edit-form-advanced.php

Revision 5057, 9.2 kB (checked in by markjaquith, 2 years ago)
use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.1.
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`

Line
1	<?php
2	$messages[1] = __('Post updated');
3	$messages[2] = __('Custom field updated');
4	$messages[3] = __('Custom field deleted.');
5	?>
6	<?php if (isset($_GET['message'])) : ?>
7	<div id="message" class="updated fade"><p><?php echo $messages[$_GET['message']]; ?></p></div>
8	<?php endif; ?>
9
10	<form name="post" action="post.php" method="post" id="post">
11	<?php if ( (isset($mode) && 'bookmarklet' == $mode) \|\| isset($_GET['popupurl']) ): ?>
12	<input type="hidden" name="mode" value="bookmarklet" />
13	<?php endif; ?>
14
15	<div class="wrap">
16	<?php
17
18	if (0 == $post_ID) {
19	$form_action = 'post';
20	$temp_ID = -1 * time(); // don't change this formula without looking at wp_write_post()
21	$form_extra = "<input type='hidden' id='post_ID' name='temp_ID' value='$temp_ID' />";
22	wp_nonce_field('add-post');
23	} else {
24	$form_action = 'editpost';
25	$form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />";
26	wp_nonce_field('update-post_' . $post_ID);
27	}
28
29	$form_pingback = '<input type="hidden" name="post_pingback" value="' . get_option('default_pingback_flag') . '" id="post_pingback" />';
30
31	$form_prevstatus = '<input type="hidden" name="prev_status" value="' . $post->post_status . '" />';
32
33	$form_trackback = '<input type="text" name="trackback_url" style="width: 415px" id="trackback" tabindex="7" value="'. str_replace("\n", ' ', $post->to_ping) .'" />';
34
35	if ('' != $post->pinged) {
36	$pings = '<p>'. __('Already pinged:') . '</p><ul>';
37	$already_pinged = explode("\n", trim($post->pinged));
38	foreach ($already_pinged as $pinged_url) {
39	$pings .= "\n\t<li>" . wp_specialchars($pinged_url) . "</li>";
40	}
41	$pings .= '</ul>';
42	}
43
44	$saveasdraft = '<input name="save" type="submit" id="save" tabindex="3" value="' . __('Save and Continue Editing') . '" />';
45
46	if (empty($post->post_status)) $post->post_status = 'draft';
47
48	?>
49
50	<input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" />
51	<input type="hidden" id="hiddenaction" name="action" value="<?php echo $form_action ?>" />
52	<input type="hidden" id="originalaction" name="originalaction" value="<?php echo $form_action ?>" />
53	<input type="hidden" name="post_author" value="<?php echo $post->post_author ?>" />
54	<input type="hidden" id="post_type" name="post_type" value="post" />
55
56	<?php echo $form_extra ?>
57	<?php if (isset($_GET['message']) && 2 > $_GET['message']) : ?>
58	<script type="text/javascript">
59	function focusit() {
60	// focus on first input field
61	document.post.title.focus();
62	}
63	addLoadEvent(focusit);
64	</script>
65	<?php endif; ?>
66	<div id="poststuff">
67
68	<div id="moremeta">
69	<div id="grabit" class="dbx-group">
70
71	<fieldset id="categorydiv" class="dbx-box">
72	<h3 class="dbx-handle"><?php _e('Categories') ?></h3>
73	<div class="dbx-content">
74	<p id="jaxcat"></p>
75	<ul id="categorychecklist"><?php dropdown_categories(); ?></ul></div>
76	</fieldset>
77
78	<fieldset id="commentstatusdiv" class="dbx-box">
79	<h3 class="dbx-handle"><?php _e('Discussion') ?></h3>
80	<div class="dbx-content">
81	<input name="advanced_view" type="hidden" value="1" />
82	<label for="comment_status" class="selectit">
