Sanitize option names in option.php, use current escaping functions. for trunk
git-svn-id: http://svn.automattic.com/wordpress/trunk@5832 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
ad81604c8c
commit
f28dad8261
|
@ -56,10 +56,11 @@ $options = $wpdb->get_results("SELECT * FROM $wpdb->options ORDER BY option_name
|
||||||
|
|
||||||
foreach ( (array) $options as $option) :
|
foreach ( (array) $options as $option) :
|
||||||
$disabled = '';
|
$disabled = '';
|
||||||
|
$option->option_name = attribute_escape($option->option_name);
|
||||||
if ( is_serialized($option->option_value) ) {
|
if ( is_serialized($option->option_value) ) {
|
||||||
if ( is_serialized_string($option->option_value) ) {
|
if ( is_serialized_string($option->option_value) ) {
|
||||||
// this is a serialized string, so we should display it
|
// this is a serialized string, so we should display it
|
||||||
$value = wp_specialchars(maybe_unserialize($option->option_value), 'single');
|
$value = maybe_unserialize($option->option_value);
|
||||||
$options_to_update[] = $option->option_name;
|
$options_to_update[] = $option->option_name;
|
||||||
$class = 'all-options';
|
$class = 'all-options';
|
||||||
} else {
|
} else {
|
||||||
|
@ -68,7 +69,7 @@ foreach ( (array) $options as $option) :
|
||||||
$class = 'all-options disabled';
|
$class = 'all-options disabled';
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
$value = wp_specialchars($option->option_value, 'single');
|
$value = $option->option_value;
|
||||||
$options_to_update[] = $option->option_name;
|
$options_to_update[] = $option->option_name;
|
||||||
$class = 'all-options';
|
$class = 'all-options';
|
||||||
}
|
}
|
||||||
|
@ -77,8 +78,8 @@ foreach ( (array) $options as $option) :
|
||||||
<th scope='row'><label for='$option->option_name'>$option->option_name</label></th>
|
<th scope='row'><label for='$option->option_name'>$option->option_name</label></th>
|
||||||
<td>";
|
<td>";
|
||||||
|
|
||||||
if (strpos($value, "\n") !== false) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>$value</textarea>";
|
if (strpos($value, "\n") !== false) echo "<textarea class='$class' name='$option->option_name' id='$option->option_name' cols='30' rows='5'>" . wp_specialchars($value) . "</textarea>";
|
||||||
else echo "<input class='$class' type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . $value . "'$disabled />";
|
else echo "<input class='$class' type='text' name='$option->option_name' id='$option->option_name' size='30' value='" . attribute_escape($value) . "'$disabled />";
|
||||||
|
|
||||||
echo "</td>
|
echo "</td>
|
||||||
<td>$option->option_description</td>
|
<td>$option->option_description</td>
|
||||||
|
@ -87,7 +88,7 @@ endforeach;
|
||||||
?>
|
?>
|
||||||
</table>
|
</table>
|
||||||
<?php $options_to_update = implode(',', $options_to_update); ?>
|
<?php $options_to_update = implode(',', $options_to_update); ?>
|
||||||
<p class="submit"><input type="hidden" name="page_options" value="<?php echo attribute_escape($options_to_update); ?>" /><input type="submit" name="Update" value="<?php _e('Update Options »') ?>" /></p>
|
<p class="submit"><input type="hidden" name="page_options" value="<?php echo $options_to_update; ?>" /><input type="submit" name="Update" value="<?php _e('Update Options »') ?>" /></p>
|
||||||
</form>
|
</form>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue