From abcbdf58b27bf033e919a9d1735748ebbca11691 Mon Sep 17 00:00:00 2001 From: dd32 Date: Sun, 18 Apr 2010 03:38:47 +0000 Subject: [PATCH] Escape/texturize Admin menu titles. Fixes page titles such as "Foo & Bar" not being entity encoded. Also includes some basic whitespace/standards cleanup to a related function. Fixes #12039 git-svn-id: http://svn.automattic.com/wordpress/trunk@14127 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/includes/plugin.php | 14 ++++++-------- wp-admin/menu-header.php | 12 ++++++++---- wp-admin/menu.php | 2 +- 3 files changed, 15 insertions(+), 13 deletions(-) diff --git a/wp-admin/includes/plugin.php b/wp-admin/includes/plugin.php index 2f5072c3c..328757b53 100644 --- a/wp-admin/includes/plugin.php +++ b/wp-admin/includes/plugin.php @@ -818,22 +818,20 @@ function add_menu_page( $page_title, $menu_title, $capability, $menu_slug, $func $hookname = get_plugin_page_hookname( $menu_slug, '' ); - if (!empty ( $function ) && !empty ( $hookname ) && current_user_can( $capability ) ) + if ( !empty( $function ) && !empty( $hookname ) && current_user_can( $capability ) ) add_action( $hookname, $function ); - if ( empty($icon_url) ) { + if ( empty($icon_url) ) $icon_url = esc_url( admin_url( 'images/generic.png' ) ); - } elseif ( is_ssl() && 0 === strpos($icon_url, 'http://') ) { + elseif ( is_ssl() && 0 === strpos($icon_url, 'http://') ) $icon_url = 'https://' . substr($icon_url, 7); - } - $new_menu = array ( $menu_title, $capability, $menu_slug, $page_title, 'menu-top ' . $hookname, $hookname, $icon_url ); + $new_menu = array( $menu_title, $capability, $menu_slug, $page_title, 'menu-top ' . $hookname, $hookname, $icon_url ); - if ( NULL === $position ) { + if ( null === $position ) $menu[] = $new_menu; - } else { + else $menu[$position] = $new_menu; - } $_registered_pages[$hookname] = true; diff --git a/wp-admin/menu-header.php b/wp-admin/menu-header.php index b79b2ebea..2a9ee7294 100644 --- a/wp-admin/menu-header.php 
+++ b/wp-admin/menu-header.php @@ -69,6 +69,8 @@ function _wp_menu_output( $menu, $submenu, $submenu_as_parent = true ) { } $toggle = ''; + $title = wptexturize($item[0]); + echo "\n\t"; if ( false !== strpos($class, 'wp-menu-separator') ) { @@ -81,9 +83,9 @@ function _wp_menu_output( $menu, $submenu, $submenu_as_parent = true ) { $menu_file = substr($menu_file, 0, $pos); if ( ( ('index.php' != $submenu[$item[2]][0][2]) && file_exists(WP_PLUGIN_DIR . "/$menu_file") ) || !empty($menu_hook)) { $admin_is_parent = true; - echo "$toggle{$item[0]}"; + echo "$toggle$title"; } else { - echo "\n\t$toggle{$item[0]}"; + echo "\n\t$toggle$title"; } } else if ( current_user_can($item[1]) ) { $menu_hook = get_plugin_page_hook($item[2], 'admin.php'); @@ -138,6 +140,8 @@ function _wp_menu_output( $menu, $submenu, $submenu_as_parent = true ) { if ( false !== $pos = strpos($sub_file, '?') ) $sub_file = substr($sub_file, 0, $pos); + $title = wptexturize($sub_item[0]); + if ( ( ('index.php' != $sub_item[2]) && file_exists(WP_PLUGIN_DIR . "/$sub_file") ) || ! empty($menu_hook) ) { // If admin.php is the current page or if the parent exists as a file in the plugins or admin dir if ( (!$admin_is_parent && file_exists(WP_PLUGIN_DIR . "/$menu_file") && !is_dir(WP_PLUGIN_DIR . "/{$item[2]}")) || file_exists($menu_file) ) @@ -145,9 +149,9 @@ function _wp_menu_output( $menu, $submenu, $submenu_as_parent = true ) { else $sub_item_url = add_query_arg( array('page' => $sub_item[2]), 'admin.php' ); $sub_item_url = esc_url($sub_item_url); - echo "{$sub_item[0]}"; + echo "$title"; } else { - echo "{$sub_item[0]}"; + echo "$title"; } } echo ""; diff --git a/wp-admin/menu.php b/wp-admin/menu.php index 8c31f0b00..ab26ffacb 100644 --- a/wp-admin/menu.php +++ b/wp-admin/menu.php 
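Review bot: `$title = wptexturize($item[0]);` in the first `_wp_menu_output` hunk, and `$title = wptexturize($sub_item[0]);` in the submenu hunk, format the title but do not HTML-escape it: wptexturize() encodes a bare `&` and adjusts quotes and dashes, and leaves any tags in the string as they are. That covers the "Foo & Bar" case from the commit message, but a title built from stored or user-supplied text would still reach the `echo` with its markup intact, so "Escape" in the subject overstates what these lines do. If menu titles are meant to keep carrying markup, say so next to the assignment, e.g. `// Texturized for display only, not escaped: callers must esc_html() any dynamic text they put in a menu title.`; if they are not, `esc_html()` on the title is the stricter choice. The function body continues outside these hunks, so other uses of `$item[0]` and `$sub_item[0]` are not visible here.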
@@ -179,7 +179,7 @@ else if ( current_user_can('edit_users') ) { $_wp_real_parent_file['profile.php'] = 'users.php'; // Back-compat for plugins adding submenus to profile.php. - $submenu['users.php'][5] = array(__('Authors & Users'), 'edit_users', 'users.php'); + $submenu['users.php'][5] = array(__('Authors & Users'), 'edit_users', 'users.php'); $submenu['users.php'][10] = array(_x('Add New', 'user'), 'create_users', 'user-new.php'); $submenu['users.php'][15] = array(__('Your Profile'), 'read', 'profile.php');