From 2a11c994590c9a680c568377bb6f567cd7aec3de Mon Sep 17 00:00:00 2001
From: markjaquith <markjaquith@1a063a9b-81f0-0310-95a4-ce76da25c4cd>
Date: Fri, 9 Mar 2007 04:36:24 +0000
Subject: [PATCH] Sanitize browser-bound add_query_arg() outputs.  fixes #3937

git-svn-id: http://svn.automattic.com/wordpress/trunk@5007 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/admin-functions.php  |  2 +-
 wp-admin/custom-header.php    |  6 +++---
 wp-admin/edit-comments.php    | 12 ++++++------
 wp-includes/script-loader.php |  2 +-
 4 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/wp-admin/admin-functions.php b/wp-admin/admin-functions.php
index 2fa0688e6..336b702d3 100644
--- a/wp-admin/admin-functions.php
+++ b/wp-admin/admin-functions.php
@@ -1935,7 +1935,7 @@ function wp_import_upload_form( $action ) {
 	if (strpos($size, 'g') !== false)
 		$bytes = $size * 1024 * 1024 * 1024;
 ?>
-<form enctype="multipart/form-data" id="import-upload-form" method="post" action="<?php echo $action ?>">
+<form enctype="multipart/form-data" id="import-upload-form" method="post" action="<?php echo attribute_escape($action) ?>">
 <p>
 <label for="upload"><?php _e( 'Choose a file from your computer:' ); ?></label> (<?php printf( __('Maximum size: %s' ), $size ); ?> )
 <input type="file" id="upload" name="import" size="25" />
diff --git a/wp-admin/custom-header.php b/wp-admin/custom-header.php
index 1b913c28e..5daad1e04 100644
--- a/wp-admin/custom-header.php
+++ b/wp-admin/custom-header.php
@@ -174,7 +174,7 @@ Event.observe( window, 'load', hide_text );
 <h2><?php _e('Upload New Header Image'); ?></h2><p><?php _e('Here you can upload a custom header image to be shown at the top of your blog instead of the default one. On the next screen you will be able to crop the image.'); ?></p>
 <p><?php printf(__('Images of exactly <strong>%1$d x %2$d pixels</strong> will be used as-is.'), HEADER_IMAGE_WIDTH, HEADER_IMAGE_HEIGHT); ?></p>
 
-<form enctype="multipart/form-data" id="uploadForm" method="POST" action="<?php echo add_query_arg('step', 2) ?>" style="margin: auto; width: 50%;">
+<form enctype="multipart/form-data" id="uploadForm" method="POST" action="<?php echo attribute_escape(add_query_arg('step', 2)) ?>" style="margin: auto; width: 50%;">
 <label for="upload"><?php _e('Choose an image from your computer:'); ?></label><br /><input type="file" id="upload" name="import" />
 <input type="hidden" name="action" value="save" />
 <p class="submit">
@@ -188,7 +188,7 @@ Event.observe( window, 'load', hide_text );
 <div class="wrap">
 <h2><?php _e('Reset Header Image and Color'); ?></h2>
 <p><?php _e('This will restore the original header image and color. You will not be able to retrieve any customizations.') ?></p>
-<form method="post" action="<?php echo add_query_arg('step', 1) ?>">
+<form method="post" action="<?php echo attribute_escape(add_query_arg('step', 1)) ?>">
 <input type="submit" name="resetheader" value="<?php _e('Restore Original Header'); ?>" />
 </form>
 </div>
@@ -240,7 +240,7 @@ Event.observe( window, 'load', hide_text );
 
 <div class="wrap">
 
-<form method="POST" action="<?php echo add_query_arg('step', 3) ?>">
+<form method="POST" action="<?php echo attribute_escape(add_query_arg('step', 3)) ?>">
 
