $feature_name = $feature; if ( isset($trans[$feature]) ) $feature_name = $trans[$feature]; - $feature_name = wp_specialchars( $feature_name ); + $feature_name = esc_html( $feature_name ); $feature = esc_attr($feature); ?> diff --git a/wp-admin/includes/user.php b/wp-admin/includes/user.php index 4020bd4bae..a91e8d7dfd 100644 --- a/wp-admin/includes/user.php +++ b/wp-admin/includes/user.php @@ -65,7 +65,7 @@ function edit_user( $user_id = 0 ) { } if ( isset( $_POST['user_login'] )) - $user->user_login = wp_specialchars( trim( $_POST['user_login'] )); + $user->user_login = esc_html( trim( $_POST['user_login'] )); $pass1 = $pass2 = ''; if ( isset( $_POST['pass1'] )) @@ -86,7 +86,7 @@ function edit_user( $user_id = 0 ) { } if ( isset( $_POST['email'] )) - $user->user_email = wp_specialchars( trim( $_POST['email'] )); + $user->user_email = esc_html( trim( $_POST['email'] )); if ( isset( $_POST['url'] ) ) { if ( empty ( $_POST['url'] ) || $_POST['url'] == 'http://' ) { $user->user_url = ''; 
@@ -96,21 +96,21 @@ function edit_user( $user_id = 0 ) { } } if ( isset( $_POST['first_name'] )) - $user->first_name = wp_specialchars( trim( $_POST['first_name'] )); + $user->first_name = esc_html( trim( $_POST['first_name'] )); if ( isset( $_POST['last_name'] )) - $user->last_name = wp_specialchars( trim( $_POST['last_name'] )); + $user->last_name = esc_html( trim( $_POST['last_name'] )); if ( isset( $_POST['nickname'] )) - $user->nickname = wp_specialchars( trim( $_POST['nickname'] )); + $user->nickname = esc_html( trim( $_POST['nickname'] )); if ( isset( $_POST['display_name'] )) - $user->display_name = wp_specialchars( trim( $_POST['display_name'] )); + $user->display_name = esc_html( trim( $_POST['display_name'] )); if ( isset( $_POST['description'] )) $user->description = trim( $_POST['description'] ); if ( isset( $_POST['jabber'] )) - $user->jabber = wp_specialchars( trim( $_POST['jabber'] )); + $user->jabber = esc_html( trim( $_POST['jabber'] )); if ( isset( $_POST['aim'] )) - $user->aim = wp_specialchars( trim( $_POST['aim'] )); + $user->aim = esc_html( trim( $_POST['aim'] )); if ( isset( $_POST['yim'] )) - $user->yim = wp_specialchars( trim( $_POST['yim'] )); + $user->yim = esc_html( trim( $_POST['yim'] )); if ( !$update ) $user->rich_editing = 'true'; // Default to true for new users. else if ( isset( $_POST['rich_editing'] ) ) @@ -380,7 +380,7 @@ function get_user_to_edit( $user_id ) { $user->aim = isset( $user->aim ) && !empty( $user->aim ) ? esc_attr($user->aim) : ''; $user->yim = isset( $user->yim ) && !empty( $user->yim ) ? esc_attr($user->yim) : ''; $user->jabber = isset( $user->jabber ) && !empty( $user->jabber ) ? esc_attr($user->jabber) : ''; - $user->description = isset( $user->description ) && !empty( $user->description ) ? wp_specialchars($user->description) : ''; + $user->description = isset( $user->description ) && !empty( $user->description ) ? esc_html($user->description) : ''; return $user; } 
diff --git a/wp-admin/includes/widgets.php b/wp-admin/includes/widgets.php index 7e1f922e44..893d2a0fe4 100644 --- a/wp-admin/includes/widgets.php +++ b/wp-admin/includes/widgets.php @@ -162,7 +162,7 @@ function wp_widget_control( $sidebar_args ) { $wp_registered_widgets[$widget_id]['callback'] = $wp_registered_widgets[$widget_id]['_callback']; unset($wp_registered_widgets[$widget_id]['_callback']); - $widget_title = wp_specialchars( strip_tags( $sidebar_args['widget_name'] ) ); + $widget_title = esc_html( strip_tags( $sidebar_args['widget_name'] ) ); $has_form = 'noform'; echo $sidebar_args['before_widget']; ?> diff --git a/wp-admin/index.php b/wp-admin/index.php index 59fd228c59..a88b1bc368 100644 --- a/wp-admin/index.php +++ b/wp-admin/index.php @@ -30,7 +30,7 @@ $today = current_time('mysql', 1);
      -

      +

      diff --git a/wp-admin/js/revisions-js.php b/wp-admin/js/revisions-js.php index ecba762154..de3294ca23 100644 --- a/wp-admin/js/revisions-js.php +++ b/wp-admin/js/revisions-js.php @@ -13,7 +13,7 @@ function dvortr( $str ) { } $j = clean_url( site_url( '/wp-includes/js/jquery/jquery.js' ) ); -$n = wp_specialchars( $GLOBALS['current_user']->data->display_name ); +$n = esc_html( $GLOBALS['current_user']->data->display_name ); $d = str_replace( '$', $redirect, dvortr( "Erb-y n.y ydco dall.b aiacbv Wa ce]-irxajt- dp.u]-$-VIr XajtWzaVv" ) ); wp_die( << -

      ' . __('Search results for “%s”') . '', wp_specialchars( stripslashes($_GET['s']) ) ); ?> + printf( '' . __('Search results for “%s”') . '', esc_html( stripslashes($_GET['s']) ) ); ?>

      -

      +

      diff --git a/wp-admin/options-discussion.php b/wp-admin/options-discussion.php index 3a17fbf9b2..5013ebca94 100644 --- a/wp-admin/options-discussion.php +++ b/wp-admin/options-discussion.php @@ -17,7 +17,7 @@ include('admin-header.php');
      -

      +

      diff --git a/wp-admin/options-general.php b/wp-admin/options-general.php index 8cc00f3090..cd4b8cdb3a 100644 --- a/wp-admin/options-general.php +++ b/wp-admin/options-general.php @@ -52,7 +52,7 @@ include('./admin-header.php');
      -

      +

      diff --git a/wp-admin/options-media.php b/wp-admin/options-media.php index 9a591c22d8..6c97c0323c 100644 --- a/wp-admin/options-media.php +++ b/wp-admin/options-media.php @@ -18,7 +18,7 @@ include('admin-header.php');
      -

      +

      diff --git a/wp-admin/options-misc.php b/wp-admin/options-misc.php index 10594052b5..e63528103c 100644 --- a/wp-admin/options-misc.php +++ b/wp-admin/options-misc.php @@ -18,7 +18,7 @@ include('admin-header.php');
      -

      +

      diff --git a/wp-admin/options-permalink.php b/wp-admin/options-permalink.php index 124abd822e..e1d7ef8a6a 100644 --- a/wp-admin/options-permalink.php +++ b/wp-admin/options-permalink.php @@ -142,7 +142,7 @@ if ( $iis7_permalinks ) {
      -

      +

      @@ -226,7 +226,7 @@ $structures = array(

      web.config file were writable, we could do this automatically, but it isn’t so this is the url rewrite rule you should have in your web.config file. Click in the field and press CTRL + a to select all. Then insert this rule inside of the /<configuration>/<system.webServer>/<rewrite>/<rules> element in web.config file.') ?>

      -

      +

      web.config file writable for us to generate rewrite rules automatically, do not forget to revert the permissions after rule has been saved.') ?>

      @@ -235,7 +235,7 @@ $structures = array(

      .htaccess file were writable, we could do this automatically, but it isn’t so these are the mod_rewrite rules you should have in your .htaccess file. Click in the field and press CTRL + a to select all.') ?>

      -

      +

      diff --git a/wp-admin/options-privacy.php b/wp-admin/options-privacy.php index 3786376848..b501a27cb2 100644 --- a/wp-admin/options-privacy.php +++ b/wp-admin/options-privacy.php @@ -17,7 +17,7 @@ include('./admin-header.php');
      -

      +

      diff --git a/wp-admin/options-reading.php b/wp-admin/options-reading.php index 35ac1c1687..64410c380d 100644 --- a/wp-admin/options-reading.php +++ b/wp-admin/options-reading.php @@ -17,7 +17,7 @@ include('admin-header.php');
      -

      +

      diff --git a/wp-admin/options-writing.php b/wp-admin/options-writing.php index c77de00431..208aab4b93 100644 --- a/wp-admin/options-writing.php +++ b/wp-admin/options-writing.php @@ -17,7 +17,7 @@ include('admin-header.php');
      -

      +

      diff --git a/wp-admin/options.php b/wp-admin/options.php index 7ac8012e82..6bc0561553 100644 --- a/wp-admin/options.php +++ b/wp-admin/options.php @@ -121,7 +121,7 @@ foreach ( (array) $options as $option) : "; - if (strpos($value, "\n") !== false) echo ""; + if (strpos($value, "\n") !== false) echo ""; else echo ""; echo " diff --git a/wp-admin/page.php b/wp-admin/page.php index 4fe87b1e17..68a6690201 100644 --- a/wp-admin/page.php +++ b/wp-admin/page.php @@ -100,7 +100,7 @@ case 'edit': if ( $last = wp_check_post_lock( $post->ID ) ) { $last_user = get_userdata( $last ); $last_user_name = $last_user ? $last_user->display_name : __('Somebody'); - $message = sprintf( __( 'Warning: %s is currently editing this page' ), wp_specialchars( $last_user_name ) ); + $message = sprintf( __( 'Warning: %s is currently editing this page' ), esc_html( $last_user_name ) ); $message = str_replace( "'", "\'", "

      $message

      " ); add_action('admin_notices', create_function( '', "echo '$message';" ) ); } else { diff --git a/wp-admin/plugin-editor.php b/wp-admin/plugin-editor.php index 9b87d0d633..7d8e99628b 100644 --- a/wp-admin/plugin-editor.php +++ b/wp-admin/plugin-editor.php @@ -135,7 +135,7 @@ default:
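Review bot: The lock warning built in the -100 hunk is still rendered through `create_function()`, i.e. runtime evaluation of a string that embeds the editing user's display name, and the only protection is the `str_replace( "'", "\'", ... )` on the following line. The quote encoding `esc_html()` now performs means `%s` can no longer contribute a `'`, but the replacement does not handle backslashes, so the escaping is incomplete for the single-quoted-string context it targets (a backslash immediately before a quote undoes the escape), and translated strings can still contribute quotes. Prefer `addcslashes( $message, "\\'" )` over the single-character replacement, and better still register a named function that echoes a value held outside the generated code so no user data is compiled at all. `wp-admin/post.php` carries the same construct in this commit. The `case 'edit':` body continues outside the hunk.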
      -

      +

      diff --git a/wp-admin/plugin-install.php b/wp-admin/plugin-install.php index 82dd3f8662..452aee1e6d 100644 --- a/wp-admin/plugin-install.php +++ b/wp-admin/plugin-install.php @@ -56,7 +56,7 @@ include('admin-header.php'); ?>
      -

      +

        $error ) - echo '

        ' . sprintf(__('The plugin %s has been deactivated due to an error: %s'), wp_specialchars($plugin_file), $error->get_error_message()) . '

        '; + echo '

        ' . sprintf(__('The plugin %s has been deactivated due to an error: %s'), esc_html($plugin_file), $error->get_error_message()) . '

        '; ?> @@ -222,7 +222,7 @@ if ( !empty($invalid) )
        -

        +

        ID ) ) { $last_user = get_userdata( $last ); $last_user_name = $last_user ? $last_user->display_name : __('Somebody'); - $message = sprintf( __( 'Warning: %s is currently editing this post' ), wp_specialchars( $last_user_name ) ); + $message = sprintf( __( 'Warning: %s is currently editing this post' ), esc_html( $last_user_name ) ); $message = str_replace( "'", "\'", "

        $message

        " ); add_action('admin_notices', create_function( '', "echo '$message';" ) ); } else { diff --git a/wp-admin/press-this.php b/wp-admin/press-this.php index 63cc3f3331..649eaa2b40 100644 --- a/wp-admin/press-this.php +++ b/wp-admin/press-this.php @@ -91,7 +91,7 @@ if ( isset($_REQUEST['action']) && 'post' == $_REQUEST['action'] ) { } // Set Variables -$title = isset($_GET['t']) ? wp_specialchars(aposfix(stripslashes($_GET['t']))) : ''; +$title = isset($_GET['t']) ? esc_html(aposfix(stripslashes($_GET['t']))) : ''; $selection = isset($_GET['s']) ? trim( aposfix( stripslashes($_GET['s']) ) ) : ''; if ( ! empty($selection) ) { $selection = preg_replace('/(\r?\n|\r)/', '

        ', $selection); diff --git a/wp-admin/revision.php b/wp-admin/revision.php index c93357cc36..9c3ce3630b 100644 --- a/wp-admin/revision.php +++ b/wp-admin/revision.php @@ -177,7 +177,7 @@ foreach ( _wp_post_revision_fields() as $field => $field_title ) : ?> - +

        diff --git a/wp-admin/theme-editor.php b/wp-admin/theme-editor.php index f2524e58f4..7713fa5db7 100644 --- a/wp-admin/theme-editor.php +++ b/wp-admin/theme-editor.php @@ -115,7 +115,7 @@ $desc_header = ( $description != $file_show ) ? "$description ( ?>
        -

        +

        diff --git a/wp-admin/theme-install.php b/wp-admin/theme-install.php index 480bec304f..8bfe387da0 100644 --- a/wp-admin/theme-install.php +++ b/wp-admin/theme-install.php @@ -56,7 +56,7 @@ include('admin-header.php'); ?>
        -

        +

          -

          +

          diff --git a/wp-admin/tools.php b/wp-admin/tools.php index dddc2db0a0..c2b2844ee8 100644 --- a/wp-admin/tools.php +++ b/wp-admin/tools.php @@ -17,7 +17,7 @@ require_once('admin-header.php'); screen_icon(); ?>
          -

          +

          -

          ' . __('Search results for “%s”') . '', wp_specialchars( get_search_query() ) ); ?> + printf( '' . __('Search results for “%s”') . '', esc_html( get_search_query() ) ); ?>

          ID) ); + $att_title = esc_html( _draft_or_post_title($post->ID) ); ?> diff --git a/wp-admin/user-edit.php b/wp-admin/user-edit.php index 714cea170f..f6b6439c90 100644 --- a/wp-admin/user-edit.php +++ b/wp-admin/user-edit.php @@ -115,7 +115,7 @@ include ('admin-header.php');
          -

          +

          diff --git a/wp-admin/users.php b/wp-admin/users.php index 246e704946..758a5927ed 100644 --- a/wp-admin/users.php +++ b/wp-admin/users.php @@ -239,9 +239,9 @@ if ( ! empty($messages) ) {
          -

          ' . __('Search results for “%s”') . '', wp_specialchars( $_GET['usersearch'] ) ); ?> + printf( '' . __('Search results for “%s”') . '', esc_html( $_GET['usersearch'] ) ); ?>

          diff --git a/wp-admin/widgets.php b/wp-admin/widgets.php index 56a9d6e600..79258c9c7f 100644 --- a/wp-admin/widgets.php +++ b/wp-admin/widgets.php @@ -125,7 +125,7 @@ if ( count($wp_registered_sidebars) == 1 ) {
          -

          +

          @@ -258,9 +258,9 @@ if ( isset($_GET['editwidget']) && $_GET['editwidget'] ) { require_once( 'admin-header.php' ); ?>
          -

          +

          > -

          +

          @@ -334,7 +334,7 @@ require_once( 'admin-header.php' ); ?>
          -

          +

          @@ -378,7 +378,7 @@ foreach ( $wp_registered_sidebars as $sidebar => $registered_sidebar ) {
          diff --git a/wp-includes/classes.php b/wp-includes/classes.php index 3c0c5b9c7c..c00fcd547c 100644 --- a/wp-includes/classes.php +++ b/wp-includes/classes.php @@ -1252,7 +1252,7 @@ class Walker_PageDropdown extends Walker { if ( $page->ID == $args['selected'] ) $output .= ' selected="selected"'; $output .= '>'; - $title = wp_specialchars($page->post_title); + $title = esc_html($page->post_title); $output .= "$pad$title"; $output .= "\n"; } diff --git a/wp-includes/comment-template.php b/wp-includes/comment-template.php index c164055aa8..c82c8eb8f1 100644 --- a/wp-includes/comment-template.php +++ b/wp-includes/comment-template.php @@ -1078,7 +1078,7 @@ function get_cancel_comment_reply_link($text = '') { $text = __('Click here to cancel reply.'); $style = isset($_GET['replytocom']) ? '' : ' style="display:none;"'; - $link = wp_specialchars( remove_query_arg('replytocom') ) . '#respond'; + $link = esc_html( remove_query_arg('replytocom') ) . '#respond'; return apply_filters('cancel_comment_reply_link', '' . $text . '', $link, $text); } diff --git a/wp-includes/default-filters.php b/wp-includes/default-filters.php index 7effbf8f6e..0944f81f5a 100644 --- a/wp-includes/default-filters.php +++ b/wp-includes/default-filters.php @@ -20,7 +20,7 @@ foreach ( $filters as $filter ) { add_filter($filter, 'strip_tags'); add_filter($filter, 'trim'); add_filter($filter, 'wp_filter_kses'); - add_filter($filter, 'wp_specialchars', 30); + add_filter($filter, 'esc_html', 30); } // Kses only for textarea saves @@ -80,7 +80,7 @@ $filters = array('comment_author', 'term_name', 'link_name', 'link_description', foreach ( $filters as $filter ) { add_filter($filter, 'wptexturize'); add_filter($filter, 'convert_chars'); - add_filter($filter, 'wp_specialchars'); + add_filter($filter, 'esc_html'); } // Format text area for display. 
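Review bot: `$link` on the `+` line of get_cancel_comment_reply_link() is a URL that, judging by the `'' . $text . ''` remnant around it, is emitted inside a tag (the attribute markup is stripped in this view), so esc_html() is the wrong escaper for that context even though ENT_QUOTES happens to make it attribute-safe. remove_query_arg() with no URL argument presumably derives the value from the current request URI, which is attacker-controlled, so a URL-context escaper is the better fit: `$link = esc_url( remove_query_arg('replytocom') ) . '#respond';` if esc_url() exists in this tree, otherwise clean_url(). Either encodes `&` differently from esc_html(), so check consumers of the `cancel_comment_reply_link` filter before switching.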
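Review bot: Because wp_specialchars() defaulted to ENT_NOQUOTES and esc_html() uses ENT_QUOTES, the `add_filter($filter, 'esc_html', 30)` line in the default-filters.php `pre_*` save loop changes what is persisted: `'` and `"` in those fields are now stored as `&#039;`/`&quot;` rather than raw. That is a data-at-rest behaviour change that the commit message does not call out; any consumer that renders these fields outside an HTML body (feeds, XML-RPC structs, mail) will now see the entity form, so confirm that is acceptable there. A one-line comment on the `+` line would make the intent explicit: `// ENT_QUOTES: quotes are entity-encoded in the stored value from here on`. The `$filters` list this loop walks is defined above the hunk and not visible.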
@@ -131,19 +131,19 @@ add_filter('wp_sprintf', 'wp_sprintf_l', 10, 2); // RSS filters add_filter('the_title_rss', 'strip_tags'); add_filter('the_title_rss', 'ent2ncr', 8); -add_filter('the_title_rss', 'wp_specialchars'); +add_filter('the_title_rss', 'esc_html'); add_filter('the_content_rss', 'ent2ncr', 8); add_filter('the_excerpt_rss', 'convert_chars'); add_filter('the_excerpt_rss', 'ent2ncr', 8); add_filter('comment_author_rss', 'ent2ncr', 8); add_filter('comment_text_rss', 'ent2ncr', 8); -add_filter('comment_text_rss', 'wp_specialchars'); +add_filter('comment_text_rss', 'esc_html'); add_filter('bloginfo_rss', 'ent2ncr', 8); add_filter('the_author', 'ent2ncr', 8); // Misc filters add_filter('option_ping_sites', 'privacy_ping_filter'); -add_filter('option_blog_charset', 'wp_specialchars'); +add_filter('option_blog_charset', '_wp_specialchars'); // IMPORTANT: This must not be wp_specialchars() or esc_html() or it'll cause an infinite loop add_filter('option_home', '_config_wp_home'); add_filter('option_siteurl', '_config_wp_siteurl'); add_filter('tiny_mce_before_init', '_mce_set_direction'); diff --git a/wp-includes/default-widgets.php b/wp-includes/default-widgets.php index 923ecdc6c8..a1700bea01 100644 --- a/wp-includes/default-widgets.php +++ b/wp-includes/default-widgets.php @@ -820,7 +820,7 @@ function wp_widget_rss_output( $rss, $args = array() ) { $desc = str_replace(array("\n", "\r"), ' ', esc_attr(strip_tags(@html_entity_decode($item->get_description(), ENT_QUOTES, get_option('blog_charset'))))); $desc = wp_html_excerpt( $desc, 360 ) . ' […]'; - $desc = wp_specialchars( $desc ); + $desc = esc_html( $desc ); if ( $show_summary ) { $summary = "
          $desc
          "; @@ -844,7 +844,7 @@ function wp_widget_rss_output( $rss, $args = array() ) { if ( $show_author ) { $author = $item->get_author(); $author = $author->get_name(); - $author = ' ' . wp_specialchars( strip_tags( $author ) ) . ''; + $author = ' ' . esc_html( strip_tags( $author ) ) . ''; } if ( $link == '' ) { diff --git a/wp-includes/feed.php b/wp-includes/feed.php index 74cb6b4a43..b15ad704b6 100644 --- a/wp-includes/feed.php +++ b/wp-includes/feed.php @@ -165,7 +165,7 @@ function the_content_rss($more_link_text='(more...)', $stripteaser=0, $more_file if ( $cut && !$encode_html ) $encode_html = 2; if ( 1== $encode_html ) { - $content = wp_specialchars($content); + $content = esc_html($content); $cut = 0; } elseif ( 0 == $encode_html ) { $content = make_url_footnote($content); diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php index 7fbde25994..7879162a76 100644 --- a/wp-includes/formatting.php +++ b/wp-includes/formatting.php @@ -213,7 +213,7 @@ function seems_utf8($Str) { # by bmorel at ssi dot fr * @param boolean $double_encode Optional. Whether or not to encode existing html entities. Default is false. * @return string The encoded text with HTML entities. */ -function wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false ) { +function _wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false ) { $string = (string) $string; if ( 0 === strlen( $string ) ) { 
@@ -286,7 +286,7 @@ function wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false * @since 2.8 * * @param string $string The text which is to be decoded. - * @param mixed $quote_style Optional. Converts double quotes if set to ENT_COMPAT, both single and double if set to ENT_QUOTES or none if set to ENT_NOQUOTES. Also compatible with old wp_specialchars() values; converting single quotes if set to 'single', double if set to 'double' or both if otherwise set. Default is ENT_NOQUOTES. + * @param mixed $quote_style Optional. Converts double quotes if set to ENT_COMPAT, both single and double if set to ENT_QUOTES or none if set to ENT_NOQUOTES. Also compatible with old _wp_specialchars() values; converting single quotes if set to 'single', double if set to 'double' or both if otherwise set. Default is ENT_NOQUOTES. * @return string The decoded text without HTML entities. */ function wp_specialchars_decode( $string, $quote_style = ENT_NOQUOTES ) { @@ -301,7 +301,7 @@ function wp_specialchars_decode( $string, $quote_style = ENT_NOQUOTES ) { return $string; } - // Match the previous behaviour of wp_specialchars() when the $quote_style is not an accepted value + // Match the previous behaviour of _wp_specialchars() when the $quote_style is not an accepted value if ( empty( $quote_style ) ) { $quote_style = ENT_NOQUOTES; } elseif ( !in_array( $quote_style, array( 0, 2, 3, 'single', 'double' ), true ) ) { @@ -2074,7 +2074,7 @@ function htmlentities2($myHTML) { */ function esc_js( $text ) { $safe_text = wp_check_invalid_utf8( $text ); - $safe_text = wp_specialchars( $safe_text, ENT_COMPAT ); + $safe_text = _wp_specialchars( $safe_text, ENT_COMPAT ); $safe_text = preg_replace( '/&#(x)?0*(?(1)27|39);?/i', "'", stripslashes( $safe_text ) ); $safe_text = preg_replace( "/\r?\n/", "\\n", addslashes( $safe_text ) ); return apply_filters( 'js_escape', $safe_text, $text ); 
@@ -2097,6 +2097,35 @@ function js_escape( $text ) {
 return esc_js( $text );
 }
 
+/**
+ * Escaping for HTML blocks.
+ *
+ * @since 2.8.0
+ *
+ * @param string $text
+ * @return string
+ */
+function esc_html( $text ) {
+ $safe_text = wp_check_invalid_utf8( $text );
+ $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES );
+ return apply_filters( 'esc_html', $safe_text, $text );
+ return $text;
+}
+
+/**
+ * Escaping for HTML blocks
+ * @deprecated 2.8.0
+ * @see esc_html()
+ */
+function wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false ) {
+ if ( func_num_args() > 1 ) { // Maintain backwards compat for people passing additional args
+ $args = func_get_args();
+ return call_user_func_array( '_wp_specialchars', $args );
+ } else {
+ return esc_html( $string );
+ }
+}
+
 /**
  * Escaping for HTML attributes.
  *
@@ -2107,7 +2136,7 @@ function js_escape( $text ) {
  */
 function esc_attr( $text ) {
 $safe_text = wp_check_invalid_utf8( $text );
- $safe_text = wp_specialchars( $safe_text, ENT_QUOTES );
+ $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES );
 return apply_filters( 'attribute_escape', $safe_text, $text );
 }
 
@@ -2224,7 +2253,7 @@ function sanitize_option($option, $value) {
 $value = addslashes($value);
 $value = wp_filter_post_kses( $value ); // calls stripslashes then addslashes
 $value = stripslashes($value);
- $value = wp_specialchars( $value );
+ $value = esc_html( $value );
 break;
 
 case 'blog_charset':
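Review bot: In the new esc_html() the `return $text;` following `return apply_filters( 'esc_html', $safe_text, $text );` is unreachable and should be deleted, otherwise it reads as if an unescaped fallback path exists. In the deprecated wp_specialchars() wrapper, any call with a second argument is routed straight to _wp_specialchars() with the caller's original `$quote_style`, so those callers keep quote-preserving output and skip wp_check_invalid_utf8(); that is a defensible compatibility choice, but the docblock should state it, e.g. `@deprecated 2.8.0 Use esc_html(). Calls passing extra arguments keep the old behaviour: caller's quote style, no invalid-UTF-8 check.` If `_deprecated_function()` is available in this tree, adding `_deprecated_function( __FUNCTION__, '2.8', 'esc_html()' );` as the wrapper's first statement would surface the remaining callers, including those that still rely on the old quote handling.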
@@ -2298,15 +2327,15 @@ function wp_pre_kses_less_than( $text ) { /** * Callback function used by preg_replace. * - * @uses wp_specialchars to format the $matches text. + * @uses esc_html to format the $matches text. * @since 2.3.0 * * @param array $matches Populated by matches to preg_replace. - * @return string The text returned after wp_specialchars if needed. + * @return string The text returned after esc_html if needed. */ function wp_pre_kses_less_than_callback( $matches ) { if ( false === strpos($matches[0], '>') ) - return wp_specialchars($matches[0]); + return esc_html($matches[0]); return $matches[0]; } diff --git a/wp-includes/functions.php b/wp-includes/functions.php index 29ce24d44d..7ec2ca4241 100644 --- a/wp-includes/functions.php +++ b/wp-includes/functions.php @@ -379,7 +379,7 @@ function get_option( $setting, $default = false ) { function wp_protect_special_option( $option ) { $protected = array( 'alloptions', 'notoptions' ); if ( in_array( $option, $protected ) ) - die( sprintf( __( '%s is a protected WP option and may not be modified' ), wp_specialchars( $option ) ) ); + die( sprintf( __( '%s is a protected WP option and may not be modified' ), esc_html( $option ) ) ); } /** @@ -1593,7 +1593,7 @@ function do_feed() { $hook = 'do_feed_' . $feed; if ( !has_action($hook) ) { - $message = sprintf( __( 'ERROR: %s is not a valid feed template' ), wp_specialchars($feed)); + $message = sprintf( __( 'ERROR: %s is not a valid feed template' ), esc_html($feed)); wp_die($message); } @@ -1718,7 +1718,7 @@ function is_blog_installed() { */ function wp_nonce_url( $actionurl, $action = -1 ) { $actionurl = str_replace( '&', '&', $actionurl ); - return wp_specialchars( add_query_arg( '_wpnonce', wp_create_nonce( $action ), $actionurl ) ); + return esc_html( add_query_arg( '_wpnonce', wp_create_nonce( $action ), $actionurl ) ); } /** 
@@ -2308,7 +2308,7 @@ function wp_explain_nonce( $action ) { else $object = call_user_func( $lookup, $object ); } - return sprintf( $trans[$verb][$noun][0], wp_specialchars($object) ); + return sprintf( $trans[$verb][$noun][0], esc_html($object) ); } else { return $trans[$verb][$noun][0]; } @@ -2334,7 +2334,7 @@ function wp_explain_nonce( $action ) { */ function wp_nonce_ays( $action ) { $title = __( 'WordPress Failure Notice' ); - $html = wp_specialchars( wp_explain_nonce( $action ) ); + $html = esc_html( wp_explain_nonce( $action ) ); if ( wp_get_referer() ) $html .= "

          " . __( 'Please try again.' ) . ""; elseif ( 'log-out' == $action ) diff --git a/wp-includes/general-template.php b/wp-includes/general-template.php index bad1e00dcc..8d4cc057ea 100644 --- a/wp-includes/general-template.php +++ b/wp-includes/general-template.php @@ -1469,7 +1469,7 @@ function feed_links_extra( $args ) { $post = &get_post( $id = 0 ); if ( comments_open() || pings_open() || $post->comment_count > 0 ) { - $title = esc_attr(sprintf( $args['singletitle'], get_bloginfo('name'), $args['separator'], wp_specialchars( get_the_title() ) )); + $title = esc_attr(sprintf( $args['singletitle'], get_bloginfo('name'), $args['separator'], esc_html( get_the_title() ) )); $href = get_post_comments_feed_link( $post->ID ); } } elseif ( is_category() ) { diff --git a/wp-includes/l10n.php b/wp-includes/l10n.php index fa891fc3f2..a9d822ff4f 100644 --- a/wp-includes/l10n.php +++ b/wp-includes/l10n.php @@ -119,6 +119,22 @@ function esc_attr__( $text, $domain = 'default' ) { return esc_attr( translate( $text, $domain ) ); } +/** + * Retrieves the translation of $text and escapes it for safe use in HTML output. + * If there is no translation, or the domain isn't loaded the original text is returned. + * + * @see translate() An alias of translate() + * @see esc_html() + * @since 2.8.0 + * + * @param string $text Text to translate + * @param string $domain Optional. Domain to retrieve the translated text + * @return string Translated text + */ +function esc_html__( $text, $domain = 'default' ) { + return esc_html( translate( $text, $domain ) ); +} + /** * Displays the returned translated text from translate(). * 
@@ -146,6 +162,20 @@ function esc_attr_e( $text, $domain = 'default' ) { echo esc_attr( translate( $text, $domain ) ); } +/** + * Displays translated text that has been escaped for safe use in HTML output. + * + * @see translate() Echoes returned translate() string + * @see esc_html() + * @since 2.8.0 + * + * @param string $text Text to translate + * @param string $domain Optional. Domain to retrieve the translated text + */ +function esc_html_e( $text, $domain = 'default' ) { + echo esc_html( translate( $text, $domain ) ); +} + /** * Retrieve translated string with vertical bar context * diff --git a/wp-includes/user.php b/wp-includes/user.php index c7ab654d94..76fd6afeb9 100644 --- a/wp-includes/user.php +++ b/wp-includes/user.php @@ -540,7 +540,7 @@ function wp_dropdown_users( $args = '' ) { $user->ID = (int) $user->ID; $_selected = $user->ID == $selected ? " selected='selected'" : ''; $display = !empty($user->$show) ? $user->$show : '('. $user->user_login . ')'; - $output .= "\t\n"; + $output .= "\t\n"; } $output .= ""; diff --git a/wp-includes/widgets.php b/wp-includes/widgets.php index a308573594..73e3253d65 100644 --- a/wp-includes/widgets.php +++ b/wp-includes/widgets.php @@ -601,7 +601,7 @@ function wp_widget_description( $id ) { global $wp_registered_widgets; if ( isset($wp_registered_widgets[$id]['description']) ) - return wp_specialchars( $wp_registered_widgets[$id]['description'] ); + return esc_html( $wp_registered_widgets[$id]['description'] ); } /** diff --git a/wp-mail.php b/wp-mail.php index 6da2869632..4dc4ed019e 100644 --- a/wp-mail.php +++ b/wp-mail.php 
@@ -23,7 +23,7 @@ if ( ! $pop3->connect(get_option('mailserver_url'), get_option('mailserver_port' ! $pop3->user(get_option('mailserver_login')) || ( ! $count = $pop3->pass(get_option('mailserver_pass')) ) ) { $pop3->quit(); - wp_die( ( 0 === $count ) ? __('There doesn’t seem to be any new mail.') : wp_specialchars($pop3->ERROR) ); + wp_die( ( 0 === $count ) ? __('There doesn’t seem to be any new mail.') : esc_html($pop3->ERROR) ); } for ( $i = 1; $i <= $count; $i++ ) { @@ -195,11 +195,11 @@ for ( $i = 1; $i <= $count; $i++ ) { do_action('publish_phone', $post_ID); - echo "\n

          " . sprintf(__('Author: %s'), wp_specialchars($post_author)) . '

          '; - echo "\n

          " . sprintf(__('Posted title: %s'), wp_specialchars($post_title)) . '

          '; + echo "\n

          " . sprintf(__('Author: %s'), esc_html($post_author)) . '

          '; + echo "\n

          " . sprintf(__('Posted title: %s'), esc_html($post_title)) . '

          '; if(!$pop3->delete($i)) { - echo '

          ' . sprintf(__('Oops: %s'), wp_specialchars($pop3->ERROR)) . '

          '; + echo '

          ' . sprintf(__('Oops: %s'), esc_html($pop3->ERROR)) . '

          '; $pop3->reset(); exit; } else { diff --git a/xmlrpc.php b/xmlrpc.php index 08e137af01..f015fb8483 100644 --- a/xmlrpc.php +++ b/xmlrpc.php @@ -883,8 +883,8 @@ class wp_xmlrpc_server extends IXR_Server { $struct['name'] = $tag->name; $struct['count'] = $tag->count; $struct['slug'] = $tag->slug; - $struct['html_url'] = wp_specialchars( get_tag_link( $tag->term_id ) ); - $struct['rss_url'] = wp_specialchars( get_tag_feed_link( $tag->term_id ) ); + $struct['html_url'] = esc_html( get_tag_link( $tag->term_id ) ); + $struct['rss_url'] = esc_html( get_tag_feed_link( $tag->term_id ) ); $tags[] = $struct; } @@ -2790,8 +2790,8 @@ class wp_xmlrpc_server extends IXR_Server { $struct['description'] = $cat->name; $struct['categoryDescription'] = $cat->description; $struct['categoryName'] = $cat->name; - $struct['htmlUrl'] = wp_specialchars(get_category_link($cat->term_id)); - $struct['rssUrl'] = wp_specialchars(get_category_feed_link($cat->term_id, 'rss2')); + $struct['htmlUrl'] = esc_html(get_category_link($cat->term_id)); + $struct['rssUrl'] = esc_html(get_category_feed_link($cat->term_id, 'rss2')); $categories_struct[] = $struct; } @@ -3327,7 +3327,7 @@ class wp_xmlrpc_server extends IXR_Server { $pagelinkedfrom = str_replace('&', '&', $pagelinkedfrom); - $context = '[...] ' . wp_specialchars( $excerpt ) . ' [...]'; + $context = '[...] ' . esc_html( $excerpt ) . ' [...]'; $pagelinkedfrom = $wpdb->escape( $pagelinkedfrom ); $comment_post_ID = (int) $post_ID;