Properly escape comment_author_url when displaying, for 2.8

git-svn-id: http://svn.automattic.com/wordpress/branches/2.8@11720 1a063a9b-81f0-0310-95a4-ce76da25c4cd
azaozz 2009-07-18 23:21:00 +00:00
parent 63c713caf6
commit 3d3957f592
5 changed files with 9 additions and 17 deletions


@ -22,7 +22,7 @@ if ( isset( $_POST['deletecomment'] ) )
* *
* @param string $msg Error Message. Assumed to contain HTML and be sanitized. * @param string $msg Error Message. Assumed to contain HTML and be sanitized.
*/ */
function comment_footer_die( $msg ) { // function comment_footer_die( $msg ) {
echo "<div class='wrap'><p>$msg</p></div>"; echo "<div class='wrap'><p>$msg</p></div>";
include('admin-footer.php'); include('admin-footer.php');
die; die;
@ -119,7 +119,7 @@ if ( 'spam' == $_GET['dt'] ) {
<?php if ( $comment->comment_author_url ) { ?> <?php if ( $comment->comment_author_url ) { ?>
<tr> <tr>
<th scope="row"><?php _e('URL'); ?></th> <th scope="row"><?php _e('URL'); ?></th>
<td><a href='<?php echo $comment->comment_author_url; ?>'><?php echo $comment->comment_author_url; ?></a></td> <td><a href="<?php echo $comment->comment_author_url; ?>"><?php echo $comment->comment_author_url; ?></a></td>
</tr> </tr>
<?php } ?> <?php } ?>
<tr> <tr>
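Review bot: The URL row's new `href` still echoes `$comment->comment_author_url` raw into an attribute and again as the link text; the hunk only swaps single quotes for double quotes around it, so the row is safe only if the object in `$comment` was loaded through a path that pre-escaped the field, which this file section does not show. Escaping at the point of output removes that dependency: `<td><a href="<?php echo esc_url( $comment->comment_author_url ); ?>"><?php echo esc_html( $comment->comment_author_url ); ?></a></td>` (`esc_url()` is already used by this commit in get_comment_to_edit()). The `comment_footer_die()` hunk above is context only, and the table around the URL row starts and ends outside the hunk.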


@ -24,12 +24,6 @@ $form_extra = "' />\n<input type='hidden' name='comment_ID' value='" . esc_attr(
<div id="poststuff" class="metabox-holder has-right-sidebar"> <div id="poststuff" class="metabox-holder has-right-sidebar">
<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" /> <input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" />
<input type="hidden" name="action" value='<?php echo $form_action . $form_extra ?>' /> <input type="hidden" name="action" value='<?php echo $form_action . $form_extra ?>' />
<?php
$email = esc_attr( $comment->comment_author_email );
$url = esc_attr( $comment->comment_author_url );
// add_meta_box('submitdiv', __('Save'), 'comment_submit_meta_box', 'comment', 'side', 'core');
?>
<div id="side-info-column" class="inner-sidebar"> <div id="side-info-column" class="inner-sidebar">
<div id="submitdiv" class="stuffbox" > <div id="submitdiv" class="stuffbox" >
@ -95,20 +89,19 @@ $date = date_i18n( $datef, strtotime( $comment->comment_date ) );
<tr valign="top"> <tr valign="top">
<td class="first"> <td class="first">
<?php <?php
if ( $email ) { if ( $comment->comment_author_email ) {
printf( __( 'E-mail (%s):' ), get_comment_author_email_link( __( 'send e-mail' ), '', '' ) ); printf( __( 'E-mail (%s):' ), get_comment_author_email_link( __( 'send e-mail' ), '', '' ) );
} else { } else {
_e( 'E-mail:' ); _e( 'E-mail:' );
} }
?></td> ?></td>
<td><input type="text" name="newcomment_author_email" size="30" value="<?php echo esc_attr($email); ?>" tabindex="2" id="email" /></td> <td><input type="text" name="newcomment_author_email" size="30" value="<?php echo $comment->comment_author_email; ?>" tabindex="2" id="email" /></td>
</tr> </tr>
<tr valign="top"> <tr valign="top">
<td class="first"> <td class="first">
<?php <?php
$url = get_comment_author_url(); if ( ! empty( $comment->comment_author_url ) && 'http://' != $comment->comment_author_url ) {
if ( ! empty( $url ) && 'http://' != $url ) { $link = '<a href="' . $comment->comment_author_url . '" rel="external nofollow" target="_blank">' . __('visit site') . '</a>';
$link = "<a href='$url' rel='external nofollow' target='_blank'>" . __('visit site') . "</a>";
printf( __( 'URL (%s):' ), apply_filters('get_comment_author_link', $link ) ); printf( __( 'URL (%s):' ), apply_filters('get_comment_author_link', $link ) );
} else { } else {
_e( 'URL:' ); _e( 'URL:' );
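Review bot: The new `value="…"` for `newcomment_author_email` and the new `$link` href drop the only escaping that happened at the output site, so both lines now rely entirely on `get_comment_to_edit()` having pre-encoded the fields; if this form is ever rendered with a comment object from another source, the raw author e-mail and URL land in attribute context unescaped. Keeping a context-appropriate escape at the echo costs nothing when the value is already encoded, provided `esc_attr()` does not double-encode existing entities (worth confirming): `value="<?php echo esc_attr( $comment->comment_author_email ); ?>"` and `$link = '<a href="' . esc_url( $comment->comment_author_url ) . '" rel="external nofollow" target="_blank">' . __('visit site') . '</a>';`. The `$email`/`$url` locals removed at the top of the form are not read anywhere else in view, so that part is consistent. The table this hunk sits in starts and ends outside the hunk.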


@ -89,8 +89,8 @@ function get_comment_to_edit( $id ) {
$comment->comment_author = format_to_edit( $comment->comment_author ); $comment->comment_author = format_to_edit( $comment->comment_author );
$comment->comment_author_email = format_to_edit( $comment->comment_author_email ); $comment->comment_author_email = format_to_edit( $comment->comment_author_email );
$comment->comment_author_url = esc_url($comment->comment_author_url);
$comment->comment_author_url = format_to_edit( $comment->comment_author_url ); $comment->comment_author_url = format_to_edit( $comment->comment_author_url );
$comment->comment_author_url = esc_url($comment->comment_author_url);
return $comment; return $comment;
} }
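Review bot: The `esc_url()` call that now runs after `format_to_edit()` uses the default protocol list, while `get_comment_author_url()` in the same commit restricts the same field to `array('http', 'https')`, so the edit form and the front-end template accept different schemes for one stored value. Passing the same whitelist here keeps the two paths consistent: `$comment->comment_author_url = esc_url( $comment->comment_author_url, array('http', 'https') );`. The function's docblock (outside the hunk) should also state that `comment_author_url` on the returned object is HTML-escaped and URL-sanitized for attribute context, and the `'http://' != …` placeholder check in edit-form-comment.php only keeps working because `esc_url()` returns that string unchanged, which is worth confirming. `get_comment_to_edit()` starts before the hunk.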


@ -2085,9 +2085,7 @@ function _wp_comment_row( $comment_id, $mode, $comment_status, $checkbox = true,
$author_url = get_comment_author_url(); $author_url = get_comment_author_url();
if ( 'http://' == $author_url ) if ( 'http://' == $author_url )
$author_url = ''; $author_url = '';
$author_url_display = $author_url; $author_url_display = preg_replace('|http://(www\.)?|i', '', $author_url);
$author_url_display = str_replace('http://www.', '', $author_url_display);
$author_url_display = str_replace('http://', '', $author_url_display);
if ( strlen($author_url_display) > 50 ) if ( strlen($author_url_display) > 50 )
$author_url_display = substr($author_url_display, 0, 49) . '...'; $author_url_display = substr($author_url_display, 0, 49) . '...';
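Review bot: The new `preg_replace('|http://(www\.)?|i', '', $author_url)` is unanchored, so it strips `http://` and `http://www.` from anywhere in the URL rather than only the leading scheme (a URL that carries another URL in its query string loses that text from the display); anchoring it is a one-character change, `$author_url_display = preg_replace('|^http://(www\.)?|i', '', $author_url);`. Since `$author_url` now comes back from `get_comment_author_url()` already passed through `esc_url()`, the byte-wise `substr($author_url_display, 0, 49)` below can also cut through an encoded entity such as `&#038;` and leave a broken entity in the display string; how that string is echoed is outside the hunk, so this is worth checking there. `_wp_comment_row()` starts before and ends after the hunk.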


@ -194,6 +194,7 @@ function comment_author_IP() {
function get_comment_author_url() { function get_comment_author_url() {
global $comment; global $comment;
$url = ('http://' == $comment->comment_author_url) ? '' : $comment->comment_author_url; $url = ('http://' == $comment->comment_author_url) ? '' : $comment->comment_author_url;
$url = esc_url( $url, array('http', 'https') );
return apply_filters('get_comment_author_url', $url); return apply_filters('get_comment_author_url', $url);
} }
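Review bot: The added `esc_url()` runs before `apply_filters('get_comment_author_url', …)`, so callbacks on that hook receive an already-escaped value and whatever they return reaches templates without further escaping; the function's docblock (outside the hunk) should make both facts explicit, e.g. `@return string Author URL passed through esc_url() with only http/https allowed; '' for the bare 'http://' placeholder. Filters on 'get_comment_author_url' run after escaping.` Stored URLs with any other scheme are now reduced to whatever `esc_url()` returns for a disallowed protocol (presumably an empty string — confirm), which silently changes what the front-end author link and the admin comment list display, so a short comment above the call stating that this is intended would help the next reader.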