diff --git a/wp-admin/admin-functions.php b/wp-admin/admin-functions.php index df6051e67e..349dc4963b 100644 --- a/wp-admin/admin-functions.php +++ b/wp-admin/admin-functions.php @@ -358,7 +358,7 @@ function get_default_post_to_edit() { else if ( !empty( $post_title ) ) { $text = wp_specialchars( stripslashes( urldecode( $_REQUEST['text'] ) ) ); $text = funky_javascript_fix( $text); - $popupurl = attribute_escape($_REQUEST['popupurl']); + $popupurl = clean_url($_REQUEST['popupurl']); $post_content = ''.$post_title.''."\n$text"; } @@ -417,7 +417,7 @@ function get_user_to_edit( $user_id ) { $user = new WP_User( $user_id ); $user->user_login = attribute_escape($user->user_login); $user->user_email = attribute_escape($user->user_email); - $user->user_url = attribute_escape($user->user_url); + $user->user_url = clean_url($user->user_url); $user->first_name = attribute_escape($user->first_name); $user->last_name = attribute_escape($user->last_name); $user->display_name = attribute_escape($user->display_name); @@ -562,11 +562,11 @@ function edit_user( $user_id = 0 ) { function get_link_to_edit( $link_id ) { $link = get_link( $link_id ); - $link->link_url = attribute_escape($link->link_url); + $link->link_url = clean_url($link->link_url); $link->link_name = attribute_escape($link->link_name); $link->link_image = attribute_escape($link->link_image); $link->link_description = attribute_escape($link->link_description); - $link->link_rss = attribute_escape($link->link_rss); + $link->link_rss = clean_url($link->link_rss); $link->link_rel = attribute_escape($link->link_rel); $link->link_notes = wp_specialchars($link->link_notes); $link->post_category = $link->link_category; @@ -576,7 +576,7 @@ function get_link_to_edit( $link_id ) { function get_default_link_to_edit() { if ( isset( $_GET['linkurl'] ) ) - $link->link_url = attribute_escape( $_GET['linkurl']); + $link->link_url = clean_url( $_GET['linkurl']); else $link->link_url = ''; @@ -867,7 +867,7 @@ function user_row( $user_object, $style = '' ) { } $r .= "\n\t\t"; if ( current_user_can( 'edit_user', $user_object->ID ) ) { - $edit_link = attribute_escape( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), "user-edit.php?user_id=$user_object->ID" )); + $edit_link = clean_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), "user-edit.php?user_id=$user_object->ID" )); $r .= "".__( 'Edit' ).""; } $r .= "\n\t"; diff --git a/wp-admin/bookmarklet.php b/wp-admin/bookmarklet.php index cd2b542c7d..e84b5d9d02 100644 --- a/wp-admin/bookmarklet.php +++ b/wp-admin/bookmarklet.php @@ -37,7 +37,7 @@ else $content = wp_specialchars($_REQUEST['content']); -$popupurl = attribute_escape($_REQUEST['popupurl']); +$popupurl = clean_url($_REQUEST['popupurl']); if ( !empty($content) ) { $post->post_content = wp_specialchars( stripslashes($_REQUEST['content']) ); } else { diff --git a/wp-admin/edit-comments.php b/wp-admin/edit-comments.php index b40882a5ef..9cb0ce3593 100644 --- a/wp-admin/edit-comments.php +++ b/wp-admin/edit-comments.php @@ -101,7 +101,7 @@ $total_pages = ceil( $total / 20 ); $r = ''; if ( 1 < $page ) { $args['apage'] = ( 1 == $page - 1 ) ? FALSE : $page - 1; - $r .= '' . "\n"; + $r .= '' . "\n"; } if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) { for ( $page_num = 1; $page_num <= $total_pages; $page_num++ ) : @@ -111,7 +111,7 @@ if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) { $p = false; if ( $page_num < 3 || ( $page_num >= $page - 3 && $page_num <= $page + 3 ) || $page_num > $total_pages - 3 ) : $args['apage'] = ( 1 == $page_num ) ? FALSE : $page_num; - $r .= '' . ( $page_num ) . "\n"; + $r .= '' . ( $page_num ) . "\n"; $in = true; elseif ( $in == true ) : $r .= "...\n"; @@ -122,7 +122,7 @@ if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) { } if ( ( $page ) * 20 < $total || -1 == $total ) { $args['apage'] = $page + 1; - $r .= '' . "\n"; + $r .= '' . "\n"; } echo "

