From 293b3b4deef798df33f1e4d1cda1f37cedfc6a32 Mon Sep 17 00:00:00 2001
From: ryan
Date: Fri, 5 May 2006 07:49:05 +0000
Subject: [PATCH] Better escaping of strings used in JS.

git-svn-id: http://svn.automattic.com/wordpress/trunk@3763 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/edit-comments.php | 6 +++---
 wp-admin/edit.php | 6 +++---
 wp-admin/moderation.php | 2 +-
 wp-includes/functions-formatting.php | 5 +++++
 4 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/wp-admin/edit-comments.php b/wp-admin/edit-comments.php
index eff027780..57fb693ff 100644
--- a/wp-admin/edit-comments.php
+++ b/wp-admin/edit-comments.php
@@ -119,12 +119,12 @@ if ('view' == $mode) {
 comment_post_ID) ) {
 echo " " . __('Edit') . '';
- echo ' | comment_author, 1)) . "' );\">" . __('Delete') . ' ';
+ echo ' | comment_author)) . "' );\">" . __('Delete') . ' ';
 if ( ('none' != $comment_status) && ( current_user_can('moderate_comments') ) ) {
 echo ' | ' . __('Unapprove') . ' ';
 echo ' | ' . __('Approve') . ' ';
 }
- echo " | comment_post_ID."&comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . sprintf(__("You are about to mark as spam this comment by "%s".\\n"Cancel" to stop, "OK" to mark as spam."), wp_specialchars( $comment->comment_author, 1 )) . "' );\">" . __('Spam') . " ";
+ echo " | comment_post_ID."&comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . sprintf(__("You are about to mark as spam this comment by "%s".\\n"Cancel" to stop, "OK" to mark as spam."), js_escape( $comment->comment_author)) . "' );\">" . __('Spam') . " ";
 }
 $post = get_post($comment->comment_post_ID);
 $post_title = wp_specialchars( $post->post_title, 'double' ); 
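Review bot: The new Spam link on the `+ echo " | ... __('Spam')` line builds its href as `comment_post_ID."&comment=".$comment->comment_ID."\" onclick=` with no `wp_nonce_url()` wrapper, whereas the same Spam link in the edit.php hunk of this commit passes the URL through `wp_nonce_url(..., 'delete-comment' . $comment->comment_ID)`; the start of the href is lost in this rendering, so the absence is inferred from what survives. js_escape() only hardens the confirm-dialog text, so a forged GET to that URL is untouched by this change. Wrapping this href in `wp_nonce_url()` with the same action string would make the two pages consistent, assuming comment.php verifies the nonce as the edit.php link implies. The enclosing `if ('view' == $mode)` block starts before this hunk.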
@@ -183,7 +183,7 @@ $post_title = ('' == $post_title) ? "# $comment->comment_post_ID" : $post_title;
 comment_post_ID) ) { echo "" . __('Edit') . ""; } ?> comment_post_ID) ) {
- echo "comment_post_ID."&comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment', $comment->comment_ID, '" . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), wp_specialchars( $comment->comment_author, 1 )) . "' );\" class='edit'>" . __('Delete') . " ";
+ echo "comment_post_ID."&comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment', $comment->comment_ID, '" . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), js_escape( $comment->comment_author )) . "' );\" class='edit'>" . __('Delete') . " ";
 } ?> $column_display_name) { case 'control_delete': ?>
- ID) ) { echo "ID) . "' class='delete' onclick=\"return deleteSomething( 'post', " . $id . ", '" . sprintf(__("You are about to delete this post "%s".\\n"OK" to delete, "Cancel" to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . ""; } ?>
+ ID) ) { echo "ID) . "' class='delete' onclick=\"return deleteSomething( 'post', " . $id . ", '" . sprintf(__("You are about to delete this post "%s".\\n"OK" to delete, "Cancel" to stop."), js_escape(get_the_title()) ) . "' );\">" . __('Delete') . ""; } ?>
 comment_post_ID) ) {
 echo " " . __('Edit') . '';
- echo ' | comment_author, 1)) . "' );\">" . __('Delete') . ' ';
+ echo ' | comment_author)) . "' );\">" . __('Delete') . ' ';
 if ( ('none' != $comment_status) && ( current_user_can('moderate_comments') ) ) {
 echo ' | ' . __('Unapprove') . ' ';
 echo ' | ' . __('Approve') . ' ';
 }
- echo " | comment_post_ID."&comment=".$comment->comment_ID, 'delete-comment' . $comment->comment_ID) . "\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . 
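Review bot: On the `+ ID) ) { echo "ID) ...` line only the `%s` argument of sprintf() goes through js_escape(); the template returned by `__()` and `$id` in `deleteSomething( 'post', " . $id . ", '` are written into the onclick attribute as-is. The template only works because its quotes are pre-encoded entities (they render as plain `"` here, which could not sit inside a PHP double-quoted string, so they are presumably `&quot;` in the source) and its `\\n` is a literal backslash-n, which is also why js_escape() cannot simply be applied to the whole message without doubling that backslash; a translation that uses a raw `'` or a real newline would end the JS string early. Worth a comment at the call site, e.g. `// only %s is escaped: translations must keep the entity quotes and the literal \n`. `$id` is presumably the integer post ID; `(int) $id` would make that explicit. The enclosing `switch` on `$column_display_name` starts before this hunk.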
sprintf(__("You are about to mark as spam this comment by "%s".\\n"Cancel" to stop, "OK" to mark as spam."), wp_specialchars( $comment->comment_author, 1 )) . "' );\">" . __('Spam') . " ]";
+ echo " | comment_post_ID."&comment=".$comment->comment_ID, 'delete-comment' . $comment->comment_ID) . "\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . sprintf(__("You are about to mark as spam this comment by "%s".\\n"Cancel" to stop, "OK" to mark as spam."), js_escape( $comment->comment_author)) . "' );\">" . __('Spam') . " ]";
 } // end if any comments to show ?>

diff --git a/wp-admin/moderation.php b/wp-admin/moderation.php
index fb00bce06..d8367f0df 100644
--- a/wp-admin/moderation.php
+++ b/wp-admin/moderation.php
@@ -149,7 +149,7 @@ $i = 0;

— [ comment_ID.'">' . __('Edit') . ' | ';
-echo " comment_post_ID."&comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment', $comment->comment_ID, '" . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($comment->comment_author, 1)) . "' );\">" . __('Delete ') . " | "; ?>
+echo " comment_post_ID."&comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment', $comment->comment_ID, '" . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), js_escape($comment->comment_author)) . "' );\">" . __('Delete ') . " | "; ?>
 comment_post_ID); $post_title = wp_specialchars( $post->post_title, 'double' );
diff --git a/wp-includes/functions-formatting.php b/wp-includes/functions-formatting.php
index 72d0971f4..874785440 100644
--- a/wp-includes/functions-formatting.php
+++ b/wp-includes/functions-formatting.php
@@ -1040,4 +1040,9 @@ function htmlentities2($myHTML) {
 return preg_replace("/&(?![A-Za-z]{0,4}\w{2,3};|#[0-9]{2,3};)/","&" , strtr($myHTML, $translation_table));
 }
+// Escape single quotes, specialchar double quotes, and fix line endings.
+function js_escape($text) {
+ $text = wp_specialchars($text, 'double');
+ return preg_replace("/\r?\n/", "\\n", addslashes($text));
+}
 ?>
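Review bot: On the `+echo " comment_post_ID...` line `$comment->comment_ID` is interpolated unescaped into both the href and the `deleteSomething( 'comment', $comment->comment_ID, '` argument list inside the onclick attribute; it is presumably the integer primary key, but nothing on this line enforces that, so after js_escape() on the author name the IDs are the row data that still reach the JS context raw. A cast up front, `$cid = (int) $comment->comment_ID;`, used in both places would remove that dependence. As far as the truncated href shows, this link also carries no `wp_nonce_url()` wrapper, unlike the spam link in the edit.php hunk of this commit. The surrounding loop (`$i = 0;` in the hunk header) starts before this hunk.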
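Review bot: `js_escape()` only rewrites `\n` and `\r\n`: a lone `\r` is untouched by addslashes() and by the `/\r?\n/` pattern, so it reaches the single-quoted JS literal as a raw line terminator and ends the string there. Replacing the last line with `return preg_replace("/\r\n|\r|\n/", "\\n", addslashes($text));` covers all three forms. The header comment should also name the only context the output is correct for, the one every caller in this commit uses — a `'`-quoted JS string inside a `"`-quoted HTML attribute — since `'` and `\` come out backslash-escaped while `"` and whatever else wp_specialchars() encodes come out as HTML entities, which a `<script>` block would not decode; e.g. `// For '-quoted JS strings inside a "-quoted HTML attribute only; not for <script> blocks (entities are not decoded there).`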