Int casting and misc escaping for 2.2 Props g30rg3x. fixes #4333 for 2.2
git-svn-id: http://svn.automattic.com/wordpress/branches/2.2@5589 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
14f5c0289c
commit
9074d62a78
|
@ -347,6 +347,8 @@ function get_post_to_edit( $id ) {
|
|||
$post->post_title = apply_filters( 'title_edit_pre', $post->post_title );
|
||||
|
||||
$post->post_password = format_to_edit( $post->post_password );
|
||||
|
||||
$post->menu_order = (int) $post->menu_order;
|
||||
|
||||
if ( $post->post_type == 'page' )
|
||||
$post->page_template = get_post_meta( $id, '_wp_page_template', true );
|
||||
|
@ -396,12 +398,17 @@ function get_default_post_to_edit() {
|
|||
|
||||
function get_comment_to_edit( $id ) {
|
||||
$comment = get_comment( $id );
|
||||
|
||||
$comment->comment_ID = (int) $comment->comment_ID;
|
||||
$comment->comment_post_ID = (int) $comment->comment_post_ID;
|
||||
|
||||
$comment->comment_content = format_to_edit( $comment->comment_content, user_can_richedit() );
|
||||
$comment->comment_content = apply_filters( 'comment_edit_pre', $comment->comment_content);
|
||||
$comment->comment_content = apply_filters( 'comment_text', $comment->comment_content );
|
||||
|
||||
$comment->comment_author = format_to_edit( $comment->comment_author );
|
||||
$comment->comment_author_email = format_to_edit( $comment->comment_author_email );
|
||||
$comment->comment_author_url = clean_url($comment->comment_author_url);
|
||||
$comment->comment_author_url = format_to_edit( $comment->comment_author_url );
|
||||
|
||||
return $comment;
|
||||
|
@ -409,6 +416,9 @@ function get_comment_to_edit( $id ) {
|
|||
|
||||
function get_category_to_edit( $id ) {
|
||||
$category = get_category( $id );
|
||||
|
||||
$category->term_id = (int) $category->term_id;
|
||||
$category->parent = (int) $category->parent;
|
||||
|
||||
return $category;
|
||||
}
|
||||
|
@ -1026,6 +1036,7 @@ function list_meta( $meta ) {
|
|||
$key_js = js_escape( $entry['meta_key'] );
|
||||
$entry['meta_key'] = attribute_escape($entry['meta_key']);
|
||||
$entry['meta_value'] = attribute_escape($entry['meta_value']);
|
||||
$entry['meta_id'] = (int) $entry['meta_id'];
|
||||
$r .= "\n\t<tr id='meta-{$entry['meta_id']}' class='$style'>";
|
||||
$r .= "\n\t\t<td valign='top'><input name='meta[{$entry['meta_id']}][key]' tabindex='6' type='text' size='20' value='{$entry['meta_key']}' /></td>";
|
||||
$r .= "\n\t\t<td><textarea name='meta[{$entry['meta_id']}][value]' tabindex='6' rows='2' cols='30'>{$entry['meta_value']}</textarea></td>";
|
||||
|
@ -1078,7 +1089,7 @@ function meta_form() {
|
|||
<?php
|
||||
|
||||
foreach ( $keys as $key ) {
|
||||
$key = attribute_escape( $key);
|
||||
$key = attribute_escape( $key );
|
||||
echo "\n\t<option value='$key'>$key</option>";
|
||||
}
|
||||
?>
|
||||
|
|
|
@ -39,7 +39,7 @@ case 'mac':
|
|||
$nonce_action = 'cdc' == $action ? 'delete-comment_' : 'approve-comment_';
|
||||
$nonce_action .= $comment;
|
||||
|
||||
if ( ! $comment = get_comment($comment) )
|
||||
if ( ! $comment = get_comment_to_edit($comment) )
|
||||
wp_die(__('Oops, no comment with this ID.').sprintf(' <a href="%s">'.__('Go back').'</a>!', 'edit.php'));
|
||||
|
||||
if ( !current_user_can('edit_post', $comment->comment_post_ID) )
|
||||
|
@ -96,7 +96,7 @@ case 'mac':
|
|||
<?php } ?>
|
||||
<tr>
|
||||
<th scope="row" valign="top"><p><?php _e('Comment:'); ?></p></th>
|
||||
<td><?php echo apply_filters( 'comment_text', $comment->comment_content ); ?></td>
|
||||
<td><?php echo $comment->comment_content; ?></td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
|
@ -155,7 +155,7 @@ case 'unapprovecomment':
|
|||
