root/branches/2.1/wp-admin/link-manager.php

Revision 5057, 7.4 kB (checked in by markjaquith, 2 years ago)

use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.1.

  • Property svn:eol-style set to native
  • Property svn:keywords set to Author Date Id Revision
<?php


// Links
// Copyright (C) 2002, 2003 Mike Little -- mike@zed1.com

require_once ('admin.php');

wp_enqueue_script( 'listman' );

// Pull the request parameters this screen reacts to into locals
// (each becomes '' when absent from both $_POST and $_GET).
wp_reset_vars(array('action', 'cat_id', 'linkurl', 'name', 'image', 'description', 'visible', 'target', 'category', 'link_id', 'submit', 'order_by', 'links_show_cat_id', 'rating', 'rel', 'notes', 'linkcheck[]'));

// Defaults: every category, sorted by link name.
if ( empty($cat_id) )
    $cat_id = 'all';

if ( empty($order_by) )
    $order_by = 'order_name';

$title = __('Manage Blogroll');
$this_file = $parent_file = 'link-manager.php';
// Note: the admin header is emitted before the capability check below,
// so an unauthorised user gets the chrome followed by the wp_die() message.
include_once ("./admin-header.php");

if ( !current_user_can('manage_links') )
    wp_die(__("You do not have sufficient permissions to edit the links for this blog."));

// Whitelist mapping from the request's order_by value to the column name
// handed to get_bookmarks(). Anything not listed (including a non-string
// value) falls back to 'name', so the raw request value never reaches
// the query.
$orderby_whitelist = array(
    'order_id'     => 'id',
    'order_url'    => 'url',
    'order_desc'   => 'description',
    'order_owner'  => 'owner',
    'order_rating' => 'rating',
    'order_name'   => 'name',
);
if ( is_string($order_by) && isset($orderby_whitelist[$order_by]) )
    $sqlorderby = $orderby_whitelist[$order_by];
else
    $sqlorderby = 'name';
?>
<script type="text/javascript">
<!--
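// Toggle every checkbox inside `form`: checked boxes become unchecked and
// unchecked ones become checked. Non-checkbox fields are left alone.
// Wired to the header checkbox of the links table.
// Fix: the loop counters are now local (`var`); the original assigned the
// undeclared names `i` and `n`, leaking them as page-level globals.
function checkAll(form)
{
    var fields = form.elements;
    for (var idx = 0, count = fields.length; idx < count; idx++) {
        var field = fields[idx];
        if (field.type != "checkbox")
            continue;
        field.checked = !field.checked;
    }
}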
//-->
</script>
63
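<?php
// Confirmation notice after a bulk delete. The count is cast to int before
// it is printed, so the query-string value is never echoed raw.
if ( isset($_GET['deleted']) ) {
    $deleted = (int) $_GET['deleted'];
    echo '<div style="background-color: rgb(207, 235, 247);" id="message" class="updated fade"><p>';
    printf(__ngettext('%s link deleted.', '%s links deleted', $deleted), $deleted);
    echo '</p></div>';
}
?>

<div class="wrap">

<h2><?php _e('Blogroll Management'); ?></h2>
<p><?php _e('Here you <a href="link-add.php">add links</a> to sites that you visit often and share them on your blog. When you have a list of links in your sidebar to other blogs, it&#8217;s called a &#8220;blogroll.&#8221;'); ?></p>
<form id="cats" method="get" action="">
<p><?php
// Category filter: "all" plus one option per non-empty link category.
// Category ids come from the database; names are HTML-escaped for output.
$categories = get_categories("hide_empty=1&type=link");
$cat_options = '<option value="all"' . (('all' == $cat_id) ? " selected='selected'" : '') . '>' . __('All') . "</option>\n";
foreach ( (array) $categories as $cat ) {
    $selected = ($cat->cat_ID == $cat_id) ? " selected='selected'" : '';
    $cat_options .= '<option value="' . $cat->cat_ID . '"' . $selected . '>' . wp_specialchars($cat->cat_name) . "</option>\n";
}
$select_cat = "<select name=\"cat_id\">\n" . $cat_options . "</select>\n";

// Sort-order selector. Only these four orders are offered in the UI; the
// submitted value is checked against a whitelist before it is used in the
// query. Fix: the option labels were not concatenated onto the markup
// (missing "." between '>' and __(...)), which is a parse error.
$order_choices = array(
    'order_id'     => __('Link ID'),
    'order_name'   => __('Name'),
    'order_url'    => __('Address'),
    'order_rating' => __('Rating'),
);
$select_order = "<select name=\"order_by\">\n";
foreach ( $order_choices as $value => $label ) {
    $selected = ($order_by == $value) ? " selected='selected'" : '';
    $select_order .= '<option value="' . $value . '"' . $selected . '>' . $label . "</option>\n";
}
$select_order .= "</select>\n";

printf(__('Currently showing %1$s links ordered by %2$s'), $select_cat, $select_order);
?>
<input type="submit" name="action" value="<?php _e('Update &raquo;') ?>" /></p>
</form>
<?php
// Table columns. Plugins may add, remove or reorder columns through the
// filter; unknown keys are rendered via the manage_link_custom_column hook.
$link_columns = array(
    'name'       => '<th width="15%">' . __('Name') . '</th>',
    'url'        => '<th>' . __('URL') . '</th>',
    'categories' => '<th>' . __('Categories') . '</th>',
    'rel'        => '<th style="text-align: center">' . __('rel') . '</th>',
    'visible'    => '<th style="text-align: center">' . __('Visible') . '</th>',
    'action'     => '<th colspan="2" style="text-align: center">' . __('Action') . '</th>',
);
$link_columns = apply_filters('manage_link_columns', $link_columns);
?>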
108
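<?php
// "all" means no category filter. Otherwise the request-supplied id is
// forced to an integer: the get_bookmarks() argument string below is built
// by interpolation, and an unfiltered value could smuggle extra
// "&key=value" arguments (e.g. a different orderby) into that query.
if ( 'all' == $cat_id )
    $cat_id = '';
else
    $cat_id = (int) $cat_id;
$links = get_bookmarks( "category=$cat_id&hide_invisible=0&orderby=$sqlorderby&hide_empty=0" );
if ( $links ) {
?>

<form id="links" method="post" action="link.php">
<?php wp_nonce_field('bulk-bookmarks') ?>
<input type="hidden" name="link_id" value="" />
<input type="hidden" name="action" value="" />
<input type="hidden" name="order_by" value="<?php echo attribute_escape($order_by); ?>" />
<input type="hidden" name="cat_id" value="<?php echo (int) $cat_id ?>" />
<table class="widefat">
    <thead>
    <tr>
<?php foreach ( $link_columns as $column_display_name ) {
    echo $column_display_name;
} ?>
    <th style="text-align: center"><input type="checkbox" onclick="checkAll(document.getElementById('links'));" /></th>
    </tr>
    </thead>
    <tbody id="the-list">
<?php
    $i = 0; // row counter for alternate-row shading (was never initialised)
    foreach ( $links as $link ) {
        // Escape each stored field once, up front, for the context it is
        // used in: name goes into attributes and text, description and rel
        // into text, url into href (clean_url rather than attribute_escape,
        // per the commit this page records). Fix: link_rel was echoed raw.
        $link->link_name = attribute_escape($link->link_name);
        $link->link_description = wp_specialchars($link->link_description);
        $link->link_url = clean_url($link->link_url);
        $link->link_rel = wp_specialchars($link->link_rel);
        $link->link_category = wp_get_link_cats($link->link_id);

        // Display form of the URL: drop scheme, "www." and trailing slash,
        // then truncate. Byte-based substr() may cut an entity such as
        // "&amp;" produced by clean_url in half — presentational only.
        $short_url = str_replace(array('http://', 'www.'), '', $link->link_url);
        if ( '/' == substr($short_url, -1) )
            $short_url = substr($short_url, 0, -1);
        if ( strlen($short_url) > 35 )
            $short_url = substr($short_url, 0, 32) . '...';

        $visible = ( 'Y' == $link->link_visible ) ? __('Yes') : __('No');
        ++$i;
        $style = ( $i % 2 ) ? '' : ' class="alternate"';
        ?><tr id="link-<?php echo $link->link_id; ?>" valign="middle" <?php echo $style; ?>><?php
        foreach ( $link_columns as $column_name => $column_display_name ) {
            switch ( $column_name ) {
                case 'name':
                    echo '<td><strong>' . $link->link_name . '</strong><br />' . $link->link_description . '</td>';
                    break;
                case 'url':
                    echo "<td><a href='$link->link_url' title='" . sprintf(__('Visit %s'), $link->link_name) . "'>$short_url</a></td>";
                    break;
                case 'categories':
                    $cat_names = array();
                    foreach ( $link->link_category as $category ) {
                        $cat_name = wp_specialchars(get_the_category_by_ID($category));
                        // Link to the category filter unless it is already the active one.
                        if ( $cat_id != $category )
                            $cat_name = "<a href='link-manager.php?cat_id=$category'>$cat_name</a>";
                        $cat_names[] = $cat_name;
                    }
                    echo '<td>' . implode(', ', $cat_names) . ' </td>';
                    break;
                case 'rel':
                    echo '<td>' . $link->link_rel . '</td>';
                    break;
                case 'visible':
                    echo "<td align='center'>$visible</td>";
                    break;
                case 'action':
                    $edit_url = 'link.php?link_id=' . $link->link_id . '&amp;action=edit';
                    echo '<td><a href="' . $edit_url . '" class="edit">' . __('Edit') . '</a></td>';
                    // Delete is nonce-protected per link id and confirmed client-side.
                    // The confirm text is JS-escaped; name and url were escaped above.
                    $delete_url = wp_nonce_url('link.php?link_id=' . $link->link_id . '&amp;action=delete', 'delete-bookmark_' . $link->link_id);
                    $confirm = js_escape(sprintf(__("You are about to delete the '%s' link to %s.\n'Cancel' to stop, 'OK' to delete."), $link->link_name, $link->link_url));
                    echo '<td><a href="' . $delete_url . '" onclick="return deleteSomething( \'link\', ' . $link->link_id . ' , \'' . $confirm . '\' );" class="delete">' . __('Delete') . '</a></td>';
                    break;
                default:
                    // Column added through the manage_link_columns filter.
                    // Fix: pass the link id; the original passed an undefined $id.
                    echo '<td>';
                    do_action('manage_link_custom_column', $column_name, $link->link_id);
                    echo '</td>';
                    break;
            }
        }
        echo '<td align="center"><input type="checkbox" name="linkcheck[]" value="' . $link->link_id . '" /></td>';
        echo "\n    </tr>\n";
    }
?>
    </tbody>
</table>

<div id="ajax-response"></div>

<p class="submit"><input type="submit" class="button" name="deletebookmarks" id="deletebookmarks" value="<?php _e('Delete Checked Links') ?> &raquo;" onclick="return confirm('<?php echo js_escape(__("You are about to delete these links permanently.\n'Cancel' to stop, 'OK' to delete.")); ?>')" /></p>
</form>

<?php } ?>

</div>

<?php include('admin-footer.php'); ?>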
206