83	<input name="comment_status" type="checkbox" id="comment_status" value="open" <?php checked($post->comment_status, 'open'); ?> />
84	<?php _e('Allow Comments') ?></label>
85	<label for="ping_status" class="selectit"><input name="ping_status" type="checkbox" id="ping_status" value="open" <?php checked($post->ping_status, 'open'); ?> /> <?php _e('Allow Pings') ?></label>
86	</div>
87	</fieldset>
88
89	<fieldset id="passworddiv" class="dbx-box">
90	<h3 class="dbx-handle"><?php _e('Post Password') ?></h3>
91	<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo $post->post_password ?>" /></div>
92	</fieldset>
93
94	<fieldset id="slugdiv" class="dbx-box">
95	<h3 class="dbx-handle"><?php _e('Post Slug') ?></h3>
96	<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo $post->post_name ?>" /></div>
97	</fieldset>
98
99	<fieldset id="poststatusdiv" class="dbx-box">
100	<h3 class="dbx-handle"><?php _e('Post Status') ?></h3>
101	<div class="dbx-content"><?php if ( current_user_can('publish_posts') ) : ?>
102	<label for="post_status_publish" class="selectit"><input id="post_status_publish" name="post_status" type="radio" value="publish" <?php checked($post->post_status, 'publish'); checked($post->post_status, 'future'); ?> /> <?php _e('Published') ?></label>
103	<?php endif; ?>
104	<label for="post_status_draft" class="selectit"><input id="post_status_draft" name="post_status" type="radio" value="draft" <?php checked($post->post_status, 'draft'); ?> /> <?php _e('Draft') ?></label>
105	<label for="post_status_private" class="selectit"><input id="post_status_private" name="post_status" type="radio" value="private" <?php checked($post->post_status, 'private'); ?> /> <?php _e('Private') ?></label></div>
106	</fieldset>
107
108	<?php if ( current_user_can('edit_posts') ) : ?>
109	<fieldset id="posttimestampdiv" class="dbx-box">
110	<h3 class="dbx-handle"><?php _e('Post Timestamp'); ?>:</h3>
111	<div class="dbx-content"><?php touch_time(($action == 'edit')); ?></div>
112	</fieldset>
113	<?php endif; ?>
114
115	<?php
116	$authors = get_editable_authors( $current_user->id ); // TODO: ROLE SYSTEM
117	if ( $authors && count( $authors ) > 1 ) :
118	?>
119	<fieldset id="authordiv" class="dbx-box">
120	<h3 class="dbx-handle"><?php _e('Post Author'); ?>:</h3>
121	<div class="dbx-content">
122	<select name="post_author_override" id="post_author_override">
123	<?php
124	foreach ($authors as $o) :
125	$o = get_userdata( $o->ID );
126	if ( $post->post_author == $o->ID \|\| ( empty($post_ID) && $user_ID == $o->ID ) ) $selected = 'selected="selected"';
127	else $selected = '';
128	echo "<option value='$o->ID' $selected>$o->display_name</option>";
129	endforeach;
130	?>
131	</select>
132	</div>
133	</fieldset>
134	<?php endif; ?>
135
136	<?php do_action('dbx_post_sidebar'); ?>
137
138	</div>
139	</div>
140
141	<fieldset id="titlediv">
142	<legend><?php _e('Title') ?></legend>
143	<div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo $post->post_title; ?>" id="title" /></div>
144	</fieldset>
145
146	<fieldset id="<?php echo user_can_richedit() ? 'postdivrich' : 'postdiv'; ?>">
147	<legend><?php _e('Post') ?></legend>
148
149	<?php the_editor($post->post_content); ?>
150	</fieldset>
151
152	<?php echo $form_pingback ?>
153	<?php echo $form_prevstatus ?>
154
155
156	<p class="submit">
157	<span id="autosave"></span>
158	<?php echo $saveasdraft; ?>
159	<input type="submit" name="submit" value="<?php _e('Save') ?>" style="font-weight: bold;" tabindex="4" />
