Navigation

← Previous Changeset
Next Changeset →

Changeset 5057

Timestamp:

03/17/07 08:47:29 (1 year ago)

Author:

markjaquith

Message:

use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.1.

Files:

branches/2.1/wp-admin/admin-functions.php (modified) (5 diffs)
branches/2.1/wp-admin/bookmarklet.php (modified) (1 diff)
branches/2.1/wp-admin/edit-comments.php (modified) (6 diffs)
branches/2.1/wp-admin/edit-form-advanced.php (modified) (1 diff)
branches/2.1/wp-admin/edit-page-form.php (modified) (1 diff)
branches/2.1/wp-admin/link-manager.php (modified) (1 diff)
branches/2.1/wp-admin/page.php (modified) (1 diff)
branches/2.1/wp-admin/post.php (modified) (1 diff)
branches/2.1/wp-admin/upgrade.php (modified) (2 diffs)
branches/2.1/wp-admin/upload-functions.php (modified) (3 diffs)
branches/2.1/wp-admin/upload.php (modified) (1 diff)
branches/2.1/wp-admin/user-edit.php (modified) (1 diff)
branches/2.1/wp-includes/bookmark-template.php (modified) (2 diffs)
branches/2.1/wp-includes/comment.php (modified) (1 diff)
branches/2.1/wp-includes/functions.php (modified) (2 diffs)
branches/2.1/wp-includes/general-template.php (modified) (4 diffs)
branches/2.1/wp-includes/link-template.php (modified) (2 diffs)
branches/2.1/wp-includes/script-loader.php (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

branches/2.1/wp-admin/admin-functions.php

r5007	r5057
359	359	$text = wp_specialchars( stripslashes( urldecode( $_REQUEST['text'] ) ) );
360	360	$text = funky_javascript_fix( $text);
361		$popupurl = ~~attribute_escape~~($_REQUEST['popupurl']);
	361	$popupurl = clean_url($_REQUEST['popupurl']);
362	362	$post_content = '<a href="'.$popupurl.'">'.$post_title.'</a>'."\n$text";
363	363	}
…	…
418	418	$user->user_login = attribute_escape($user->user_login);
419	419	$user->user_email = attribute_escape($user->user_email);
420		$user->user_url = ~~attribute_escape~~($user->user_url);
	420	$user->user_url = clean_url($user->user_url);
421	421	$user->first_name = attribute_escape($user->first_name);
422	422	$user->last_name = attribute_escape($user->last_name);
…	…
563	563	$link = get_link( $link_id );
564	564
565		$link->link_url = ~~attribute_escape~~($link->link_url);
	565	$link->link_url = clean_url($link->link_url);
566	566	$link->link_name = attribute_escape($link->link_name);
567	567	$link->link_image = attribute_escape($link->link_image);
568	568	$link->link_description = attribute_escape($link->link_description);
569		$link->link_rss = ~~attribute_escape~~($link->link_rss);
	569	$link->link_rss = clean_url($link->link_rss);
570	570	$link->link_rel = attribute_escape($link->link_rel);
571	571	$link->link_notes = wp_specialchars($link->link_notes);
…	…
577	577	function get_default_link_to_edit() {
578	578	if ( isset( $_GET['linkurl'] ) )
579		$link->link_url = ~~attribute_escape~~( $_GET['linkurl']);
	579	$link->link_url = clean_url( $_GET['linkurl']);
580	580	else
581	581	$link->link_url = '';
…	…
868	868	$r .= "</td>\n\t\t<td>";
869	869	if ( current_user_can( 'edit_user', $user_object->ID ) ) {
870		$edit_link = ~~attribute_escape~~( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), "user-edit.php?user_id=$user_object->ID" ));
	870	$edit_link = clean_url( add_query_arg( 'wp_http_referer', urlencode( stripslashes( $_SERVER['REQUEST_URI'] ) ), "user-edit.php?user_id=$user_object->ID" ));
871	871	$r .= "<a href='$edit_link' class='edit'>".__( 'Edit' )."</a>";
872	872	}

branches/2.1/wp-admin/bookmarklet.php

r4656	r5057
38	38
39	39	$content = wp_specialchars($_REQUEST['content']);
40		$popupurl = ~~attribute_escape~~($_REQUEST['popupurl']);
	40	$popupurl = clean_url($_REQUEST['popupurl']);
41	41	if ( !empty($content) ) {
42	42	$post->post_content = wp_specialchars( stripslashes($_REQUEST['content']) );