 <p><?php _e('Choose the part of the image you want to use as your header.'); ?></p>
 <div id="testWrap">
diff --git a/wp-admin/edit-comments.php b/wp-admin/edit-comments.php
index e8fd200a0..4ba247901 100644
--- a/wp-admin/edit-comments.php
+++ b/wp-admin/edit-comments.php
@@ -101,7 +101,7 @@ $total_pages = ceil( $total / 20 );
 $r = '';
 if ( 1 < $page ) {
 	$args['apage'] = ( 1 == $page - 1 ) ? FALSE : $page - 1;
-	$r .=  '<a class="prev" href="' . add_query_arg( $args ) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
+	$r .=  '<a class="prev" href="' . attribute_escape(add_query_arg( $args )) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
 }
 if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
 	for ( $page_num = 1; $page_num <= $total_pages; $page_num++ ) :
@@ -111,7 +111,7 @@ if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
 			$p = false;
 			if ( $page_num < 3 || ( $page_num >= $page - 3 && $page_num <= $page + 3 ) || $page_num > $total_pages - 3 ) :
 				$args['apage'] = ( 1 == $page_num ) ? FALSE : $page_num;
-				$r .= '<a class="page-numbers" href="' . add_query_arg($args) . '">' . ( $page_num ) . "</a>\n";
+				$r .= '<a class="page-numbers" href="' . attribute_escape(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
 				$in = true;
 			elseif ( $in == true ) :
 				$r .= "...\n";
@@ -122,7 +122,7 @@ if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
 }
 if ( ( $page ) * 20 < $total || -1 == $total ) {
 	$args['apage'] = $page + 1;
-	$r .=  '<a class="next" href="' . add_query_arg($args) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
+	$r .=  '<a class="next" href="' . attribute_escape(add_query_arg($args)) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
 }
 echo "<p class='pagenav'>$r</p>";
 ?>
@@ -248,7 +248,7 @@ $total_pages = ceil( $total / 20 );
 $r = '';
 if ( 1 < $page ) {
 	$args['apage'] = ( 1 == $page - 1 ) ? FALSE : $page - 1;
-	$r .=  '<a class="prev" href="' . add_query_arg( $args ) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
+	$r .=  '<a class="prev" href="' . attribute_escape(add_query_arg( $args )) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
 }
 if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
 	for ( $page_num = 1; $page_num <= $total_pages; $page_num++ ) :
@@ -258,7 +258,7 @@ if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
 			$p = false;
 			if ( $page_num < 3 || ( $page_num >= $page - 3 && $page_num <= $page + 3 ) || $page_num > $total_pages - 3 ) :
 				$args['apage'] = ( 1 == $page_num ) ? FALSE : $page_num;
-				$r .= '<a class="page-numbers" href="' . add_query_arg($args) . '">' . ( $page_num ) . "</a>\n";
+				$r .= '<a class="page-numbers" href="' . attribute_escape(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
 				$in = true;
 			elseif ( $in == true ) :
 				$r .= "...\n";
@@ -269,7 +269,7 @@ if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
 }
 if ( ( $page ) * 20 < $total || -1 == $total ) {
 	$args['apage'] = $page + 1;
-	$r .=  '<a class="next" href="' . add_query_arg($args) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
+	$r .=  '<a class="next" href="' . attribute_escape(add_query_arg($args)) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
 }
 echo "<p class='pagenav'>$r</p>";
 ?>
diff --git a/wp-includes/script-loader.php b/wp-includes/script-loader.php
index 31d712251..a76331571 100644
--- a/wp-includes/script-loader.php
+++ b/wp-includes/script-loader.php
@@ -150,7 +150,7 @@ class WP_Scripts {
 						$ver .= '&amp;' . $this->args[$handle];
 					$src = 0 === strpos($this->scripts[$handle]->src, 'http://') ? $this->scripts[$handle]->src : get_option( 'siteurl' ) . $this->scripts[$handle]->src;
 					$src = add_query_arg('ver', $ver, $src);
-					$src = apply_filters( 'script_loader_src', $src );
+					$src = attribute_escape(apply_filters( 'script_loader_src', $src ));
 					echo "<script type='text/javascript' src='$src'></script>\n";
 					$this->print_scripts_l10n( $handle );
 				}