Make it more obvious we're escaping values in options.php. fixes #12417

git-svn-id: http://svn.automattic.com/wordpress/trunk@13471 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
nacin 2010-02-27 22:50:00 +00:00
parent 9deb08bade
commit 473ef7d459
1 changed files with 13 additions and 14 deletions


@ -152,24 +152,23 @@ default:
<div class="wrap"> <div class="wrap">
<?php screen_icon(); ?> <?php screen_icon(); ?>
<h2><?php _e('All Settings'); ?></h2> <h2><?php esc_html_e('All Settings'); ?></h2>
<form name="form" action="options.php" method="post" id="all-options"> <form name="form" action="options.php" method="post" id="all-options">
<?php wp_nonce_field('options-options') ?> <?php wp_nonce_field('options-options') ?>
<input type="hidden" name="action" value="update" /> <input type="hidden" name="action" value="update" />
<input type='hidden' name='option_page' value='options' /> <input type='hidden' name='option_page' value='options' />
<table class="form-table"> <table class="form-table">
<?php <?php
$options = $wpdb->get_results("SELECT * FROM $wpdb->options ORDER BY option_name"); $options = $wpdb->get_results( "SELECT * FROM $wpdb->options ORDER BY option_name" );
foreach ( (array) $options as $option) : foreach ( (array) $options as $option ) :
$disabled = ''; $disabled = '';
$option->option_name = esc_attr($option->option_name);
if ( $option->option_name == '' ) if ( $option->option_name == '' )
continue; continue;
if ( is_serialized($option->option_value) ) { if ( is_serialized( $option->option_value ) ) {
if ( is_serialized_string($option->option_value) ) { if ( is_serialized_string( $option->option_value ) ) {
// this is a serialized string, so we should display it // this is a serialized string, so we should display it
$value = maybe_unserialize($option->option_value); $value = maybe_unserialize( $option->option_value );
$options_to_update[] = $option->option_name; $options_to_update[] = $option->option_name;
$class = 'all-options'; $class = 'all-options';
} else { } else {
@ -182,21 +181,21 @@ foreach ( (array) $options as $option) :
$options_to_update[] = $option->option_name; $options_to_update[] = $option->option_name;
$class = 'all-options'; $class = 'all-options';
} }
$name = esc_attr( $option->option_name );
echo " echo "
<tr> <tr>
<th scope='row'><label for='$option->option_name'>$option->option_name</label></th> <th scope='row'><label for='$'>" . esc_html( $option->option_name ) . "</label></th>
<td>"; <td>";
if ( strpos( $value, "\n" ) !== false )
if (strpos($value, "\n") !== false) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>" . esc_html($value) . "</textarea>"; echo "<textarea class='$class' name='$name' id='$name' cols='30' rows='5'>" . wp_htmledit_pre( $value ) . "</textarea>";
else echo "<input class='regular-text $class' type='text' name='$option->option_name' id='$option->option_name' value='" . esc_attr($value) . "'$disabled />"; else
echo "<input class='regular-text $class' type='text' name='$name' id='$name' value='" . esc_attr( $value ) . "'$disabled />";
echo "</td> echo "</td>
</tr>"; </tr>";
endforeach; endforeach;
?> ?>
</table> </table>
<?php $options_to_update = implode(',', $options_to_update); ?> <p class="submit"><input type="hidden" name="page_options" value="<?php echo esc_attr( implode( ',', $options_to_update ) ); ?>" /><input type="submit" name="Update" value="<?php esc_attr_e( 'Save Changes' ); ?>" class="button-primary" /></p>
<p class="submit"><input type="hidden" name="page_options" value="<?php echo esc_attr($options_to_update); ?>" /><input type="submit" name="Update" value="<?php _e('Save Changes') ?>" class="button-primary" /></p>
</form> </form>
</div> </div>
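Review bot: The rewritten `<th>` line in the second hunk emits `<label for='$'>`, so the label's `for` no longer matches the `id='$name'` written on the textarea and input lines below it; unless this is a rendering artifact of the page, it should read `<label for='$name'>" . esc_html( $option->option_name ) . "</label>`. Separately, the new `implode( ',', $options_to_update )` on the submit line relies on `$options_to_update` having been created by the `[]` appends inside the loop, so on an empty result set it is undefined; an `$options_to_update = array();` before the `foreach` (which begins in the first hunk, above this one) would make the hidden field safe in that case. A one-line comment on the textarea line explaining why `wp_htmledit_pre( $value )` replaces `esc_html( $value )` there, while the input line keeps `esc_attr( $value )`, would also help later readers judge the escaping contexts at a glance.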