$r

"; ?> @@ -248,7 +248,7 @@ $total_pages = ceil( $total / 20 ); $r = ''; if ( 1 < $page ) { $args['apage'] = ( 1 == $page - 1 ) ? FALSE : $page - 1; - $r .= '' . "\n"; + $r .= '' . "\n"; } if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) { for ( $page_num = 1; $page_num <= $total_pages; $page_num++ ) : @@ -258,7 +258,7 @@ if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) { $p = false; if ( $page_num < 3 || ( $page_num >= $page - 3 && $page_num <= $page + 3 ) || $page_num > $total_pages - 3 ) : $args['apage'] = ( 1 == $page_num ) ? FALSE : $page_num; - $r .= '' . ( $page_num ) . "\n"; + $r .= '' . ( $page_num ) . "\n"; $in = true; elseif ( $in == true ) : $r .= "...\n"; @@ -269,7 +269,7 @@ if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) { } if ( ( $page ) * 20 < $total || -1 == $total ) { $args['apage'] = $page + 1; - $r .= '' . "\n"; + $r .= '' . "\n"; } echo "

$r

"; ?> diff --git a/wp-admin/edit-form-advanced.php b/wp-admin/edit-form-advanced.php index c07ae4cf47..b400fb1cc2 100644 --- a/wp-admin/edit-form-advanced.php +++ b/wp-admin/edit-form-advanced.php @@ -168,11 +168,11 @@ if ('publish' != $post->post_status || 0 == $post_ID) { ?>

diff --git a/wp-admin/edit-page-form.php b/wp-admin/edit-page-form.php index 6f2cbd17f8..d13c613d16 100644 --- a/wp-admin/edit-page-form.php +++ b/wp-admin/edit-page-form.php @@ -13,7 +13,7 @@ if (0 == $post_ID) { $form_extra = ""; } -$sendto = attribute_escape(stripslashes(wp_get_referer())); +$sendto = clean_url(stripslashes(wp_get_referer())); if ( 0 != $post_ID && $sendto == get_permalink($post_ID) ) $sendto = 'redo'; diff --git a/wp-admin/link-manager.php b/wp-admin/link-manager.php index 4957645c22..12b90af9de 100644 --- a/wp-admin/link-manager.php +++ b/wp-admin/link-manager.php @@ -133,7 +133,7 @@ if ( $links ) { foreach ($links as $link) { $link->link_name = attribute_escape($link->link_name); $link->link_description = wp_specialchars($link->link_description); - $link->link_url = attribute_escape($link->link_url); + $link->link_url = clean_url($link->link_url); $link->link_category = wp_get_link_cats($link->link_id); $short_url = str_replace('http://', '', $link->link_url); $short_url = str_replace('www.', '', $short_url); diff --git a/wp-admin/page.php b/wp-admin/page.php index 1acc8c367a..3b55924600 100644 --- a/wp-admin/page.php +++ b/wp-admin/page.php @@ -63,7 +63,7 @@ case 'edit': ?>

- +

- +

@@ -40,7 +40,7 @@ switch($step) { if ( empty( $_GET['backto'] ) ) $backto = __get_option('home'); else - $backto = attribute_escape(stripslashes($_GET['backto'])); + $backto = clean_url(stripslashes($_GET['backto'])); ?>

