Show
Ignore:
Timestamp:
05/25/07 22:33:48 (1 year ago)
Author:
markjaquith
Message:

attribute_escape()s and int casts for 2.0.x: see #4333

Files:

Legend:

Unmodified
Added
Removed
Modified
Copied
Moved

  • branches/2.0/wp-admin/edit-form-advanced.php

    r4843 r5550  
    11<?php 
     2if ( isset($_GET['message']) ) 
     3    $_GET['message'] = (int) $_GET['message']; 
    24$messages[1] = __('Post updated'); 
    35$messages[2] = __('Custom field updated'); 
     
    57?> 
    68<?php if (isset($_GET['message'])) : ?> 
    7 <div id="message" class="updated fade"><p><?php echo $messages[$_GET['message']]; ?></p></div> 
     9<div id="message" class="updated fade"><p><?php echo wp_specialchars($messages[$_GET['message']]); ?></p></div> 
    810<?php endif; ?> 
    911 
     
    2527    wp_nonce_field('add-post'); 
    2628} else { 
     29    $post_ID = (int) $post_ID; 
    2730    $form_action = 'editpost'; 
    2831    $form_extra = "<input type='hidden' name='post_ID' value='$post_ID' />"; 
     
    3033} 
    3134 
    32 $form_pingback = '<input type="hidden" name="post_pingback" value="' . get_option('default_pingback_flag') . '" id="post_pingback" />'; 
    33  
    34 $form_prevstatus = '<input type="hidden" name="prev_status" value="' . $post->post_status . '" />'; 
    35  
    36 $form_trackback = '<input type="text" name="trackback_url" style="width: 415px" id="trackback" tabindex="7" value="'. str_replace("\n", ' ', $post->to_ping) .'" />'; 
     35$form_pingback = '<input type="hidden" name="post_pingback" value="' . (int) get_option('default_pingback_flag') . '" id="post_pingback" />';  
     36 
     37$form_prevstatus = '<input type="hidden" name="prev_status" value="' . attribute_escape( $post->post_status ) . '" />';  
     38 
     39$form_trackback = '<input type="text" name="trackback_url" style="width: 415px" id="trackback" tabindex="7" value="'. attribute_escape( str_replace("\n", ' ', $post->to_ping) ) .'" />'; 
    3740 
    3841if ('' != $post->pinged) { 
     
    4548} 
    4649 
    47 $saveasdraft = '<input name="save" type="submit" id="save" tabindex="3" value="' . __('Save and Continue Editing') . '" />'; 
     50$saveasdraft = '<input name="save" type="submit" id="save" tabindex="3" value="' . attribute_escape(__('Save and Continue Editing')) . '" />'; 
    4851 
    4952if (empty($post->post_status)) $post->post_status = 'draft'; 
     
    5154?> 
    5255 
    53 <input type="hidden" name="user_ID" value="<?php echo $user_ID ?>" /> 
     56<input type="hidden" name="user_ID" value="<?php echo (int) $user_ID ?>" /> 
    5457<input type="hidden" name="action" value="<?php echo $form_action ?>" /> 
    55 <input type="hidden" name="post_author" value="<?php echo $post->post_author ?>" /> 
     58<input type="hidden" name="post_author" value="<?php echo attribute_escape($post->post_author) ?>" /> 
    5659 
    5760<?php echo $form_extra ?> 
     
    8386<fieldset id="passworddiv" class="dbx-box"> 
    8487<h3 class="dbx-handle"><?php _e('Password-Protect Post') ?></h3>  
    85 <div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo $post->post_password ?>" /></div> 
     88<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo attribute_escape($post->post_password) ?>" /></div> 
    8689</fieldset> 
    8790 
    8891<fieldset id="slugdiv" class="dbx-box"> 
    8992<h3 class="dbx-handle"><?php _e('Post slug') ?></h3>  
    90 <div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo $post->post_name ?>" /></div> 
     93<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo attribute_escape($post->post_name) ?>" /></div> 
    9194</fieldset> 
    9295 
     
    124127if ( $post->post_author == $o->ID || ( empty($post_ID) && $user_ID == $o->ID ) ) $selected = 'selected="selected"'; 
    125128else $selected = ''; 
    126 echo "<option value='$o->ID' $selected>$o->display_name</option>"; 
     129echo "<option value='" . (int) $o->ID . "' $selected>" . wp_specialchars($o->display_name) . "</option>"; 
    127130endforeach; 
    128131?> 
     
    139142<fieldset id="titlediv"> 
    140143  <legend><?php _e('Title') ?></legend>  
    141   <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo $post->post_title; ?>" id="title" /></div> 
     144  <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape($post->post_title); ?>" id="title" /></div> 
    142145</fieldset> 
    143146 
     
    222225<?php 
    223226if (current_user_can('upload_files')) { 
    224     $uploading_iframe_ID = (0 == $post_ID ? $temp_ID : $post_ID); 
     227    $uploading_iframe_ID = (int) (0 == $post_ID ? $temp_ID : $post_ID); 
    225228    $uploading_iframe_src = wp_nonce_url("inline-uploading.php?action=view&amp;post=$uploading_iframe_ID", 'inlineuploading'); 
    226229    $uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src);