diff --git a/wp-includes/author-template.php b/wp-includes/author-template.php index 19e7b86806..908e233543 100644 --- a/wp-includes/author-template.php +++ b/wp-includes/author-template.php @@ -132,7 +132,7 @@ function the_author_meta($field = '', $user_id = false) { */ function the_author_link() { if ( get_the_author_meta('url') ) { - echo '' . get_the_author() . ''; + echo '' . get_the_author() . ''; } else { the_author(); } @@ -181,7 +181,7 @@ function the_author_posts_link($deprecated = '') { printf( '%3$s', get_author_posts_url( $authordata->ID, $authordata->user_nicename ), - sprintf( __( 'Posts by %s' ), esc_attr( get_the_author() ) ), + esc_attr( sprintf( __( 'Posts by %s' ), get_the_author() ) ), get_the_author() ); } @@ -292,7 +292,7 @@ function wp_list_authors($args = '') { if ( ! $hide_empty ) $link = $name; } else { - $link = 'display_name)) . '">' . $name . ''; + $link = 'display_name) ) . '">' . $name . ''; if ( (! empty($feed_image)) || (! empty($feed)) ) { $link .= ' '; @@ -301,8 +301,8 @@ function wp_list_authors($args = '') { $link .= ''; + $link .= "'; else $link .= $name; diff --git a/wp-includes/bookmark-template.php b/wp-includes/bookmark-template.php index bb4f6ef37a..cf24da6c9b 100644 --- a/wp-includes/bookmark-template.php +++ b/wp-includes/bookmark-template.php @@ -90,7 +90,7 @@ function _walk_bookmarks($bookmarks, $args = '' ) { $rel = $bookmark->link_rel; if ( '' != $rel ) - $rel = ' rel="' . $rel . '"'; + $rel = ' rel="' . esc_attr($rel) . '"'; $target = $bookmark->link_target; if ( '' != $target ) diff --git a/wp-includes/category-template.php b/wp-includes/category-template.php index 61f2faf1aa..52b42baf01 100644 --- a/wp-includes/category-template.php +++ b/wp-includes/category-template.php @@ -68,7 +68,7 @@ function get_category_parents( $id, $link = false, $separator = '/', $nicename = } if ( $link ) - $chain .= 'cat_name ) . '">'.$name.'' . $separator; + $chain .= 'cat_name ) ) . '">'.$name.'' . $separator; else $chain .= $name.$separator; return $chain; @@ -190,17 +190,17 @@ function get_the_category_list( $separator = '', $parents='', $post_id = false ) case 'multiple': if ( $category->parent ) $thelist .= get_category_parents( $category->parent, true, $separator ); - $thelist .= 'name ) . '" ' . $rel . '>' . $category->name.''; + $thelist .= 'name ) ) . '" ' . $rel . '>' . $category->name.''; break; case 'single': - $thelist .= 'name ) . '" ' . $rel . '>'; + $thelist .= 'name ) ) . '" ' . $rel . '>'; if ( $category->parent ) $thelist .= get_category_parents( $category->parent, false, $separator ); $thelist .= $category->name.''; break; case '': default: - $thelist .= 'name ) . '" ' . $rel . '>' . $category->cat_name.''; + $thelist .= 'name ) ) . '" ' . $rel . '>' . $category->cat_name.''; } } $thelist .= ''; @@ -213,17 +213,17 @@ function get_the_category_list( $separator = '', $parents='', $post_id = false ) case 'multiple': if ( $category->parent ) $thelist .= get_category_parents( $category->parent, true, $separator ); - $thelist .= 'name ) . '" ' . $rel . '>' . $category->cat_name.''; + $thelist .= 'name ) ) . '" ' . $rel . '>' . $category->cat_name.''; break; case 'single': - $thelist .= 'name ) . '" ' . $rel . '>'; + $thelist .= 'name ) ) . '" ' . $rel . '>'; if ( $category->parent ) $thelist .= get_category_parents( $category->parent, false, $separator ); $thelist .= "$category->cat_name"; break; case '': default: - $thelist .= 'name ) . '" ' . $rel . '>' . $category->name.''; + $thelist .