if ((wp_get_referer() != "") && (false == $noredir)) {
|
||||
wp_redirect(wp_get_referer());
|
||||
} else {
|
||||
wp_redirect(get_option('siteurl') .'/wp-admin/edit.php?p='.$comment->comment_post_ID.'&c=1#comments');
|
||||
wp_redirect(get_option('siteurl') .'/wp-admin/edit.php?p='. (int) $comment->comment_post_ID.'&c=1#comments');
|
||||
}
|
||||
exit();
|
||||
break;
|
||||
|
@ -185,7 +185,7 @@ case 'approvecomment':
|
|||
if ((wp_get_referer() != "") && (false == $noredir)) {
|
||||
wp_redirect(wp_get_referer());
|
||||
} else {
|
||||
wp_redirect(get_option('siteurl') .'/wp-admin/edit.php?p='.$comment->comment_post_ID.'&c=1#comments');
|
||||
wp_redirect(get_option('siteurl') .'/wp-admin/edit.php?p='. (int) $comment->comment_post_ID.'&c=1#comments');
|
||||
}
|
||||
exit();
|
||||
break;
|
||||
|
|
|
@ -1,10 +1,12 @@
|
|||
<?php
|
||||
if ( isset($_GET['message']) )
|
||||
$_GET['message'] = (int) $_GET['message'];
|
||||
$messages[1] = __('Post updated');
|
||||
$messages[2] = __('Custom field updated');
|
||||
$messages[3] = __('Custom field deleted.');
|
||||
?>
|
||||
<?php if (isset($_GET['message'])) : ?>
|
||||
<div id="message" class="updated fade"><p><?php echo $messages[$_GET['message']]; ?></p></div>
|
||||
<div id="message" class="updated fade"><p><?php echo wp_specialchars($messages[$_GET['message']]); ?></p></div>
|
||||
<?php endif; ?>
|
||||
|
||||
<form name="post" action="post.php" method="post" id="post">
|
||||
|
@ -21,16 +23,17 @@ if (0 == $post_ID) {
|
|||
$form_extra = "<input type='hidden' id='post_ID' name='temp_ID' value='$temp_ID' />";
|
||||
wp_nonce_field('add-post');
|
||||
} else {
|
||||
$post_ID = (int) $post_ID;
|
||||
$form_action = 'editpost';
|
||||
$form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />";
|
||||
wp_nonce_field('update-post_' . $post_ID);
|
||||
}
|
||||
|
||||
$form_pingback = '<input type="hidden" name="post_pingback" value="' . get_option('default_pingback_flag') . '" id="post_pingback" />';
|
||||
$form_pingback = '<input type="hidden" name="post_pingback" value="' . (int) get_option('default_pingback_flag') . '" id="post_pingback" />';
|
||||
|
||||
$form_prevstatus = '<input type="hidden" name="prev_status" value="' . $post->post_status . '" />';
|
||||
$form_prevstatus = '<input type="hidden" name="prev_status" value="' . attribute_escape( $post->post_status ) . '" />';
|
||||
|
||||
$form_trackback = '<input type="text" name="trackback_url" style="width: 415px" id="trackback" tabindex="7" value="'. str_replace("\n", ' ', $post->to_ping) .'" />';
|
||||
$form_trackback = '<input type="text" name="trackback_url" style="width: 415px" id="trackback" tabindex="7" value="'. attribute_escape( str_replace("\n", ' ', $post->to_ping) ) .'" />';
|
||||
|
||||
if ('' != $post->pinged) {
|
||||
$pings = '<p>'. __('Already pinged:') . '</p><ul>';
|
||||
|
@ -41,16 +44,16 @@ if ('' != $post->pinged) {
|
|||
$pings .= '</ul>';
|
||||
}
|
||||
|
||||
$saveasdraft = '<input name="save" type="submit" id="save" tabindex="3" value="' . __('Save and Continue Editing') . '" />';
|
||||
$saveasdraft = '<input name="save" type="submit" id="save" tabindex="3" value="' . attribute_escape( __('Save and Continue Editing') ) . '" />';
|
||||
|
||||
if (empty($post->post_status)) $post->post_status = 'draft';
|
||||
|
||||
?>
|
||||
|
||||
<input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" />
|
||||
<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" />
|
||||
<input type="hidden" id="hiddenaction" name="action" value="<?php echo $form_action ?>" />
|
||||
<input type="hidden" id="originalaction" name="originalaction" value="<?php echo $form_action ?>" />
|
||||