160	<?php
161	if ('publish' != $post->post_status \|\| 0 == $post_ID) {
162	?>
163	<?php if ( current_user_can('publish_posts') ) : ?>
164	<input name="publish" type="submit" id="publish" tabindex="5" accesskey="p" value="<?php _e('Publish') ?>" />
165	<?php endif; ?>
166	<?php
167	}
168	?>
169	<input name="referredby" type="hidden" id="referredby" value="<?php
170	if ( !empty($_REQUEST['popupurl']) )
171	echo clean_url(stripslashes($_REQUEST['popupurl']));
172	else if ( url_to_postid(wp_get_referer()) == $post_ID )
173	echo 'redo';
174	else
175	echo clean_url(stripslashes(wp_get_referer()));
176	?>" /></p>
177
178	<?php do_action('edit_form_advanced'); ?>
179
180	<?php
181	if (current_user_can('upload_files')) {
182	$uploading_iframe_ID = (0 == $post_ID ? $temp_ID : $post_ID);
183	$uploading_iframe_src = wp_nonce_url("upload.php?style=inline&tab=upload&post_id=$uploading_iframe_ID", 'inlineuploading');
184	$uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src);
185	if ( false != $uploading_iframe_src )
186	echo '<iframe id="uploading" frameborder="0" src="' . $uploading_iframe_src . '">' . __('This feature requires iframe support.') . '</iframe>';
187	}
188	?>
189
190	<div id="advancedstuff" class="dbx-group" >
191
192	<div class="dbx-b-ox-wrapper">
193	<fieldset id="postexcerpt" class="dbx-box">
194	<div class="dbx-h-andle-wrapper">
195	<h3 class="dbx-handle"><?php _e('Optional Excerpt') ?></h3>
196	</div>
197	<div class="dbx-c-ontent-wrapper">
198	<div class="dbx-content"><textarea rows="1" cols="40" name="excerpt" tabindex="6" id="excerpt"><?php echo $post->post_excerpt ?></textarea></div>
199	</div>
200	</fieldset>
201	</div>
202
203	<div class="dbx-b-ox-wrapper">
204	<fieldset id="trackbacksdiv" class="dbx-box">
205	<div class="dbx-h-andle-wrapper">
206	<h3 class="dbx-handle"><?php _e('Trackbacks') ?></h3>
207	</div>
208	<div class="dbx-c-ontent-wrapper">
209	<div class="dbx-content"><?php _e('Send trackbacks to:'); ?> <?php echo $form_trackback; ?> (<?php _e('Separate multiple URLs with spaces'); ?>)
210	<?php
211	if ( ! empty($pings) )
212	echo $pings;
213	?>
214	</div>
215	</div>
216	</fieldset>
217	</div>
218
219	<div class="dbx-b-ox-wrapper">
220	<fieldset id="postcustom" class="dbx-box">
221	<div class="dbx-h-andle-wrapper">
222	<h3 class="dbx-handle"><?php _e('Custom Fields') ?></h3>
223	</div>
224	<div class="dbx-c-ontent-wrapper">
225	<div id="postcustomstuff" class="dbx-content">
226	<table cellpadding="3">
227	<?php
228	$metadata = has_meta($post_ID);
229	list_meta($metadata);
230	?>
231
232	</table>
233	<?php
234	meta_form();
235	?>
236	<div id="ajax-response"></div>
237	</div>
238	</div>
239	</fieldset>
240	</div>
241
242	<?php do_action('dbx_post_advanced'); ?>
243
244	</div>
245
246	<?php if ('edit' == $action) : $delete_nonce = wp_create_nonce( 'delete-post_' . $post_ID ); ?>
247	<input name="deletepost" class="button delete" type="submit" id="deletepost" tabindex="10" value="<?php _e('Delete this post') ?>" <?php echo "onclick=\"if ( confirm('" . js_escape(sprintf(__("You are about to delete this post '%s'\n 'Cancel' to stop, 'OK' to delete."), $post->post_title )) . "') ) { document.forms.post._wpnonce.value = '$delete_nonce'; return true;}return false;\""; ?> />
248	<?php endif; ?>
249
250	</div>
251
252	</div>
253
254	</form>
255

Note: See TracBrowser for help on using the browser.

root/branches/2.1/wp-admin/edit-form-advanced.php

Download in other formats: