

Changeset 5040


Timestamp:
07/18/2013 07:16:23 AM (12 years ago)
Author:
johnjamesjacoby
Message:

More esc_url() improvements, and practice late-escaping where we were otherwise passing around escaped URL variables. See #2367.

Location:
trunk/includes
Files:
4 edited

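--- a/trunk/includes/admin/replies.php
+++ b/trunk/includes/admin/replies.php
@@ -724,5 +724,5 @@
 
         // Reply view links to topic
-        $actions['view'] = '<a href="' . bbp_get_reply_url( $reply->ID ) . '" title="' . esc_attr( sprintf( __( 'View &#8220;%s&#8221;', 'bbpress' ), bbp_get_reply_title( $reply->ID ) ) ) . '" rel="permalink">' . esc_html__( 'View', 'bbpress' ) . '</a>';
+        $actions['view'] = '<a href="' . esc_url( bbp_get_reply_url( $reply->ID ) ) . '" title="' . esc_attr( sprintf( __( 'View &#8220;%s&#8221;', 'bbpress' ), bbp_get_reply_title( $reply->ID ) ) ) . '" rel="permalink">' . esc_html__( 'View', 'bbpress' ) . '</a>';
 
         // User cannot view replies in trash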
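--- a/trunk/includes/admin/topics.php
+++ b/trunk/includes/admin/topics.php
@@ -775,5 +775,5 @@
         // Show view link if it's not set, the topic is trashed and the user can view trashed topics
         if ( empty( $actions['view'] ) && ( bbp_get_trash_status_id() === $topic->post_status ) && current_user_can( 'view_trash' ) )
-            $actions['view'] = '<a href="' . bbp_get_topic_permalink( $topic->ID ) . '" title="' . esc_attr( sprintf( __( 'View &#8220;%s&#8221;', 'bbpress' ), bbp_get_topic_title( $topic->ID ) ) ) . '" rel="permalink">' . esc_html__( 'View', 'bbpress' ) . '</a>';
+            $actions['view'] = '<a href="' . esc_url( bbp_get_topic_permalink( $topic->ID ) ) . '" title="' . esc_attr( sprintf( __( 'View &#8220;%s&#8221;', 'bbpress' ), bbp_get_topic_title( $topic->ID ) ) ) . '" rel="permalink">' . esc_html__( 'View', 'bbpress' ) . '</a>';
 
         // Only show the actions if the user is capable of viewing them :)
@@ -798,6 +798,6 @@
                     $actions['stick'] = '<a href="' . esc_url( $stick_uri ) . '" title="' . esc_attr__( 'Unstick this topic', 'bbpress' ) . '">' . esc_html__( 'Unstick', 'bbpress' ) . '</a>';
                 } else {
-                    $super_uri        = esc_url( wp_nonce_url( add_query_arg( array( 'topic_id' => $topic->ID, 'action' => 'bbp_toggle_topic_stick', 'super' => '1' ), remove_query_arg( array( 'bbp_topic_toggle_notice', 'topic_id', 'failed', 'super' ) ) ), 'stick-topic_'  . $topic->ID ) );
-                    $actions['stick'] = '<a href="' . esc_url( $stick_uri ) . '" title="' . esc_attr__( 'Stick this topic to its forum', 'bbpress' ) . '">' . esc_html__( 'Stick', 'bbpress' ) . '</a> (<a href="' . $super_uri . '" title="' . esc_attr__( 'Stick this topic to front', 'bbpress' ) . '">' . esc_html__( 'to front', 'bbpress' ) . '</a>)';
+                    $super_uri        = wp_nonce_url( add_query_arg( array( 'topic_id' => $topic->ID, 'action' => 'bbp_toggle_topic_stick', 'super' => '1' ), remove_query_arg( array( 'bbp_topic_toggle_notice', 'topic_id', 'failed', 'super' ) ) ), 'stick-topic_'  . $topic->ID );
+                    $actions['stick'] = '<a href="' . esc_url( $stick_uri ) . '" title="' . esc_attr__( 'Stick this topic to its forum', 'bbpress' ) . '">' . esc_html__( 'Stick', 'bbpress' ) . '</a> (<a href="' . esc_url( $super_uri ) . '" title="' . esc_attr__( 'Stick this topic to front', 'bbpress' ) . '">' . esc_html__( 'to front', 'bbpress' ) . '</a>)';
                 }
             }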
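Review bot: In the second hunk, the `$super_uri` built on new line 800 starts from `remove_query_arg( array( ... ) )` with no base URL, which in WordPress core falls back to the current `REQUEST_URI` if I recall it correctly, so the action link inherits every other query parameter of the request that rendered the list. `esc_url()` at output on line 801 is the right guard for the `href` attribute and is what makes that reflection safe, but the coupling is easy to lose in a later refactor; a comment on the `$super_uri` line such as `// Relative to the current request URI (remove_query_arg default): must stay wrapped in esc_url() at output` would pin it. `$stick_uri` is assigned above this hunk, outside my view, so I have not confirmed it is built the same way. The enclosing method continues on both sides of the hunk.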
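--- a/trunk/includes/common/template-tags.php
+++ b/trunk/includes/common/template-tags.php
@@ -2177,5 +2177,5 @@
             // If capable, include a link to edit the tag
             if ( current_user_can( 'manage_topic_tags' ) ) {
-                $tag_data[] = '<a href="' . bbp_get_topic_tag_edit_link() . '" class="bbp-edit-topic-tag-link">' . esc_html__( '(Edit)', 'bbpress' ) . '</a>';
+                $tag_data[] = '<a href="' . esc_url( bbp_get_topic_tag_edit_link() ) . '" class="bbp-edit-topic-tag-link">' . esc_html__( '(Edit)', 'bbpress' ) . '</a>';
             }
 
@@ -2252,5 +2252,5 @@
 
             // Add the breadcrumb
-            $crumbs[] = '<a href="' . $root_url . '" class="bbp-breadcrumb-root">' . $r['root_text'] . '</a>';
+            $crumbs[] = '<a href="' . esc_url( $root_url ) . '" class="bbp-breadcrumb-root">' . $r['root_text'] . '</a>';
         }
 
@@ -2273,20 +2273,20 @@
                     // Forum
                     case bbp_get_forum_post_type() :
-                        $crumbs[] = '<a href="' . bbp_get_forum_permalink( $parent->ID ) . '" class="bbp-breadcrumb-forum">' . bbp_get_forum_title( $parent->ID ) . '</a>';
+                        $crumbs[] = '<a href="' . esc_url( bbp_get_forum_permalink( $parent->ID ) ) . '" class="bbp-breadcrumb-forum">' . bbp_get_forum_title( $parent->ID ) . '</a>';
                         break;
 
                     // Topic
                     case bbp_get_topic_post_type() :
-                        $crumbs[] = '<a href="' . bbp_get_topic_permalink( $parent->ID ) . '" class="bbp-breadcrumb-topic">' . bbp_get_topic_title( $parent->ID ) . '</a>';
+                        $crumbs[] = '<a href="' . esc_url( bbp_get_topic_permalink( $parent->ID ) ) . '" class="bbp-breadcrumb-topic">' . bbp_get_topic_title( $parent->ID ) . '</a>';
                         break;
 
                     // Reply (Note: not in most themes)
                     case bbp_get_reply_post_type() :
-                        $crumbs[] = '<a href="' . bbp_get_reply_permalink( $parent->ID ) . '" class="bbp-breadcrumb-reply">' . bbp_get_reply_title( $parent->ID ) . '</a>';
+                        $crumbs[] = '<a href="' . esc_url( bbp_get_reply_permalink( $parent->ID ) ) . '" class="bbp-breadcrumb-reply">' . bbp_get_reply_title( $parent->ID ) . '</a>';
                         break;
 
                     // WordPress Post/Page/Other
                     default :
-                        $crumbs[] = '<a href="' . get_permalink( $parent->ID ) . '" class="bbp-breadcrumb-item">' . get_the_title( $parent->ID ) . '</a>';
+                        $crumbs[] = '<a href="' . esc_url( get_permalink( $parent->ID ) ) . '" class="bbp-breadcrumb-item">' . get_the_title( $parent->ID ) . '</a>';
                         break;
                 }
@@ -2295,9 +2295,9 @@
         // Edit topic tag
         } elseif ( bbp_is_topic_tag_edit() ) {
-            $crumbs[] = '<a href="' . get_term_link( bbp_get_topic_tag_id(), bbp_get_topic_tag_tax_id() ) . '" class="bbp-breadcrumb-topic-tag">' . sprintf( __( 'Topic Tag: %s', 'bbpress' ), bbp_get_topic_tag_name() ) . '</a>';
+            $crumbs[] = '<a href="' . esc_url( get_term_link( bbp_get_topic_tag_id(), bbp_get_topic_tag_tax_id() ) ) . '" class="bbp-breadcrumb-topic-tag">' . sprintf( __( 'Topic Tag: %s', 'bbpress' ), bbp_get_topic_tag_name() ) . '</a>';
 
         // Search
         } elseif ( bbp_is_search() && bbp_get_search_terms() ) {
-            $crumbs[] = '<a href="' . bbp_get_search_url() . '" class="bbp-breadcrumb-search">' . esc_html__( 'Search', 'bbpress' ) . '</a>';
+            $crumbs[] = '<a href="' . esc_url( bbp_get_search_url() ) . '" class="bbp-breadcrumb-search">' . esc_html__( 'Search', 'bbpress' ) . '</a>';
         }
 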
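Review bot: The breadcrumb hunk (new lines 2275–2290) now wraps each `href` in `esc_url()` but still concatenates the anchor text raw — `bbp_get_forum_title( $parent->ID )`, `bbp_get_topic_title( $parent->ID )`, `bbp_get_reply_title( $parent->ID )` and `get_the_title( $parent->ID )` — and the same holds for `bbp_get_topic_tag_name()` inside the `sprintf()` on line 2297. Whether those titles are safe to emit depends on what was filtered at save time and on the filters the getters apply, none of which this hunk shows, so by the commit's own late-escaping rule they belong in `esc_html()` at this point of output, e.g. `'" class="bbp-breadcrumb-forum">' . esc_html( bbp_get_forum_title( $parent->ID ) ) . '</a>'`. As far as I recall, `esc_html()` does not double-encode existing entities, so texturized titles containing `&#8217;` should survive, but that is worth confirming against the WordPress version bbPress targets. `$r['root_text']` on line 2254 is a caller-supplied argument that may intentionally be HTML, so that one is a matter of documenting the expectation at the args declaration rather than escaping. The enclosing function starts before and ends after these hunks.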
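--- a/trunk/includes/topics/template-tags.php
+++ b/trunk/includes/topics/template-tags.php
@@ -2543,6 +2543,6 @@
         $display = bbp_is_topic_open( $topic->ID ) ? $r['close_text'] : $r['open_text'];
         $uri     = add_query_arg( array( 'action' => 'bbp_toggle_topic_close', 'topic_id' => $topic->ID ) );
-        $uri     = esc_url( wp_nonce_url( $uri, 'close-topic_' . $topic->ID ) );
-        $retval  = $r['link_before'] . '<a href="' . $uri . '">' . $display . '</a>' . $r['link_after'];
+        $uri     = wp_nonce_url( $uri, 'close-topic_' . $topic->ID );
+        $retval  = $r['link_before'] . '<a href="' . esc_url( $uri ) . '">' . $display . '</a>' . $r['link_after'];
 
         return apply_filters( 'bbp_get_topic_close_link', $retval, $r );
@@ -2605,14 +2605,14 @@
 
         $stick_uri = add_query_arg( array( 'action' => 'bbp_toggle_topic_stick', 'topic_id' => $topic->ID ) );
-        $stick_uri = esc_url( wp_nonce_url( $stick_uri, 'stick-topic_' . $topic->ID ) );
+        $stick_uri = wp_nonce_url( $stick_uri, 'stick-topic_' . $topic->ID );
 
         $stick_display = true === $is_sticky ? $r['unstick_text'] : $r['stick_text'];
-        $stick_display = '<a href="' . $stick_uri . '">' . $stick_display . '</a>';
+        $stick_display = '<a href="' . esc_url( $stick_uri ) . '">' . $stick_display . '</a>';
 
         if ( empty( $is_sticky ) ) {
             $super_uri = add_query_arg( array( 'action' => 'bbp_toggle_topic_stick', 'topic_id' => $topic->ID, 'super' => 1 ) );
-            $super_uri = esc_url( wp_nonce_url( $super_uri, 'stick-topic_' . $topic->ID ) );
-
-            $super_display = ' (<a href="' . $super_uri . '">' . $r['super_text'] . '</a>)';
+            $super_uri = wp_nonce_url( $super_uri, 'stick-topic_' . $topic->ID );
+
+            $super_display = ' (<a href="' . esc_url( $super_uri ) . '">' . $r['super_text'] . '</a>)';
         } else {
             $super_display = '';
@@ -2671,6 +2671,6 @@
             return;
 
-        $uri    = esc_url( add_query_arg( array( 'action' => 'merge' ), bbp_get_topic_edit_url( $topic->ID ) ) );
-        $retval = $r['link_before'] . '<a href="' . $uri . '">' . $r['merge_text'] . '</a>' . $r['link_after'];
+        $uri    = add_query_arg( array( 'action' => 'merge' ), bbp_get_topic_edit_url( $topic->ID ) );
+        $retval = $r['link_before'] . '<a href="' . esc_url( $uri ) . '">' . $r['merge_text'] . '</a>' . $r['link_after'];
 
         return apply_filters( 'bbp_get_topic_merge_link', $retval, $args );
@@ -2730,6 +2730,6 @@
         $display = bbp_is_topic_spam( $topic->ID ) ? $r['unspam_text'] : $r['spam_text'];
         $uri     = add_query_arg( array( 'action' => 'bbp_toggle_topic_spam', 'topic_id' => $topic->ID ) );
-        $uri     = esc_url( wp_nonce_url( $uri, 'spam-topic_' . $topic->ID ) );
-        $retval  = $r['link_before'] . '<a href="' . $uri . '">' . $display . '</a>' . $r['link_after'];
+        $uri     = wp_nonce_url( $uri, 'spam-topic_' . $topic->ID );
+        $retval  = $r['link_before'] . '<a href="' . esc_url( $uri ) . '">' . $display . '</a>' . $r['link_after'];
 
         return apply_filters( 'bbp_get_topic_spam_link', $retval, $r );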
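Review bot: `esc_url( $uri )` on new line 2546 (and the same pattern on 2610, 2616 and 2733) is applied to the return of `wp_nonce_url()`, which in WordPress core already passes its result through `esc_html()` as far as I recall, so the `&` separators arrive as `&amp;` and `esc_url()` rewrites them to `&#038;` — correct inside an `href` attribute, but a layering that a later maintainer may "simplify" away in either direction. A short comment on one of these lines, e.g. `// wp_nonce_url() HTML-escapes its output; esc_url() at output still guards the attribute and normalises the &amp;`, would record why both belong. The link text concatenated beside it — `$display`, `$r['super_text']`, `$r['merge_text']` — remains raw; it comes from the function's `$r` args and is therefore caller-controlled rather than user input, which is acceptable only if those args are documented as pre-escaped HTML (as `link_before`/`link_after` necessarily are), and that note belongs where the defaults are declared, above these hunks. Each of these functions begins before its hunk, and the stick-link function also ends after it.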