<input type="hidden" name="post_author" value="<?php echo $post->post_author ?>" />
|
||||
<input type="hidden" name="post_author" value="<?php echo attribute_escape( $post->post_author ); ?>" />
|
||||
<input type="hidden" id="post_type" name="post_type" value="post" />
|
||||
|
||||
<?php echo $form_extra ?>
|
||||
|
@ -88,12 +91,12 @@ addLoadEvent(focusit);
|
|||
|
||||
<fieldset id="passworddiv" class="dbx-box">
|
||||
<h3 class="dbx-handle"><?php _e('Post Password') ?></h3>
|
||||
<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo $post->post_password ?>" /></div>
|
||||
<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo attribute_escape( $post->post_password ); ?>" /></div>
|
||||
</fieldset>
|
||||
|
||||
<fieldset id="slugdiv" class="dbx-box">
|
||||
<h3 class="dbx-handle"><?php _e('Post Slug') ?></h3>
|
||||
<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo $post->post_name ?>" /></div>
|
||||
<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo attribute_escape( $post->post_name ); ?>" /></div>
|
||||
</fieldset>
|
||||
|
||||
<fieldset id="poststatusdiv" class="dbx-box">
|
||||
|
@ -125,7 +128,7 @@ foreach ($authors as $o) :
|
|||
$o = get_userdata( $o->ID );
|
||||
if ( $post->post_author == $o->ID || ( empty($post_ID) && $user_ID == $o->ID ) ) $selected = 'selected="selected"';
|
||||
else $selected = '';
|
||||
echo "<option value='$o->ID' $selected>$o->display_name</option>";
|
||||
echo "<option value='" . (int) $o->ID . "' $selected>" . wp_specialchars( $o->display_name ) . "</option>";
|
||||
endforeach;
|
||||
?>
|
||||
</select>
|
||||
|
@ -140,7 +143,7 @@ endforeach;
|
|||
|
||||
<fieldset id="titlediv">
|
||||
<legend><?php _e('Title') ?></legend>
|
||||
<div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo $post->post_title; ?>" id="title" /></div>
|
||||
<div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape($post->post_title); ?>" id="title" /></div>
|
||||
</fieldset>
|
||||
|
||||
<fieldset id="<?php echo user_can_richedit() ? 'postdivrich' : 'postdiv'; ?>">
|
||||
|
@ -168,7 +171,7 @@ endforeach;
|
|||
if ('publish' != $post->post_status || 0 == $post_ID) {
|
||||
?>
|
||||
<?php if ( current_user_can('publish_posts') ) : ?>
|
||||
<input name="publish" type="submit" id="publish" tabindex="5" accesskey="p" value="<?php _e('Publish') ?>" />
|
||||
<input name="publish" type="submit" id="publish" tabindex="5" accesskey="p" value="<?php _e('Publish'); ?>" />
|
||||
<?php endif; ?>
|
||||
<?php
|
||||
}
|
||||
|
@ -186,7 +189,7 @@ else
|
|||
|
||||
<?php
|
||||
if (current_user_can('upload_files')) {
|
||||
$uploading_iframe_ID = (0 == $post_ID ? $temp_ID : $post_ID);
|
||||
$uploading_iframe_ID = (int) (0 == $post_ID ? $temp_ID : $post_ID);
|
||||
$uploading_iframe_src = wp_nonce_url("upload.php?style=inline&tab=upload&post_id=$uploading_iframe_ID", 'inlineuploading');
|
||||
$uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src);
|
||||
if ( false != $uploading_iframe_src )
|
||||
|
|
|
@ -2,13 +2,13 @@
|
|||
$submitbutton_text = __('Edit Comment »');
|
||||
$toprow_title = sprintf(__('Editing Comment # %s'), $comment->comment_ID);
|
||||
$form_action = 'editedcomment';
|
||||
$form_extra = "' />\n<input type='hidden' name='comment_ID' value='" . $comment->comment_ID . "' />\n<input type='hidden' name='comment_post_ID' value='".$comment->comment_post_ID;
|
||||
$form_extra = "' />\n<input type='hidden' name='comment_ID' value='" . $comment->comment_ID . "' />\n<input type='hidden' name='comment_post_ID' value='" . $comment->comment_post_ID;
|
||||
?>
|
||||
|
||||
<form name="post" action="comment.php" method="post" id="post">
|
||||
<?php wp_nonce_field('update-comment_' . $comment->comment_ID) ?>
