From 42f915273daca2248e9613f8397ca86c55b95056 Mon Sep 17 00:00:00 2001
From: Scott Taylor
Date: Sun, 30 Aug 2015 04:47:22 +0000
Subject: [PATCH] Improve/update escaping in `WP_Widget_Pages`. Props welcher. See #23012.
Built from https://develop.svn.wordpress.org/trunk@33813
git-svn-id: http://core.svn.wordpress.org/trunk@33781 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/default-widgets.php | 18 ++++++++++--------
 wp-includes/version.php | 2 +-
 2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/wp-includes/default-widgets.php b/wp-includes/default-widgets.php
index 22e61e532c..ab7a977ea5 100644
--- a/wp-includes/default-widgets.php
+++ b/wp-includes/default-widgets.php
@@ -78,14 +78,14 @@ class WP_Widget_Pages extends WP_Widget {
 */
 public function update( $new_instance, $old_instance ) {
 $instance = $old_instance;
- $instance['title'] = strip_tags($new_instance['title']);
+ $instance['title'] = sanitize_text_field( $new_instance['title'] );
 if ( in_array( $new_instance['sortby'], array( 'post_title', 'menu_order', 'ID' ) ) ) {
 $instance['sortby'] = $new_instance['sortby'];
 } else {
 $instance['sortby'] = 'menu_order';
 }
- $instance['exclude'] = strip_tags( $new_instance['exclude'] );
+ $instance['exclude'] = sanitize_text_field( $new_instance['exclude'] );
 return $instance;
 }
@@ -96,20 +96,22 @@ class WP_Widget_Pages extends WP_Widget {
 public function form( $instance ) {
 //Defaults
 $instance = wp_parse_args( (array) $instance, array( 'sortby' => 'post_title', 'title' => '', 'exclude' => '') );
- $title = esc_attr( $instance['title'] );
- $exclude = esc_attr( $instance['exclude'] );
 ?>
-
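Review bot: The `sortby` allowlist check on the `in_array(...)` line in update() still uses loose comparison, so it does not pin the stored value to one of the three exact strings the way the new `sanitize_text_field()` calls tighten `title` and `exclude`; if a non-string ever reaches it (an integer 0 compares equal to any non-numeric string under pre-PHP-8 rules) it would pass the check and be stored as-is. Pass the strict flag: `if ( in_array( $new_instance['sortby'], array( 'post_title', 'menu_order', 'ID' ), true ) ) {`. The three `$new_instance[...]` reads also have no `isset()` guard, so a submission missing one of the keys raises a notice; defaulting each to `''` before sanitizing would make the method tolerant of partial input. If `exclude` is intended to hold only a comma-separated list of page IDs, normalizing it with `implode( ',', wp_parse_id_list( $new_instance['exclude'] ) )` would be stricter than generic text sanitization, though the downstream consumer is not visible in this hunk.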

- - +

+

+ +

- + +
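Review bot: Dropping the pre-escaped `$title` and `$exclude` locals in form() means every place the template prints those instance values must now call `esc_attr()` inline at the point of output; the added markup lines are not legible in this copy of the patch (the HTML has been stripped), so that cannot be confirmed here and should be checked against the full diff. The addition/deletion counts (22 added versus 20 removed) are consistent with the escaping having moved into the template, but that is an inference. Whether form() closes inside this hunk is not visible either.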

diff --git a/wp-includes/version.php b/wp-includes/version.php
index 74a02e1016..b288d75c8e 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '4.4-alpha-33812';
+$wp_version = '4.4-alpha-33813';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.