Better escaping of strings used in JS.
git-svn-id: http://svn.automattic.com/wordpress/trunk@3763 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
63001676c3
commit
293b3b4dee
|
@ -119,12 +119,12 @@ if ('view' == $mode) {
|
||||||
<?php
|
<?php
|
||||||
if ( current_user_can('edit_post', $comment->comment_post_ID) ) {
|
if ( current_user_can('edit_post', $comment->comment_post_ID) ) {
|
||||||
echo " <a href='comment.php?action=editcomment&comment=".$comment->comment_ID."\'>" . __('Edit') . '</a>';
|
echo " <a href='comment.php?action=editcomment&comment=".$comment->comment_ID."\'>" . __('Edit') . '</a>';
|
||||||
echo ' | <a href="' . wp_nonce_url('comment.php?action=deletecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'delete-comment' . $comment->comment_ID) . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($comment->comment_author, 1)) . "' );\">" . __('Delete') . '</a> ';
|
echo ' | <a href="' . wp_nonce_url('comment.php?action=deletecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'delete-comment' . $comment->comment_ID) . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), js_escape($comment->comment_author)) . "' );\">" . __('Delete') . '</a> ';
|
||||||
if ( ('none' != $comment_status) && ( current_user_can('moderate_comments') ) ) {
|
if ( ('none' != $comment_status) && ( current_user_can('moderate_comments') ) ) {
|
||||||
echo '<span class="unapprove"> | <a href="' . wp_nonce_url('comment.php?action=unapprovecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'unapprove-comment' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Unapprove') . '</a> </span>';
|
echo '<span class="unapprove"> | <a href="' . wp_nonce_url('comment.php?action=unapprovecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'unapprove-comment' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Unapprove') . '</a> </span>';
|
||||||
echo '<span class="approve"> | <a href="' . wp_nonce_url('comment.php?action=approvecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'approve-comment' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Approve') . '</a> </span>';
|
echo '<span class="approve"> | <a href="' . wp_nonce_url('comment.php?action=approvecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'approve-comment' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Approve') . '</a> </span>';
|
||||||
}
|
}
|
||||||
echo " | <a href=\"comment.php?action=deletecomment&delete_type=spam&p=".$comment->comment_post_ID."&comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . sprintf(__("You are about to mark as spam this comment by "%s".\\n"Cancel" to stop, "OK" to mark as spam."), wp_specialchars( $comment->comment_author, 1 )) . "' );\">" . __('Spam') . "</a> ";
|
echo " | <a href=\"comment.php?action=deletecomment&delete_type=spam&p=".$comment->comment_post_ID."&comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . sprintf(__("You are about to mark as spam this comment by "%s".\\n"Cancel" to stop, "OK" to mark as spam."), js_escape( $comment->comment_author)) . "' );\">" . __('Spam') . "</a> ";
|
||||||
}
|
}
|
||||||
$post = get_post($comment->comment_post_ID);
|
$post = get_post($comment->comment_post_ID);
|
||||||
$post_title = wp_specialchars( $post->post_title, 'double' );
|
$post_title = wp_specialchars( $post->post_title, 'double' );
|
||||||
|
@ -183,7 +183,7 @@ $post_title = ('' == $post_title) ? "# $comment->comment_post_ID" : $post_title;
|
||||||
<td><?php if ( current_user_can('edit_post', $comment->comment_post_ID) ) {
|
<td><?php if ( current_user_can('edit_post', $comment->comment_post_ID) ) {
|
||||||
echo "<a href='comment.php?action=editcomment&comment=$comment->comment_ID' class='edit'>" . __('Edit') . "</a>"; } ?></td>
|