|
||||
<div class="wrap">
|
||||
<input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" />
|
||||
<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" />
|
||||
<input type="hidden" name="action" value='<?php echo $form_action . $form_extra ?>' />
|
||||
|
||||
<script type="text/javascript">
|
||||
|
@ -20,19 +20,19 @@ addLoadEvent(focusit);
|
|||
<fieldset id="namediv">
|
||||
<legend><label for="name"><?php _e('Name:') ?></label></legend>
|
||||
<div>
|
||||
<input type="text" name="newcomment_author" size="25" value="<?php echo $comment->comment_author ?>" tabindex="1" id="name" />
|
||||
<input type="text" name="newcomment_author" size="25" value="<?php echo attribute_escape( $comment->comment_author ); ?>" tabindex="1" id="name" />
|
||||
</div>
|
||||
</fieldset>
|
||||
<fieldset id="emaildiv">
|
||||
<legend><label for="email"><?php _e('E-mail:') ?></label></legend>
|
||||
<div>
|
||||
<input type="text" name="newcomment_author_email" size="20" value="<?php echo $comment->comment_author_email ?>" tabindex="2" id="email" />
|
||||
<input type="text" name="newcomment_author_email" size="20" value="<?php echo attribute_escape( $comment->comment_author_email ); ?>" tabindex="2" id="email" />
|
||||
</div>
|
||||
</fieldset>
|
||||
<fieldset id="uridiv">
|
||||
<legend><label for="newcomment_author_url"><?php _e('URL:') ?></label></legend>
|
||||
<div>
|
||||
<input type="text" id="newcomment_author_url" name="newcomment_author_url" size="35" value="<?php echo $comment->comment_author_url ?>" tabindex="3" />
|
||||
<input type="text" id="newcomment_author_url" name="newcomment_author_url" size="35" value="<?php echo attribute_escape( $comment->comment_author_url ); ?>" tabindex="3" />
|
||||
</div>
|
||||
</fieldset>
|
||||
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
<?php if (isset($mode) && 'bookmarklet' == $mode) : ?>
|
||||
<input type="hidden" name="mode" value="bookmarklet" />
|
||||
<?php endif; ?>
|
||||
<input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" />
|
||||
<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" />
|
||||
<input type="hidden" name="action" value='post' />
|
||||
|
||||
<script type="text/javascript">
|
||||
|
@ -21,7 +21,7 @@ addLoadEvent(focusit);
|
|||
<div id="poststuff">
|
||||
<fieldset id="titlediv">
|
||||
<legend><a href="http://wordpress.org/docs/reference/post/#title" title="<?php _e('Help on titles') ?>"><?php _e('Title') ?></a></legend>
|
||||
<div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo $post->post_title; ?>" id="title" /></div>
|
||||
<div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape( $post->post_title ); ?>" id="title" /></div>
|
||||
</fieldset>
|
||||
|
||||
<fieldset id="categorydiv">
|
||||
|
@ -49,7 +49,7 @@ edCanvas = document.getElementById('content');
|
|||
//-->
|
||||
</script>
|
||||
|
||||
<input type="hidden" name="post_pingback" value="<?php echo get_option('default_pingback_flag') ?>" id="post_pingback" />
|
||||
<input type="hidden" name="post_pingback" value="<?php echo (int) get_option('default_pingback_flag') ?>" id="post_pingback" />
|
||||
|
||||
<p><label for="trackback"> <?php printf(__('<a href="%s" title="Help on trackbacks"><strong>TrackBack</strong> a <abbr title="Universal Resource Locator">URL</abbr></a>:</label> (Separate multiple <abbr title="Universal Resource Locator">URL</abbr>s with spaces.)'), 'http://wordpress.org/docs/reference/post/#trackback'); echo '<br />'; ?>
|
||||
<input type="text" name="trackback_url" style="width: 360px" id="trackback" tabindex="7" /></p>
|
||||
|
@ -64,7 +64,7 @@ edCanvas = document.getElementById('content');
|
|||
<?php if ('bookmarklet' != $mode) {
|
||||
