

Changeset 586511


Timestamp:
08/16/12 20:20:54 (5 years ago)
Author:
garyc40
Message:

Fix: Improper escaping of user input. Props Justin Sainton for initial patch.

Fixes issue 1111.

Location:
wp-e-commerce/branches/branch-3.8
Files:
35 edited

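--- a/wp-e-commerce/branches/branch-3.8/wpsc-admin/admin-form-functions.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-admin/admin-form-functions.php
@@ -285,13 +285,12 @@
                             echo "  <tr><td>".esc_html__('State', 'wpsc').":</td><td>".wpsc_get_region($purch_data['billing_region'])."</td></tr>\n\r";
 
-                        echo " <tr><td>".wp_kses($form_field['name'], array() ).":</td><td>".htmlentities(stripslashes($rekeyed_input[$form_field['id']]['value']), ENT_QUOTES, 'UTF-8')."</td></tr>\n\r";
+                        echo " <tr><td>" . esc_html( $form_field['name'] ) . ":</td><td>" . esc_html(  $rekeyed_input[$form_field['id']]['value'] ) . "</td></tr>\n\r";
                     break;
 
                     case 'delivery_country':
-
                         if(is_numeric($purch_data['shipping_region']) && ($delivery_region_count > 0))
                             echo "  <tr><td>".esc_html__('State', 'wpsc').":</td><td>".wpsc_get_region($purch_data['shipping_region'])."</td></tr>\n\r";
 
-                        echo " <tr><td>".wp_kses($form_field['name'], array() ).":</td><td>".htmlentities(stripslashes($rekeyed_input[$form_field['id']]['value']), ENT_QUOTES, 'UTF-8')."</td></tr>\n\r";
+                        echo " <tr><td>" . esc_html( $form_field['name'] ) . ":</td><td>" . esc_html( $rekeyed_input[ $form_field['id']]['value'] ) . "</td></tr>\n\r";
                     break;
 
@@ -301,14 +300,14 @@
                         continue;
                       else
-                          echo "    <tr class='heading'><td colspan='2'><strong>".wp_kses($form_field['name'], array()).":</strong></td></tr>\n\r";
+                         echo "    <tr class='heading'><td colspan='2'><strong>" . esc_html( $form_field['name'] ) . ":</strong></td></tr>\n\r";
                     break;
 
                     default:
-                            if ($form_field['name']=="State" && !empty($purch_data['billing_region']) || $form_field['name']=="State" && !empty($purch_data['billing_region']))
-                                echo "";
-                            else
-                                echo "  <tr><td>".wp_kses($form_field['name'], array() ).":</td><td>".
-                                    ( isset( $rekeyed_input[$form_field['id']] ) ? htmlentities(stripslashes($rekeyed_input[$form_field['id']]['value']), ENT_QUOTES, 'UTF-8') : '' ).
-                                    "</td></tr>\n\r";
+                        if ($form_field['name']=="State" && !empty($purch_data['billing_region']) || $form_field['name']=="State" && !empty($purch_data['billing_region']))
+                            echo "";
+                        else
+                            echo "  <tr><td>" . esc_html( $form_field['name'] ) . ":</td><td>".
+                                ( isset( $rekeyed_input[$form_field['id']] ) ? esc_html( $rekeyed_input[$form_field['id']]['value'] ) : '' ) .
+                                "</td></tr>\n\r";
                     break;
                 }
@@ -400,5 +399,5 @@
            echo " <td>";
            echo apply_filters( 'the_title', $cart_row['name'] );
-            echo stripslashes($variation_list);
+            echo $variation_list;
            echo " </td>";
 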
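Review bot: `echo $variation_list;` at new line 401 still writes the value without escaping; dropping `stripslashes()` does not make it safe for HTML, and the same applies to `echo apply_filters( 'the_title', $cart_row['name'] );` on the line above it. Whether `$variation_list` is already-built markup cannot be told from this hunk; if it is plain text, `echo esc_html( $variation_list );` is the matching fix, and if it is markup it should go through `wp_kses_post()`. The condition at new line 306 tests `$form_field['name']=="State" && !empty($purch_data['billing_region'])` twice, so the second clause is dead; presumably one of them was meant to read `shipping_region`. The enclosing function starts and ends outside the hunks.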
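--- a/wp-e-commerce/branches/branch-3.8/wpsc-admin/display-sales-logs.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-admin/display-sales-logs.php
@@ -139,13 +139,13 @@
               <div class='inside'>
                  <?php
-                  foreach( (array) $purchlogitem->customcheckoutfields as $key => $value ) {
-                     $value['value'] = maybe_unserialize ($value['value'] );
-                     if( is_array( $value['value'] ) ) {
+                 foreach( (array) $purchlogitem->customcheckoutfields as $key => $value ){
+                    $value['value'] = maybe_unserialize($value['value']);
+                    if(is_array($value['value'])){
                      ?>
-                        <p><strong><?php echo $key; ?> :</strong> <?php echo implode( stripslashes( $value['value'] ), ',' ); ?></p>
+                        <p><strong><?php echo $key; ?> :</strong> <?php echo implode( $value['value'], ','); ?></p>
                      <?php
                      }else{
                      ?>
-                        <p><strong><?php echo $key; ?> :</strong> <?php echo stripslashes( $value['value'] ); ?></p>
+                        <p><strong><?php echo $key; ?> :</strong> <?php echo $value['value']; ?></p>
                      <?php
                      }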
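Review bot: The rewritten lines 141–149 still echo `$key` and `$value['value']` raw inside the `<p>` markup, so custom checkout field values — entered by the customer at checkout — reach the admin page unescaped, which is the class of bug this commit is fixing elsewhere. Replace them with `<?php echo esc_html( $key ); ?>`, `<?php echo esc_html( implode( ',', $value['value'] ) ); ?>` and `<?php echo esc_html( $value['value'] ); ?>`. The `implode( $value['value'], ',' )` argument order (array first) is the legacy form; the string-first form above is the documented one. The surrounding template continues outside the hunk.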
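--- a/wp-e-commerce/branches/branch-3.8/wpsc-admin/includes/display-items-functions.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-admin/includes/display-items-functions.php
@@ -264,5 +264,5 @@
     if ( !isset( $product_data['meta']['_wpsc_sku'] ) )
         $product_data['meta']['_wpsc_sku'] = $wpsc_product_defaults['meta']['sku']; ?><br />
-            <input size='32' type='text' class='text' id="wpsc_sku" name='meta[_wpsc_sku]' value='<?php echo htmlentities( stripslashes( $product_data['meta']['_wpsc_sku'] ), ENT_QUOTES, 'UTF-8' ); ?>' />
+            <input size='32' type='text' class='text' id="wpsc_sku" name='meta[_wpsc_sku]' value='<?php echo esc_html( $product_data['meta']['_wpsc_sku'] ); ?>' />
             <br style="clear:both" />
             <?php
@@ -611,5 +611,5 @@
             <textarea cols='40' rows='3' name='meta[_wpsc_product_metadata][merchant_notes]' id='merchant_notes'><?php
                 if ( isset( $product_meta['merchant_notes'] ) )
-                echo stripslashes( trim( $product_meta['merchant_notes'] ) );
+                echo esc_textarea( trim( $product_meta['merchant_notes'] ) );
             ?></textarea>
             <small><?php esc_html_e( 'These notes are only available here.', 'wpsc' ); ?></small>
@@ -719,5 +719,5 @@
     global $post;
 ?>
-    <textarea name='additional_description' id='additional_description' cols='40' rows='5' ><?php echo esc_textarea( stripslashes( trim( $post->post_excerpt ) ) ); ?></textarea>
+    <textarea name='additional_description' id='additional_description' cols='40' rows='5' ><?php echo esc_textarea( $post->post_excerpt ); ?></textarea>
 <?php
 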
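Review bot: New line 266 uses `esc_html()` inside a single-quoted `value='…'` attribute; the attribute-context function is `esc_attr()`, i.e. `value='<?php echo esc_attr( $product_data['meta']['_wpsc_sku'] ); ?>'`. The two functions encode the same characters today, but using the context-specific one keeps the intent readable and survives future changes to either. Line 721 also drops the `trim()` around `$post->post_excerpt`, which changes what is shown in the textarea when the excerpt has surrounding whitespace — worth stating in the commit message if intended.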
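--- a/wp-e-commerce/branches/branch-3.8/wpsc-admin/includes/product-functions.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-admin/includes/product-functions.php
@@ -25,5 +25,5 @@
 
     //Type-casting ( not so much sanitization, which would be good to do )
-    $post_data = $_POST;
+    $post_data = stripslashes_deep( $_POST );
     $product_id = $post_ID;
     $post_data['additional_description'] = isset($post_data['additional_description']) ? $post_data['additional_description'] : '';
@@ -132,7 +132,7 @@
 
         if($post_data[$column] !== null) {
-            $update_values[$column] = stripslashes($post_data[$column]);
+            $update_values[$column] = $post_data[$column];
         } else if(($update != true) && ($default !== null)) {
-            $update_values[$column] = stripslashes($default);
+            $update_values[$column] = ($default);
         }
     }
@@ -252,4 +252,6 @@
         $post_data = &$_POST;
     }
+
+    $post_data = stripslashes_deep( $post_data );
 
     $post_data['name'] = isset($post_data['post_title']) ? $post_data['post_title'] : '';
@@ -343,7 +345,7 @@
 
         if($post_data[$column] !== null) {
-            $update_values[$column] = stripslashes($post_data[$column]);
+            $update_values[$column] = $post_data[$column];
         } else if(($update != true) && ($default !== null)) {
-            $update_values[$column] = stripslashes($default);
+            $update_values[$column] = $default;
         }
     }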
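Review bot: At new line 255 `$post_data = stripslashes_deep( $post_data );` runs after `$post_data = &$_POST;` on line 252, so the assignment writes the stripped copy back into `$_POST` itself and any later reader of the superglobal in the same request sees modified data; the hunk at line 27 avoids this by assigning to a fresh local. Presumably the reference is not needed once the data is copied, so `$post_data = stripslashes_deep( $_POST );` without the `&` would make both code paths behave alike — confirm no caller relies on the write-through. The comment at line 26 still states that no sanitization happens here, which remains true after this change; and `$update_values[$column] = ($default);` at line 136 carries stray parentheses compared with line 349. The enclosing functions start and end outside the hunks.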
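--- a/wp-e-commerce/branches/branch-3.8/wpsc-admin/includes/purchase-logs-page/item-details.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-admin/includes/purchase-logs-page/item-details.php
@@ -106,13 +106,11 @@
                             <input type='hidden' name='purchlog_id' value='<?php echo $this->log_id; ?>' />
                             <p>
-                                <textarea name="purchlog_notes" rows="3" wrap="virtual" id="purchlog_notes" style="width:100%;">
-                                    <?php
+                                <textarea name="purchlog_notes" rows="3" wrap="virtual" id="purchlog_notes" style="width:100%;"><?php
                                         if ( isset( $_POST['purchlog_notes'] ) ) {
-                                            echo esc_html( $_POST['purchlog_notes'] );
+                                            echo esc_textarea( stripslashes( $_POST['purchlog_notes'] ) );
                                         } else {
                                             echo wpsc_display_purchlog_notes();
                                         }
-                                    ?>
-                                </textarea>
+                                    ?></textarea>
                             </p>
                             <p><input class="button" type="submit" name="button" id="button" value="<?php _e( 'Update Notes', 'wpsc' ); ?>" /></p>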
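Review bot: The `else` branch at new line 112 still does `echo wpsc_display_purchlog_notes();` inside the `<textarea>` without `esc_textarea()`, while the new line 110 escapes the `$_POST` value; if that helper returns the stored note verbatim, stored markup can close the textarea. Wrapping it, `echo esc_textarea( wpsc_display_purchlog_notes() );`, makes the two branches consistent — unless the helper already escapes, which this hunk cannot show. The `purchlog_id` hidden input on line 106 echoes `$this->log_id` unescaped; `absint()` or `esc_attr()` would be appropriate there.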
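--- a/wp-e-commerce/branches/branch-3.8/wpsc-admin/includes/save-data.functions.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-admin/includes/save-data.functions.php
@@ -93,8 +93,7 @@
 
   if( !empty( $image ) )
-      $image = "<img src=\"".WPSC_CATEGORY_URL.stripslashes( $image )."\" title='".$name."' alt='".$name."' width='30' height='30' />";
+      $image = "<img src=\"".WPSC_CATEGORY_URL . $image . "\" title='" . esc_attr( $name ) . "' alt='" . esc_attr( $name ) . "' width='30' height='30' />";
   else
-      $image = "<img src='".WPSC_CORE_IMAGES_URL."/no-image-uploaded.gif' title='".$name."' alt='".$name."' width='30' height='30' />";
-
+      $image = "<img src='" . WPSC_CORE_IMAGES_URL . "/no-image-uploaded.gif' title='" . esc_attr( $name ) . "' alt='" . esc_attr( $name ) . "' width='30' height='30' />";
 
    return $image;
@@ -254,5 +253,5 @@
                                $selected_state = "selected='selected'";
                             ?>
-                                <option <?php echo $selected_state; ?> value='<?php echo $key; ?>'><?php echo esc_html_e( stripslashes( $value ) ); ?></option>
+                                <option <?php echo $selected_state; ?> value='<?php echo $key; ?>'><?php echo esc_html( $value ); ?></option>
                            <?php
                            }
@@ -455,5 +454,5 @@
                                $selected_state = "selected='selected'";
                     ?>
-                    <option <?php echo $selected_state; ?> value='<?php echo esc_attr( $key ); ?>'><?php echo esc_html( stripslashes( $value ) ); ?></option>
+                    <option <?php echo $selected_state; ?> value='<?php echo $key; ?>'><?php echo esc_html( $value ); ?></option>
                    <?php
                        }
@@ -541,9 +540,8 @@
 
        if ( isset( $_POST['image_height'] ) )
-            wpsc_update_categorymeta($category_id, 'image_height', esc_sql(stripslashes($_POST['image_height'])));
+            wpsc_update_categorymeta( $category_id, 'image_height', absint( $_POST['image_height'] ) );
 
        if ( isset( $_POST['image_width'] ) )
-            wpsc_update_categorymeta($category_id, 'image_width', esc_sql(stripslashes($_POST['image_width'])));
-
+            wpsc_update_categorymeta( $category_id, 'image_width', absint($_POST['image_width'] ) );
 
        if ( ! empty( $_POST['use_additional_form_set'] ) ) {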
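Review bot: New line 456 regresses escaping that was already in place: the removed line had `value='<?php echo esc_attr( $key ); ?>'` and the new one has `value='<?php echo $key; ?>'`, so the option value attribute is now unescaped; the same unescaped `$key` appears at new line 255. Restore `esc_attr( $key )` in both places. At new line 95 `$image` is concatenated into `src="…"` without `esc_url()`; since the value is stored category meta, `esc_url( WPSC_CATEGORY_URL . $image )` is the matching fix. The `absint()` calls at lines 542 and 545 are a clear improvement over the previous `esc_sql()`, which was the wrong tool for a value passed to a meta API.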
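--- a/wp-e-commerce/branches/branch-3.8/wpsc-admin/includes/settings-tabs/admin.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-admin/includes/settings-tabs/admin.php
@@ -100,5 +100,5 @@
                     </th>
                     <td>
-                    <textarea name='wpsc_options[terms_and_conditions]' cols='' rows='' style='width: 300px; height: 200px;'><?php echo esc_textarea( stripslashes( trim( get_option( 'terms_and_conditions' ) ) ) ); ?></textarea>
+                    <textarea name='wpsc_options[terms_and_conditions]' cols='' rows='' style='width: 300px; height: 200px;'><?php echo esc_textarea( get_option( 'terms_and_conditions' ) ); ?></textarea>
                     </td>
                 </tr>
@@ -121,5 +121,5 @@
                 <tr>
                     <th><strong><?php esc_html_e( 'Purchase Receipt', 'wpsc' ); ?></strong></th>
-                    <td><textarea name="wpsc_options[wpsc_email_receipt]" cols='' rows=''   style='width: 300px; height: 200px;'><?php echo esc_textarea( stripslashes( trim( get_option( 'wpsc_email_receipt' ) ) ) );?></textarea></td>
+                    <td><textarea name="wpsc_options[wpsc_email_receipt]" cols='' rows=''   style='width: 300px; height: 200px;'><?php esc_textarea( get_option( 'wpsc_email_receipt' ) );?></textarea></td>
                 </tr>
                 <tr>
@@ -132,5 +132,5 @@
                 <tr>
                     <th><strong><?php esc_html_e( 'Admin Report', 'wpsc' ); ?></strong></th>
-                    <td><textarea name="wpsc_options[wpsc_email_admin]" cols='' rows='' style='width: 300px; height: 200px;'><?php echo esc_textarea( stripslashes( trim( get_option( 'wpsc_email_admin' ) ) ) );?></textarea></td>
+                    <td><textarea name="wpsc_options[wpsc_email_admin]" cols='' rows='' style='width: 300px; height: 200px;'><?php esc_textarea( get_option( 'wpsc_email_admin' ) );?></textarea></td>
                 </tr>
             </table>
@@ -147,9 +147,9 @@
                 <tr>
                     <th><strong><?php esc_html_e( 'Tracking Email Subject', 'wpsc' );?></strong></th>
-                    <td><input name="wpsc_options[wpsc_trackingid_subject]" type='text' value='<?php echo esc_attr( stripslashes( get_option( 'wpsc_trackingid_subject' ) ) ); ?>' /></td>
+                    <td><input name="wpsc_options[wpsc_trackingid_subject]" type='text' value='<?php echo esc_attr( get_option( 'wpsc_trackingid_subject' ) );?>' /></td>
                 </tr>
                 <tr>
                     <th><strong><?php esc_html_e( 'Tracking Email Message', 'wpsc' );?></strong></th>
-                    <td><textarea name="wpsc_options[wpsc_trackingid_message]" cols='' rows='' style='width: 300px; height: 200px;'><?php echo esc_textarea( stripslashes( trim( get_option( 'wpsc_trackingid_message' ) ) ) );?></textarea></td>
+                    <td><textarea name="wpsc_options[wpsc_trackingid_message]" cols='' rows=''   style='width: 300px; height: 200px;'><?php esc_textarea( get_option( 'wpsc_trackingid_message' ) );?></textarea></td>
                 </tr>
             </table>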
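Review bot: New lines 123, 134 and 153 read `<?php esc_textarea( get_option( … ) );?>` with no `echo`, so these three textareas render empty and saving the settings page will overwrite the purchase receipt, admin report and tracking message options with blanks. Each needs the form used correctly on line 102, e.g. `<?php echo esc_textarea( get_option( 'wpsc_email_receipt' ) ); ?>`, and likewise for `wpsc_email_admin` and `wpsc_trackingid_message`. Line 153 also re-introduces the triple space before `style=` that the removed line did not have.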
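--- a/wp-e-commerce/branches/branch-3.8/wpsc-admin/includes/settings-tabs/general.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-admin/includes/settings-tabs/general.php
@@ -184,7 +184,7 @@
                 <th scope="row"><?php esc_html_e( 'Thousands and decimal separators', 'wpsc' ); ?>:</th>
                     <td>
-                        <?php esc_html_e( 'Thousands separator', 'wpsc' ); ?>: <input name="wpsc_options[wpsc_thousands_separator]" type="text" maxlength="1" size="1" value="<?php echo esc_attr( stripslashes( get_option( 'wpsc_thousands_separator' ) ) ); ?>" /> <br />
-                        <?php esc_html_e( 'Decimal separator', 'wpsc' ); ?>: <input name="wpsc_options[wpsc_decimal_separator]" type="text" maxlength="1" size="1" value="<?php echo esc_attr( stripslashes( get_option( 'wpsc_decimal_separator' ) ) ); ?>" /> <br />
-                        <?php esc_html_e( 'Preview', 'wpsc' ); ?>: <?php printf( _x( '10%1$s000%2$s00', 'Thousands / Decimal Separator Preview', 'wpsc' ), esc_html( get_option( 'wpsc_thousands_separator' ) ), esc_html( get_option( 'wpsc_decimal_separator' ) ) ); ?>
+                        <?php esc_html_e( 'Thousands separator', 'wpsc' ); ?>: <input name="wpsc_options[wpsc_thousands_separator]" type="text" maxlength="1" size="1" value="<?php echo esc_attr(  get_option( 'wpsc_thousands_separator' ) ); ?>" /> <br />
+                        <?php esc_html_e( 'Decimal separator', 'wpsc' ); ?>: <input name="wpsc_options[wpsc_decimal_separator]" type="text" maxlength="1" size="1" value="<?php echo esc_attr( get_option( 'wpsc_decimal_separator' ) ); ?>" /> <br />
+                        <?php esc_html_e( 'Preview:', 'wpsc' ); ?> 10<?php echo esc_attr(  get_option( 'wpsc_thousands_separator' ) ); ?>000<?php echo esc_attr( get_option( 'wpsc_decimal_separator' ) ); ?>00
                     </td>
                 </tr>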
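Review bot: New line 188 escapes the separators with `esc_attr()` but emits them as text between `10`, `000` and `00`, which is HTML body context where `esc_html()` is the matching function. The rewrite also replaces the translatable `_x( '10%1$s000%2$s00', … )` preview with hard-coded digits, so translators can no longer adapt the sample number; if that was not the goal, keep the `printf( _x( … ) )` form and only drop the `stripslashes()` calls. The `'Preview'` string is changed to `'Preview:'` as well, which invalidates the existing translation of that label.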
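--- a/wp-e-commerce/branches/branch-3.8/wpsc-admin/includes/settings-tabs/marketing.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-admin/includes/settings-tabs/marketing.php
@@ -122,7 +122,7 @@
             <p><?php esc_html_e( 'To import your products into <a href="http://www.google.com/merchants/" target="_blank">Google Merchant Centre</a> so that they appear within Google Product Search results, sign up for a Google Merchant Centre account and add a scheduled data feed with the following URL:', 'wpsc' ); ?></p>
 
-            <?php $google_feed_url = get_bloginfo( 'url' ) . "/index.php?rss=true&action=product_list&xmlformat=google"; ?>
+            <?php $google_feed_url = add_query_arg( array( 'rss' => 'true', 'action' => 'product_list', 'xmlformat' => 'google' ), home_url( '/' ) ); ?>
 
-            <?php echo make_clickable( esc_url( $google_feed_url ) ); ?>
+            <a href="<?php echo esc_url( $google_feed_url ); ?>"><?php echo esc_url( $google_feed_url ); ?></a>
 
         <?php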
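Review bot: Context line 122 on the new side passes a string containing `<a href=…>` markup through `esc_html_e()`, so the anchor tags are shown literally to the admin instead of rendered; either move the link out of the translatable string or run the translated text through `wp_kses()` with an anchor allow-list. The switch to `add_query_arg()` and `home_url()` at line 124 is a clear improvement, and the feed URL at line 126 is escaped correctly for both the `href` attribute and the link text.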
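--- a/wp-e-commerce/branches/branch-3.8/wpsc-admin/init.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-admin/init.php
@@ -372,5 +372,5 @@
         if ( ($purchlog_id == '') && ($purchlog_notes == '') ) {
             $purchlog_id = absint( $_POST['purchlog_id'] );
-            $purchlog_notes = $wpdb->escape( $_POST['purchlog_notes'] );
+            $purchlog_notes = stripslashes( $_POST['purchlog_notes'] );
         }
         $wpdb->update(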
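Review bot: New line 374 stores `stripslashes( $_POST['purchlog_notes'] )` with no content filtering; the SQL side is covered by `$wpdb->update()` on line 376, but the stored note appears to be printed back into the notes textarea via `wpsc_display_purchlog_notes()` in item-details.php, so either filter here, e.g. `wp_kses_post( stripslashes( $_POST['purchlog_notes'] ) )`, or make sure every output site escapes it. The guard `( $purchlog_id == '' ) && ( $purchlog_notes == '' )` on line 372 uses loose comparison, so a note of `'0'` is treated as empty. The enclosing function starts and ends outside the hunk.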
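--- a/wp-e-commerce/branches/branch-3.8/wpsc-admin/settings-page.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-admin/settings-page.php
@@ -638,4 +638,5 @@
         //To update options
         if ( isset( $_POST['wpsc_options'] ) ) {
+            $_POST['wpsc_options'] = stripslashes_deep( $_POST['wpsc_options'] );
             // make sure stock keeping time is a number
             if ( isset( $_POST['wpsc_options']['wpsc_stock_keeping_time'] ) ) {
@@ -668,5 +669,5 @@
                         $option_name = $wpsc_gateways[$selected_gateway]['supported_currencies']['option_name'];
 
-                        if ( !in_array( $option_name, $already_changed ) ) {
+                        if ( ! in_array( $option_name, $already_changed ) ) {
                             update_option( $option_name, $currency_code );
                             $already_changed[] = $option_name;
@@ -681,5 +682,4 @@
                 $shipping->submit_form();
         }
-
 
         //This is for submitting shipping details to the shipping module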
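Review bot: New line 640 writes the slash-stripped array back into `$_POST['wpsc_options']` rather than a local, so every later reader of the superglobal in this request sees modified data; a local such as `$options = stripslashes_deep( $_POST['wpsc_options'] );` used for the rest of the block avoids the hidden side effect. At line 671, `in_array( $option_name, $already_changed )` should pass `true` as the third argument so the membership test is not a loose comparison. The enclosing function starts and ends outside the hunks.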
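--- a/wp-e-commerce/branches/branch-3.8/wpsc-includes/ajax.functions.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-includes/ajax.functions.php
@@ -746,5 +746,5 @@
 function wpsc_show_terms_and_conditions() {
 
-    echo wpautop( stripslashes( wp_kses_post( get_option( 'terms_and_conditions' ) ) ) );
+    echo wpautop( wp_kses_post( get_option( 'terms_and_conditions' ) ) );
     die();
 }
@@ -1074,5 +1074,5 @@
                 header( 'Content-Length: ' . filesize( $file_path ) );
                 header( 'Content-Transfer-Encoding: binary' );
-                header( 'Content-Disposition: attachment; filename="' . stripslashes( $file_name ) . '"' );
+                header( 'Content-Disposition: attachment; filename="' . $file_name . '"' );
                 if ( isset( $_SERVER["HTTPS"] ) && ($_SERVER["HTTPS"] != '') ) {
                     /*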
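Review bot: New line 1076 places `$file_name` inside the quoted `Content-Disposition` filename without any escaping, so a stored name containing `"` or `;` can terminate the filename and append header parameters; where the name comes from cannot be seen here, so if it is user-controlled, pass it through `sanitize_file_name()` and strip double quotes before building the header. PHP rejects header values containing a newline, so CRLF injection is not the concern, but the quoting is. The enclosing function starts and ends outside the hunk.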
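--- a/wp-e-commerce/branches/branch-3.8/wpsc-includes/breadcrumbs.class.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-includes/breadcrumbs.class.php
@@ -168,6 +168,6 @@
         if(!empty($query_data['product']) && !empty($wp_query->post)) {
             $this->breadcrumbs[] = array(
-                'name' => htmlentities($wp_query->post->post_title, ENT_QUOTES, 'UTF-8'),
-                'url' => '',
+                'name' => esc_html( $wp_query->post->post_title ),
+                'url'  => '',
                 'slug' => $query_data['product']
             );
@@ -189,6 +189,6 @@
         if( $term_data != false) {
             $this->breadcrumbs[] = array(
-                'name' => htmlentities( $term_data->name, ENT_QUOTES, 'UTF-8'),
-                'url' => get_term_link( $term_data->slug, 'wpsc_product_category'),
+                'name' => esc_html( $term_data->name ),
+                'url'  => get_term_link( $term_data->slug, 'wpsc_product_category'),
                 'slug' => $term_data->slug
             );
@@ -199,6 +199,6 @@
                 $term_data = get_term($term_data->parent, 'wpsc_product_category');
                 $this->breadcrumbs[] = array(
-                    'name' => htmlentities( $term_data->name, ENT_QUOTES, 'UTF-8'),
-                    'url' => get_term_link( $term_data->slug, 'wpsc_product_category')
+                    'name' => esc_html( $term_data->name ),
+                    'url'  => get_term_link( $term_data->slug, 'wpsc_product_category')
                 );
                 $i++;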
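Review bot: New lines 170, 191 and 201 escape the breadcrumb `name` when the array is built rather than when it is rendered, so whichever template prints `$this->breadcrumbs` must now not escape again or `&amp;` will show up in titles; the `url` entries from `get_term_link()` stay unescaped and should get `esc_url()` at output. Escaping at the point of output, with a docblock on the property stating whether `name` is raw or escaped text, would keep the contract clear. `get_term_link()` can also return a `WP_Error`, which this code stores as the `url` without an `is_wp_error()` check. The enclosing method starts and ends outside the hunks.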
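--- a/wp-e-commerce/branches/branch-3.8/wpsc-includes/category.functions.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-includes/category.functions.php
@@ -269,5 +269,5 @@
             $start_element = $query['description_container']['start_element'];
             $end_element = $query['description_container']['end_element'];
-            $category_description =  $start_element.wpautop(wptexturize( wp_kses(stripslashes($category_row->description), $allowedtags ))).$end_element;
+            $category_description =  $start_element.wpautop(wptexturize( wp_kses( $category_row->description, $allowedtags ))).$end_element;
         }
 
@@ -364,5 +364,5 @@
         esc_html($category_row->name),
         $category_description,
-        get_term_link($category_row->slug, 'wpsc_product_category'),
+        esc_url( get_term_link( $category_row->slug, 'wpsc_product_category' ) ),
         $category_row->term_id,
         $category_classes,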
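Review bot: New line 366 wraps `get_term_link()` in `esc_url()`, but `get_term_link()` returns a `WP_Error` object when the term cannot be resolved and `esc_url()` is not meant to receive an object; guard it first, e.g. `$link = get_term_link( $category_row->slug, 'wpsc_product_category' );` followed by `is_wp_error( $link ) ? '' : esc_url( $link )` in the argument list. At line 271 the description goes through `wp_kses()` against `$allowedtags` before `wptexturize()`/`wpautop()`, which is the right order. The enclosing functions start and end outside the hunks.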
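--- a/wp-e-commerce/branches/branch-3.8/wpsc-includes/checkout.class.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-includes/checkout.class.php
@@ -642,7 +642,7 @@
     function form_name() {
         if ( $this->form_name_is_required() && ($this->checkout_item->type != 'heading') )
-            return esc_html( stripslashes( $this->checkout_item->name ) ) . ' <span class="asterix">*</span> ';
+            return esc_html( $this->checkout_item->name ) . ' <span class="asterix">*</span> ';
         else
-            return esc_html( stripslashes( $this->checkout_item->name ) );
+            return esc_html( $this->checkout_item->name );
     }
 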
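Review bot: Both branches of `form_name()` at new lines 644 and 646 now compute `esc_html( $this->checkout_item->name )`, so a single local and one return reads cleaner: `$name = esc_html( $this->checkout_item->name );` then `return $this->form_name_is_required() && $this->checkout_item->type != 'heading' ? $name . ' <span class="asterix">*</span> ' : $name;`. A short docblock stating that the return value is HTML-ready (escaped name plus the asterisk markup) would tell template callers not to escape it a second time.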
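--- a/wp-e-commerce/branches/branch-3.8/wpsc-includes/display.functions.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-includes/display.functions.php
@@ -96,7 +96,7 @@
                 } else {
                     if ( get_option( 'product_image_width' ) != '' ) {
-                        $output .= "<img src='" . WPSC_CORE_IMAGES_URL . "/no-image-uploaded.gif' title='" . get_the_title($also_bought_data['ID']) . "' alt='" . $also_bought_data['name'] . "' width='$image_display_height' height='$image_display_height' id='product_image_" . $also_bought_data['ID'] . "' class='product_image' />";
+                        $output .= "<img src='" . WPSC_CORE_IMAGES_URL . "/no-image-uploaded.gif' title='" . esc_attr( get_the_title( $also_bought_data['ID'] ) ) . "' alt='" . esc_attr( $also_bought_data['name'] ) . "' width='$image_display_height' height='$image_display_height' id='product_image_" . $also_bought_data['ID'] . "' class='product_image' />";
                     } else {
-                        $output .= "<img src='" . WPSC_CORE_IMAGES_URL . "/no-image-uploaded.gif' title='" . get_the_title($also_bought_data['ID']) . "' alt='" . htmlentities( stripslashes( get_the_title($also_bought_data['ID']) ), ENT_QUOTES, 'UTF-8' ) . "' id='product_image_" . $also_bought_data['ID'] . "' class='product_image' />";
+                        $output .= "<img src='" . WPSC_CORE_IMAGES_URL . "/no-image-uploaded.gif' title='" . esc_attr( get_the_title( $also_bought_data['ID'] ) ) . "' alt='" . esc_attr( get_the_title( $also_bought_data['ID'] ) ) . "' id='product_image_" . $also_bought_data['ID'] . "' class='product_image' />";
                     }
                 }
@@ -367,5 +367,5 @@
 
     if ( isset( $full_product_name ) && ($full_product_name != null) )
-        $output = htmlentities( stripslashes( $full_product_name ), ENT_QUOTES, 'UTF-8' );
+        $output = esc_html(  $full_product_name );
     $seperator = ' | ';
     $seperator = apply_filters('wpsc_the_wp_title_seperator' , $seperator);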
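Review bot: New line 98 still uses `$image_display_height` for both `width='…'` and `height='…'`, which looks like a copy-and-paste slip on a line that was otherwise being cleaned up; presumably a width variable is computed earlier in the function. The `id='product_image_…'` attribute interpolates `$also_bought_data['ID']` unescaped on both lines 98 and 100; `absint( $also_bought_data['ID'] )` keeps the attribute safe without changing normal output. `$output = esc_html(  $full_product_name );` at line 369 carries a stray double space. The enclosing functions start and end outside the hunks.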
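--- a/wp-e-commerce/branches/branch-3.8/wpsc-includes/form-display.functions.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-includes/form-display.functions.php
@@ -95,5 +95,5 @@
             }
 
-            $output .= "<option $selected value='" . $option->term_id . "'>" . str_repeat( "-", $iteration ) . stripslashes( $option->name ) . "</option>\r\n";
+            $output .= "<option $selected value='" . $option->term_id . "'>" . str_repeat( "-", $iteration ) . esc_html( $option->name ) . "</option>\r\n";
             $output .= wpsc_category_options( $option->term_id, $this_category, $option->term_id, $iteration + 1, $selected_id );
             $selected = "";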
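Review bot: New line 97 escapes `$option->name` but still interpolates `$option->term_id` into `value='…'` unescaped; term ids are integers from the database, so `absint( $option->term_id )` (or `esc_attr()`) makes the attribute safe without changing output. `$selected` is interpolated directly as well, which is acceptable only because it is assigned fixed literals in this function. The enclosing function starts and ends outside the hunk.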
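--- a/wp-e-commerce/branches/branch-3.8/wpsc-includes/misc.functions.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-includes/misc.functions.php
@@ -98,4 +98,27 @@
 }
 
+/**
+ * WPSC product has variations function
+ * @since 3.7
+ * @param int product id
+ * @return bool true or false
+ */
+function wpsc_product_has_variations( $product_id ) {
+    _deprecated_function( __FUNCTION__, '3.8', 'wpsc_have_variations()' );
+    global $wpdb;
+    if ( $product_id > 0 ) {
+        $variation_count = $wpdb->get_var( "SELECT COUNT(`id`) FROM `" . WPSC_TABLE_VARIATION_ASSOC . "` WHERE `type` IN('product') AND `associated_id` IN('{$product_id}')" );
+        if ( $variation_count > 0 ) {
+            return true;
+        }
+    }
+    return false;
+}
+
+/**
+ * Deprecated function
+ *
+ * @deprecated 3.8.9
+ */
 function wpsc_post_title_seo( $title ) {
     global $wpdb, $page_id, $wp_query;
@@ -104,5 +127,5 @@
         $title = $new_title;
     }
-    return stripslashes( $title );
+    return esc_html( $title );
 }
 
@@ -771,2 +794,15 @@
 
 }
+
+/**
+ * Destroys checkout field values on logout.
+ */
+
+function wpsc_kill_user_session() {
+    unset( $_SESSION['wpsc_checkout_saved_values'] );
+}
+
+add_action( 'wp_logout', 'wpsc_kill_user_session' );
+
+?>
+>>>>>>> Fix: Improper escaping of user input. Props Justin Sainton for initial patch.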
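Review bot: New line 808 commits a merge-conflict marker, `>>>>>>> Fix: Improper escaping of user input. …`, after the `?>` added on line 807; this is a parse error in the file and must be removed (dropping the trailing `?>` too avoids stray output after the closing tag). The re-added `wpsc_product_has_variations()` at lines 106–116 interpolates `$product_id` straight into the SQL string on line 110, and `$product_id > 0` does not guarantee an integer, so the query should go through `$wpdb->prepare()` with a `%d` placeholder for `associated_id` (or cast with `absint()` first). The docblock above `wpsc_post_title_seo()` says `@deprecated 3.8.9` while the function above it reports `'3.8'` to `_deprecated_function()`, and the new `return esc_html( $title );` at line 129 changes this filter callback's output to escaped text, which any later escaping in the title pipeline will double-encode.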
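--- a/wp-e-commerce/branches/branch-3.8/wpsc-includes/processing.functions.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-includes/processing.functions.php
@@ -32,10 +32,10 @@
         $decimal_separator = '.';
     else
-        $decimal_separator = stripslashes( get_option('wpsc_decimal_separator') );
+        $decimal_separator = get_option( 'wpsc_decimal_separator' );
 
     if('' == get_option('wpsc_thousands_separator'))
         $thousands_separator = '.';
     else
-        $thousands_separator = stripslashes( get_option('wpsc_thousands_separator') );
+        $thousands_separator = get_option( 'wpsc_thousands_separator' );
 
     // Format the price for output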
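Review bot: New lines 34 and 39 drop `stripslashes()` on the stored separators, which matches the settings page now stripping slashes before saving, but values saved before this change may still carry the slashes and will from now on be used verbatim in price formatting; a one-time cleanup of the two options, or keeping `stripslashes()` on the read path for one release, would cover existing installs — worth confirming against the option write path. The comparison `'' == get_option('wpsc_thousands_separator')` on line 36 uses loose equality; `'' === get_option( … )` is the safer form. The enclosing function starts and ends outside the hunk.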
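--- a/wp-e-commerce/branches/branch-3.8/wpsc-includes/product-template.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-includes/product-template.php
@@ -1490,5 +1490,5 @@
 function wpsc_the_variation_name() {
     global $wpsc_variations;
-    return stripslashes( $wpsc_variations->variation->name );
+    return esc_html( $wpsc_variations->variation->name );
 }
 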
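Review bot: `wpsc_the_variation_name()` now returns `esc_html( … )` instead of the raw name at new line 1492, which changes the template tag's contract: a theme that places the value in an attribute or escapes it again will double-encode. Add a docblock stating that the return value is HTML-escaped text, and check theme/template callers of this tag before shipping. The same contract change is made to `wpsc_purchaselog_details_name()` in purchaselogs.class.php, where `esc_attr()` becomes `esc_html()`.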
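--- a/wp-e-commerce/branches/branch-3.8/wpsc-includes/purchaselogs.class.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-includes/purchaselogs.class.php
@@ -301,5 +301,5 @@
 function wpsc_purchaselog_details_name() {
    global $purchlogitem;
-   return esc_attr( stripslashes( $purchlogitem->purchitem->name ) );
+   return esc_html( $purchlogitem->purchitem->name );
 }
 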
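--- a/wp-e-commerce/branches/branch-3.8/wpsc-includes/shopping_cart_functions.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-includes/shopping_cart_functions.php
@@ -125,5 +125,5 @@
                 $selected = "selected='selected'";
             }
-            $output .= "<option value='" . $country['isocode'] . "' $selected>" . htmlentities( $country['country'], ENT_QUOTES, 'UTF-8' ) . "</option>\n\r";
+            $output .= "<option value='" . $country['isocode'] . "' $selected>" . esc_html( $country['country'] ) . "</option>\n\r";
         }
     }
@@ -155,5 +155,5 @@
                 $selected = "";
             }
-            $output .= "<option value='" . $region['id'] . "' $selected>" . htmlentities( $region['name'], ENT_QUOTES, 'UTF-8' ) . "</option>\n\r";
+            $output .= "<option value='" . $region['id'] . "' $selected>" . esc_html( $region['name'] ) . "</option>\n\r";
         }
         $output .= "</select>\n\r";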
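Review bot: New lines 127 and 157 escape the option text but still concatenate `$country['isocode']` and `$region['id']` into `value='…'` unescaped; `esc_attr( $country['isocode'] )` and `absint( $region['id'] )` close that gap without changing normal output. `$selected` is interpolated directly, which is fine since it is assigned fixed literals on the lines above. The enclosing functions start and end outside the hunks.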
  • wp-e-commerce/branches/branch-3.8/wpsc-merchants/library/googlerequest.php

    r343833 r586511  
    188188      if($amount!=0) { 
    189189        $postargs .= "<amount currency=\"" . $this->currency . "\">"; 
    190     $postargs .= htmlentities($amount, ENT_QUOTES, 'UTF-8')."</amount>"; 
    191       } 
    192       $postargs .= "<comment>". htmlentities($comment, ENT_QUOTES, 'UTF-8') . "</comment> 
     190    $postargs .= esc_html( $amount ) . "</amount>"; 
     191      } 
     192      $postargs .= "<comment>". esc_html( $comment ) . "</comment> 
    193193                  </refund-order>"; 
    194194      return $this->SendReq($this->request_url,  
     
    212212                  "\" google-order-number=\"". $google_order. "\"> 
    213213                  <reason>". 
    214                     (substr(htmlentities(strip_tags($reason), ENT_QUOTES, 'UTF-8'),0,GOOGLE_REASON_LENGTH)) . 
     214                    (substr(esc_html(strip_tags($reason)),0,GOOGLE_REASON_LENGTH)) . 
    215215                  "</reason> 
    216216                  <comment>". 
    217                     (substr(htmlentities(strip_tags($comment), ENT_QUOTES, 'UTF-8'),0,GOOGLE_REASON_LENGTH)) .                    
     217                    (substr(esc_html(strip_tags($comment)),0,GOOGLE_REASON_LENGTH)) .                    
    218218                  "</comment> 
    219219                  </cancel-order>"; 
     
    241241                  "\" google-order-number=\"". $google_order . "\"> 
    242242                  <tracking-data> 
    243                   <carrier>". htmlentities($carrier, ENT_QUOTES, 'UTF-8') . "</carrier> 
     243                  <carrier>". esc_html($carrier) . "</carrier> 
    244244                  <tracking-number>". $tracking_no . "</tracking-number> 
    245245                  </tracking-data> 
     
    293293                  "\" google-order-number=\"". $google_order . "\"> 
    294294                  <message>" .  
    295             (substr(htmlentities(strip_tags($message), ENT_QUOTES, 'UTF-8'),0,GOOGLE_MESSAGE_LENGTH))  
     295            (substr(esc_html(strip_tags($message)),0,GOOGLE_MESSAGE_LENGTH))  
    296296               . "</message> 
    297297                  <send-email>" . strtolower($send_mail) . "</send-email> 
     
    344344      if($carrier != "" && $tracking_no != "") { 
    345345         $postargs .= "<tracking-data> 
    346                   <carrier>". htmlentities($carrier, ENT_QUOTES, 'UTF-8') . "</carrier> 
    347             <tracking-number>". htmlentities($tracking_no, ENT_QUOTES, 'UTF-8') . "</tracking-number> 
     346                  <carrier>". esc_html($carrier) . "</carrier> 
     347            <tracking-number>". esc_html($tracking_no) . "</tracking-number> 
    348348                  </tracking-data>"; 
    349349      } 
     
    429429          foreach($item->tracking_data_list as $tracking_data) { 
    430430            $postargs .= "<tracking-data> 
    431                             <carrier>". htmlentities($tracking_data['carrier'], ENT_QUOTES, 'UTF-8') . "</carrier> 
     431                            <carrier>". esc_html($tracking_data['carrier']) . "</carrier> 
    432432                            <tracking-number>". $tracking_data['tracking-number'] . "</tracking-number> 
    433433                          </tracking-data>\n"; 
     
    506506      $postargs .= "<send-email>". strtolower($send_mail) . "</send-email> 
    507507                  <reason>". 
    508                     (substr(htmlentities(strip_tags($reason), ENT_QUOTES, 'UTF-8'),0,GOOGLE_REASON_LENGTH)) . 
     508                    (substr(esc_html(strip_tags($reason)),0,GOOGLE_REASON_LENGTH)) . 
    509509                  "</reason> 
    510510                  <comment>". 
    511                     (substr(htmlentities(strip_tags($comment), ENT_QUOTES, 'UTF-8'),0,GOOGLE_REASON_LENGTH)) .                    
     511                    (substr(esc_html(strip_tags($comment)),0,GOOGLE_REASON_LENGTH)) .                    
    512512                  "</comment> 
    513513                  </cancel-items>"; 
     
    657657        case 503: 
    658658            $this->log->LogError($response); 
    659             return array(503, htmlentities($body, ENT_QUOTES, 'UTF-8')); 
     659            return array(503, esc_html($body)); 
    660660          break; 
    661661        case 403: 
    662662            $this->log->LogError($response); 
    663             return array(403, htmlentities($body, ENT_QUOTES, 'UTF-8')); 
     663            return array(403, esc_html($body)); 
    664664          break; 
    665665        case 400: 
    666666            $this->log->LogError($response); 
    667             return array(400, htmlentities($body, ENT_QUOTES, 'UTF-8')); 
     667            return array(400, esc_html($body)); 
    668668          break; 
    669669        default: 
    670670            $this->log->LogError($response); 
    671             return array("ERR", htmlentities($body, ENT_QUOTES, 'UTF-8')); 
     671            return array("ERR", esc_html($body)); 
    672672          break; 
    673673      } 
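Review bot: `substr( esc_html( strip_tags( $reason ) ), 0, GOOGLE_REASON_LENGTH )` on lines 214, 217, 295, 508 and 511 truncates after escaping, so a cut that lands inside an entity such as `&amp;` leaves a dangling `&am` and the request XML is malformed (inherited from the `htmlentities()` version, but the commit rewrote every one of these lines). Truncate the plain text first and escape the result, `esc_html( substr( strip_tags( $reason ), 0, GOOGLE_REASON_LENGTH ) )`, bearing in mind that `substr()` is byte-wise and can also split a multibyte character, which `mb_substr()` avoids. Separately, the hunk at 243–244 escapes `$carrier` but still emits `$tracking_no` raw inside `<tracking-number>`, whereas the hunk at 346–347 escapes both; line 432 has the same gap with `$tracking_data['tracking-number']`. Note also that `esc_html()` is WordPress's HTML-context escaper and runs the `esc_html` filter; for an XML request body `htmlspecialchars( $value, ENT_QUOTES, 'UTF-8' )` matches the context more precisely, and whether Google's parser accepts the filtered output in every case is not something this hunk shows.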
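--- a/wp-e-commerce/branches/branch-3.8/wpsc-merchants/library/xml-processing/gc_xmlbuilder.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-merchants/library/xml-processing/gc_xmlbuilder.php
@@ -48,5 +48,5 @@
       $this->xml .= '<'.$element;
       foreach ($attributes as $key => $value) {
-        $this->xml .= ' '.$key.'="'.htmlentities($value, ENT_QUOTES, 'UTF-8').'"';
+        $this->xml .= ' '.$key.'="'.esc_html($value).'"';
       }
       $this->xml .= ">\n";
@@ -61,7 +61,7 @@
       $this->xml .= '<'.$element;
       foreach ($attributes as $key => $value) {
-        $this->xml .= ' '.$key.'="'.htmlentities($value, ENT_QUOTES, 'UTF-8').'"';
+        $this->xml .= ' '.$key.'="'.esc_html($value).'"';
       }
-      $this->xml .= '>'.htmlentities($content, ENT_QUOTES, 'UTF-8').'</'.$element.'>'."\n";
+      $this->xml .= '>'.esc_html($content).'</'.$element.'>'."\n";
     }
 
@@ -70,5 +70,5 @@
       $this->xml .= '<'.$element;
       foreach ($attributes as $key => $value) {
-        $this->xml .= ' '.$key.'="'.htmlentities($value, ENT_QUOTES, 'UTF-8').'"';
+        $this->xml .= ' '.$key.'="'.esc_html($value).'"';
       }
       $this->xml .= " />\n";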
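Review bot: `esc_html()` is applied to XML attribute and element values on lines 50, 63, 65 and 72, but it is WordPress's HTML-body escaper: it runs the `esc_html` filter, which any active plugin can hook, and it does not double-encode an entity that is already present, so a value containing a literal `&copy;` or `&amp;` reaches the XML document unchanged — and named HTML entities are undefined in XML. For a request body handed to Google Checkout, a plain `htmlspecialchars( $value, ENT_QUOTES, 'UTF-8' )` keeps the encoding predictable and context-correct. At minimum, document on these builder methods that attribute and content values are escaped once here and that callers must pass raw text. The methods containing these loops begin outside the hunks.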
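--- a/wp-e-commerce/branches/branch-3.8/wpsc-merchants/paypal-pro.merchant.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-merchants/paypal-pro.merchant.php
@@ -222,5 +222,5 @@
                     case 'LONGMESSAGE':
                         // Oddly, this comes with two levels of slashes, so strip them twice
-                        $error_data[$error_number]['error_message'] = htmlentities( stripslashes( stripslashes( $response_value ) ), ENT_QUOTES, 'UTF-8' );
+                        $error_data[$error_number]['error_message'] = esc_html( stripslashes( stripslashes( $response_value ) ) );
                         break;
                 }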
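Review bot: Line 224 escapes the gateway error text at the point it is stored into `$error_data`, not where it is rendered, so every later consumer has to know the value is already HTML, and one that writes it to a log, a JSON response or an e-mail gets entities instead of text. Store the unslashed raw string, `$error_data[$error_number]['error_message'] = stripslashes( stripslashes( $response_value ) );`, and apply `esc_html()` where the message is echoed. The surrounding `switch` and its function begin outside the hunk, so I cannot see those output sites.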
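--- a/wp-e-commerce/branches/branch-3.8/wpsc-merchants/testmode.merchant.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-merchants/testmode.merchant.php
@@ -50,5 +50,5 @@
 
     $output .= "<strong>".__('Enter the payment instructions that you wish to display to your customers when they make a purchase', 'wpsc').":</strong><br />\n\r";
-    $output .= "<textarea cols='40' rows='9' name='wpsc_options[payment_instructions]'>".stripslashes(get_option('payment_instructions'))."</textarea><br />\n\r";
+    $output .= "<textarea cols='40' rows='9' name='wpsc_options[payment_instructions]'>" . esc_textarea( get_option( 'payment_instructions' ) ) . "</textarea><br />\n\r";
     $output .= "<em>".__('For example, this is where you the Shop Owner might enter your bank account details or address so that your customer can make their manual payment.', 'wpsc')."</em>\n\r";
     $output .= "    </td>\n\r";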
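Review bot: Line 52 drops the `stripslashes()` that the old line applied to `get_option( 'payment_instructions' )`, which changes the rendered text for any stored value that still contains slashes, and the hunk gives no evidence of how the option is saved. Confirm that the save path unslashes before the option is written; otherwise keep `esc_textarea( stripslashes( get_option( 'payment_instructions' ) ) )`. `esc_textarea()` itself is the right escaper for this context. The function building `$output` begins outside the hunk.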
  • wp-e-commerce/branches/branch-3.8/wpsc-theme/functions/wpsc-user_log_functions.php

    r586479 r586511  
    152152            $ff_tag = $form_field['unique_name']; 
    153153        } else { 
    154             $ff_tag = htmlentities( stripslashes( strtolower( str_replace( ' ', '-', $form_field['name'] ) ) ), ENT_QUOTES, 'UTF-8' ); 
     154            $ff_tag = esc_html( strtolower( str_replace( ' ', '-', $form_field['name'] ) ) ); 
    155155        } 
    156156 
    157157        if(!empty($meta_data[$form_field['id']]) && !is_array($meta_data[$form_field['id']])) 
    158             $meta_data[$form_field['id']] = htmlentities( stripslashes( $meta_data[$form_field['id']] ), ENT_QUOTES, 'UTF-8' ); 
     158            $meta_data[$form_field['id']] = esc_html( $meta_data[$form_field['id']] ); 
    159159 
    160160        if ( $form_field['type'] == 'heading' ) { 
     
    162162    <tr> 
    163163      <td colspan='2'>\n\r"; 
    164             echo "<strong>" . apply_filters( 'wpsc_account_form_field_' . $ff_tag, $form_field['name'] ) . "</strong>"; 
     164            echo "<strong>" . apply_filters( 'wpsc_account_form_field_' . $ff_tag, esc_html( $form_field['name'] ) ) . "</strong>"; 
    165165            echo " 
    166166      </td> 
     
    193193                  <tr> 
    194194                    <td align='left'>\n\r"; 
    195                         echo apply_filters( 'wpsc_account_form_field_' . $ff_tag, $form_field['name'] ); 
     195                        echo apply_filters( 'wpsc_account_form_field_' . $ff_tag, esc_html( $form_field['name'] ) ); 
    196196                        if ( $form_field['mandatory'] == 1 ) 
    197197                        echo " *"; 
     
    636636                    // If its a heading display the Name otherwise continue on 
    637637                    if( 'heading' == $form_field['type'] ){ 
    638                         echo "  <tr><td colspan='2'>" . $form_field['name'] . ":</td></tr>"; 
     638                        echo "  <tr><td colspan='2'>" . esc_html( $form_field['name'] ) . ":</td></tr>"; 
    639639                        continue; 
    640640                    } 
     
    649649                                $country = $form_field['value']; 
    650650 
    651                              echo "  <tr><td>" . $form_field['name'] . ":</td><td>".$country ."</td></tr>"; 
     651                             echo "  <tr><td>" . esc_html( $form_field['name'] ) . ":</td><td>" . esc_html( $country ) . "</td></tr>"; 
    652652                            break; 
    653653 
     
    659659                                $state = $form_field['value']; 
    660660 
    661                              echo "  <tr><td>" . $form_field['name'] . ":</td><td>".$state ."</td></tr>"; 
     661                             echo "  <tr><td>" . esc_html( $form_field['name'] ) . ":</td><td>" . esc_html( $state ) . "</td></tr>"; 
    662662                            break; 
    663663 
    664664                        default: 
    665                             echo "  <tr><td>" . $form_field['name'] . ":</td><td>" . esc_html( $form_field['value'] ) . "</td></tr>"; 
     665                            echo "  <tr><td>" . esc_html( $form_field['name'] ) . ":</td><td>" . esc_html( $form_field['value'] ) . "</td></tr>"; 
    666666 
    667667                    } 
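Review bot: Line 154 applies `esc_html()` to `$ff_tag`, but in the visible hunks `$ff_tag` is used only as a hook-name suffix in `apply_filters( 'wpsc_account_form_field_' . $ff_tag, ... )` (lines 164 and 195), so HTML-escaping it protects no output and instead changes the hook name for any field whose name contains `&`, `'` or `"` — a filter registered against the old name silently stops matching. An identifier wants sanitising rather than escaping, e.g. `$ff_tag = sanitize_key( str_replace( ' ', '-', $form_field['name'] ) );`, noting that this too renames hooks for some field names and deserves a compatibility comment; the dropped `stripslashes()` also matters if field names are stored slashed. Lines 164 and 195 now escape before the filter runs, so whatever a callback returns is echoed as trusted HTML — acceptable if intended, but worth a one-line comment such as `// filter output is trusted HTML; the raw name is escaped before it is passed in`. The enclosing functions begin outside these hunks.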
  • wp-e-commerce/branches/branch-3.8/wpsc-theme/wpsc-cart_widget.php

    r586474 r586511  
    1919        <?php while(wpsc_have_cart_items()): wpsc_the_cart_item(); ?> 
    2020            <tr> 
    21                     <td colspan='2' class='product-name'><?php do_action ( "wpsc_before_cart_widget_item_name" ); ?><a href="<?php echo wpsc_cart_item_url(); ?>"><?php echo wpsc_cart_item_name(); ?></a><?php do_action ( "wpsc_after_cart_widget_item_name" ); ?></td> 
     21                    <td colspan='2' class='product-name'><?php do_action ( "wpsc_before_cart_widget_item_name" ); ?><a href="<?php echo esc_url( wpsc_cart_item_url() ); ?>"><?php echo wpsc_cart_item_name(); ?></a><?php do_action ( "wpsc_after_cart_widget_item_name" ); ?></td> 
    2222                    <td><?php echo wpsc_cart_item_quantity(); ?></td> 
    2323                    <td><?php echo wpsc_cart_item_price(); ?></td> 
     
    4343            <tr> 
    4444                <td id='cart-widget-links' colspan="5"> 
    45                     <a target="_parent" href="<?php echo get_option('shopping_cart_url'); ?>" title="<?php esc_attr_e('Checkout', 'wpsc'); ?>" class="gocheckout"><?php _e('Checkout', 'wpsc'); ?></a> 
     45                    <a target="_parent" href="<?php echo esc_url( get_option( 'shopping_cart_url' ) ); ?>" title="<?php esc_html_e('Checkout', 'wpsc'); ?>" class="gocheckout"><?php esc_html_e('Checkout', 'wpsc'); ?></a> 
    4646                    <form action="" method="post" class="wpsc_empty_the_cart"> 
    4747                        <input type="hidden" name="wpsc_ajax_action" value="empty_cart" /> 
    48                             <a target="_parent" href="<?php echo htmlentities(add_query_arg('wpsc_ajax_action', 'empty_cart', remove_query_arg('ajax')), ENT_QUOTES, 'UTF-8'); ?>" class="emptycart" title="<?php _e('Empty Your Cart', 'wpsc'); ?>"><?php _e('Clear cart', 'wpsc'); ?></a> 
     48                            <a target="_parent" href="<?php echo esc_url( add_query_arg( 'wpsc_ajax_action', 'empty_cart', remove_query_arg( 'ajax' ) ) ); ?>" class="emptycart" title="<?php esc_html_e('Empty Your Cart', 'wpsc'); ?>"><?php esc_html_e('Clear cart', 'wpsc'); ?></a> 
    4949                    </form> 
    5050                </td> 
     
    5656    <p class="empty"> 
    5757        <?php _e('Your shopping cart is empty', 'wpsc'); ?><br /> 
    58         <a target="_parent" href="<?php echo get_option('product_list_url'); ?>" class="visitshop" title="<?php _e('Visit Shop', 'wpsc'); ?>"><?php _e('Visit the shop', 'wpsc'); ?></a> 
     58        <a target="_parent" href="<?php echo esc_url( get_option( 'product_list_url' ) ); ?>" class="visitshop" title="<?php esc_html_e('Visit Shop', 'wpsc'); ?>"><?php esc_html_e('Visit the shop', 'wpsc'); ?></a> 
    5959    </p> 
    6060<?php endif; ?> 
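Review bot: Lines 45, 48 and 58 put `esc_html_e()` inside `title="..."` attributes, and on line 45 that replaces an `esc_attr_e()` that was already the correct attribute-context call; current WordPress produces the same bytes for both, but the context-matched function is `esc_attr_e()` and reversing it makes the template harder to audit. Use `title="<?php esc_attr_e('Checkout', 'wpsc'); ?>"` (and the same for the 'Empty Your Cart' and 'Visit Shop' titles), keeping `esc_html_e()` for the link text. `wpsc_cart_item_name()` on line 21 is still echoed raw; I cannot see whether it escapes internally.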
  • wp-e-commerce/branches/branch-3.8/wpsc-theme/wpsc-category_widget.php

    r377694 r586511  
    99    if ( $grid ) : ?> 
    1010 
    11         <a href="<?php echo $link; ?>" style="padding: 4px 4px 0 0; width:<?php echo $width; ?>px; height:<?php echo $height; ?>px;" title="<?php echo $curr_cat['name']; ?>" class="wpsc_category_grid_item"> 
     11        <a href="<?php echo esc_url( $link ); ?>" style="padding: 4px 4px 0 0; width:<?php echo $width; ?>px; height:<?php echo $height; ?>px;" title="<?php echo $curr_cat['name']; ?>" class="wpsc_category_grid_item"> 
    1212            <?php wpsc_parent_category_image( $show_thumbnails, $category_image , $width, $height, true ,$show_name); ?> 
    1313        </a> 
     
    2828                <li class="wpsc_category_<?php echo $curr_cat['term_id']; wpsc_print_category_classes($curr_cat);  ?>"> 
    2929                    <?php if(! ($category_image == WPSC_CATEGORY_URL) ){ ?> 
    30                         <a href="<?php echo $link; ?>" class="wpsc_category_image_link"><?php  
     30                        <a href="<?php echo esc_url( $link ); ?>" class="wpsc_category_image_link"><?php  
    3131                        wpsc_parent_category_image( $show_thumbnails, $category_image , $width, $height, false, $show_name ); ?></a> 
    3232                    <?php } ?> 
    3333                     
    34                     <a href="<?php echo $link; ?>"><?php echo esc_html( $curr_cat['name'] ); ?></a> 
     34                    <a href="<?php echo esc_url( $link ); ?>"><?php echo esc_html( $curr_cat['name'] ); ?></a> 
    3535 
    3636                    <ul class="wpsc_categories wpsc_second_level_categories"> 
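Review bot: Line 11 escapes `$link` but leaves `title="<?php echo $curr_cat['name']; ?>"` raw, while line 34 escapes the very same `$curr_cat['name']` with `esc_html()`, so one category name is protected in one place and not the other. Change the attribute to `title="<?php echo esc_attr( $curr_cat['name'] ); ?>"`. `$width` and `$height` in the inline `style` on the same line are also unescaped; they presumably come from integer settings, but an `(int)` cast at the echo would make that explicit.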
  • wp-e-commerce/branches/branch-3.8/wpsc-theme/wpsc-products_page.php

    r586478 r586511  
    7171                                <?php echo wpsc_the_product_title(); ?> 
    7272                            <?php else: ?> 
    73                                 <a class="wpsc_product_title" href="<?php echo wpsc_the_product_permalink(); ?>"><?php echo wpsc_the_product_title(); ?></a> 
     73                                <a class="wpsc_product_title" href="<?php echo esc_url( wpsc_the_product_permalink() ); ?>"><?php echo wpsc_the_product_title(); ?></a> 
    7474                            <?php endif; ?> 
    7575                        </h2> 
     
    7878                        <?php if(wpsc_the_product_thumbnail()) : 
    7979                        ?> 
    80                             <a rel="<?php echo wpsc_the_product_title(); ?>" class="<?php echo wpsc_the_product_image_link_classes(); ?>" href="<?php echo wpsc_the_product_image(); ?>"> 
     80                            <a rel="<?php echo wpsc_the_product_title(); ?>" class="<?php echo wpsc_the_product_image_link_classes(); ?>" href="<?php echo esc_url( wpsc_the_product_image() ); ?>"> 
    8181                                <img class="product_image" id="product_image_<?php echo wpsc_the_product_id(); ?>" alt="<?php echo wpsc_the_product_title(); ?>" title="<?php echo wpsc_the_product_title(); ?>" src="<?php echo wpsc_the_product_thumbnail(); ?>"/> 
    8282 
    8383                            </a> 
    8484                        <?php else: ?> 
    85                                 <a href="<?php echo wpsc_the_product_permalink(); ?>"> 
     85                                <a href="<?php echo esc_url( wpsc_the_product_permalink() ); ?>"> 
    8686                                <img class="no-image" id="product_image_<?php echo wpsc_the_product_id(); ?>" alt="<?php esc_attr_e( 'No Image', 'wpsc' ); ?>" title="<?php echo wpsc_the_product_title(); ?>" src="<?php echo WPSC_CORE_THEME_URL; ?>wpsc-images/noimage.png" width="<?php echo get_option('product_image_width'); ?>" height="<?php echo get_option('product_image_height'); ?>" /> 
    8787                                </a> 
     
    110110                        <?php if(wpsc_the_product_additional_description()) : ?> 
    111111                        <div class="additional_description_container"> 
    112  
    113                                 <img class="additional_description_button"  src="<?php echo WPSC_CORE_THEME_URL; ?>wpsc-images/icon_window_expand.gif" alt="<?php esc_attr_e( 'Additional Description', 'wpsc' ); ?>" /><a href="<?php echo wpsc_the_product_permalink(); ?>" class="additional_description_link"><?php _e('More Details', 'wpsc'); ?> 
     112                                <img class="additional_description_button"  src="<?php echo WPSC_CORE_THEME_URL; ?>wpsc-images/icon_window_expand.gif" alt="<?php esc_html_e( 'Additional Description', 'wpsc' ); ?>" /><a href="<?php echo esc_url( wpsc_the_product_permalink() ); ?>" class="additional_description_link"><?php esc_html_e('More Details', 'wpsc'); ?> 
    114113                            </a> 
    115114                            <div class="additional_description"> 
     
    122121                            <?php $action =  wpsc_product_external_link(wpsc_the_product_id()); ?> 
    123122                        <?php else: ?> 
    124                         <?php $action = htmlentities(wpsc_this_page_url(), ENT_QUOTES, 'UTF-8' ); ?> 
     123                        <?php $action = wpsc_this_page_url(); ?> 
    125124                        <?php endif; ?> 
    126                         <form class="product_form"  enctype="multipart/form-data" action="<?php echo $action; ?>" method="post" name="product_<?php echo wpsc_the_product_id(); ?>" id="product_<?php echo wpsc_the_product_id(); ?>" > 
     125                        <form class="product_form"  enctype="multipart/form-data" action="<?php echo esc_url( $action ); ?>" method="post" name="product_<?php echo wpsc_the_product_id(); ?>" id="product_<?php echo wpsc_the_product_id(); ?>" > 
    127126                        <?php do_action ( 'wpsc_product_form_fields_begin' ); ?> 
    128127                        <?php /** the variation group HTML and loop */?> 
     
    197196                                            <?php if(wpsc_product_external_link(wpsc_the_product_id()) != '') : ?> 
    198197                                            <?php $action = wpsc_product_external_link( wpsc_the_product_id() ); ?> 
    199                                             <input class="wpsc_buy_button" type="submit" value="<?php echo wpsc_product_external_link_text( wpsc_the_product_id(), __( 'Buy Now', 'wpsc' ) ); ?>" onclick="return gotoexternallink('<?php echo $action; ?>', '<?php echo wpsc_product_external_link_target( wpsc_the_product_id() ); ?>')"> 
     198                                            <input class="wpsc_buy_button" type="submit" value="<?php echo wpsc_product_external_link_text( wpsc_the_product_id(), __( 'Buy Now', 'wpsc' ) ); ?>" onclick="return gotoexternallink('<?php echo esc_url( $action ); ?>', '<?php echo wpsc_product_external_link_target( wpsc_the_product_id() ); ?>')"> 
    200199                                            <?php else: ?> 
    201200                                        <input type="submit" value="<?php _e('Add To Cart', 'wpsc'); ?>" name="Buy" class="wpsc_buy_button" id="product_<?php echo wpsc_the_product_id(); ?>_submit_button"/> 
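Review bot: On line 198 `esc_url( $action )` is placed inside a single-quoted JavaScript string within an `onclick` attribute, and `esc_url()` is not an escaper for that context: it keeps `'` as an HTML entity, and the browser decodes attribute entities before the script parser sees the string, so a single quote in a stored external link can still end the JS literal. Apply the JS-context escaper on top of the URL validation, `onclick="return gotoexternallink('<?php echo esc_js( esc_url( $action ) ); ?>', ...)"`, or better, put the URL in an `href` or data attribute and read it from the script. Line 172 of wpsc-single_product.php has the identical construct. Line 123 now leaves `wpsc_this_page_url()` unescaped in `$action` and relies on line 125 to escape it, which is fine at that one echo but means the variable is no longer safe to print anywhere else in the template.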
  • wp-e-commerce/branches/branch-3.8/wpsc-theme/wpsc-shopping_cart_page.php

    r586469 r586511  
    99 
    1010if(wpsc_cart_item_count() < 1) : 
    11    _e('Oops, there is nothing in your cart.', 'wpsc') . "<a href=".get_option("product_list_url").">" . __('Please visit our shop', 'wpsc') . "</a>"; 
     11   _e('Oops, there is nothing in your cart.', 'wpsc') . "<a href=" . esc_url( get_option( "product_list_url" ) ) . ">" . __('Please visit our shop', 'wpsc') . "</a>"; 
    1212   return; 
    1313endif; 
     
    4646            <div class="item_no_image"> 
    4747                <?php do_action ( "wpsc_before_checkout_cart_item_image" ); ?> 
    48                <a href="<?php echo wpsc_the_product_permalink(); ?>"> 
     48               <a href="<?php echo esc_url( wpsc_the_product_permalink() ); ?>"> 
    4949               <span><?php _e('No Image','wpsc'); ?></span> 
    5050 
     
    5757         <td class="wpsc_product_name wpsc_product_name_<?php echo wpsc_the_cart_item_key(); ?>"> 
    5858            <?php do_action ( "wpsc_before_checkout_cart_item_name" ); ?> 
    59             <a href="<?php echo wpsc_cart_item_url();?>"><?php echo wpsc_cart_item_name(); ?></a> 
     59            <a href="<?php echo esc_url( wpsc_cart_item_url() );?>"><?php echo wpsc_cart_item_name(); ?></a> 
    6060            <?php do_action ( "wpsc_after_checkout_cart_item_name" ); ?> 
    6161         </td> 
    6262 
    6363         <td class="wpsc_product_quantity wpsc_product_quantity_<?php echo wpsc_the_cart_item_key(); ?>"> 
    64             <form action="<?php echo get_option('shopping_cart_url'); ?>" method="post" class="adjustform qty"> 
     64            <form action="<?php echo esc_url( get_option( 'shopping_cart_url' ) ); ?>" method="post" class="adjustform qty"> 
    6565               <input type="text" name="quantity" size="2" value="<?php echo wpsc_cart_item_quantity(); ?>" /> 
    6666               <input type="hidden" name="key" value="<?php echo wpsc_the_cart_item_key(); ?>" /> 
     
    7575 
    7676         <td class="wpsc_product_remove wpsc_product_remove_<?php echo wpsc_the_cart_item_key(); ?>"> 
    77             <form action="<?php echo get_option('shopping_cart_url'); ?>" method="post" class="adjustform remove"> 
     77            <form action="<?php echo esc_url( get_option( 'shopping_cart_url' ) ); ?>" method="post" class="adjustform remove"> 
    7878               <input type="hidden" name="quantity" value="0" /> 
    7979               <input type="hidden" name="key" value="<?php echo wpsc_the_cart_item_key(); ?>" /> 
     
    9797         <td colspan="2"><?php _e('Enter coupon code :', 'wpsc'); ?></td> 
    9898         <td  colspan="4" class="coupon_code"> 
    99             <form  method="post" action="<?php echo get_option('shopping_cart_url'); ?>"> 
     99            <form  method="post" action="<?php echo esc_url( get_option( 'shopping_cart_url' ) ); ?>"> 
    100100               <input type="text" name="coupon_num" id="coupon_num" value="<?php echo $wpsc_cart->coupons_name; ?>" /> 
    101101               <input type="submit" value="<?php _e('Update', 'wpsc') ?>" /> 
     
    276276   </table> 
    277277 
    278     <form class='wpsc_checkout_forms' action='<?php echo get_option('shopping_cart_url'); ?>' method='post' enctype="multipart/form-data"> 
    279  
     278    <form class='wpsc_checkout_forms' action='<?php echo esc_url( get_option( 'shopping_cart_url' ) ); ?>' method='post' enctype="multipart/form-data"> 
    280279      <?php 
    281280      /** 
     
    299298                <input type="password" name="pwd" id="pwd" value="" size="20" /><br /> 
    300299 
    301                 <label><?php _e('Email:', 'wpsc'); ?></label> 
    302                 <input type="text" name="user_email" id="user_email" value="<?php echo attribute_escape(stripslashes($user_email)); ?>" size="20" /><br /> 
    303  
     300                <label><?php _e('E-mail', 'wpsc'); ?>:</label> 
     301                <input type="text" name="user_email" id="user_email" value="<?php echo esc_attr( $user_email ); ?>" size="20" /><br /> 
    304302                <div class="wpsc_signup_text"><?php _e('Signing up is free and easy! please fill out your details your registration will happen automatically as you checkout. Don\'t forget to use your details to login with next time!', 'wpsc');?></div> 
    305303            </fieldset> 
     
    485483         <tr> 
    486484            <td colspan='2'> 
    487                 <label for="agree"><input id="agree" type='checkbox' value='yes' name='agree' /> <?php printf(__("I agree to the <a class='thickbox' target='_blank' href='%s' class='termsandconds'>Terms and Conditions</a>", "wpsc"), site_url("?termsandconds=true&amp;width=360&amp;height=400")); ?> <span class="asterix">*</span></label> 
     485                <label for="agree"><input id="agree" type='checkbox' value='yes' name='agree' /> <?php printf(__("I agree to the <a class='thickbox' target='_blank' href='%s' class='termsandconds'>Terms and Conditions</a>", "wpsc"), esc_url( site_url( "?termsandconds=true&amp;width=360&amp;height=400" ) ); ?> <span class="asterix">*</span></label> 
    488486               </td> 
    489487         </tr> 
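Review bot: Line 11 concatenates the link onto the result of `_e()`, which echoes its argument and returns nothing, so the `<a href=…>` part is built and discarded and the 'Please visit our shop' link is never printed; the `href` is also unquoted. Replace the line with `printf( '%s <a href="%s">%s</a>', __('Oops, there is nothing in your cart.', 'wpsc'), esc_url( get_option( 'product_list_url' ) ), __('Please visit our shop', 'wpsc') );`. Line 301 drops `stripslashes()` around `$user_email`; if that value is taken straight from a slashed `$_POST`, a backslash will now appear in the field, so where `$user_email` is set (outside the hunk) should be checked.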
  • wp-e-commerce/branches/branch-3.8/wpsc-theme/wpsc-single_product.php

    r586418 r586511  
    3030                    <div class="imagecol"> 
    3131                        <?php if ( wpsc_the_product_thumbnail() ) : ?> 
    32                                 <a rel="<?php echo wpsc_the_product_title(); ?>" class="<?php echo wpsc_the_product_image_link_classes(); ?>" href="<?php echo wpsc_the_product_image(); ?>"> 
     32                                <a rel="<?php echo wpsc_the_product_title(); ?>" class="<?php echo wpsc_the_product_image_link_classes(); ?>" href="<?php echo esc_url( wpsc_the_product_image() ); ?>"> 
    3333                                    <img class="product_image" id="product_image_<?php echo wpsc_the_product_id(); ?>" alt="<?php echo wpsc_the_product_title(); ?>" title="<?php echo wpsc_the_product_title(); ?>" src="<?php echo wpsc_the_product_thumbnail(get_option('product_image_width'),get_option('product_image_height'),'','single'); ?>"/> 
    3434                                </a> 
     
    3838                                ?> 
    3939                        <?php else: ?> 
    40                                     <a href="<?php echo wpsc_the_product_permalink(); ?>"> 
     40                                    <a href="<?php echo esc_url( wpsc_the_product_permalink() ); ?>"> 
    4141                                    <img class="no-image" id="product_image_<?php echo wpsc_the_product_id(); ?>" alt="No Image" title="<?php echo wpsc_the_product_title(); ?>" src="<?php echo WPSC_CORE_THEME_URL; ?>wpsc-images/noimage.png" width="<?php echo get_option('product_image_width'); ?>" height="<?php echo get_option('product_image_height'); ?>" /> 
    4242                                    </a> 
     
    7474                         */ 
    7575                        ?> 
    76  
    77                         <form class="product_form" enctype="multipart/form-data" action="<?php echo wpsc_this_page_url(); ?>" method="post" name="1" id="product_<?php echo wpsc_the_product_id(); ?>"> 
     76                        <form class="product_form" enctype="multipart/form-data" action="<?php echo esc_url( wpsc_this_page_url() ); ?>" method="post" name="1" id="product_<?php echo wpsc_the_product_id(); ?>"> 
    7877                            <?php do_action ( 'wpsc_product_form_fields_begin' ); ?> 
    7978                            <?php if ( wpsc_product_has_personal_text() ) : ?> 
     
    171170                                            <?php if(wpsc_product_external_link(wpsc_the_product_id()) != '') : ?> 
    172171                                            <?php $action = wpsc_product_external_link( wpsc_the_product_id() ); ?> 
    173                                             <input class="wpsc_buy_button" type="submit" value="<?php echo wpsc_product_external_link_text( wpsc_the_product_id(), __( 'Buy Now', 'wpsc' ) ); ?>" onclick="return gotoexternallink('<?php echo $action; ?>', '<?php echo wpsc_product_external_link_target( wpsc_the_product_id() ); ?>')"> 
     172                                            <input class="wpsc_buy_button" type="submit" value="<?php echo wpsc_product_external_link_text( wpsc_the_product_id(), __( 'Buy Now', 'wpsc' ) ); ?>" onclick="return gotoexternallink('<?php echo esc_url( $action ); ?>', '<?php echo wpsc_product_external_link_target( wpsc_the_product_id() ); ?>')"> 
    174173                                            <?php else: ?> 
    175174                                        <input type="submit" value="<?php _e('Add To Cart', 'wpsc'); ?>" name="Buy" class="wpsc_buy_button" id="product_<?php echo wpsc_the_product_id(); ?>_submit_button"/> 
     
    201200                        <?php endif; ?> 
    202201                    </div><!--close productcol--> 
    203  
    204                     <form onsubmit="submitform(this);return false;" action="<?php echo wpsc_this_page_url(); ?>" method="post" name="product_<?php echo wpsc_the_product_id(); ?>" id="product_extra_<?php echo wpsc_the_product_id(); ?>"> 
     202                    <form onsubmit="submitform(this);return false;" action="<?php echo esc_url( wpsc_this_page_url() ); ?>" method="post" name="product_<?php echo wpsc_the_product_id(); ?>" id="product_extra_<?php echo wpsc_the_product_id(); ?>"> 
    205203                        <input type="hidden" value="<?php echo wpsc_the_product_id(); ?>" name="prodid"/> 
    206204                        <input type="hidden" value="<?php echo wpsc_the_product_id(); ?>" name="item"/> 
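Review bot: Lines 32–33 and 41 still echo `wpsc_the_product_title()` raw into the `rel`, `alt` and `title` attributes while the commit escapes only the `href` beside them; lines 80–81 of wpsc-products_page.php have the same pattern. I cannot see whether that template tag escapes internally, so either confirm it does and say so in a comment, or wrap each attribute use as `alt="<?php echo esc_attr( wpsc_the_product_title() ); ?>"`. The hard-coded `alt="No Image"` on line 41 is also not passed through `__()`, unlike the equivalent line in the products page template.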
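--- a/wp-e-commerce/branches/branch-3.8/wpsc-theme/wpsc-user-log.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-theme/wpsc-user-log.php
@@ -15,7 +15,7 @@
     <?php if ( is_user_logged_in() ) : ?>
         <div class="user-profile-links">
-            <a href="<?php echo get_option( 'user_account_url' ); ?>"><?php _e('Purchase History','wpsc'); ?></a> |
-            <a href="<?php echo get_option( 'user_account_url' ) . $separator . "edit_profile=true"; ?>"><?php _e('Your Details','wpsc'); ?></a> |
-            <a href="<?php echo get_option( 'user_account_url' ) . $separator . "downloads=true"; ?>"><?php _e('Your Downloads','wpsc'); ?></a>
+            <a href="<?php echo esc_url( get_option( 'user_account_url' ) ); ?>"><?php _e('Purchase History','wpsc'); ?></a> |
+            <a href="<?php echo esc_url( get_option( 'user_account_url' ) ) . $separator . "edit_profile=true"; ?>"><?php _e('Your Details','wpsc'); ?></a> |
+            <a href="<?php echo esc_url( get_option( 'user_account_url' ) ) . $separator . "downloads=true"; ?>"><?php _e('Your Downloads','wpsc'); ?></a>
             <?php do_action('wpsc_additional_user_profile_links', '|'); ?>
         </div>
@@ -70,5 +70,5 @@
                         if ( $products[$i]['downloads'] > 0 )
 
-                            echo "<a href = " . get_option('siteurl')."?downloadid=".$products[$i]['uniqueid'] . ">" . $file['post_title'] . "</a>";
+                            echo "<a href = " . esc_url( site_url() ) . "?downloadid=".$products[$i]['uniqueid'] . ">" . $file['post_title'] . "</a>";
                         else
                             echo $file['post_title'] . "";
@@ -145,5 +145,5 @@
             <?php _e( 'You must be logged in to use this page. Please use the form below to login to your account.', 'wpsc' ); ?>
 
-            <form name="loginform" id="loginform" action="<?php echo wp_login_url(); ?>" method="post">
+            <form name="loginform" id="loginform" action="<?php echo esc_url( wp_login_url() ); ?>" method="post">
                 <p>
                     <label><?php _e( 'Username:', 'wpsc' ); ?><br /><input type="text" name="log" id="log" value="" size="20" tabindex="1" /></label>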
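Review bot: On the new line 72 the `downloadid` value and the link text are still emitted unescaped, and the `href` attribute has no quotes, so `esc_url()` covers only `site_url()`; a `uniqueid` or `post_title` containing a quote, a space or an angle bracket would break out of the attribute or the element. Build the URL as a whole and escape both parts: `echo '<a href="' . esc_url( add_query_arg( 'downloadid', $products[$i]['uniqueid'], site_url() ) ) . '">' . esc_html( $file['post_title'] ) . '</a>';`, and escape the `else` branch on line 74 the same way. The same ordering appears on lines 18–19 of the first hunk, where `$separator` and the query string are appended after `esc_url()` — harmless as long as `$separator` is a fixed literal, which is assigned outside the hunk. The `if`/`else` on lines 70–74 sits inside a loop that begins outside the hunk.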
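--- a/wp-e-commerce/branches/branch-3.8/wpsc-widgets/category_widget.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-widgets/category_widget.php
@@ -174,5 +174,5 @@
         $checked = ''; ?>
 
-    <input type="checkbox" class="checkbox" id="<?php echo $fieldconfig['id']; ?>-<?php echo $category->term_id; ?>" name="<?php echo $fieldconfig['name']; ?>[<?php echo $category->term_id; ?>]" <?php echo $checked; ?>></input> <label for="<?php echo $fieldconfig['id']; ?>-<?php echo $category->term_id; ?>"><?php echo htmlentities($category->name, ENT_QUOTES, 'UTF-8' ); ?></label><br />
+    <input type="checkbox" class="checkbox" id="<?php echo esc_attr( $fieldconfig['id'] ); ?>-<?php echo esc_attr( $category->term_id ); ?>" name="<?php echo esc_attr( $fieldconfig['name'] ); ?>[<?php echo esc_attr( $category->term_id ); ?>]" <?php echo $checked; ?>></input> <label for="<?php echo esc_attr( $fieldconfig['id'] ); ?>-<?php echo esc_attr( $category->term_id ); ?>"><?php echo esc_html( $category->name ); ?></label><br />
 
 <?php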
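Review bot: The `</input>` closing tag on the new line 176 is invalid markup — `<input>` is a void element — and should be dropped or written as a self-closing `/>`. `$checked` is echoed unescaped on the same line; within this hunk it is only ever the literal `''` assigned on line 174, and the other assignment is outside the hunk, so it must remain a fixed literal such as `checked="checked"` rather than anything derived from input. `esc_attr()` on `$category->term_id` is harmless, though `(int) $category->term_id` would state the intent more directly.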
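--- a/wp-e-commerce/branches/branch-3.8/wpsc-widgets/latest_product_widget.php
+++ b/wp-e-commerce/branches/branch-3.8/wpsc-widgets/latest_product_widget.php
@@ -156,5 +156,5 @@
             }
             // Link
-            $output .= '<a href="' . wpsc_product_url( $latest_product->ID, null ) . '" class="wpsc-product-title">'.stripslashes( $latest_product->post_title ).'</a>';
+            $output .= '<a href="' . esc_url( wpsc_product_url( $latest_product->ID, null ) ) . '" class="wpsc-product-title">'.esc_html( $latest_product->post_title ).'</a>';
             $output .= '</li>';
         }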
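Review bot: The new line 158 replaces `stripslashes()` with `esc_html()`, which does not unslash, so any stored title that previously depended on slash stripping will now render its backslashes; confirm that `$latest_product->post_title` arrives from the query unslashed, and otherwise use `esc_html( stripslashes( $latest_product->post_title ) )` to keep the escaping without the regression. The block that this `$output .=` sequence belongs to begins outside the hunk.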