Ticket #3937: add_query_arg_output_sanitization.001.diff

File add_query_arg_output_sanitization.001.diff, 13.6 kB (added by markjaquith, 1 year ago)

Patch for entire /wordpress/ family

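--- a/trunk/wp-includes/script-loader.php
+++ b/trunk/wp-includes/script-loader.php
@@ -150,7 +150,7 @@
                                                 $ver .= '&' . $this->args[$handle];
                                         $src = 0 === strpos($this->scripts[$handle]->src, 'http://') ? $this->scripts[$handle]->src : get_option( 'siteurl' ) . $this->scripts[$handle]->src;
                                         $src = add_query_arg('ver', $ver, $src);
-                                        $src = apply_filters( 'script_loader_src', $src );
+                                        $src = attribute_escape(apply_filters( 'script_loader_src', $src ));
                                         echo "<script type='text/javascript' src='$src'></script>\n";
                                         $this->print_scripts_l10n( $handle );
                                 }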
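Review bot: The escaped string is written back into `$src` at new line 153 instead of being applied where `$src` is echoed at line 154, so the variable switches from holding a URL to holding attribute-escaped text partway through the method; branches/2.1/wp-includes/script-loader.php line 81 does the same. Escaping at the sink, `echo "<script type='text/javascript' src='" . attribute_escape($src) . "'></script>\n";`, keeps `$src` usable as a plain URL and makes the context the escaping serves visible on the line that needs it. The attribute is single-quoted, so this also relies on attribute_escape() encoding `'` as well as `"`, which its definition is not on the page to confirm. Line 150 on trunk appends a bare `&` while line 79 of the 2.1 branch appends `&amp;`; once the whole value is escaped the raw form is the one to keep, and whether attribute_escape() leaves an existing `&amp;` alone rather than double-encoding it likewise needs confirming against its definition. The enclosing method starts and ends outside the hunk.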
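--- a/trunk/wp-admin/edit-comments.php
+++ b/trunk/wp-admin/edit-comments.php
@@ -101,7 +101,7 @@
 $r = '';
 if ( 1 < $page ) {
         $args['apage'] = ( 1 == $page - 1 ) ? FALSE : $page - 1;
-        $r .=  '<a class="prev" href="' . add_query_arg( $args ) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
+        $r .=  '<a class="prev" href="' . attribute_escape(add_query_arg( $args )) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
 }
 if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
         for ( $page_num = 1; $page_num <= $total_pages; $page_num++ ) :
@@ -111,7 +111,7 @@
                         $p = false;
                         if ( $page_num < 3 || ( $page_num >= $page - 3 && $page_num <= $page + 3 ) || $page_num > $total_pages - 3 ) :
                                 $args['apage'] = ( 1 == $page_num ) ? FALSE : $page_num;
-                                $r .= '<a class="page-numbers" href="' . add_query_arg($args) . '">' . ( $page_num ) . "</a>\n";
+                                $r .= '<a class="page-numbers" href="' . attribute_escape(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
                                 $in = true;
                         elseif ( $in == true ) :
                                 $r .= "...\n";
@@ -122,7 +122,7 @@
 }
 if ( ( $page ) * 20 < $total || -1 == $total ) {
         $args['apage'] = $page + 1;
-        $r .=  '<a class="next" href="' . add_query_arg($args) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
+        $r .=  '<a class="next" href="' . attribute_escape(add_query_arg($args)) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
 }
 echo "<p class='pagenav'>$r</p>";
 ?>
@@ -248,7 +248,7 @@
 $r = '';
 if ( 1 < $page ) {
         $args['apage'] = ( 1 == $page - 1 ) ? FALSE : $page - 1;
-        $r .=  '<a class="prev" href="' . add_query_arg( $args ) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
+        $r .=  '<a class="prev" href="' . attribute_escape(add_query_arg( $args )) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
 }
 if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
         for ( $page_num = 1; $page_num <= $total_pages; $page_num++ ) :
@@ -258,7 +258,7 @@
                         $p = false;
                         if ( $page_num < 3 || ( $page_num >= $page - 3 && $page_num <= $page + 3 ) || $page_num > $total_pages - 3 ) :
                                 $args['apage'] = ( 1 == $page_num ) ? FALSE : $page_num;
-                                $r .= '<a class="page-numbers" href="' . add_query_arg($args) . '">' . ( $page_num ) . "</a>\n";
+                                $r .= '<a class="page-numbers" href="' . attribute_escape(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
                                 $in = true;
                         elseif ( $in == true ) :
                                 $r .= "...\n";
@@ -269,7 +269,7 @@
 }
 if ( ( $page ) * 20 < $total || -1 == $total ) {
         $args['apage'] = $page + 1;
-        $r .=  '<a class="next" href="' . add_query_arg($args) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
+        $r .=  '<a class="next" href="' . attribute_escape(add_query_arg($args)) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
 }
 echo "<p class='pagenav'>$r</p>";
 ?>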
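Review bot: The same `attribute_escape(add_query_arg(...))` wrapping is repeated at lines 104, 114 and 125 and again in the near-duplicate block at 251, 261 and 272, and the pattern recurs in branches/2.1/wp-admin/edit-comments.php; six hand-edited sites per file make it easy for a later edit to add an unescaped one. Computing the link once per branch, `$link = attribute_escape( add_query_arg( $args ) );`, or moving the pagination markup into a shared function, would leave a single place to keep correct. With no URL argument, add_query_arg() presumably builds on the current request URI, which is why the output needs escaping regardless of what `$args` holds; that is inferred from the call form rather than from code on the page. The lines before 101 and between the hunks are not visible.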
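--- a/trunk/wp-admin/admin-functions.php
+++ b/trunk/wp-admin/admin-functions.php
@@ -1935,7 +1935,7 @@
         if (strpos($size, 'g') !== false)
                 $bytes = $size * 1024 * 1024 * 1024;
 ?>
-<form enctype="multipart/form-data" id="import-upload-form" method="post" action="<?php echo $action ?>">
+<form enctype="multipart/form-data" id="import-upload-form" method="post" action="<?php echo attribute_escape($action) ?>">
 <p>
 <label for="upload"><?php _e( 'Choose a file from your computer:' ); ?></label> (<?php printf( __('Maximum size: %s' ), $size ); ?> )
 <input type="file" id="upload" name="import" size="25" />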
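Review bot: `$action` is now escaped where it is echoed into the form's action attribute at new line 1938, but its assignment is outside the hunk, so nothing on the page shows what it may contain; branches/2.0/wp-admin/admin-functions.php line 1813 and branches/2.1/wp-admin/admin-functions.php line 1925 make the same change with the same gap. A one-line comment at the assignment, `// echoed into an HTML attribute below: keep attribute_escape() on the output`, would record why the escape must stay if the form tag is later rewritten. The enclosing function starts and ends outside the hunk.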
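--- a/trunk/wp-admin/custom-header.php
+++ b/trunk/wp-admin/custom-header.php
@@ -174,7 +174,7 @@
 <h2><?php _e('Upload New Header Image'); ?></h2><p><?php _e('Here you can upload a custom header image to be shown at the top of your blog instead of the default one. On the next screen you will be able to crop the image.'); ?></p>
 <p><?php printf(__('Images of exactly <strong>%1$d x %2$d pixels</strong> will be used as-is.'), HEADER_IMAGE_WIDTH, HEADER_IMAGE_HEIGHT); ?></p>
 
-<form enctype="multipart/form-data" id="uploadForm" method="POST" action="<?php echo add_query_arg('step', 2) ?>" style="margin: auto; width: 50%;">
+<form enctype="multipart/form-data" id="uploadForm" method="POST" action="<?php echo attribute_escape(add_query_arg('step', 2)) ?>" style="margin: auto; width: 50%;">
 <label for="upload"><?php _e('Choose an image from your computer:'); ?></label><br /><input type="file" id="upload" name="import" />
 <input type="hidden" name="action" value="save" />
 <p class="submit">
@@ -188,7 +188,7 @@
 <div class="wrap">
 <h2><?php _e('Reset Header Image and Color'); ?></h2>
 <p><?php _e('This will restore the original header image and color. You will not be able to retrieve any customizations.') ?></p>
-<form method="post" action="<?php echo add_query_arg('step', 1) ?>">
+<form method="post" action="<?php echo attribute_escape(add_query_arg('step', 1)) ?>">
 <input type="submit" name="resetheader" value="<?php _e('Restore Original Header'); ?>" />
 </form>
 </div>
@@ -240,7 +240,7 @@
 
 <div class="wrap">
 
-<form method="POST" action="<?php echo add_query_arg('step', 3) ?>">
+<form method="POST" action="<?php echo attribute_escape(add_query_arg('step', 3)) ?>">
 
 <p><?php _e('Choose the part of the image you want to use as your header.'); ?></p>
 <div id="testWrap">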
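--- a/branches/2.0/wp-admin/admin-functions.php
+++ b/branches/2.0/wp-admin/admin-functions.php
@@ -1810,7 +1810,7 @@
 o.submit();
 }
 </script>
-<form enctype="multipart/form-data" id="uploadForm" method="post" action="<?php echo $action ?>">
+<form enctype="multipart/form-data" id="uploadForm" method="post" action="<?php echo attribute_escape($action) ?>">
 <label for="upload"><?php _e('File:'); ?></label><input type="file" id="upload" name="import" />
 <input type="hidden" name="action" value="save" />
 <div id="buttons">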
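--- a/branches/2.1/wp-includes/script-loader.php
+++ b/branches/2.1/wp-includes/script-loader.php
@@ -78,7 +78,7 @@
                                         if ( isset($this->args[$handle]) )
                                                 $ver .= '&amp;' . $this->args[$handle];
                                         $src = 0 === strpos($this->scripts[$handle]->src, 'http://') ? $this->scripts[$handle]->src : get_option( 'siteurl' ) . $this->scripts[$handle]->src;
-                                        $src = add_query_arg('ver', $ver, $src);
+                                        $src = attribute_escape(add_query_arg('ver', $ver, $src));
                                         echo "<script type='text/javascript' src='$src'></script>\n";
                                 }
                                 $this->printed[] = $handle;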
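--- a/branches/2.1/wp-admin/edit-comments.php
+++ b/branches/2.1/wp-admin/edit-comments.php
@@ -101,7 +101,7 @@
 $r = '';
 if ( 1 < $page ) {
         $args['apage'] = ( 1 == $page - 1 ) ? FALSE : $page - 1;
-        $r .=  '<a class="prev" href="' . add_query_arg( $args ) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
+        $r .=  '<a class="prev" href="' . attribute_escape(add_query_arg( $args )) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
 }
 if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
         for ( $page_num = 1; $page_num <= $total_pages; $page_num++ ) :
@@ -111,7 +111,7 @@
                         $p = false;
                         if ( $page_num < 3 || ( $page_num >= $page - 3 && $page_num <= $page + 3 ) || $page_num > $total_pages - 3 ) :
                                 $args['apage'] = ( 1 == $page_num ) ? FALSE : $page_num;
-                                $r .= '<a class="page-numbers" href="' . add_query_arg($args) . '">' . ( $page_num ) . "</a>\n";
+                                $r .= '<a class="page-numbers" href="' . attribute_escape(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
                                 $in = true;
                         elseif ( $in == true ) :
                                 $r .= "...\n";
@@ -122,7 +122,7 @@
 }
 if ( ( $page ) * 20 < $total || -1 == $total ) {
         $args['apage'] = $page + 1;
-        $r .=  '<a class="next" href="' . add_query_arg($args) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
+        $r .=  '<a class="next" href="' . attribute_escape(add_query_arg($args)) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
 }
 echo "<p class='pagenav'>$r</p>";
 ?>
@@ -248,7 +248,7 @@
 $r = '';
 if ( 1 < $page ) {
         $args['apage'] = ( 1 == $page - 1 ) ? FALSE : $page - 1;
-        $r .=  '<a class="prev" href="' . add_query_arg( $args ) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
+        $r .=  '<a class="prev" href="' . attribute_escape(add_query_arg( $args )) . '">&laquo; '. __('Previous Page') .'</a>' . "\n";
 }
 if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
         for ( $page_num = 1; $page_num <= $total_pages; $page_num++ ) :
@@ -258,7 +258,7 @@
                         $p = false;
                         if ( $page_num < 3 || ( $page_num >= $page - 3 && $page_num <= $page + 3 ) || $page_num > $total_pages - 3 ) :
                                 $args['apage'] = ( 1 == $page_num ) ? FALSE : $page_num;
-                                $r .= '<a class="page-numbers" href="' . add_query_arg($args) . '">' . ( $page_num ) . "</a>\n";
+                                $r .= '<a class="page-numbers" href="' . attribute_escape(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
                                 $in = true;
                         elseif ( $in == true ) :
                                 $r .= "...\n";
@@ -269,7 +269,7 @@
 }
 if ( ( $page ) * 20 < $total || -1 == $total ) {
         $args['apage'] = $page + 1;
-        $r .=  '<a class="next" href="' . add_query_arg($args) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
+        $r .=  '<a class="next" href="' . attribute_escape(add_query_arg($args)) . '">'. __('Next Page') .' &raquo;</a>' . "\n";
 }
 echo "<p class='pagenav'>$r</p>";
 ?>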
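--- a/branches/2.1/wp-admin/admin-functions.php
+++ b/branches/2.1/wp-admin/admin-functions.php
@@ -1922,7 +1922,7 @@
         if ( strstr( $size, 'g' ) )
                 $bytes = $size * 1024 * 1024 * 1024;
 ?>
-<form enctype="multipart/form-data" id="import-upload-form" method="post" action="<?php echo $action ?>">
+<form enctype="multipart/form-data" id="import-upload-form" method="post" action="<?php echo attribute_escape($action) ?>">
 <p>
 <label for="upload"><?php _e( 'Choose a file from your computer:' ); ?></label> (<?php printf( __('Maximum size: %s' ), $size ); ?> )
 <input type="file" id="upload" name="import" size="25" />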
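--- a/branches/2.1/wp-admin/custom-header.php
+++ b/branches/2.1/wp-admin/custom-header.php
@@ -174,7 +174,7 @@
 <h2><?php _e('Upload New Header Image'); ?></h2><p><?php _e('Here you can upload a custom header image to be shown at the top of your blog instead of the default one. On the next screen you will be able to crop the image.'); ?></p>
 <p><?php printf(__('Images of exactly <strong>%1$d x %2$d pixels</strong> will be used as-is.'), HEADER_IMAGE_WIDTH, HEADER_IMAGE_HEIGHT); ?></p>
 
-<form enctype="multipart/form-data" id="uploadForm" method="POST" action="<?php echo add_query_arg('step', 2) ?>" style="margin: auto; width: 50%;">
+<form enctype="multipart/form-data" id="uploadForm" method="POST" action="<?php echo attribute_escape(add_query_arg('step', 2)) ?>" style="margin: auto; width: 50%;">
 <label for="upload"><?php _e('Choose an image from your computer:'); ?></label><br /><input type="file" id="upload" name="import" />
 <input type="hidden" name="action" value="save" />
 <p class="submit">
@@ -188,7 +188,7 @@
 <div class="wrap">
 <h2><?php _e('Reset Header Image and Color'); ?></h2>
 <p><?php _e('This will restore the original header image and color. You will not be able to retrieve any customizations.') ?></p>
-<form method="post" action="<?php echo add_query_arg('step', 1) ?>">
+<form method="post" action="<?php echo attribute_escape(add_query_arg('step', 1)) ?>">
 <input type="submit" name="resetheader" value="<?php _e('Restore Original Header'); ?>" />
 </form>
 </div>
@@ -240,7 +240,7 @@
 
 <div class="wrap">
 
-<form method="POST" action="<?php echo add_query_arg('step', 3) ?>">
+<form method="POST" action="<?php echo attribute_escape(add_query_arg('step', 3)) ?>">
 
 <p><?php _e('Choose the part of the image you want to use as your header.'); ?></p>
 <div id="testWrap">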
  • branches/2.1/wp-admin/upload-functions.php

    old new  
    3535        $r = ''; 
    3636 
    3737        if ( $href ) 
    38                 $r .= "<a id='file-link-$id' href='$href' title='$post_title' class='file-link $class'>\n"; 
     38                $r .= "<a id='file-link-$id' href='" . attribute_escape($href) ."' title='$post_title' class='file-link $class'>\n"; 
    3939        if ( $href || $image_src ) 
    4040                $r .= "\t\t\t$innerHTML"; 
    4141        if ( $href )