echo '<input name="advanced" type="submit" id="advancededit" tabindex="7" value="' . __('Advanced Editing »') . '" />';
|
||||
} ?>
|
||||
<input name="referredby" type="hidden" id="referredby" value="<?php if ( wp_get_referer() ) echo urlencode(wp_get_referer()); ?>" />
|
||||
<input name="referredby" type="hidden" id="referredby" value="<?php if ( $refby = wp_get_referer() ) echo urlencode($refby); ?>" />
|
||||
</p>
|
||||
|
||||
<?php do_action('simple_edit_form', ''); ?>
|
||||
|
|
|
@ -2,17 +2,22 @@
|
|||
<div class="wrap">
|
||||
<h2 id="write-post"><?php _e('Write Page'); ?></h2>
|
||||
<?php
|
||||
|
||||
if (0 == $post_ID) {
|
||||
$form_action = 'post';
|
||||
$nonce_action = 'add-page';
|
||||
$temp_ID = -1 * time(); // don't change this formula without looking at wp_write_post()
|
||||
$form_extra = "<input type='hidden' id='post_ID' name='temp_ID' value='$temp_ID' />";
|
||||
} else {
|
||||
$post_ID = (int) $post_ID;
|
||||
$form_action = 'editpost';
|
||||
$nonce_action = 'update-page_' . $post_ID;
|
||||
$form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />";
|
||||
}
|
||||
|
||||
$temp_ID = (int) $temp_ID;
|
||||
$user_ID = (int) $user_ID;
|
||||
|
||||
$sendto = clean_url(stripslashes(wp_get_referer()));
|
||||
|
||||
if ( 0 != $post_ID && $sendto == get_permalink($post_ID) )
|
||||
|
@ -68,7 +73,7 @@ addLoadEvent(focusit);
|
|||
|
||||
<fieldset id="passworddiv" class="dbx-box">
|
||||
<h3 class="dbx-handle"><?php _e('Page Password') ?></h3>
|
||||
<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo $post->post_password ?>" /></div>
|
||||
<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo attribute_escape( $post->post_password ); ?>" /></div>
|
||||
</fieldset>
|
||||
|
||||
<fieldset id="pageparent" class="dbx-box">
|
||||
|
@ -93,7 +98,7 @@ addLoadEvent(focusit);
|
|||
|
||||
<fieldset id="slugdiv" class="dbx-box">
|
||||
<h3 class="dbx-handle"><?php _e('Page Slug') ?></h3>
|
||||
<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo $post->post_name ?>" /></div>
|
||||
<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo attribute_escape( $post->post_name ); ?>" /></div>
|
||||
</fieldset>
|
||||
|
||||
<?php if ( $authors = get_editable_authors( $current_user->id ) ) : // TODO: ROLE SYSTEM ?>
|
||||
|
@ -106,6 +111,8 @@ foreach ($authors as $o) :
|
|||
$o = get_userdata( $o->ID );
|
||||
if ( $post->post_author == $o->ID || ( empty($post_ID) && $user_ID == $o->ID ) ) $selected = 'selected="selected"';
|
||||
else $selected = '';
|
||||
$o->ID = (int) $o->ID;
|
||||
$o->display_name = wp_specialchars( $o->display_name );
|
||||
echo "<option value='$o->ID' $selected>$o->display_name</option>";
|
||||
endforeach;
|
||||
?>
|
||||
|
@ -126,7 +133,7 @@ endforeach;
|
|||
|
||||
<fieldset id="titlediv">
|
||||
<legend><?php _e('Page Title') ?></legend>
|
||||
<div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo $post->post_title; ?>" id="title" /></div>
|
||||
<div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape( $post->post_title ); ?>" id="title" /></div>
|
||||
</fieldset>
|
||||
|
||||
|
||||
|
|
|
@ -76,7 +76,7 @@ include ('admin-header.php');
|
|||
<form name="profile" id="your-profile" action="user-edit.php" method="post">
|
||||
<?php wp_nonce_field('update-user_' . $user_id) ?>
|
||||
<?php if ( $wp_http_referer ) : ?>
|
||||
<input type="hidden" name="wp_http_referer" value="<?php echo wp_specialchars($wp_http_referer); ?>" />
|
||||
<input type="hidden" name="wp_http_referer" value="<?php echo clean_url($wp_http_referer); ?>" />
|
||||
<?php endif; ?>
|
||||
<p>
|
||||
<input type="hidden" name="from" value="profile" />
|
||||
|
|
Loading…
Reference in New Issue