
Changeset 428887


Timestamp:
08/26/11 05:55:38 (3 years ago)
Author:
dd32
Message:

Add some HTML escaping and rawurlencode() calls. See http://wordpress.org/support/topic/deprecated-function-and-characters-not-properly-escaped

File:
1 edited

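--- a/add-from-server/trunk/class.add-from-server.php
+++ b/add-from-server/trunk/class.add-from-server.php
@@ -249,10 +249,10 @@
             $id = $this->handle_import_file($filename, $post_id, $import_date);
             if ( is_wp_error($id) ) {
-                echo '<div class="updated error"><p>' . sprintf(__('<em>%s</em> was <strong>not</strong> imported due to an error: %s', 'add-from-server'), $file, $id->get_error_message() ) . '</p></div>';
+                echo '<div class="updated error"><p>' . sprintf(__('<em>%s</em> was <strong>not</strong> imported due to an error: %s', 'add-from-server'), esc_html($file), $id->get_error_message() ) . '</p></div>';
             } else {
                 //increment the gallery count
                 if ( $import_to_gallery )
                     echo "<script type='text/javascript'>jQuery('#attachments-count').text(1 * jQuery('#attachments-count').text() + 1);</script>";
-                echo '<div class="updated"><p>' . sprintf(__('<em>%s</em> has been added to Media library', 'add-from-server'), $file) . '</p></div>';
+                echo '<div class="updated"><p>' . sprintf(__('<em>%s</em> has been added to Media library', 'add-from-server'), esc_html($file)) . '</p></div>';
             }
             flush();
@@ -492,5 +492,5 @@
                 if ( strlen($adir) > 1 )
                     $adir = ltrim($adir, '/');
-                $durl = add_query_arg(array('adirectory' => addslashes($adir)), $url);
+                $durl = add_query_arg(array('adirectory' => rawurlencode($adir)), $url);
                 $pieces[] = "<a href='$durl'>$text</a>";
             }
@@ -522,5 +522,5 @@
                 <td>&nbsp;</td>
                 <?php /*  <td class='check-column'><input type='checkbox' id='file-<?php echo $sanname; ?>' name='files[]' value='<?php echo esc_attr($file) ?>' /></td> */ ?>
-                <td><a href="<?php echo add_query_arg(array('adirectory' => $parent), $url) ?>" title="<?php echo esc_attr(dirname($cwd)) ?>"><?php _e('Parent Folder', 'add-from-server') ?></a></td>
+                <td><a href="<?php echo add_query_arg(array('adirectory' => rawurlencode($parent)), $url) ?>" title="<?php echo esc_attr(dirname($cwd)) ?>"><?php _e('Parent Folder', 'add-from-server') ?></a></td>
             </tr>
         <?php endif; ?>
@@ -540,10 +540,10 @@
                 $filename = preg_replace('!^' . preg_quote($cwd) . '!i', '', $file);
                 $filename = ltrim($filename, '/');
-                $folder_url = add_query_arg(array('directory' => $filename, 'import-date' => $import_date, 'gallery' => $import_to_gallery ), $url);
+                $folder_url = add_query_arg(array('directory' => rawurlencode($filename), 'import-date' => $import_date, 'gallery' => $import_to_gallery ), $url);
         ?>
             <tr>
                 <td>&nbsp;</td>
                 <?php /* <td class='check-column'><input type='checkbox' id='file-<?php echo $sanname; ?>' name='files[]' value='<?php echo esc_attr($file) ?>' /></td> */ ?>
-                <td><a href="<?php echo $folder_url ?>"><?php echo rtrim($filename, '/') . DIRECTORY_SEPARATOR ?></a></td>
+                <td><a href="<?php echo $folder_url ?>"><?php echo esc_html( rtrim($filename, '/') . DIRECTORY_SEPARATOR ); ?></a></td>
             </tr>
         <?php
@@ -592,5 +592,5 @@
             <tr class="<?php echo esc_attr(implode(' ', $classes)); ?>" title="<?php if ( ! $file_meets_guidelines ) { _e('Sorry, this file type is not permitted for security reasons. Please see the FAQ.', 'add-from-server'); } elseif ($unreadable) { _e('Sorry, but this file is unreadable by your Webserver. Perhaps check your File Permissions?', 'add-from-server'); } ?>">
                 <th class='check-column'><input type='checkbox' id='file-<?php echo $sanname; ?>' name='files[]' value='<?php echo esc_attr($filename) ?>' <?php disabled(!$file_meets_guidelines || $unreadable); ?> /></th>
-                <td><label for='file-<?php echo $sanname; ?>'><?php echo $filename ?></label></td>
+                <td><label for='file-<?php echo $sanname; ?>'><?php echo esc_html($filename) ?></label></td>
             </tr>
             <?php endforeach; endforeach;?>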
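Review bot: The URLs built with rawurlencode() in the breadcrumb, Parent Folder and folder-row hunks are still written into href attributes unescaped — `"<a href='$durl'>$text</a>"`, `href="<?php echo add_query_arg(array('adirectory' => rawurlencode($parent)), $url) ?>"` and `href="<?php echo $folder_url ?>"` — so rawurlencode() protects the query value but not the attribute context; wrapping each in `esc_url()` (e.g. `href="<?php echo esc_url($folder_url) ?>"`) would close that gap, assuming `$url` is an admin page URL as the surrounding code suggests. The same applies to `$text` in the breadcrumb anchor, whose origin lies outside the hunk. In the first hunk `$file` now goes through esc_html(), but `$id->get_error_message()` in the same sprintf() is still echoed raw; if handle_import_file() embeds the file name in its error text, that branch needs `esc_html($id->get_error_message())` as well. The enclosing methods start and end outside these hunks.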