echo "<a href='comment.php?action=editcomment&comment=$comment->comment_ID' class='edit'>" . __('Edit') . "</a>"; } ?></td>
|
||||||
<td><?php if ( current_user_can('edit_post', $comment->comment_post_ID) ) {
|
<td><?php if ( current_user_can('edit_post', $comment->comment_post_ID) ) {
|
||||||
echo "<a href=\"comment.php?action=deletecomment&p=".$comment->comment_post_ID."&comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment', $comment->comment_ID, '" . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), wp_specialchars( $comment->comment_author, 1 )) . "' );\" class='edit'>" . __('Delete') . "</a> ";
|
echo "<a href=\"comment.php?action=deletecomment&p=".$comment->comment_post_ID."&comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment', $comment->comment_ID, '" . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), js_escape( $comment->comment_author )) . "' );\" class='edit'>" . __('Delete') . "</a> ";
|
||||||
} ?></td>
|
} ?></td>
|
||||||
</tr>
|
</tr>
|
||||||
<?php
|
<?php
|
||||||
|
|
|
@ -211,7 +211,7 @@ foreach($posts_columns as $column_name=>$column_display_name) {
|
||||||
|
|
||||||
case 'control_delete':
|
case 'control_delete':
|
||||||
?>
|
?>
|
||||||
<td><?php if ( current_user_can('delete_post',$post->ID) ) { echo "<a href='" . wp_nonce_url("post.php?action=delete&post=$id", 'delete-post' . $post->ID) . "' class='delete' onclick=\"return deleteSomething( 'post', " . $id . ", '" . sprintf(__("You are about to delete this post "%s".\\n"OK" to delete, "Cancel" to stop."), addslashes(wp_specialchars(get_the_title(),'double')) ) . "' );\">" . __('Delete') . "</a>"; } ?></td>
|
<td><?php if ( current_user_can('delete_post',$post->ID) ) { echo "<a href='" . wp_nonce_url("post.php?action=delete&post=$id", 'delete-post' . $post->ID) . "' class='delete' onclick=\"return deleteSomething( 'post', " . $id . ", '" . sprintf(__("You are about to delete this post "%s".\\n"OK" to delete, "Cancel" to stop."), js_escape(get_the_title()) ) . "' );\">" . __('Delete') . "</a>"; } ?></td>
|
||||||
<?php
|
<?php
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
@ -273,12 +273,12 @@ foreach ($comments as $comment) {
|
||||||
<?php
|
<?php
|
||||||
if ( current_user_can('edit_post', $comment->comment_post_ID) ) {
|
if ( current_user_can('edit_post', $comment->comment_post_ID) ) {
|
||||||
echo " <a href='comment.php?action=editcomment&comment=".$comment->comment_ID."\'>" . __('Edit') . '</a>';
|
echo " <a href='comment.php?action=editcomment&comment=".$comment->comment_ID."\'>" . __('Edit') . '</a>';
|
||||||
echo ' | <a href="' . wp_nonce_url('comment.php?action=deletecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'delete-comment' . $comment->comment_ID) . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($comment->comment_author, 1)) . "' );\">" . __('Delete') . '</a> ';
|
echo ' | <a href="' . wp_nonce_url('comment.php?action=deletecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'delete-comment' . $comment->comment_ID) . '" onclick="return deleteSomething( \'comment\', ' . $comment->comment_ID . ', \'' . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), js_escape($comment->comment_author)) . "' );\">" . __('Delete') . '</a> ';
|
||||||
if ( ('none' != $comment_status) && ( current_user_can('moderate_comments') ) ) {
|
if ( ('none' != $comment_status) && ( current_user_can('moderate_comments') ) ) {
|
||||||
echo '<span class="unapprove"> | <a href="' . wp_nonce_url('comment.php?action=unapprovecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'unapprove-comment' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Unapprove') . '</a> </span>';
|
echo '<span class="unapprove"> | <a href="' . wp_nonce_url('comment.php?action=unapprovecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'unapprove-comment' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Unapprove') . '</a> </span>';