Have fun!"), $backto); ?>

diff --git a/wp-admin/upload-functions.php b/wp-admin/upload-functions.php index 8a054ced0d..f7f19b7ee2 100644 --- a/wp-admin/upload-functions.php +++ b/wp-admin/upload-functions.php @@ -35,7 +35,7 @@ function wp_upload_display( $dims = false, $href = '' ) { $r = ''; if ( $href ) - $r .= "\n"; + $r .= "\n"; if ( $href || $image_src ) $r .= "\t\t\t$innerHTML"; if ( $href ) @@ -83,9 +83,9 @@ function wp_upload_view() { echo '[ '; echo '' . __('view') . ''; echo ' | '; - echo '' . __('edit') . ''; + echo '' . __('edit') . ''; echo ' | '; - echo '' . __('cancel') . ''; + echo '' . __('cancel') . ''; echo ' ]'; ?> @@ -123,9 +123,9 @@ function wp_upload_form() { echo '[ '; echo '' . __('view') . ''; echo ' | '; - echo '' . __('links') . ''; + echo '' . __('links') . ''; echo ' | '; - echo '' . __('cancel') . ''; + echo '' . __('cancel') . ''; echo ' ]'; ?> diff --git a/wp-admin/upload.php b/wp-admin/upload.php index f592edba32..562272cc30 100644 --- a/wp-admin/upload.php +++ b/wp-admin/upload.php @@ -90,7 +90,7 @@ foreach ( $wp_upload_tabs as $t => $tab_array ) { // We've already done the curr $href = add_query_arg( array('tab' => $t, 'ID' => '', 'action' => '', 'paged' => '') ); if ( isset($tab_array[4]) && is_array($tab_array[4]) ) add_query_arg( $tab_array[4], $href ); - $_href = attribute_escape( $href); + $_href = clean_url( $href); $page_links = ''; $class = 'upload-tab alignleft'; if ( $tab == $t ) { diff --git a/wp-admin/user-edit.php b/wp-admin/user-edit.php index b2c19699f7..b6ab11992a 100644 --- a/wp-admin/user-edit.php +++ b/wp-admin/user-edit.php @@ -55,7 +55,7 @@ include ('admin-header.php');

-

+

diff --git a/wp-includes/bookmark-template.php b/wp-includes/bookmark-template.php index 0770268190..7747ed0e67 100644 --- a/wp-includes/bookmark-template.php +++ b/wp-includes/bookmark-template.php @@ -96,7 +96,7 @@ function get_links($category = -1, $output .= get_option('links_recently_updated_prepend'); $the_link = '#'; if ( !empty($row->link_url) ) - $the_link = wp_specialchars($row->link_url); + $the_link = clean_url($row->link_url); $rel = $row->link_rel; if ( '' != $rel ) $rel = ' rel="' . $rel . '"'; @@ -260,7 +260,7 @@ function _walk_bookmarks($bookmarks, $args = '' ) { $the_link = '#'; if ( !empty($bookmark->link_url) ) - $the_link = wp_specialchars($bookmark->link_url); + $the_link = clean_url($bookmark->link_url); $rel = $bookmark->link_rel; if ( '' != $rel ) diff --git a/wp-includes/comment.php b/wp-includes/comment.php index 6bdf060fa3..2d0243bcc8 100644 --- a/wp-includes/comment.php +++ b/wp-includes/comment.php @@ -169,7 +169,7 @@ function sanitize_comment_cookies() { if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) { $comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]); $comment_author_url = stripslashes($comment_author_url); - $comment_author_url = attribute_escape($comment_author_url); + $comment_author_url = clean_url($comment_author_url); $_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url; } } diff --git a/wp-includes/functions.php b/wp-includes/functions.php index e69a4d91b6..cfe7e06200 100644 --- a/wp-includes/functions.php +++ b/wp-includes/functions.php @@ -1192,7 +1192,7 @@ function wp_nonce_ays($action) { $adminurl = get_option('siteurl') . '/wp-admin'; if ( wp_get_referer() ) - $adminurl = attribute_escape(wp_get_referer()); + $adminurl = clean_url(wp_get_referer()); $title = __('WordPress Confirmation'); // Remove extra layer of slashes. @@ -1209,7 +1209,7 @@ function wp_nonce_ays($action) { $html .= "\t\t\n"; $html .= "\t\t
\n\t\t

