From 28c0f0d0ee581a0619ac5c10137a310aaf3e3e33 Mon Sep 17 00:00:00 2001
From: markjaquith
Date: Fri, 16 Mar 2007 08:04:24 +0000
Subject: [PATCH] Sanitize output of previous_posts() and next_posts(). Props Alex Concha for the report.

git-svn-id: http://svn.automattic.com/wordpress/trunk@5045 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/link-template.php | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/wp-includes/link-template.php b/wp-includes/link-template.php
index 10de62a71..44352f070 100644
--- a/wp-includes/link-template.php
+++ b/wp-includes/link-template.php
@@ -422,7 +422,7 @@ function next_post_link($format='%link »', $link='%title', $in_same_cat =
 function get_pagenum_link($pagenum = 1) {
 	global $wp_rewrite;
 
-	$qstr = wp_specialchars($_SERVER['REQUEST_URI']);
+	$qstr = $_SERVER['REQUEST_URI'];
 
 	$page_querystring = "paged";
 	$page_modstring = "page/";
@@ -490,7 +490,7 @@ function get_pagenum_link($pagenum = 1) {
 	return $qstr;
 }
 
-function next_posts($max_page = 0) { // original by cfactor at cooltux.org
+function get_next_posts_page_link($max_page = 0) {
 	global $paged, $pagenow;
 
 	if ( !is_single() ) {
@@ -498,10 +498,14 @@ function next_posts($max_page = 0) { // original by cfactor at cooltux.org
 			$paged = 1;
 		$nextpage = intval($paged) + 1;
 		if ( !$max_page || $max_page >= $nextpage )
-			echo get_pagenum_link($nextpage);
+			return get_pagenum_link($nextpage);
 	}
 }
 
+function next_posts($max_page = 0) {
+	echo attribute_escape(get_next_posts_page_link($max_page));
+}
+
 function next_posts_link($label='Next Page »', $max_page=0) {
 	global $paged, $wpdb, $wp_query;
 	if ( !$max_page ) {
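Review bot: get_pagenum_link() now hands back a URL derived from the raw $_SERVER['REQUEST_URI'] with no escaping at all, so every caller that prints its return value has to escape it, and this commit only covers next_posts() and previous_posts(). next_posts_link() and previous_posts_link() are visible as context further down and presumably build an href from the same value; if they print it unescaped, request text controlled by the visitor would reach the page. The new contract should be stated on the function so future callers see it, e.g. `// Returns an unescaped URL built from REQUEST_URI; escape at output (attribute_escape() for href attributes).` get_pagenum_link's body continues outside the hunk.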
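Review bot: The new get_next_posts_page_link() has no docblock, and since its only `return` sits inside two conditions (see the following hunk) it returns null implicitly on a single post or once $max_page is exceeded, which callers cannot tell from the name. A one-line header would make that visible: `// Returns the unescaped URL of the next posts page, or null when there is none (single post, or $max_page reached).` The same implicit null applies to get_previous_posts_page_link() in the last hunk. The function's body runs past the end of this hunk.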
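Review bot: next_posts() is a new public template tag with no comment saying which output context its escaping is meant for; attribute_escape() covers a quoted HTML attribute (the `href="..."` case), so a theme that prints the tag into JavaScript or a URL parameter still needs context-specific escaping, and a theme that wants the raw value now has get_next_posts_page_link() for that. A short header would pin this down: `// Echoes the next posts page URL escaped for use inside a double-quoted HTML attribute.` The same note applies to previous_posts() in the following hunk.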
@@ -517,18 +521,20 @@ function next_posts_link($label='Next Page »', $max_page=0) {
 	}
 }
 
-
-function previous_posts() { // original by cfactor at cooltux.org
+function get_previous_posts_page_link() {
 	global $paged, $pagenow;
 
 	if ( !is_single() ) {
 		$nextpage = intval($paged) - 1;
 		if ( $nextpage < 1 )
 			$nextpage = 1;
-		echo get_pagenum_link($nextpage);
+		return get_pagenum_link($nextpage);
 	}
 }
 
+function previous_posts() {
+	echo attribute_escape(get_previous_posts_page_link());
+}
 
 function previous_posts_link($label='« Previous Page') {
 	global $paged;