= 'name ) ) . '" ' . $rel . '>' . $category->name.''; } ++$i; } @@ -352,6 +352,8 @@ function wp_dropdown_categories( $args = '' ) { $tab_index_attribute = " tabindex=\"$tab_index\""; $categories = get_categories( $r ); + $name = esc_attr($name); + $class = esc_attr($class); $output = ''; if ( ! empty( $categories ) ) { diff --git a/wp-includes/comment-template.php b/wp-includes/comment-template.php index e87801b6d6..a5ebcd1668 100644 --- a/wp-includes/comment-template.php +++ b/wp-includes/comment-template.php @@ -338,6 +338,8 @@ function get_comment_class( $class = '', $comment_id = null, $post_id = null ) { $classes = array_merge($classes, $class); } + $classes = array_map('esc_attr', $classes); + return apply_filters('comment_class', $classes, $class, $comment_id, $post_id); } @@ -940,7 +942,7 @@ function comments_popup_link( $zero = false, $one = false, $more = false, $css_c $number = get_comments_number( $id ); if ( 0 == $number && !comments_open() && !pings_open() ) { - echo '' . $none . ''; + echo '' . $none . ''; return; } @@ -972,7 +974,7 @@ function comments_popup_link( $zero = false, $one = false, $more = false, $css_c echo apply_filters( 'comments_popup_link_attributes', '' ); - echo ' title="' . sprintf( __('Comment on %s'), $title ) . '">'; + echo ' title="' . esc_attr( sprintf( __('Comment on %s'), $title ) ) . '">'; comments_number( $zero, $one, $more, $number ); echo ''; } diff --git a/wp-includes/general-template.php b/wp-includes/general-template.php index 68c73cedaa..ff52097c5f 100644 --- a/wp-includes/general-template.php +++ b/wp-includes/general-template.php @@ -1023,7 +1023,7 @@ function get_calendar($initial = true) { /* translators: Calendar caption: 1: month name, 2: 4-digit year */ $calendar_caption = _x('%1$s %2$s', 'calendar caption'); - echo ' + echo '
'; @@ -1036,6 +1036,7 @@ function get_calendar($initial = true) { foreach ( $myweek as $wd ) { $day_name = (true == $initial) ? $wp_locale->get_weekday_initial($wd) : $wp_locale->get_weekday_abbrev($wd); + $wd = esc_attr($wd); echo "\n\t\t"; } @@ -1058,8 +1059,8 @@ function get_calendar($initial = true) { if ( $next ) { echo "\n\t\t".''; + get_month_link($next->year, $next->month) . '" title="' . esc_attr( sprintf(__('View posts for %1$s %2$s'), $wp_locale->get_month($next->month) , + date('Y', mktime(0, 0 , 0, $next->month, 1, $next->year))) ) . '">' . $wp_locale->get_month_abbrev($wp_locale->get_month($next->month)) . ' »'; } else { echo "\n\t\t".''; } @@ -1116,7 +1117,7 @@ function get_calendar($initial = true) { // See how much we should pad in the beginning $pad = calendar_week_mod(date('w', $unixmonth)-$week_begins); if ( 0 != $pad ) - echo "\n\t\t".''; + echo "\n\t\t".''; $daysinmonth = intval(date('t', $unixmonth)); for ( $day = 1; $day <= $daysinmonth; ++$day ) { @@ -1130,7 +1131,7 @@ function get_calendar($initial = true) { echo ''; @@ -1141,7 +1142,7 @@ function get_calendar($initial = true) { $pad = 7 - calendar_week_mod(date('w', mktime(0, 0 , 0, $thismonth, $day, $thisyear))-$week_begins); if ( $pad != 0 && $pad != 7 ) - echo "\n\t\t".''; + echo "\n\t\t".''; echo "\n\t\n\t\n\t
' . sprintf($calendar_caption, $wp_locale->get_month($thismonth), date('Y', $unixmonth)) . '
$day_name' . $wp_locale->get_month_abbrev($wp_locale->get_month($next->month)) . ' »   '; if ( in_array($day, $daywithpost) ) // any posts today? - echo '$day"; + echo '$day"; else echo $day; echo '  
"; diff --git a/wp-includes/media.php b/wp-includes/media.php index 7f34963842..22e6781995 100644 --- a/wp-includes/media.php +++ b/wp-includes/media.php @@ -591,9 +591,9 @@ function img_caption_shortcode($attr, $content = null) { if ( 1 > (int) $width || empty($caption) ) return $content; - if ( $id ) $id = 'id="' . $id . '" '; + if ( $id ) $id = 'id="' . esc_attr($id) . '" '; - return '
' + return '
' . do_shortcode( $content ) . '

' . $caption . '

'; } diff --git a/wp-includes/post-template.php b/wp-includes/post-template.php index 35a7caa9fb..c473bdcc59 100644 --- a/wp-includes/post-template.php +++ b/wp-includes/post-template.php @@ -342,6 +342,8 @@ function get_post_class( $class = '', $post_id = null ) { $classes = array_merge($classes, $class); } + $classes = array_map('esc_attr', $classes); + return apply_filters('post_class', $classes, $class, $post_id); } @@ -478,6 +480,8 @@ function get_body_class( $class = '' ) { $classes = array_merge($classes, $class); } + $classes = array_map('esc_attr', $classes); + return apply_filters('body_class', $classes, $class); } @@ -706,6 +710,7 @@ function wp_dropdown_pages($args = '') { $pages = get_pages($r); $output = ''; + $name = esc_attr($name); if ( ! empty($pages) ) { $output = "