branches/2.1/wp-admin/edit-comments.php

r5007	r5057
102	102	if ( 1 < $page ) {
103	103	$args['apage'] = ( 1 == $page - 1 ) ? FALSE : $page - 1;
104		$r .= '<a class="prev" href="' . ~~attribute_escape~~(add_query_arg( $args )) . '">« '. __('Previous Page') .'</a>' . "\n";
	104	$r .= '<a class="prev" href="' . clean_url(add_query_arg( $args )) . '">« '. __('Previous Page') .'</a>' . "\n";
105	105	}
106	106	if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
…	…
112	112	if ( $page_num < 3 \|\| ( $page_num >= $page - 3 && $page_num <= $page + 3 ) \|\| $page_num > $total_pages - 3 ) :
113	113	$args['apage'] = ( 1 == $page_num ) ? FALSE : $page_num;
114		$r .= '<a class="page-numbers" href="' . ~~attribute_escape~~(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
	114	$r .= '<a class="page-numbers" href="' . clean_url(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
115	115	$in = true;
116	116	elseif ( $in == true ) :
…	…
123	123	if ( ( $page ) * 20 < $total \|\| -1 == $total ) {
124	124	$args['apage'] = $page + 1;
125		$r .= '<a class="next" href="' . ~~attribute_escape~~(add_query_arg($args)) . '">'. __('Next Page') .' »</a>' . "\n";
	125	$r .= '<a class="next" href="' . clean_url(add_query_arg($args)) . '">'. __('Next Page') .' »</a>' . "\n";
126	126	}
127	127	echo "<p class='pagenav'>$r</p>";
…	…
249	249	if ( 1 < $page ) {
250	250	$args['apage'] = ( 1 == $page - 1 ) ? FALSE : $page - 1;
251		$r .= '<a class="prev" href="' . ~~attribute_escape~~(add_query_arg( $args )) . '">« '. __('Previous Page') .'</a>' . "\n";
	251	$r .= '<a class="prev" href="' . clean_url(add_query_arg( $args )) . '">« '. __('Previous Page') .'</a>' . "\n";
252	252	}
253	253	if ( ( $total_pages = ceil( $total / 20 ) ) > 1 ) {
…	…
259	259	if ( $page_num < 3 \|\| ( $page_num >= $page - 3 && $page_num <= $page + 3 ) \|\| $page_num > $total_pages - 3 ) :
260	260	$args['apage'] = ( 1 == $page_num ) ? FALSE : $page_num;
261		$r .= '<a class="page-numbers" href="' . ~~attribute_escape~~(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
	261	$r .= '<a class="page-numbers" href="' . clean_url(add_query_arg($args)) . '">' . ( $page_num ) . "</a>\n";
262	262	$in = true;
263	263	elseif ( $in == true ) :
…	…
270	270	if ( ( $page ) * 20 < $total \|\| -1 == $total ) {
271	271	$args['apage'] = $page + 1;
272		$r .= '<a class="next" href="' . ~~attribute_escape~~(add_query_arg($args)) . '">'. __('Next Page') .' »</a>' . "\n";
	272	$r .= '<a class="next" href="' . clean_url(add_query_arg($args)) . '">'. __('Next Page') .' »</a>' . "\n";
273	273	}
274	274	echo "<p class='pagenav'>$r</p>";

branches/2.1/wp-admin/edit-form-advanced.php

r4760	r5057
169	169	<input name="referredby" type="hidden" id="referredby" value="<?php
170	170	if ( !empty($_REQUEST['popupurl']) )
171		echo ~~attribute_escape~~(stripslashes($_REQUEST['popupurl']));
	171	echo clean_url(stripslashes($_REQUEST['popupurl']));
172	172	else if ( url_to_postid(wp_get_referer()) == $post_ID )
173	173	echo 'redo';
174	174	else
175		echo ~~attribute_escape~~(stripslashes(wp_get_referer()));
	175	echo clean_url(stripslashes(wp_get_referer()));
176	176	?>" /></p>
177	177

branches/2.1/wp-admin/edit-page-form.php

r4760	r5057
14	14	}
15	15
16		$sendto = ~~attribute_escape~~(stripslashes(wp_get_referer()));
	16	$sendto = clean_url(stripslashes(wp_get_referer()));
17	17
18	18	if ( 0 != $post_ID && $sendto == get_permalink($post_ID) )

branches/2.1/wp-admin/link-manager.php

r4700	r5057
134	134	$link->link_name = attribute_escape($link->link_name);
135	135	$link->link_description = wp_specialchars($link->link_description);
136		$link->link_url = ~~attribute_escape~~($link->link_url);
	136	$link->link_url = clean_url($link->link_url);
137	137	$link->link_category = wp_get_link_cats($link->link_id);
138	138	$short_url = str_replace('http://', '', $link->link_url);