|
||||||
echo '<span class="approve"> | <a href="' . wp_nonce_url('comment.php?action=approvecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'approve-comment' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Approve') . '</a> </span>';
|
echo '<span class="approve"> | <a href="' . wp_nonce_url('comment.php?action=approvecomment&p=' . $post->ID . '&comment=' . $comment->comment_ID, 'approve-comment' . $comment->comment_ID) . '" onclick="return dimSomething( \'comment\', ' . $comment->comment_ID . ', \'unapproved\' );">' . __('Approve') . '</a> </span>';
|
||||||
}
|
}
|
||||||
echo " | <a href=\"" . wp_nonce_url("comment.php?action=deletecomment&delete_type=spam&p=".$comment->comment_post_ID."&comment=".$comment->comment_ID, 'delete-comment' . $comment->comment_ID) . "\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . sprintf(__("You are about to mark as spam this comment by "%s".\\n"Cancel" to stop, "OK" to mark as spam."), wp_specialchars( $comment->comment_author, 1 )) . "' );\">" . __('Spam') . "</a> ]";
|
echo " | <a href=\"" . wp_nonce_url("comment.php?action=deletecomment&delete_type=spam&p=".$comment->comment_post_ID."&comment=".$comment->comment_ID, 'delete-comment' . $comment->comment_ID) . "\" onclick=\"return deleteSomething( 'comment-as-spam', $comment->comment_ID, '" . sprintf(__("You are about to mark as spam this comment by "%s".\\n"Cancel" to stop, "OK" to mark as spam."), js_escape( $comment->comment_author)) . "' );\">" . __('Spam') . "</a> ]";
|
||||||
} // end if any comments to show
|
} // end if any comments to show
|
||||||
?>
|
?>
|
||||||
</p>
|
</p>
|
||||||
|
|
|
@ -149,7 +149,7 @@ $i = 0;
|
||||||
<?php comment_text() ?>
|
<?php comment_text() ?>
|
||||||
<p><?php comment_date('M j, g:i A'); ?> — [ <?php
|
<p><?php comment_date('M j, g:i A'); ?> — [ <?php
|
||||||
echo '<a href="comment.php?action=editcomment&comment='.$comment->comment_ID.'">' . __('Edit') . '</a> | ';
|
echo '<a href="comment.php?action=editcomment&comment='.$comment->comment_ID.'">' . __('Edit') . '</a> | ';
|
||||||
echo " <a href=\"post.php?action=deletecomment&p=".$comment->comment_post_ID."&comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment', $comment->comment_ID, '" . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), wp_specialchars($comment->comment_author, 1)) . "' );\">" . __('Delete ') . "</a> | "; ?>
|
echo " <a href=\"post.php?action=deletecomment&p=".$comment->comment_post_ID."&comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment', $comment->comment_ID, '" . sprintf(__("You are about to delete this comment by "%s".\\n"Cancel" to stop, "OK" to delete."), js_escape($comment->comment_author)) . "' );\">" . __('Delete ') . "</a> | "; ?>
|
||||||
<?php
|
<?php
|
||||||
$post = get_post($comment->comment_post_ID);
|
$post = get_post($comment->comment_post_ID);
|
||||||
$post_title = wp_specialchars( $post->post_title, 'double' );
|
$post_title = wp_specialchars( $post->post_title, 'double' );
|
||||||
|
|
|
@ -1040,4 +1040,9 @@ function htmlentities2($myHTML) {
|
||||||
return preg_replace("/&(?![A-Za-z]{0,4}\w{2,3};|#[0-9]{2,3};)/","&" , strtr($myHTML, $translation_table));
|
return preg_replace("/&(?![A-Za-z]{0,4}\w{2,3};|#[0-9]{2,3};)/","&" , strtr($myHTML, $translation_table));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Escape single quotes, specialchar double quotes, and fix line endings.
|
||||||
|
function js_escape($text) {
|
||||||
|
$text = wp_specialchars($text, 'double');
|
||||||
|
return preg_replace("/\r?\n/", "\\n", addslashes($text));
|
||||||
|
}
|
||||||
?>
|
?>
|
||||||
|
|
Loading…
Reference in New Issue