authordonncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36>2007-03-19 13:04:29 +0000
committerdonncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36>2007-03-19 13:04:29 +0000
commite08e3e006e1482c91ed76b24291f47f872f913ff (patch)
treeeb2ddf9b5b8eb5a46e412ded50090a1ef54143ee /wp-includes/functions.php
parent98190363e52787ef578afddbdd8d927ab703b286 (diff)
WP Merge to rev 5061
git-svn-id: http://svn.automattic.com/wordpress-mu/trunk@920 7be80a69-a1ef-0310-a953-fb0f7c49ff36
Diffstat (limited to 'wp-includes/functions.php')
-rw-r--r--wp-includes/functions.php14
1 files changed, 8 insertions, 6 deletions
diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index 0cb1eed..e93bf7a 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -1019,9 +1019,11 @@ function wp_nonce_url($actionurl, $action = -1) {
return wp_specialchars(add_query_arg('_wpnonce', wp_create_nonce($action), $actionurl));
}
-function wp_nonce_field($action = -1) {
- echo '<input type="hidden" name="_wpnonce" value="' . wp_create_nonce($action) . '" />';
- wp_referer_field();
+function wp_nonce_field($action = -1, $name = "_wpnonce", $referer = true) {
+ $name = attribute_escape($name);
+ echo '<input type="hidden" name="' . $name . '" value="' . wp_create_nonce($action) . '" />';
+ if ( $referer )
+ wp_referer_field();
}
function wp_referer_field() {
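Review bot: The new `$name` and `$referer` parameters of `wp_nonce_field()` are undocumented, although both change what the form submits. A short docblock above the function should say that `$name` sets the hidden field's name (default `_wpnonce`) and that the handler must read the nonce from that same request key, and that `$referer = false` omits the field emitted by `wp_referer_field()`. The verification side is not visible in this diff, so whether it accepts a custom field name should be confirmed before callers pass one. Braces around the single-statement `if ( $referer )` would also keep a later second statement from silently falling outside the condition.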
@@ -1289,7 +1291,7 @@ function wp_nonce_ays($action) {
$adminurl = get_option('siteurl') . '/wp-admin';
if ( wp_get_referer() )
- $adminurl = attribute_escape(wp_get_referer());
+ $adminurl = clean_url(wp_get_referer());
$title = __('WordPress Confirmation');
// Remove extra layer of slashes.
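Review bot: Replacing `attribute_escape()` with `clean_url()` here, and again around `add_query_arg(...)` in the final hunk, swaps HTML-attribute escaping for URL sanitising, yet both values are later written into single-quoted `href='…'` attributes. Neither helper's body is visible in this diff, so it should be confirmed that `clean_url()` removes or encodes quote and angle-bracket characters; if it does, a comment such as `// href value: relies on clean_url() rejecting quote characters` would record the assumption next to the call. Only the referer branch is cleaned: the default `get_option('siteurl') . '/wp-admin'` reaches the same `href` unmodified, so a single `$adminurl = clean_url($adminurl);` after the `if` would cover both paths. `wp_nonce_ays()` starts and ends outside this hunk.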
@@ -1297,7 +1299,7 @@ function wp_nonce_ays($action) {
if ( $_POST ) {
$q = http_build_query($_POST);
$q = explode( ini_get('arg_separator.output'), $q);
- $html .= "\t<form method='post' action='$pagenow'>\n";
+ $html .= "\t<form method='post' action='" . attribute_escape($pagenow) . "'>\n";
foreach ( (array) $q as $a ) {
$v = substr(strstr($a, '='), 1);
$k = substr($a, 0, -(strlen($v)+1));
@@ -1306,7 +1308,7 @@ function wp_nonce_ays($action) {
$html .= "\t\t<input type='hidden' name='_wpnonce' value='" . wp_create_nonce($action) . "' />\n";
$html .= "\t\t<div id='message' class='confirm fade'>\n\t\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t\t<p><a href='$adminurl'>" . __('No') . "</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t\t</div>\n\t</form>\n";
} else {
- $html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . attribute_escape(add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] )) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
+ $html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . clean_url(add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] )) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
}
$html .= "</body>\n</html>";
wp_die($html, $title);
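Review bot: The "Yes" link is built from `$_SERVER['REQUEST_URI']`, which is a host-relative path, and it now passes through `clean_url()` instead of `attribute_escape()`. `clean_url()` is not shown in this diff, so it is worth checking that it leaves a path such as `/wp-admin/…?…` intact instead of treating it as scheme-less and rewriting it, and that it does not return an empty string for it; either outcome would leave the confirmation link pointing somewhere other than the original request. A comment on this line stating that the input is relative, for example `// REQUEST_URI is host-relative; clean_url() must preserve it`, would make that dependency explicit. The function body begins before this hunk.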