branches/2.1/wp-admin/page.php

r4780	r5057
64	64	<div id='preview' class='wrap'>
65	65	<h2 id="preview-post"><?php _e('Page Preview (updated when page is saved)'); ?></h2>
66		<iframe src="<?php echo ~~attribute_escape~~(apply_filters('preview_page_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
	66	<iframe src="<?php echo clean_url(apply_filters('preview_page_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
67	67	</div>
68	68	<?php

branches/2.1/wp-admin/post.php

r4780	r5057
70	70	<div id='preview' class='wrap'>
71	71	<h2 id="preview-post"><?php _e('Post Preview (updated when post is saved)'); ?></h2>
72		<iframe src="<?php echo ~~attribute_escape~~(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
	72	<iframe src="<?php echo clean_url(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
73	73	</div>
74	74	<?php

branches/2.1/wp-admin/upgrade.php

r4656	r5057
29	29	switch($step) {
30	30	case 0:
31		$goback = ~~attribute_escape~~(stripslashes(wp_get_referer()));
	31	$goback = clean_url(stripslashes(wp_get_referer()));
32	32	?>
33	33	<p><?php _e('This file upgrades you from any previous version of WordPress to the latest. It may take a while though, so be patient.'); ?></p>
…	…
41	41	$backto = __get_option('home');
42	42	else
43		$backto = ~~attribute_escape~~(stripslashes($_GET['backto']));
	43	$backto = clean_url(stripslashes($_GET['backto']));
44	44	?>
45	45	<h2><?php _e('Step 1'); ?></h2>

branches/2.1/wp-admin/upload-functions.php

r5007	r5057
36	36
37	37	if ( $href )
38		$r .= "<a id='file-link-$id' href='" . ~~attribute_escape~~($href) ."' title='$post_title' class='file-link $class'>\n";
	38	$r .= "<a id='file-link-$id' href='" . clean_url($href) ."' title='$post_title' class='file-link $class'>\n";
39	39	if ( $href \|\| $image_src )
40	40	$r .= "\t\t\t$innerHTML";
…	…
84	84	echo '<a href="' . get_permalink() . '">' . __('view') . '</a>';
85	85	echo ' \| ';
86		echo '<a href="' . ~~attribute_escape~~(add_query_arg('action', 'edit')) . '" title="' . __('Edit this file') . '">' . __('edit') . '</a>';
	86	echo '<a href="' . clean_url(add_query_arg('action', 'edit')) . '" title="' . __('Edit this file') . '">' . __('edit') . '</a>';
87	87	echo ' \| ';
88		echo '<a href="' . ~~attribute_escape~~(remove_query_arg(array('action', 'ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
	88	echo '<a href="' . clean_url(remove_query_arg(array('action', 'ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
89	89	echo ' ]'; ?></span>
90	90	</div>
…	…
124	124	echo '<a href="' . get_permalink() . '">' . __('view') . '</a>';
125	125	echo ' \| ';
126		echo '<a href="' . ~~attribute_escape~~(add_query_arg('action', 'view')) . '">' . __('links') . '</a>';
	126	echo '<a href="' . clean_url(add_query_arg('action', 'view')) . '">' . __('links') . '</a>';
127	127	echo ' \| ';
128		echo '<a href="' . ~~attribute_escape~~(remove_query_arg(array('action','ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
	128	echo '<a href="' . clean_url(remove_query_arg(array('action','ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
129	129	echo ' ]'; ?></span>
130	130	</div>

branches/2.1/wp-admin/upload.php

r4708	r5057
91	91	if ( isset($tab_array[4]) && is_array($tab_array[4]) )
92	92	add_query_arg( $tab_array[4], $href );
93		$_href = ~~attribute_escape~~( $href);
	93	$_href = clean_url( $href);
94	94	$page_links = '';
95	95	$class = 'upload-tab alignleft';

branches/2.1/wp-admin/user-edit.php

r4758	r5057
56	56	<p><strong><?php _e('User updated.') ?></strong></p>
57	57	<?php if ( $wp_http_referer ) : ?>
58		<p><a href="<?php echo ~~attribute_escape~~($wp_http_referer); ?>"><?php _e('« Back to Authors and Users'); ?></a></p>
	58	<p><a href="<?php echo clean_url($wp_http_referer); ?>"><?php _e('« Back to Authors and Users'); ?></a></p>
59	59	<?php endif; ?>
60	60	</div>