" . wp_specialchars(wp_explain_nonce($action)) . "

\n\t\t

" . __('No') . "

\n\t\t
\n\t\n"; } else { - $html .= "\t
\n\t

" . wp_specialchars(wp_explain_nonce($action)) . "

\n\t

" . __('No') . " " . __('Yes') . "

\n\t
\n"; + $html .= "\t
\n\t

" . wp_specialchars(wp_explain_nonce($action)) . "

\n\t

" . __('No') . " " . __('Yes') . "

\n\t
\n"; } $html .= "\n"; wp_die($html, $title); diff --git a/wp-includes/general-template.php b/wp-includes/general-template.php index 18185ee4a1..1722db7104 100644 --- a/wp-includes/general-template.php +++ b/wp-includes/general-template.php @@ -289,6 +289,7 @@ function single_month_title($prefix = '', $display = true ) { function get_archives_link($url, $text, $format = 'html', $before = '', $after = '') { $text = wptexturize($text); $title_text = attribute_escape($text); + $url = clean_url($url); if ('link' == $format) return "\t\n"; @@ -971,7 +972,7 @@ function paginate_links( $arg = '' ) { $link = str_replace('%#%', $current - 1, $link); if ( $add_args ) $link = add_query_arg( $add_args, $link ); - $page_links[] = ""; + $page_links[] = ""; endif; for ( $n = 1; $n <= $total; $n++ ) : if ( $n == $current ) : @@ -983,7 +984,7 @@ function paginate_links( $arg = '' ) { $link = str_replace('%#%', $n, $link); if ( $add_args ) $link = add_query_arg( $add_args, $link ); - $page_links[] = "$n"; + $page_links[] = "$n"; $dots = true; elseif ( $dots && !$show_all ) : $page_links[] = "..."; @@ -996,7 +997,7 @@ function paginate_links( $arg = '' ) { $link = str_replace('%#%', $current + 1, $link); if ( $add_args ) $link = add_query_arg( $add_args, $link ); - $page_links[] = ""; + $page_links[] = ""; endif; switch ( $type ) : case 'array' : diff --git a/wp-includes/link-template.php b/wp-includes/link-template.php index 915ba5a4c0..78dc093da8 100644 --- a/wp-includes/link-template.php +++ b/wp-includes/link-template.php @@ -459,7 +459,7 @@ function get_next_posts_page_link($max_page = 0) { } function next_posts($max_page = 0) { - echo attribute_escape(get_next_posts_page_link($max_page)); + echo clean_url(get_next_posts_page_link($max_page)); } function next_posts_link($label='Next Page »', $max_page=0) { @@ -489,7 +489,7 @@ function get_previous_posts_page_link() { } function previous_posts() { - echo attribute_escape(get_previous_posts_page_link()); + echo clean_url(get_previous_posts_page_link()); } function previous_posts_link($label='« Previous Page') { diff --git a/wp-includes/script-loader.php b/wp-includes/script-loader.php index 32b2d4f2c9..00140de9cc 100644 --- a/wp-includes/script-loader.php +++ b/wp-includes/script-loader.php @@ -78,7 +78,7 @@ class WP_Scripts { if ( isset($this->args[$handle]) ) $ver .= '&' . $this->args[$handle]; $src = 0 === strpos($this->scripts[$handle]->src, 'http://') ? $this->scripts[$handle]->src : get_option( 'siteurl' ) . $this->scripts[$handle]->src; - $src = attribute_escape(add_query_arg('ver', $ver, $src)); + $src = clean_url(add_query_arg('ver', $ver, $src)); echo "\n"; } $this->printed[] = $handle;