From 9858249ed9d649e0e83a7a841c667b7f00035d8e Mon Sep 17 00:00:00 2001 From: Nikolay Bachiyski Date: Tue, 21 Jun 2016 14:58:32 +0000 Subject: [PATCH] Admin: escape URL-encoded permalinks Merge of [37801] to the 3.9 branch. Built from https://develop.svn.wordpress.org/branches/3.9@37820 git-svn-id: http://core.svn.wordpress.org/branches/3.9@37785 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/includes/post.php | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/wp-admin/includes/post.php b/wp-admin/includes/post.php index 30507c6ffe..e2a01d5ffe 100644 --- a/wp-admin/includes/post.php +++ b/wp-admin/includes/post.php @@ -1213,11 +1213,11 @@ function get_sample_permalink_html( $id, $new_title = null, $new_slug = null ) { } if ( false === strpos($permalink, '%postname%') && false === strpos($permalink, '%pagename%') ) { - $return = '' . __('Permalink:') . "\n" . '' . $permalink . "\n"; + $return = '' . __('Permalink:') . "\n" . '' . esc_html( $permalink ) . "\n"; if ( '' == get_option( 'permalink_structure' ) && current_user_can( 'manage_options' ) && !( 'page' == get_option('show_on_front') && $id == get_option('page_on_front') ) ) $return .= '' . __('Change Permalinks') . "\n"; if ( isset( $view_post ) ) - $return .= "$view_post\n"; + $return .= "$view_post\n"; /** * Filter the sample permalink HTML markup. 
@@ -1248,17 +1248,17 @@ function get_sample_permalink_html( $id, $new_title = null, $new_slug = null ) { } } - $post_name_html = '' . $post_name_abridged . ''; - $display_link = str_replace(array('%pagename%','%postname%'), $post_name_html, $permalink); - $view_link = str_replace(array('%pagename%','%postname%'), $post_name, $permalink); + $post_name_html = '' . esc_html( $post_name_abridged ) . ''; + $display_link = str_replace(array('%pagename%','%postname%'), $post_name_html, esc_html( $permalink ) ); + $view_link = str_replace(array('%pagename%','%postname%'), $post_name, esc_html( $permalink ) ); $return = '' . __('Permalink:') . "\n"; $return .= '' . $display_link . "\n"; $return .= '‎'; // Fix bi-directional text display defect in RTL languages. $return .= '' . __('Edit') . "\n"; - $return .= '' . $post_name . "\n"; + $return .= '' . esc_html( $post_name ) . "\n"; if ( isset( $view_post ) ) { - $return .= "$view_post\n"; + $return .= "$view_post\n"; } /** This filter is documented in wp-admin/includes/post.php */
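Review bot: The third added line builds `$view_link` from `esc_html( $permalink )` but substitutes the raw `$post_name`, so the value is only partially escaped, and `esc_html()` is a display-context escaper while `$view_link`, by its name and its use on the `$view_post` line below, looks like a URL that ends up in a link attribute. Escaping belongs at that sink, with `esc_url()`, rather than on the input: keep `$view_link = str_replace(array('%pagename%','%postname%'), $post_name, $permalink);` and wrap the value where it is written into the markup, if that line does not already do so. The `$view_post` lines in this hunk and in the first hunk read identically on both sides here because the tag and attribute markup has been stripped from the page, so whether the `href` is already passed through `esc_url()` cannot be confirmed from what is visible. `esc_html( $permalink )` on the `$display_link` line, which feeds a visible span, is the right escaper for that context. `get_sample_permalink_html()` begins before and ends after this hunk.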