branches/2.1/wp-includes/bookmark-template.php

r4800	r5057
97	97	$the_link = '#';
98	98	if ( !empty($row->link_url) )
99		$the_link = ~~wp_specialchars~~($row->link_url);
	99	$the_link = clean_url($row->link_url);
100	100	$rel = $row->link_rel;
101	101	if ( '' != $rel )
…	…
261	261	$the_link = '#';
262	262	if ( !empty($bookmark->link_url) )
263		$the_link = ~~wp_specialchars~~($bookmark->link_url);
	263	$the_link = clean_url($bookmark->link_url);
264	264
265	265	$rel = $bookmark->link_rel;

branches/2.1/wp-includes/comment.php

r4705	r5057
170	170	$comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
171	171	$comment_author_url = stripslashes($comment_author_url);
172		$comment_author_url = ~~attribute_escape~~($comment_author_url);
	172	$comment_author_url = clean_url($comment_author_url);
173	173	$_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url;
174	174	}

branches/2.1/wp-includes/functions.php

r5050	r5057
1193	1193	$adminurl = get_option('siteurl') . '/wp-admin';
1194	1194	if ( wp_get_referer() )
1195		$adminurl = ~~attribute_escape~~(wp_get_referer());
	1195	$adminurl = clean_url(wp_get_referer());
1196	1196
1197	1197	$title = __('WordPress Confirmation');
…	…
1210	1210	$html .= "\t\t<div id='message' class='confirm fade'>\n\t\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t\t<p><a href='$adminurl'>" . __('No') . "</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t\t</div>\n\t</form>\n";
1211	1211	} else {
1212		$html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . ~~attribute_escape~~(add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] )) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
	1212	$html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . clean_url(add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] )) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
1213	1213	}
1214	1214	$html .= "</body>\n</html>";

branches/2.1/wp-includes/general-template.php

r5027	r5057
290	290	$text = wptexturize($text);
291	291	$title_text = attribute_escape($text);
	292	$url = clean_url($url);
292	293
293	294	if ('link' == $format)
…	…
972	973	if ( $add_args )
973	974	$link = add_query_arg( $add_args, $link );
974		$page_links[] = "<a class='prev page-numbers' href='" . ~~attribute_escape~~($link) . "'>$prev_text</a>";
	975	$page_links[] = "<a class='prev page-numbers' href='" . clean_url($link) . "'>$prev_text</a>";
975	976	endif;
976	977	for ( $n = 1; $n <= $total; $n++ ) :
…	…
984	985	if ( $add_args )
985	986	$link = add_query_arg( $add_args, $link );
986		$page_links[] = "<a class='page-numbers' href='" . ~~attribute_escape~~($link) . "'>$n</a>";
	987	$page_links[] = "<a class='page-numbers' href='" . clean_url($link) . "'>$n</a>";
987	988	$dots = true;
988	989	elseif ( $dots && !$show_all ) :
…	…
997	998	if ( $add_args )
998	999	$link = add_query_arg( $add_args, $link );
999		$page_links[] = "<a class='next page-numbers' href='" . ~~attribute_escape~~($link) . "'>$next_text</a>";
	1000	$page_links[] = "<a class='next page-numbers' href='" . clean_url($link) . "'>$next_text</a>";
1000	1001	endif;
1001	1002	switch ( $type ) :

branches/2.1/wp-includes/link-template.php

r5046	r5057
460	460
461	461	function next_posts($max_page = 0) {
462		echo ~~attribute_escape~~(get_next_posts_page_link($max_page));
	462	echo clean_url(get_next_posts_page_link($max_page));
463	463	}
464	464
…	…
490	490
491	491	function previous_posts() {
492		echo ~~attribute_escape~~(get_previous_posts_page_link());
	492	echo clean_url(get_previous_posts_page_link());
493	493	}
494	494

branches/2.1/wp-includes/script-loader.php

r5007	r5057
79	79	$ver .= '&' . $this->args[$handle];
80	80	$src = 0 === strpos($this->scripts[$handle]->src, 'http://') ? $this->scripts[$handle]->src : get_option( 'siteurl' ) . $this->scripts[$handle]->src;
81		$src = ~~attribute_escape~~(add_query_arg('ver', $ver, $src));
	81	$src = clean_url(add_query_arg('ver', $ver, $src));
82	82	echo "<script type='text/javascript' src='$src'></script>\n";
83	83	}

Navigation

Changeset 5057

Legend:

Download in other formats: