From 119b39cec26a8ceb06c07cd9b543eaae38521c05 Mon Sep 17 00:00:00 2001 
From: markjaquith Date: Mon, 18 May 2009 15:11:07 +0000 Subject: [PATCH] deprecate wp_specialchars() in favor of esc_html(). Encode quotes for esc_html() as in esc_attr(), to improve plugin security. git-svn-id: http://svn.automattic.com/wordpress/trunk@11380 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/admin-ajax.php | 8 ++--- wp-admin/admin-header.php | 2 +- wp-admin/async-upload.php | 2 +- wp-admin/categories.php | 4 +-- wp-admin/edit-attachment-rows.php | 4 +-- wp-admin/edit-category-form.php | 2 +- wp-admin/edit-comments.php | 4 +-- wp-admin/edit-form-advanced.php | 8 ++--- wp-admin/edit-link-categories.php | 4 +-- wp-admin/edit-link-form.php | 2 +- wp-admin/edit-page-form.php | 6 ++-- wp-admin/edit-pages.php | 4 +-- wp-admin/edit-tag-form.php | 2 +- wp-admin/edit-tags.php | 4 +-- wp-admin/edit.php | 4 +-- wp-admin/export.php | 2 +- wp-admin/import.php | 2 +- wp-admin/import/opml.php | 2 +- wp-admin/includes/bookmark.php | 6 ++-- wp-admin/includes/dashboard.php | 10 +++--- wp-admin/includes/export.php | 2 +- wp-admin/includes/media.php | 6 ++-- wp-admin/includes/post.php | 10 +++--- wp-admin/includes/template.php | 26 ++++++++-------- wp-admin/includes/theme-install.php | 4 +-- wp-admin/includes/user.php | 20 ++++++------ wp-admin/includes/widgets.php | 2 +- wp-admin/index.php | 2 +- wp-admin/js/revisions-js.php | 2 +- wp-admin/link-manager.php | 4 +-- wp-admin/media-upload.php | 2 +- wp-admin/options-discussion.php | 2 +- wp-admin/options-general.php | 2 +- wp-admin/options-media.php | 2 +- wp-admin/options-misc.php | 2 +- wp-admin/options-permalink.php | 6 ++-- wp-admin/options-privacy.php | 2 +- wp-admin/options-reading.php | 2 +- wp-admin/options-writing.php | 2 +- wp-admin/options.php | 2 +- wp-admin/page.php | 2 +- wp-admin/plugin-editor.php | 2 +- wp-admin/plugin-install.php | 2 +- wp-admin/plugins.php | 4 +-- wp-admin/post.php | 2 +- wp-admin/press-this.php | 2 +- wp-admin/revision.php | 2 +- wp-admin/theme-editor.php | 2 +- 
wp-admin/theme-install.php | 2 +- wp-admin/themes.php | 2 +- wp-admin/tools.php | 2 +- wp-admin/upload.php | 6 ++-- wp-admin/user-edit.php | 2 +- wp-admin/users.php | 4 +-- wp-admin/widgets.php | 10 +++--- wp-includes/classes.php | 2 +- wp-includes/comment-template.php | 2 +- wp-includes/default-filters.php | 10 +++--- wp-includes/default-widgets.php | 4 +-- wp-includes/feed.php | 2 +- wp-includes/formatting.php | 47 +++++++++++++++++++++++------ wp-includes/functions.php | 10 +++--- wp-includes/general-template.php | 2 +- wp-includes/l10n.php | 30 ++++++++++++++++++ wp-includes/user.php | 2 +- wp-includes/widgets.php | 2 +- wp-mail.php | 8 ++--- xmlrpc.php | 10 +++--- 68 files changed, 210 insertions(+), 151 deletions(-) diff --git a/wp-admin/admin-ajax.php b/wp-admin/admin-ajax.php index 2486f5999..87fb3f343 100644 --- a/wp-admin/admin-ajax.php +++ b/wp-admin/admin-ajax.php @@ -422,7 +422,7 @@ case 'add-link-category' : // On the Fly $cat_id = wp_insert_term( $cat_name, 'link_category' ); } $cat_id = $cat_id['term_id']; - $cat_name = wp_specialchars(stripslashes($cat_name)); + $cat_name = esc_html(stripslashes($cat_name)); $x->add( array( 'what' => 'link-category', 'id' => $cat_id, @@ -898,7 +898,7 @@ case 'autosave' : // The name of this action is hardcoded in edit_post() $last_user_name = $last_user ? $last_user->display_name : __( 'Someone' ); $data = new WP_Error( 'locked', sprintf( $_POST['post_type'] == 'page' ? __( 'Autosave disabled: %s is currently editing this page.' ) : __( 'Autosave disabled: %s is currently editing this post.' ), - wp_specialchars( $last_user_name ) + esc_html( $last_user_name ) ) ); $supplemental['disable_autosave'] = 'disable'; 
@@ -1057,7 +1057,7 @@ case 'inline-save': if ( $last = wp_check_post_lock( $post_ID ) ) { $last_user = get_userdata( $last ); $last_user_name = $last_user ? $last_user->display_name : __( 'Someone' ); - printf( $_POST['post_type'] == 'page' ? __( 'Saving is disabled: %s is currently editing this page.' ) : __( 'Saving is disabled: %s is currently editing this post.' ), wp_specialchars( $last_user_name ) ); + printf( $_POST['post_type'] == 'page' ? __( 'Saving is disabled: %s is currently editing this page.' ) : __( 'Saving is disabled: %s is currently editing this post.' ), esc_html( $last_user_name ) ); exit; } @@ -1217,7 +1217,7 @@ case 'find_posts': } $html .= ''; - $html .= ''.wp_specialchars($time, true).''.wp_specialchars($stat, true).''."\n\n"; + $html .= ''.esc_html( $time ).''.esc_html( $stat ).''."\n\n"; } $html .= ''; diff --git a/wp-admin/admin-header.php b/wp-admin/admin-header.php index 2d6b33177..2944e7154 100644 --- a/wp-admin/admin-header.php +++ b/wp-admin/admin-header.php @@ -10,7 +10,7 @@ if (!isset($_GET["page"])) require_once('admin.php'); get_admin_page_title(); -$title = wp_specialchars( strip_tags( $title ) ); +$title = esc_html( strip_tags( $title ) ); wp_user_settings(); wp_menu_unfold(); ?> diff --git a/wp-admin/async-upload.php b/wp-admin/async-upload.php index 33c6bf971..b91faadb5 100644 --- a/wp-admin/async-upload.php +++ b/wp-admin/async-upload.php @@ -42,7 +42,7 @@ check_admin_referer('media-form'); $id = media_handle_upload('async-upload', $_REQUEST['post_id']); if (is_wp_error($id)) { - echo '
'.wp_specialchars($id->get_error_message()).'
'; + echo '
'.esc_html($id->get_error_message()).'
'; exit; } diff --git a/wp-admin/categories.php b/wp-admin/categories.php index a700fe21c..8d26b9e13 100644 --- a/wp-admin/categories.php +++ b/wp-admin/categories.php @@ -129,9 +129,9 @@ $messages[5] = __('Category not updated.');
-

' . __('Search results for “%s”') . '', wp_specialchars( stripslashes($_GET['s']) ) ); ?> + printf( '' . __('Search results for “%s”') . '', esc_html( stripslashes($_GET['s']) ) ); ?>

$column_display_name ) { if ( !empty( $tags ) ) { $out = array(); foreach ( $tags as $c ) - $out[] = " " . wp_specialchars(sanitize_term_field('name', $c->name, $c->term_id, 'post_tag', 'display')) . ""; + $out[] = " " . esc_html(sanitize_term_field('name', $c->name, $c->term_id, 'post_tag', 'display')) . ""; echo join( ', ', $out ); } else { _e('No Tags'); diff --git a/wp-admin/edit-category-form.php b/wp-admin/edit-category-form.php index e3cc9d68f..2a06aebcf 100644 --- a/wp-admin/edit-category-form.php +++ b/wp-admin/edit-category-form.php @@ -66,7 +66,7 @@ _fill_empty_category($category); -
+
diff --git a/wp-admin/edit-comments.php b/wp-admin/edit-comments.php index 1eeca07fd..da5ce0204 100644 --- a/wp-admin/edit-comments.php +++ b/wp-admin/edit-comments.php @@ -96,9 +96,9 @@ $search = esc_attr( $search_dirty ); ?>
-

' . sprintf( __( 'Search results for “%s”' ), wp_html_excerpt( wp_specialchars( stripslashes( $_GET['s'] ) ), 50 ) ) . '' ); ?> + printf( '' . sprintf( __( 'Search results for “%s”' ), wp_html_excerpt( esc_html( stripslashes( $_GET['s'] ) ), 50 ) ) . '' ); ?>

post_status ) { $visibility_trans = __('Public'); } -?> +?>
@@ -390,7 +390,7 @@ function post_trackback_meta_box($post) { $pings = '

'. __('Already pinged:') . '

    '; $already_pinged = explode("\n", trim($post->pinged)); foreach ($already_pinged as $pinged_url) { - $pings .= "\n\t
  • " . wp_specialchars($pinged_url) . "
  • "; + $pings .= "\n\t
  • " . esc_html($pinged_url) . "
  • "; } $pings .= '
'; } @@ -549,7 +549,7 @@ require_once('admin-header.php');
-

+

@@ -622,7 +622,7 @@ endif; ?> echo ''; if ( $last_id = get_post_meta($post_ID, '_edit_last', true) ) { $last_user = get_userdata($last_id); - printf(__('Last edited by %1$s on %2$s at %3$s'), wp_specialchars( $last_user->display_name ), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified)); + printf(__('Last edited by %1$s on %2$s at %3$s'), esc_html( $last_user->display_name ), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified)); } else { printf(__('Last edited on %1$s at %2$s'), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified)); } diff --git a/wp-admin/edit-link-categories.php b/wp-admin/edit-link-categories.php index a140447cd..691f32669 100644 --- a/wp-admin/edit-link-categories.php +++ b/wp-admin/edit-link-categories.php @@ -61,9 +61,9 @@ $messages[6] = __('Categories deleted.'); ?>
-

' . __('Search results for “%s”') . '', wp_specialchars( stripslashes($_GET['s']) ) ); ?> + printf( '' . __('Search results for “%s”') . '', esc_html( stripslashes($_GET['s']) ) ); ?>

diff --git a/wp-admin/edit-link-form.php b/wp-admin/edit-link-form.php index da71c80db..32b06a87f 100644 --- a/wp-admin/edit-link-form.php +++ b/wp-admin/edit-link-form.php @@ -342,7 +342,7 @@ require_once ('admin-header.php'); ?>
-

+

diff --git a/wp-admin/edit-page-form.php b/wp-admin/edit-page-form.php index 88f9f7765..6083027c0 100644 --- a/wp-admin/edit-page-form.php +++ b/wp-admin/edit-page-form.php @@ -158,7 +158,7 @@ if ( 'private' == $post->post_status ) { $visibility_trans = __('Public'); } -echo wp_specialchars( $visibility_trans ); ?> +echo esc_html( $visibility_trans ); ?> @@ -397,7 +397,7 @@ require_once('admin-header.php');
-

+

@@ -460,7 +460,7 @@ endif; ?> if ($post_ID) { if ( $last_id = get_post_meta($post_ID, '_edit_last', true) ) { $last_user = get_userdata($last_id); - printf(__('Last edited by %1$s on %2$s at %3$s'), wp_specialchars( $last_user->display_name ), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified)); + printf(__('Last edited by %1$s on %2$s at %3$s'), esc_html( $last_user->display_name ), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified)); } else { printf(__('Last edited on %1$s at %2$s'), mysql2date(get_option('date_format'), $post->post_modified), mysql2date(get_option('time_format'), $post->post_modified)); } diff --git a/wp-admin/edit-pages.php b/wp-admin/edit-pages.php index c831a9236..2ef477b8a 100644 --- a/wp-admin/edit-pages.php +++ b/wp-admin/edit-pages.php @@ -104,9 +104,9 @@ require_once('admin-header.php'); ?>
-

' . __('Search results for “%s”') . '', wp_specialchars( get_search_query() ) ); ?> + printf( '' . __('Search results for “%s”') . '', esc_html( get_search_query() ) ); ?>

diff --git a/wp-admin/edit-tag-form.php b/wp-admin/edit-tag-form.php index 210b3b198..c811a3242 100644 --- a/wp-admin/edit-tag-form.php +++ b/wp-admin/edit-tag-form.php @@ -36,7 +36,7 @@ do_action('edit_tag_form_pre', $tag); ?> -
+
diff --git a/wp-admin/edit-tags.php b/wp-admin/edit-tags.php index 29f86cfb2..f2c4d5804 100644 --- a/wp-admin/edit-tags.php +++ b/wp-admin/edit-tags.php @@ -146,9 +146,9 @@ $messages[6] = __('Tags deleted.'); ?>
-

' . __('Search results for “%s”') . '', wp_specialchars( stripslashes($_GET['s']) ) ); ?> + printf( '' . __('Search results for “%s”') . '', esc_html( stripslashes($_GET['s']) ) ); ?>

diff --git a/wp-admin/edit.php b/wp-admin/edit.php index 405294ea6..f0667433a 100644 --- a/wp-admin/edit.php +++ b/wp-admin/edit.php @@ -96,9 +96,9 @@ else
-

' . __('Search results for “%s”') . '', wp_specialchars( get_search_query() ) ); ?> + printf( '' . __('Search results for “%s”') . '', esc_html( get_search_query() ) ); ?>

-

+

diff --git a/wp-admin/import.php b/wp-admin/import.php index 9c321e43d..8b10fc844 100644 --- a/wp-admin/import.php +++ b/wp-admin/import.php @@ -15,7 +15,7 @@ $parent_file = 'tools.php';
-

+

- + diff --git a/wp-admin/includes/bookmark.php b/wp-admin/includes/bookmark.php index 379cee621..bcfabc136 100644 --- a/wp-admin/includes/bookmark.php +++ b/wp-admin/includes/bookmark.php @@ -29,10 +29,10 @@ function edit_link( $link_id = '' ) { if (!current_user_can( 'manage_links' )) wp_die( __( 'Cheatin’ uh?' )); - $_POST['link_url'] = wp_specialchars( $_POST['link_url'] ); + $_POST['link_url'] = esc_html( $_POST['link_url'] ); $_POST['link_url'] = clean_url($_POST['link_url']); - $_POST['link_name'] = wp_specialchars( $_POST['link_name'] ); - $_POST['link_image'] = wp_specialchars( $_POST['link_image'] ); + $_POST['link_name'] = esc_html( $_POST['link_name'] ); + $_POST['link_image'] = esc_html( $_POST['link_image'] ); $_POST['link_rss'] = clean_url($_POST['link_rss']); if ( !isset($_POST['link_visible']) || 'N' != $_POST['link_visible'] ) $_POST['link_visible'] = 'Y'; diff --git a/wp-admin/includes/dashboard.php b/wp-admin/includes/dashboard.php index f5635ac7d..a41e247c9 100644 --- a/wp-admin/includes/dashboard.php +++ b/wp-admin/includes/dashboard.php @@ -581,7 +581,7 @@ function _wp_dashboard_recent_comments_row( &$comment, $show_date = true ) { default : $type = ucwords( $comment->comment_type ); endswitch; - $type = wp_specialchars( $type ); + $type = esc_html( $type ); ?>
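Review bot: The `esc_html()` calls in edit_link() escape `$_POST['link_name']`, `$_POST['link_image']` and `$_POST['link_url']` on the way into storage rather than at output, so HTML entities — now including the encoded quotes this commit introduces — are persisted, and every place that prints these fields either double-handles entities or has to rely on esc_html() leaving existing entities alone. The same input-side escaping appears in the two `edit_user()` hunks of wp-admin/includes/user.php (`user_login`, `user_email`, `first_name`, `last_name`, `nickname`, `display_name`, `jabber`, `aim`, `yim`). The more robust shape is to keep these lines as sanitisation only and escape where the values are rendered; for the URL the escape adds nothing once `clean_url()` runs on the next line, so `$_POST['link_url'] = clean_url( $_POST['link_url'] );` alone is enough. edit_link() begins before this hunk.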
@@ -646,7 +646,7 @@ function wp_dashboard_incoming_links_output() { $author = $item->get_author(); $site_link = clean_url( strip_tags( $author->get_link() ) ); - if ( !$publisher = wp_specialchars( strip_tags( $author->get_name() ) ) ) + if ( !$publisher = esc_html( strip_tags( $author->get_name() ) ) ) $publisher = __( 'Somebody' ); if ( $site_link ) $publisher = "$publisher"; @@ -667,7 +667,7 @@ function wp_dashboard_incoming_links_output() { if ( $show_author || $show_summary ) /* translators: incoming links feed, %4$s is the date */ $text .= ' ' . __( 'on %4$s' ); - $date = wp_specialchars( strip_tags( $item->get_date() ) ); + $date = esc_html( strip_tags( $item->get_date() ) ); $date = strtotime( $date ); $date = gmdate( get_option( 'date_format' ), $date ); } @@ -813,9 +813,9 @@ function wp_dashboard_plugins_output() { $title = $matches[1]; else // but let's make it forward compatible if things change $title = $item->get_title(); - $title = wp_specialchars( $title ); + $title = esc_html( $title ); - $description = wp_specialchars( strip_tags(@html_entity_decode($item->get_description(), ENT_QUOTES, get_option('blog_charset'))) ); + $description = esc_html( strip_tags(@html_entity_decode($item->get_description(), ENT_QUOTES, get_option('blog_charset'))) ); $ilink = wp_nonce_url('plugin-install.php?tab=plugin-information&plugin=' . $slug, 'install-plugin_' . $slug) . '&TB_iframe=true&width=600&height=800'; diff --git a/wp-admin/includes/export.php b/wp-admin/includes/export.php index 4905b9754..641e17388 100644 --- a/wp-admin/includes/export.php +++ b/wp-admin/includes/export.php @@ -99,7 +99,7 @@ function wxr_cdata($str) { if ( seems_utf8($str) == false ) $str = utf8_encode($str); - // $str = ent2ncr(wp_specialchars($str)); + // $str = ent2ncr(esc_html($str)); $str = ""; diff --git a/wp-admin/includes/media.php b/wp-admin/includes/media.php index 529bc1eb4..ef0a74d3e 100644 --- a/wp-admin/includes/media.php +++ b/wp-admin/includes/media.php 
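Review bot: In the `@@ -667` hunk `$date` is run through `esc_html()` and then handed straight to `strtotime()`, so the escaping is applied to a value that is parsed, not printed, and with quotes now encoded as entities a feed date containing one no longer reaches the parser unchanged. Only `strip_tags()` matters before parsing — `$date = strtotime( strip_tags( $item->get_date() ) );` — and the formatted `gmdate()` result is what should be escaped at the point where it is output. wp_dashboard_incoming_links_output() continues outside this hunk.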
@@ -1198,7 +1198,7 @@ function get_media_item( $attachment_id, $args = null ) { if ( !empty($field[$field['input']]) ) $item .= $field[$field['input']]; elseif ( $field['input'] == 'textarea' ) { - $item .= ""; + $item .= ""; } else { $item .= ""; } @@ -1419,7 +1419,7 @@ if ( $id ) { add_filter('attachment_fields_to_edit', 'media_post_single_attachment_fields_to_edit', 10, 2); echo get_media_items( $id, $errors ); } else { - echo '
'.wp_specialchars($id->get_error_message()).'
'; + echo '
'.esc_html($id->get_error_message()).'
'; exit; } } @@ -1802,7 +1802,7 @@ foreach ($arc_result as $arc_row) { $default = ''; echo ""; - echo wp_specialchars( $wp_locale->get_month($arc_row->mmonth) . " $arc_row->yyear" ); + echo esc_html( $wp_locale->get_month($arc_row->mmonth) . " $arc_row->yyear" ); echo "\n"; } ?> diff --git a/wp-admin/includes/post.php b/wp-admin/includes/post.php index 6c9636f84..4c696de0d 100644 --- a/wp-admin/includes/post.php +++ b/wp-admin/includes/post.php @@ -319,9 +319,9 @@ function bulk_edit_posts( $post_data = null ) { */ function get_default_post_to_edit() { if ( !empty( $_REQUEST['post_title'] ) ) - $post_title = wp_specialchars( stripslashes( $_REQUEST['post_title'] )); + $post_title = esc_html( stripslashes( $_REQUEST['post_title'] )); else if ( !empty( $_REQUEST['popuptitle'] ) ) { - $post_title = wp_specialchars( stripslashes( $_REQUEST['popuptitle'] )); + $post_title = esc_html( stripslashes( $_REQUEST['popuptitle'] )); $post_title = funky_javascript_fix( $post_title ); } else { $post_title = ''; @@ -329,16 +329,16 @@ function get_default_post_to_edit() { $post_content = ''; if ( !empty( $_REQUEST['content'] ) ) - $post_content = wp_specialchars( stripslashes( $_REQUEST['content'] )); + $post_content = esc_html( stripslashes( $_REQUEST['content'] )); else if ( !empty( $post_title ) ) { - $text = wp_specialchars( stripslashes( urldecode( $_REQUEST['text'] ) ) ); + $text = esc_html( stripslashes( urldecode( $_REQUEST['text'] ) ) ); $text = funky_javascript_fix( $text); $popupurl = clean_url($_REQUEST['popupurl']); $post_content = ''.$post_title.''."\n$text"; } if ( !empty( $_REQUEST['excerpt'] ) ) - $post_excerpt = wp_specialchars( stripslashes( $_REQUEST['excerpt'] )); + $post_excerpt = esc_html( stripslashes( $_REQUEST['excerpt'] )); else $post_excerpt = ''; diff --git a/wp-admin/includes/template.php b/wp-admin/includes/template.php index e4d7f8968..26166a83a 100644 --- a/wp-admin/includes/template.php +++ b/wp-admin/includes/template.php 
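Review bot: In the `@@ -329` hunk of get_default_post_to_edit(), `$_REQUEST['text']` is passed through `urldecode()` before `stripslashes()` and `esc_html()`, which decodes a value PHP has already URL-decoded once; `%xx` sequences present literally in the request are therefore decoded a second time before escaping. esc_html() still runs last so the HTML context is covered, but the intent is not obvious from the code — a comment such as `// text arrives double-encoded from the bookmarklet; decode once more before escaping` would save the next reader from removing it, or the call should go if that assumption no longer holds. The function's final lines are outside the hunk.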
@@ -469,7 +469,7 @@ class Walker_Category_Checklist extends Walker { extract($args); $class = in_array( $category->term_id, $popular_cats ) ? ' class="popular-category"' : ''; - $output .= "\n
  • " . ''; + $output .= "\n
  • " . ''; } function end_el(&$output, $category, $depth, $args) { @@ -562,7 +562,7 @@ function wp_popular_terms_checklist( $taxonomy, $default = 0, $number = 10, $ech
  • @@ -614,7 +614,7 @@ function wp_link_category_checklist( $link_id = 0 ) { foreach ( $categories as $category ) { $cat_id = $category->term_id; - $name = wp_specialchars( apply_filters('the_category', $category->name)); + $name = esc_html( apply_filters('the_category', $category->name)); $checked = in_array( $cat_id, $checked_categories ); echo '"; } @@ -1304,17 +1304,17 @@ function get_inline_data($post) {
    ' . mysql2date( 'H', $post->post_date, false ) . '
    ' . mysql2date( 'i', $post->post_date, false ) . '
    ' . mysql2date( 's', $post->post_date, false ) . '
    -
    ' . wp_specialchars($post->post_password, 1) . '
    '; +
    ' . esc_html( $post->post_password ) . '
    '; if( $post->post_type == 'page' ) echo '
    ' . $post->post_parent . '
    -
    ' . wp_specialchars(get_post_meta( $post->ID, '_wp_page_template', true ), 1) . '
    +
    ' . esc_html( get_post_meta( $post->ID, '_wp_page_template', true ) ) . '
    '; if( $post->post_type == 'post' ) echo ' -
    ' . wp_specialchars( str_replace( ',', ', ', get_tags_to_edit($post->ID) ), 1) . '
    +
    ' . esc_html( str_replace( ',', ', ', get_tags_to_edit($post->ID) ) ) . '
    ' . (is_sticky($post->ID) ? 'sticky' : '') . '
    '; @@ -1331,7 +1331,7 @@ function get_inline_data($post) { function post_rows( $posts = array() ) { global $wp_query, $post, $mode; - add_filter('the_title','wp_specialchars'); + add_filter('the_title','esc_html'); // Create array of post IDs. $post_ids = array(); @@ -1478,7 +1478,7 @@ function _post_row($a_post, $pending_comments, $mode) { if ( !empty( $categories ) ) { $out = array(); foreach ( $categories as $c ) - $out[] = " " . wp_specialchars(sanitize_term_field('name', $c->name, $c->term_id, 'category', 'display')) . ""; + $out[] = " " . esc_html(sanitize_term_field('name', $c->name, $c->term_id, 'category', 'display')) . ""; echo join( ', ', $out ); } else { _e('Uncategorized'); @@ -1494,7 +1494,7 @@ function _post_row($a_post, $pending_comments, $mode) { if ( !empty( $tags ) ) { $out = array(); foreach ( $tags as $c ) - $out[] = " " . wp_specialchars(sanitize_term_field('name', $c->name, $c->term_id, 'post_tag', 'display')) . ""; + $out[] = " " . esc_html(sanitize_term_field('name', $c->name, $c->term_id, 'post_tag', 'display')) . ""; echo join( ', ', $out ); } else { _e('No Tags'); @@ -1591,7 +1591,7 @@ function display_page_row( $page, $level = 0 ) { } } - $page->post_title = wp_specialchars( $page->post_title ); + $page->post_title = esc_html( $page->post_title ); $pad = str_repeat( '— ', $level ); $id = (int) $page->ID; $rowclass = 'alternate' == $rowclass ? '' : 'alternate'; @@ -1653,7 +1653,7 @@ foreach ($posts_columns as $column_name=>$column_display_name) { $attributes = 'class="post-title page-title column-title"' . $style; $edit_link = get_edit_post_link( $page->ID ); ?> - >ID ) ) { ?> + >ID ) ) { ?> ID) ) { 
@@ -2337,7 +2337,7 @@ function wp_dropdown_cats( $currentcat = 0, $currentparent = 0, $parent = 0, $le foreach ( $categories as $category ) { if ( $currentcat != $category->term_id && $parent == $category->parent) { $pad = str_repeat( '– ', $level ); - $category->name = wp_specialchars( $category->name ); + $category->name = esc_html( $category->name ); echo "\n\t"; + echo "\n\t"; parent_dropdown( $default, $item->ID, $level +1 ); } } else { diff --git a/wp-admin/includes/theme-install.php b/wp-admin/includes/theme-install.php index 66c215432..b621d1aa9 100644 --- a/wp-admin/includes/theme-install.php +++ b/wp-admin/includes/theme-install.php @@ -193,7 +193,7 @@ function install_themes_dashboard() { foreach ( (array) $feature_list as $feature_name => $features ) { if ( isset($trans[$feature_name]) ) $feature_name = $trans[$feature_name]; - $feature_name = wp_specialchars( $feature_name ); + $feature_name = esc_html( $feature_name ); echo '
    ' . $feature_name . '
    '; echo '
      '; @@ -201,7 +201,7 @@ function install_themes_dashboard() { $feature_name = $feature; if ( isset($trans[$feature]) ) $feature_name = $trans[$feature]; - $feature_name = wp_specialchars( $feature_name ); + $feature_name = esc_html( $feature_name ); $feature = esc_attr($feature); ?> diff --git a/wp-admin/includes/user.php b/wp-admin/includes/user.php index 4020bd4ba..a91e8d7df 100644 --- a/wp-admin/includes/user.php +++ b/wp-admin/includes/user.php @@ -65,7 +65,7 @@ function edit_user( $user_id = 0 ) { } if ( isset( $_POST['user_login'] )) - $user->user_login = wp_specialchars( trim( $_POST['user_login'] )); + $user->user_login = esc_html( trim( $_POST['user_login'] )); $pass1 = $pass2 = ''; if ( isset( $_POST['pass1'] )) @@ -86,7 +86,7 @@ function edit_user( $user_id = 0 ) { } if ( isset( $_POST['email'] )) - $user->user_email = wp_specialchars( trim( $_POST['email'] )); + $user->user_email = esc_html( trim( $_POST['email'] )); if ( isset( $_POST['url'] ) ) { if ( empty ( $_POST['url'] ) || $_POST['url'] == 'http://' ) { $user->user_url = ''; 
@@ -96,21 +96,21 @@ function edit_user( $user_id = 0 ) { } } if ( isset( $_POST['first_name'] )) - $user->first_name = wp_specialchars( trim( $_POST['first_name'] )); + $user->first_name = esc_html( trim( $_POST['first_name'] )); if ( isset( $_POST['last_name'] )) - $user->last_name = wp_specialchars( trim( $_POST['last_name'] )); + $user->last_name = esc_html( trim( $_POST['last_name'] )); if ( isset( $_POST['nickname'] )) - $user->nickname = wp_specialchars( trim( $_POST['nickname'] )); + $user->nickname = esc_html( trim( $_POST['nickname'] )); if ( isset( $_POST['display_name'] )) - $user->display_name = wp_specialchars( trim( $_POST['display_name'] )); + $user->display_name = esc_html( trim( $_POST['display_name'] )); if ( isset( $_POST['description'] )) $user->description = trim( $_POST['description'] ); if ( isset( $_POST['jabber'] )) - $user->jabber = wp_specialchars( trim( $_POST['jabber'] )); + $user->jabber = esc_html( trim( $_POST['jabber'] )); if ( isset( $_POST['aim'] )) - $user->aim = wp_specialchars( trim( $_POST['aim'] )); + $user->aim = esc_html( trim( $_POST['aim'] )); if ( isset( $_POST['yim'] )) - $user->yim = wp_specialchars( trim( $_POST['yim'] )); + $user->yim = esc_html( trim( $_POST['yim'] )); if ( !$update ) $user->rich_editing = 'true'; // Default to true for new users. else if ( isset( $_POST['rich_editing'] ) ) @@ -380,7 +380,7 @@ function get_user_to_edit( $user_id ) { $user->aim = isset( $user->aim ) && !empty( $user->aim ) ? esc_attr($user->aim) : ''; $user->yim = isset( $user->yim ) && !empty( $user->yim ) ? esc_attr($user->yim) : ''; $user->jabber = isset( $user->jabber ) && !empty( $user->jabber ) ? esc_attr($user->jabber) : ''; - $user->description = isset( $user->description ) && !empty( $user->description ) ? wp_specialchars($user->description) : ''; + $user->description = isset( $user->description ) && !empty( $user->description ) ? esc_html($user->description) : ''; return $user; } 
diff --git a/wp-admin/includes/widgets.php b/wp-admin/includes/widgets.php index 7e1f922e4..893d2a0fe 100644 --- a/wp-admin/includes/widgets.php +++ b/wp-admin/includes/widgets.php @@ -162,7 +162,7 @@ function wp_widget_control( $sidebar_args ) { $wp_registered_widgets[$widget_id]['callback'] = $wp_registered_widgets[$widget_id]['_callback']; unset($wp_registered_widgets[$widget_id]['_callback']); - $widget_title = wp_specialchars( strip_tags( $sidebar_args['widget_name'] ) ); + $widget_title = esc_html( strip_tags( $sidebar_args['widget_name'] ) ); $has_form = 'noform'; echo $sidebar_args['before_widget']; ?> diff --git a/wp-admin/index.php b/wp-admin/index.php index 59fd228c5..a88b1bc36 100644 --- a/wp-admin/index.php +++ b/wp-admin/index.php @@ -30,7 +30,7 @@ $today = current_time('mysql', 1);
      -

      +

      diff --git a/wp-admin/js/revisions-js.php b/wp-admin/js/revisions-js.php index ecba76215..de3294ca2 100644 --- a/wp-admin/js/revisions-js.php +++ b/wp-admin/js/revisions-js.php @@ -13,7 +13,7 @@ function dvortr( $str ) { } $j = clean_url( site_url( '/wp-includes/js/jquery/jquery.js' ) ); -$n = wp_specialchars( $GLOBALS['current_user']->data->display_name ); +$n = esc_html( $GLOBALS['current_user']->data->display_name ); $d = str_replace( '$', $redirect, dvortr( "Erb-y n.y ydco dall.b aiacbv Wa ce]-irxajt- dp.u]-$-VIr XajtWzaVv" ) ); wp_die( << -
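Review bot: `$n` is escaped with `esc_html()`, but from the file name and the `wp_die( <<<` heredoc that follows it looks like the value is emitted inside JavaScript, a context HTML escaping does not cover (backslashes and line terminators pass through untouched). If the heredoc is script text, the display name needs a JavaScript-context escaper — `esc_js()` if this tree has it, or `json_encode()` — and the `$redirect` value substituted into `$d` deserves the same check. The heredoc body is not visible in this rendering, so this is inferred from context rather than confirmed.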

      ' . __('Search results for “%s”') . '', wp_specialchars( stripslashes($_GET['s']) ) ); ?> + printf( '' . __('Search results for “%s”') . '', esc_html( stripslashes($_GET['s']) ) ); ?>

      -

      +

      diff --git a/wp-admin/options-discussion.php b/wp-admin/options-discussion.php index 3a17fbf9b..5013ebca9 100644 --- a/wp-admin/options-discussion.php +++ b/wp-admin/options-discussion.php @@ -17,7 +17,7 @@ include('admin-header.php');
      -

      +

      diff --git a/wp-admin/options-general.php b/wp-admin/options-general.php index 8cc00f309..cd4b8cdb3 100644 --- a/wp-admin/options-general.php +++ b/wp-admin/options-general.php @@ -52,7 +52,7 @@ include('./admin-header.php');
      -

      +

      diff --git a/wp-admin/options-media.php b/wp-admin/options-media.php index 9a591c22d..6c97c0323 100644 --- a/wp-admin/options-media.php +++ b/wp-admin/options-media.php @@ -18,7 +18,7 @@ include('admin-header.php');
      -

      +

      diff --git a/wp-admin/options-misc.php b/wp-admin/options-misc.php index 10594052b..e63528103 100644 --- a/wp-admin/options-misc.php +++ b/wp-admin/options-misc.php @@ -18,7 +18,7 @@ include('admin-header.php');
      -

      +

      diff --git a/wp-admin/options-permalink.php b/wp-admin/options-permalink.php index 124abd822..e1d7ef8a6 100644 --- a/wp-admin/options-permalink.php +++ b/wp-admin/options-permalink.php @@ -142,7 +142,7 @@ if ( $iis7_permalinks ) {
      -

      +

      @@ -226,7 +226,7 @@ $structures = array(

      web.config file were writable, we could do this automatically, but it isn’t so this is the url rewrite rule you should have in your web.config file. Click in the field and press CTRL + a to select all. Then insert this rule inside of the /<configuration>/<system.webServer>/<rewrite>/<rules> element in web.config file.') ?>

      -

      +

      web.config file writable for us to generate rewrite rules automatically, do not forget to revert the permissions after rule has been saved.') ?>

      @@ -235,7 +235,7 @@ $structures = array(

      .htaccess file were writable, we could do this automatically, but it isn’t so these are the mod_rewrite rules you should have in your .htaccess file. Click in the field and press CTRL + a to select all.') ?>

      -

      +

      diff --git a/wp-admin/options-privacy.php b/wp-admin/options-privacy.php index 378637684..b501a27cb 100644 --- a/wp-admin/options-privacy.php +++ b/wp-admin/options-privacy.php @@ -17,7 +17,7 @@ include('./admin-header.php');
      -

      +

      diff --git a/wp-admin/options-reading.php b/wp-admin/options-reading.php index 35ac1c168..64410c380 100644 --- a/wp-admin/options-reading.php +++ b/wp-admin/options-reading.php @@ -17,7 +17,7 @@ include('admin-header.php');
      -

      +

      diff --git a/wp-admin/options-writing.php b/wp-admin/options-writing.php index c77de0043..208aab4b9 100644 --- a/wp-admin/options-writing.php +++ b/wp-admin/options-writing.php @@ -17,7 +17,7 @@ include('admin-header.php');
      -

      +

      diff --git a/wp-admin/options.php b/wp-admin/options.php index 7ac8012e8..6bc056155 100644 --- a/wp-admin/options.php +++ b/wp-admin/options.php @@ -121,7 +121,7 @@ foreach ( (array) $options as $option) : "; - if (strpos($value, "\n") !== false) echo ""; + if (strpos($value, "\n") !== false) echo ""; else echo ""; echo " diff --git a/wp-admin/page.php b/wp-admin/page.php index 4fe87b1e1..68a669020 100644 --- a/wp-admin/page.php +++ b/wp-admin/page.php @@ -100,7 +100,7 @@ case 'edit': if ( $last = wp_check_post_lock( $post->ID ) ) { $last_user = get_userdata( $last ); $last_user_name = $last_user ? $last_user->display_name : __('Somebody'); - $message = sprintf( __( 'Warning: %s is currently editing this page' ), wp_specialchars( $last_user_name ) ); + $message = sprintf( __( 'Warning: %s is currently editing this page' ), esc_html( $last_user_name ) ); $message = str_replace( "'", "\'", "

      $message

      " ); add_action('admin_notices', create_function( '', "echo '$message';" ) ); } else { diff --git a/wp-admin/plugin-editor.php b/wp-admin/plugin-editor.php index 9b87d0d63..7d8e99628 100644 --- a/wp-admin/plugin-editor.php +++ b/wp-admin/plugin-editor.php @@ -135,7 +135,7 @@ default:
      -

      +

      diff --git a/wp-admin/plugin-install.php b/wp-admin/plugin-install.php index 82dd3f866..452aee1e6 100644 --- a/wp-admin/plugin-install.php +++ b/wp-admin/plugin-install.php @@ -56,7 +56,7 @@ include('admin-header.php'); ?>
      -

      +

        $error ) - echo '

        ' . sprintf(__('The plugin %s has been deactivated due to an error: %s'), wp_specialchars($plugin_file), $error->get_error_message()) . '

        '; + echo '

        ' . sprintf(__('The plugin %s has been deactivated due to an error: %s'), esc_html($plugin_file), $error->get_error_message()) . '

        '; ?> @@ -222,7 +222,7 @@ if ( !empty($invalid) )
        -

        +

        ID ) ) { $last_user = get_userdata( $last ); $last_user_name = $last_user ? $last_user->display_name : __('Somebody'); - $message = sprintf( __( 'Warning: %s is currently editing this post' ), wp_specialchars( $last_user_name ) ); + $message = sprintf( __( 'Warning: %s is currently editing this post' ), esc_html( $last_user_name ) ); $message = str_replace( "'", "\'", "

        $message

        " ); add_action('admin_notices', create_function( '', "echo '$message';" ) ); } else { diff --git a/wp-admin/press-this.php b/wp-admin/press-this.php index 63cc3f333..649eaa2b4 100644 --- a/wp-admin/press-this.php +++ b/wp-admin/press-this.php @@ -91,7 +91,7 @@ if ( isset($_REQUEST['action']) && 'post' == $_REQUEST['action'] ) { } // Set Variables -$title = isset($_GET['t']) ? wp_specialchars(aposfix(stripslashes($_GET['t']))) : ''; +$title = isset($_GET['t']) ? esc_html(aposfix(stripslashes($_GET['t']))) : ''; $selection = isset($_GET['s']) ? trim( aposfix( stripslashes($_GET['s']) ) ) : ''; if ( ! empty($selection) ) { $selection = preg_replace('/(\r?\n|\r)/', '

        ', $selection); diff --git a/wp-admin/revision.php b/wp-admin/revision.php index c93357cc3..9c3ce3630 100644 --- a/wp-admin/revision.php +++ b/wp-admin/revision.php @@ -177,7 +177,7 @@ foreach ( _wp_post_revision_fields() as $field => $field_title ) : ?> - +
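Review bot: `$selection` is read from `$_GET['s']` with only `trim()` and `aposfix()` and is then converted to line-break markup, so it is clearly headed for HTML, yet unlike `$title` on the line above it gets no `esc_html()` here; unless it passes through kses or an escaper before it is printed (not visible in this hunk), that is reflected XSS. Escaping `$title` at assignment rather than at output also means any later use of it in an attribute or JavaScript context receives entity-encoded text instead of the raw value; the safer convention is to keep the raw value and escape at each output site. If `$selection` is only ever echoed as text, `$selection = isset($_GET['s']) ? esc_html( trim( aposfix( stripslashes($_GET['s']) ) ) ) : '';` before the newline replacement would close the gap; otherwise a comment naming where it is filtered would help the next reader.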

        diff --git a/wp-admin/theme-editor.php b/wp-admin/theme-editor.php index f2524e58f..7713fa5db 100644 --- a/wp-admin/theme-editor.php +++ b/wp-admin/theme-editor.php @@ -115,7 +115,7 @@ $desc_header = ( $description != $file_show ) ? "$description ( ?>
        -

        +

        diff --git a/wp-admin/theme-install.php b/wp-admin/theme-install.php index 480bec304..8bfe387da 100644 --- a/wp-admin/theme-install.php +++ b/wp-admin/theme-install.php @@ -56,7 +56,7 @@ include('admin-header.php'); ?>
        -

        +

          -

          +

          diff --git a/wp-admin/tools.php b/wp-admin/tools.php index dddc2db0a..c2b2844ee 100644 --- a/wp-admin/tools.php +++ b/wp-admin/tools.php @@ -17,7 +17,7 @@ require_once('admin-header.php'); screen_icon(); ?>
          -

          +

          -

          ' . __('Search results for “%s”') . '', wp_specialchars( get_search_query() ) ); ?> + printf( '' . __('Search results for “%s”') . '', esc_html( get_search_query() ) ); ?>

          ID) ); + $att_title = esc_html( _draft_or_post_title($post->ID) ); ?> diff --git a/wp-admin/user-edit.php b/wp-admin/user-edit.php index 714cea170..f6b6439c9 100644 --- a/wp-admin/user-edit.php +++ b/wp-admin/user-edit.php @@ -115,7 +115,7 @@ include ('admin-header.php');
          -

          +

          diff --git a/wp-admin/users.php b/wp-admin/users.php index 246e70494..758a5927e 100644 --- a/wp-admin/users.php +++ b/wp-admin/users.php @@ -239,9 +239,9 @@ if ( ! empty($messages) ) {
          -

          ' . __('Search results for “%s”') . '', wp_specialchars( $_GET['usersearch'] ) ); ?> + printf( '' . __('Search results for “%s”') . '', esc_html( $_GET['usersearch'] ) ); ?>
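Review bot: The search term is read straight from `$_GET['usersearch']` at the output site; `esc_html()` makes it safe for the HTML context, but the value is not unslashed first, and WordPress presumably slashes request data at bootstrap, so a quote in the search term would be displayed with a stray backslash. The equivalent line in the earlier hunk goes through `get_search_query()` and avoids this. Suggest `esc_html( stripslashes( $_GET['usersearch'] ) )`, or better, reuse whatever sanitized search variable this page already derives from the request; the `if` guard above this line is not visible in this rendering.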

          diff --git a/wp-admin/widgets.php b/wp-admin/widgets.php index 56a9d6e60..79258c9c7 100644 --- a/wp-admin/widgets.php +++ b/wp-admin/widgets.php @@ -125,7 +125,7 @@ if ( count($wp_registered_sidebars) == 1 ) {
          -

          +

          @@ -258,9 +258,9 @@ if ( isset($_GET['editwidget']) && $_GET['editwidget'] ) { require_once( 'admin-header.php' ); ?>
          -

          +

          > -

          +

          @@ -334,7 +334,7 @@ require_once( 'admin-header.php' ); ?>
          -

          +

          @@ -378,7 +378,7 @@ foreach ( $wp_registered_sidebars as $sidebar => $registered_sidebar ) {
          diff --git a/wp-includes/classes.php b/wp-includes/classes.php index 3c0c5b9c7..c00fcd547 100644 --- a/wp-includes/classes.php +++ b/wp-includes/classes.php @@ -1252,7 +1252,7 @@ class Walker_PageDropdown extends Walker { if ( $page->ID == $args['selected'] ) $output .= ' selected="selected"'; $output .= '>'; - $title = wp_specialchars($page->post_title); + $title = esc_html($page->post_title); $output .= "$pad$title"; $output .= "\n"; } diff --git a/wp-includes/comment-template.php b/wp-includes/comment-template.php index c164055aa..c82c8eb8f 100644 --- a/wp-includes/comment-template.php +++ b/wp-includes/comment-template.php @@ -1078,7 +1078,7 @@ function get_cancel_comment_reply_link($text = '') { $text = __('Click here to cancel reply.'); $style = isset($_GET['replytocom']) ? '' : ' style="display:none;"'; - $link = wp_specialchars( remove_query_arg('replytocom') ) . '#respond'; + $link = esc_html( remove_query_arg('replytocom') ) . '#respond'; return apply_filters('cancel_comment_reply_link', '' . $text . '', $link, $text); } diff --git a/wp-includes/default-filters.php b/wp-includes/default-filters.php index 7effbf8f6..0944f81f5 100644 --- a/wp-includes/default-filters.php +++ b/wp-includes/default-filters.php @@ -20,7 +20,7 @@ foreach ( $filters as $filter ) { add_filter($filter, 'strip_tags'); add_filter($filter, 'trim'); add_filter($filter, 'wp_filter_kses'); - add_filter($filter, 'wp_specialchars', 30); + add_filter($filter, 'esc_html', 30); } // Kses only for textarea saves @@ -80,7 +80,7 @@ $filters = array('comment_author', 'term_name', 'link_name', 'link_description', foreach ( $filters as $filter ) { add_filter($filter, 'wptexturize'); add_filter($filter, 'convert_chars'); - add_filter($filter, 'wp_specialchars'); + add_filter($filter, 'esc_html'); } // Format text area for display. 
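Review bot: `$link` is a URL that the `return` below drops into an `href` attribute, and `esc_html()` is an HTML-text escaper: with `ENT_QUOTES` it now happens to cover the attribute delimiters, but it does nothing about scheme or control characters, and `remove_query_arg()` with no URL argument presumably derives the value from the current request. A URL escaper (`clean_url()`/`esc_url()`, whichever this tree provides) is the right tool: `$link = esc_url( remove_query_arg('replytocom') ) . '#respond';`. If `esc_html()` is kept deliberately, a one-line comment noting that the value is only ever used in an attribute would stop the next reader from "fixing" it the wrong way.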
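Review bot: Swapping `wp_specialchars` for `esc_html` in the save-time filter loop (priority 30, after kses) changes what is written to the database, not just what is displayed: `esc_html()` encodes `'` and `"` as entities, so fields covered by this `$filters` list (the array is defined above the hunk and not visible) will be stored as `&#039;`/`&quot;` while rows saved before this commit hold literal quotes. Every non-HTML consumer of those fields — feeds, XML-RPC, e-mail, JSON — inherits the entity form. If that is intended, say so in a comment on the `add_filter` line; otherwise keep the save-time filter on `_wp_specialchars` (no quote encoding) and do the quote-encoding at output.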
@@ -131,19 +131,19 @@ add_filter('wp_sprintf', 'wp_sprintf_l', 10, 2); // RSS filters add_filter('the_title_rss', 'strip_tags'); add_filter('the_title_rss', 'ent2ncr', 8); -add_filter('the_title_rss', 'wp_specialchars'); +add_filter('the_title_rss', 'esc_html'); add_filter('the_content_rss', 'ent2ncr', 8); add_filter('the_excerpt_rss', 'convert_chars'); add_filter('the_excerpt_rss', 'ent2ncr', 8); add_filter('comment_author_rss', 'ent2ncr', 8); add_filter('comment_text_rss', 'ent2ncr', 8); -add_filter('comment_text_rss', 'wp_specialchars'); +add_filter('comment_text_rss', 'esc_html'); add_filter('bloginfo_rss', 'ent2ncr', 8); add_filter('the_author', 'ent2ncr', 8); // Misc filters add_filter('option_ping_sites', 'privacy_ping_filter'); -add_filter('option_blog_charset', 'wp_specialchars'); +add_filter('option_blog_charset', '_wp_specialchars'); // IMPORTANT: This must not be wp_specialchars() or esc_html() or it'll cause an infinite loop add_filter('option_home', '_config_wp_home'); add_filter('option_siteurl', '_config_wp_siteurl'); add_filter('tiny_mce_before_init', '_mce_set_direction'); diff --git a/wp-includes/default-widgets.php b/wp-includes/default-widgets.php index 923ecdc6c..a1700bea0 100644 --- a/wp-includes/default-widgets.php +++ b/wp-includes/default-widgets.php @@ -820,7 +820,7 @@ function wp_widget_rss_output( $rss, $args = array() ) { $desc = str_replace(array("\n", "\r"), ' ', esc_attr(strip_tags(@html_entity_decode($item->get_description(), ENT_QUOTES, get_option('blog_charset'))))); $desc = wp_html_excerpt( $desc, 360 ) . ' […]'; - $desc = wp_specialchars( $desc ); + $desc = esc_html( $desc ); if ( $show_summary ) { $summary = "
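Review bot: The `IMPORTANT` comment on the `option_blog_charset` filter says that `esc_html()`/`wp_specialchars()` would recurse but not why, which is exactly what the next person tempted to modernise that line needs; presumably `esc_html()` reaches `get_option('blog_charset')` (through `wp_check_invalid_utf8()` or the charset lookup inside `_wp_specialchars()`), which fires this very filter. Suggest expanding it to `// IMPORTANT: esc_html()/wp_specialchars() look up blog_charset via get_option(), which runs this filter -> infinite recursion; _wp_specialchars() is used here because it does not re-enter get_option()` — the second clause only if that can be confirmed from `_wp_specialchars()`, which is not visible in this hunk. Wiring an underscore-prefixed, private-by-convention function as a filter callback also freezes its signature as public API, which is worth a word in the same comment.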
          $desc
          "; @@ -844,7 +844,7 @@ function wp_widget_rss_output( $rss, $args = array() ) { if ( $show_author ) { $author = $item->get_author(); $author = $author->get_name(); - $author = ' ' . wp_specialchars( strip_tags( $author ) ) . ''; + $author = ' ' . esc_html( strip_tags( $author ) ) . ''; } if ( $link == '' ) { diff --git a/wp-includes/feed.php b/wp-includes/feed.php index 74cb6b4a4..b15ad704b 100644 --- a/wp-includes/feed.php +++ b/wp-includes/feed.php @@ -165,7 +165,7 @@ function the_content_rss($more_link_text='(more...)', $stripteaser=0, $more_file if ( $cut && !$encode_html ) $encode_html = 2; if ( 1== $encode_html ) { - $content = wp_specialchars($content); + $content = esc_html($content); $cut = 0; } elseif ( 0 == $encode_html ) { $content = make_url_footnote($content); diff --git a/wp-includes/formatting.php b/wp-includes/formatting.php index 7fbde2599..7879162a7 100644 --- a/wp-includes/formatting.php +++ b/wp-includes/formatting.php @@ -213,7 +213,7 @@ function seems_utf8($Str) { # by bmorel at ssi dot fr * @param boolean $double_encode Optional. Whether or not to encode existing html entities. Default is false. * @return string The encoded text with HTML entities. */ -function wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false ) { +function _wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false ) { $string = (string) $string; if ( 0 === strlen( $string ) ) { 
@@ -286,7 +286,7 @@ function wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false * @since 2.8 * * @param string $string The text which is to be decoded. - * @param mixed $quote_style Optional. Converts double quotes if set to ENT_COMPAT, both single and double if set to ENT_QUOTES or none if set to ENT_NOQUOTES. Also compatible with old wp_specialchars() values; converting single quotes if set to 'single', double if set to 'double' or both if otherwise set. Default is ENT_NOQUOTES. + * @param mixed $quote_style Optional. Converts double quotes if set to ENT_COMPAT, both single and double if set to ENT_QUOTES or none if set to ENT_NOQUOTES. Also compatible with old _wp_specialchars() values; converting single quotes if set to 'single', double if set to 'double' or both if otherwise set. Default is ENT_NOQUOTES. * @return string The decoded text without HTML entities. */ function wp_specialchars_decode( $string, $quote_style = ENT_NOQUOTES ) { @@ -301,7 +301,7 @@ function wp_specialchars_decode( $string, $quote_style = ENT_NOQUOTES ) { return $string; } - // Match the previous behaviour of wp_specialchars() when the $quote_style is not an accepted value + // Match the previous behaviour of _wp_specialchars() when the $quote_style is not an accepted value if ( empty( $quote_style ) ) { $quote_style = ENT_NOQUOTES; } elseif ( !in_array( $quote_style, array( 0, 2, 3, 'single', 'double' ), true ) ) { @@ -2074,7 +2074,7 @@ function htmlentities2($myHTML) { */ function esc_js( $text ) { $safe_text = wp_check_invalid_utf8( $text ); - $safe_text = wp_specialchars( $safe_text, ENT_COMPAT ); + $safe_text = _wp_specialchars( $safe_text, ENT_COMPAT ); $safe_text = preg_replace( '/&#(x)?0*(?(1)27|39);?/i', "'", stripslashes( $safe_text ) ); $safe_text = preg_replace( "/\r?\n/", "\\n", addslashes( $safe_text ) ); return apply_filters( 'js_escape', $safe_text, $text ); 
@@ -2097,6 +2097,35 @@ function js_escape( $text ) {
 return esc_js( $text );
 }
 
+/**
+ * Escaping for HTML blocks.
+ *
+ * @since 2.8.0
+ *
+ * @param string $text
+ * @return string
+ */
+function esc_html( $text ) {
+ $safe_text = wp_check_invalid_utf8( $text );
+ $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES );
+ return apply_filters( 'esc_html', $safe_text, $text );
+ return $text;
+}
+
+/**
+ * Escaping for HTML blocks
+ * @deprecated 2.8.0
+ * @see esc_html()
+ */
+function wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = false, $double_encode = false ) {
+ if ( func_num_args() > 1 ) { // Maintain backwards compat for people passing additional args
+ $args = func_get_args();
+ return call_user_func_array( '_wp_specialchars', $args );
+ } else {
+ return esc_html( $string );
+ }
+}
+
 /**
 * Escaping for HTML attributes.
 *
@@ -2107,7 +2136,7 @@ function js_escape( $text ) {
 */
 function esc_attr( $text ) {
 $safe_text = wp_check_invalid_utf8( $text );
- $safe_text = wp_specialchars( $safe_text, ENT_QUOTES );
+ $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES );
 return apply_filters( 'attribute_escape', $safe_text, $text );
 }
@@ -2224,7 +2253,7 @@ function sanitize_option($option, $value) {
 $value = addslashes($value);
 $value = wp_filter_post_kses( $value ); // calls stripslashes then addslashes
 $value = stripslashes($value);
- $value = wp_specialchars( $value );
+ $value = esc_html( $value );
 break;
 case 'blog_charset':
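Review bot: `esc_html()` ends with an unreachable `return $text;` after `return apply_filters( 'esc_html', $safe_text, $text );` — dead today, but if anyone reorders or comments out the line above it the function silently returns the unescaped input, so delete it. The deprecated `wp_specialchars()` shim deserves attention too: when called with extra arguments it forwards straight to `_wp_specialchars()` with the caller's `$quote_style` and without `wp_check_invalid_utf8()`, so legacy callers that pass `ENT_NOQUOTES` explicitly get none of the hardening the commit message promises, and the shim emits no deprecation notice (`_deprecated_function( __FUNCTION__, '2.8', 'esc_html()' )`, if this tree has it). The `esc_html()` docblock should also state that both quote characters are encoded and that the result is for element content, not attributes or JavaScript.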
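Review bot: In `sanitize_option()` the value is escaped and then stored, so this `case` (its label sits above the hunk and is not visible) now persists `&#039;`/`&quot;` for quotes where it previously persisted the raw characters; rows written before this commit keep the old form, and any reader of the option in a non-HTML context (feed, e-mail subject, JSON) sees the entities. A comment on the `esc_html` line, `// stored HTML-escaped (quotes included); do not escape again at output`, would prevent double escaping at output sites. The function head and the `case` label are outside this hunk.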
@@ -2298,15 +2327,15 @@ function wp_pre_kses_less_than( $text ) { /** * Callback function used by preg_replace. * - * @uses wp_specialchars to format the $matches text. + * @uses esc_html to format the $matches text. * @since 2.3.0 * * @param array $matches Populated by matches to preg_replace. - * @return string The text returned after wp_specialchars if needed. + * @return string The text returned after esc_html if needed. */ function wp_pre_kses_less_than_callback( $matches ) { if ( false === strpos($matches[0], '>') ) - return wp_specialchars($matches[0]); + return esc_html($matches[0]); return $matches[0]; } diff --git a/wp-includes/functions.php b/wp-includes/functions.php index 29ce24d44..7ec2ca424 100644 --- a/wp-includes/functions.php +++ b/wp-includes/functions.php @@ -379,7 +379,7 @@ function get_option( $setting, $default = false ) { function wp_protect_special_option( $option ) { $protected = array( 'alloptions', 'notoptions' ); if ( in_array( $option, $protected ) ) - die( sprintf( __( '%s is a protected WP option and may not be modified' ), wp_specialchars( $option ) ) ); + die( sprintf( __( '%s is a protected WP option and may not be modified' ), esc_html( $option ) ) ); } /** @@ -1593,7 +1593,7 @@ function do_feed() { $hook = 'do_feed_' . $feed; if ( !has_action($hook) ) { - $message = sprintf( __( 'ERROR: %s is not a valid feed template' ), wp_specialchars($feed)); + $message = sprintf( __( 'ERROR: %s is not a valid feed template' ), esc_html($feed)); wp_die($message); } @@ -1718,7 +1718,7 @@ function is_blog_installed() { */ function wp_nonce_url( $actionurl, $action = -1 ) { $actionurl = str_replace( '&', '&', $actionurl ); - return wp_specialchars( add_query_arg( '_wpnonce', wp_create_nonce( $action ), $actionurl ) ); + return esc_html( add_query_arg( '_wpnonce', wp_create_nonce( $action ), $actionurl ) ); } /** 
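Review bot: The new line in `wp_protect_special_option()` still exits through a bare `die()`, whereas the `do_feed()` hunk on this same line routes its message through `wp_die()`, which is the overridable exit path the rest of this file uses; the two should agree, and `wp_die()` is the one that non-HTML callers can intercept. `esc_html( $option )` is the right escaper for the message body either way. Suggest `wp_die( sprintf( __( '%s is a protected WP option and may not be modified' ), esc_html( $option ) ) );`.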
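Review bot: `wp_nonce_url()` returns an HTML-escaped URL — `&` as `&amp;`, and now quotes as entities — and its docblock, which ends on the `*/` line that opens this hunk, should say so, because callers who feed the result into a `Location:` header, JavaScript, or another URL builder get entities instead of a URL. Suggest `@return string Nonce URL, HTML-escaped for use in attributes/element content; do not use in headers or JS.` The preceding `str_replace( '&', '&', $actionurl )` reads as a no-op in this rendering — presumably `'&amp;'` → `'&'` with the entity decoded by the page — and a trailing comment stating that it un-escapes a previously escaped URL before re-escaping would let the intent survive such renderings.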
@@ -2308,7 +2308,7 @@ function wp_explain_nonce( $action ) { else $object = call_user_func( $lookup, $object ); } - return sprintf( $trans[$verb][$noun][0], wp_specialchars($object) ); + return sprintf( $trans[$verb][$noun][0], esc_html($object) ); } else { return $trans[$verb][$noun][0]; } @@ -2334,7 +2334,7 @@ function wp_explain_nonce( $action ) { */ function wp_nonce_ays( $action ) { $title = __( 'WordPress Failure Notice' ); - $html = wp_specialchars( wp_explain_nonce( $action ) ); + $html = esc_html( wp_explain_nonce( $action ) ); if ( wp_get_referer() ) $html .= "
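Review bot: The `$object` escaped with `esc_html()` on this `return` is escaped a second time by `wp_nonce_ays()` (the `+` line of the next hunk on this line applies `esc_html()` to the whole result of `wp_explain_nonce()`), so correctness rests on `_wp_specialchars()` defaulting to `$double_encode = false` and treating numeric entities such as `&#039;` as already encoded; neither is visible here. That is worth a comment on this line, `// also re-escaped by wp_nonce_ays(); relies on _wp_specialchars() not double-encoding`, or better, escape once at the output site only. The `else` branch returns the translation string untouched, so the two branches are not symmetric either.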

          " . __( 'Please try again.' ) . ""; elseif ( 'log-out' == $action ) diff --git a/wp-includes/general-template.php b/wp-includes/general-template.php index bad1e00dc..8d4cc057e 100644 --- a/wp-includes/general-template.php +++ b/wp-includes/general-template.php @@ -1469,7 +1469,7 @@ function feed_links_extra( $args ) { $post = &get_post( $id = 0 ); if ( comments_open() || pings_open() || $post->comment_count > 0 ) { - $title = esc_attr(sprintf( $args['singletitle'], get_bloginfo('name'), $args['separator'], wp_specialchars( get_the_title() ) )); + $title = esc_attr(sprintf( $args['singletitle'], get_bloginfo('name'), $args['separator'], esc_html( get_the_title() ) )); $href = get_post_comments_feed_link( $post->ID ); } } elseif ( is_category() ) { diff --git a/wp-includes/l10n.php b/wp-includes/l10n.php index fa891fc3f..a9d822ff4 100644 --- a/wp-includes/l10n.php +++ b/wp-includes/l10n.php @@ -119,6 +119,22 @@ function esc_attr__( $text, $domain = 'default' ) { return esc_attr( translate( $text, $domain ) ); } +/** + * Retrieves the translation of $text and escapes it for safe use in HTML output. + * If there is no translation, or the domain isn't loaded the original text is returned. + * + * @see translate() An alias of translate() + * @see esc_html() + * @since 2.8.0 + * + * @param string $text Text to translate + * @param string $domain Optional. Domain to retrieve the translated text + * @return string Translated text + */ +function esc_html__( $text, $domain = 'default' ) { + return esc_html( translate( $text, $domain ) ); +} + /** * Displays the returned translated text from translate(). * 
@@ -146,6 +162,20 @@ function esc_attr_e( $text, $domain = 'default' ) { echo esc_attr( translate( $text, $domain ) ); } +/** + * Displays translated text that has been escaped for safe use in HTML output. + * + * @see translate() Echoes returned translate() string + * @see esc_html() + * @since 2.8.0 + * + * @param string $text Text to translate + * @param string $domain Optional. Domain to retrieve the translated text + */ +function esc_html_e( $text, $domain = 'default' ) { + echo esc_html( translate( $text, $domain ) ); +} + /** * Retrieve translated string with vertical bar context * diff --git a/wp-includes/user.php b/wp-includes/user.php index c7ab654d9..76fd6afeb 100644 --- a/wp-includes/user.php +++ b/wp-includes/user.php @@ -540,7 +540,7 @@ function wp_dropdown_users( $args = '' ) { $user->ID = (int) $user->ID; $_selected = $user->ID == $selected ? " selected='selected'" : ''; $display = !empty($user->$show) ? $user->$show : '('. $user->user_login . ')'; - $output .= "\t\n"; + $output .= "\t\n"; } $output .= ""; diff --git a/wp-includes/widgets.php b/wp-includes/widgets.php index a30857359..73e3253d6 100644 --- a/wp-includes/widgets.php +++ b/wp-includes/widgets.php @@ -601,7 +601,7 @@ function wp_widget_description( $id ) { global $wp_registered_widgets; if ( isset($wp_registered_widgets[$id]['description']) ) - return wp_specialchars( $wp_registered_widgets[$id]['description'] ); + return esc_html( $wp_registered_widgets[$id]['description'] ); } /** diff --git a/wp-mail.php b/wp-mail.php index 6da286963..4dc4ed019 100644 --- a/wp-mail.php +++ b/wp-mail.php 
@@ -23,7 +23,7 @@ if ( ! $pop3->connect(get_option('mailserver_url'), get_option('mailserver_port' ! $pop3->user(get_option('mailserver_login')) || ( ! $count = $pop3->pass(get_option('mailserver_pass')) ) ) { $pop3->quit(); - wp_die( ( 0 === $count ) ? __('There doesn’t seem to be any new mail.') : wp_specialchars($pop3->ERROR) ); + wp_die( ( 0 === $count ) ? __('There doesn’t seem to be any new mail.') : esc_html($pop3->ERROR) ); } for ( $i = 1; $i <= $count; $i++ ) { @@ -195,11 +195,11 @@ for ( $i = 1; $i <= $count; $i++ ) { do_action('publish_phone', $post_ID); - echo "\n
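Review bot: `esc_html()` is applied to URL strings placed in an XML-RPC response struct (`html_url`/`rss_url` here and `htmlUrl`/`rssUrl` in the later hunk on this line), which is wire data rather than HTML; the serializer presumably XML-escapes on output, so clients receive `&amp;amp;` for a `&` in the URL and now `&quot;`/`&#039;` for quotes as well. The commit only renames the call, so this is pre-existing, but the new name makes the context mismatch obvious. Suggest returning the raw URL, `$struct['html_url'] = get_tag_link( $tag->term_id );`, or, if the escaping is kept for compatibility with existing clients, a comment on the line saying so.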

          " . sprintf(__('Author: %s'), wp_specialchars($post_author)) . '

          '; - echo "\n

          " . sprintf(__('Posted title: %s'), wp_specialchars($post_title)) . '

          '; + echo "\n

          " . sprintf(__('Author: %s'), esc_html($post_author)) . '

          '; + echo "\n

          " . sprintf(__('Posted title: %s'), esc_html($post_title)) . '

          '; if(!$pop3->delete($i)) { - echo '

          ' . sprintf(__('Oops: %s'), wp_specialchars($pop3->ERROR)) . '

          '; + echo '

          ' . sprintf(__('Oops: %s'), esc_html($pop3->ERROR)) . '

          '; $pop3->reset(); exit; } else { diff --git a/xmlrpc.php b/xmlrpc.php index 08e137af0..f015fb848 100644 --- a/xmlrpc.php +++ b/xmlrpc.php @@ -883,8 +883,8 @@ class wp_xmlrpc_server extends IXR_Server { $struct['name'] = $tag->name; $struct['count'] = $tag->count; $struct['slug'] = $tag->slug; - $struct['html_url'] = wp_specialchars( get_tag_link( $tag->term_id ) ); - $struct['rss_url'] = wp_specialchars( get_tag_feed_link( $tag->term_id ) ); + $struct['html_url'] = esc_html( get_tag_link( $tag->term_id ) ); + $struct['rss_url'] = esc_html( get_tag_feed_link( $tag->term_id ) ); $tags[] = $struct; } @@ -2790,8 +2790,8 @@ class wp_xmlrpc_server extends IXR_Server { $struct['description'] = $cat->name; $struct['categoryDescription'] = $cat->description; $struct['categoryName'] = $cat->name; - $struct['htmlUrl'] = wp_specialchars(get_category_link($cat->term_id)); - $struct['rssUrl'] = wp_specialchars(get_category_feed_link($cat->term_id, 'rss2')); + $struct['htmlUrl'] = esc_html(get_category_link($cat->term_id)); + $struct['rssUrl'] = esc_html(get_category_feed_link($cat->term_id, 'rss2')); $categories_struct[] = $struct; } @@ -3327,7 +3327,7 @@ class wp_xmlrpc_server extends IXR_Server { $pagelinkedfrom = str_replace('&', '&', $pagelinkedfrom); - $context = '[...] ' . wp_specialchars( $excerpt ) . ' [...]'; + $context = '[...] ' . esc_html( $excerpt ) . ' [...]'; $pagelinkedfrom = $wpdb->escape( $pagelinkedfrom ); $comment_post_ID = (int) $post_ID;