authordonncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36>2007-03-19 13:04:29 +0000
committerdonncha <donncha@7be80a69-a1ef-0310-a953-fb0f7c49ff36>2007-03-19 13:04:29 +0000
commite08e3e006e1482c91ed76b24291f47f872f913ff (patch)
treeeb2ddf9b5b8eb5a46e412ded50090a1ef54143ee /wp-includes
parent98190363e52787ef578afddbdd8d927ab703b286 (diff)
downloadwordpress-mu-e08e3e006e1482c91ed76b24291f47f872f913ff.tar.gz
wordpress-mu-e08e3e006e1482c91ed76b24291f47f872f913ff.tar.xz
wordpress-mu-e08e3e006e1482c91ed76b24291f47f872f913ff.zip
WP Merge to rev 5061
git-svn-id: http://svn.automattic.com/wordpress-mu/trunk@920 7be80a69-a1ef-0310-a953-fb0f7c49ff36
Diffstat (limited to 'wp-includes')
-rw-r--r--wp-includes/bookmark-template.php4
-rw-r--r--wp-includes/classes.php2
-rw-r--r--wp-includes/comment-template.php6
-rw-r--r--wp-includes/comment.php2
-rw-r--r--wp-includes/default-filters.php2
-rw-r--r--wp-includes/functions.php14
-rw-r--r--wp-includes/general-template.php9
-rw-r--r--wp-includes/link-template.php18
-rw-r--r--wp-includes/post-template.php2
-rw-r--r--wp-includes/script-loader.php2
-rw-r--r--wp-includes/user.php1
11 files changed, 40 insertions, 22 deletions
diff --git a/wp-includes/bookmark-template.php b/wp-includes/bookmark-template.php
index 65e38aa..4249f7f 100644
--- a/wp-includes/bookmark-template.php
+++ b/wp-includes/bookmark-template.php
@@ -96,7 +96,7 @@ function get_links($category = -1,
$output .= get_option('links_recently_updated_prepend');
$the_link = '#';
if ( !empty($row->link_url) )
- $the_link = wp_specialchars($row->link_url);
+ $the_link = clean_url($row->link_url);
$rel = $row->link_rel;
if ( '' != $rel )
$rel = ' rel="' . $rel . '"';
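Review bot: `$rel` is taken straight from `$row->link_rel` and spliced into `rel="…"` at the end of this hunk without any attribute escaping, even though the adjacent `link_url` now goes through `clean_url()`. If `link_rel` is ever editable by a lower-privileged role (not visible here), a stray `"` closes the attribute; `$rel = ' rel="' . attribute_escape($rel) . '"';` closes that gap at no cost. The same pattern is repeated in the `_walk_bookmarks` hunk immediately below (`$bookmark->link_rel`). `get_links` begins before this hunk.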
@@ -260,7 +260,7 @@ function _walk_bookmarks($bookmarks, $args = '' ) {
$the_link = '#';
if ( !empty($bookmark->link_url) )
- $the_link = wp_specialchars($bookmark->link_url);
+ $the_link = clean_url($bookmark->link_url);
$rel = $bookmark->link_rel;
if ( '' != $rel )
diff --git a/wp-includes/classes.php b/wp-includes/classes.php
index dd387d3..6bdfb2e 100644
--- a/wp-includes/classes.php
+++ b/wp-includes/classes.php
@@ -149,7 +149,7 @@ class WP {
elseif (!empty($perma_query_vars[$wpvar]))
$this->query_vars[$wpvar] = $perma_query_vars[$wpvar];
- if( empty( $this->query_vars[$wpvar] ) == false )
+ if ( !empty( $this->query_vars[$wpvar] ) )
$this->query_vars[$wpvar] = (string) $this->query_vars[$wpvar];
}
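Review bot: The `(string)` cast after the rewritten `!empty()` check is what keeps `query_vars` scalar, but casting an array yields the literal string `Array` (plus a notice) instead of rejecting the value; if the branches above this hunk read from `$_GET`/`$_POST`, a request such as `?var[]=x` would arrive as `"Array"`. A guard like `if ( isset( $this->query_vars[$wpvar] ) && is_array( $this->query_vars[$wpvar] ) ) unset( $this->query_vars[$wpvar] );` ahead of the cast makes the intent explicit. The enclosing method of `class WP` starts and ends outside the hunk.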
diff --git a/wp-includes/comment-template.php b/wp-includes/comment-template.php
index ba7c0cb..6ab6bc3 100644
--- a/wp-includes/comment-template.php
+++ b/wp-includes/comment-template.php
@@ -271,6 +271,12 @@ function pings_open() {
return false;
}
+function wp_comment_form_unfiltered_html_nonce() {
+ global $post;
+ if ( current_user_can('unfiltered_html') )
+ wp_nonce_field('unfiltered-html-comment_' . $post->ID, '_wp_unfiltered_html_comment', false);
+}
+
function comments_template( $file = '/comments.php' ) {
global $wp_query, $withcomments, $post, $wpdb, $id, $comment, $user_login, $user_ID, $user_identity;
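Review bot: The new `wp_comment_form_unfiltered_html_nonce()` dereferences `$post->ID` without checking that the global is populated, and since it is hooked to the `comment_form` action (see the default-filters hunk) it runs wherever a theme fires that hook, not only inside the loop. `if ( !empty($post->ID) && current_user_can('unfiltered_html') )` avoids emitting a nonce bound to post 0 when `$post` is unset. The function also has no doc comment; the verifying side is not in this diff, so a short comment stating that the action string `'unfiltered-html-comment_' . $post->ID` and the field name `_wp_unfiltered_html_comment` must be matched exactly by whatever checks the submitted comment would help the next reader.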
diff --git a/wp-includes/comment.php b/wp-includes/comment.php
index 19218a7..7ed9d9c 100644
--- a/wp-includes/comment.php
+++ b/wp-includes/comment.php
@@ -169,7 +169,7 @@ function sanitize_comment_cookies() {
if ( isset($_COOKIE['comment_author_url_'.COOKIEHASH]) ) {
$comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
$comment_author_url = stripslashes($comment_author_url);
- $comment_author_url = attribute_escape($comment_author_url);
+ $comment_author_url = clean_url($comment_author_url);
$_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url;
}
}
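Review bot: The `clean_url()` result is written back into `$_COOKIE['comment_author_url_'.COOKIEHASH]`, so every later reader of that superglobal receives a value already escaped for output rather than the raw cookie, and nothing in the function says so. A comment on the assignment line would prevent a future double-escape or a consumer treating it as raw input: `// Overwrites the superglobal: downstream readers get the clean_url()-escaped value, not the raw cookie.` `sanitize_comment_cookies` begins before this hunk.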
diff --git a/wp-includes/default-filters.php b/wp-includes/default-filters.php
index a02ae05..35cd104 100644
--- a/wp-includes/default-filters.php
+++ b/wp-includes/default-filters.php
@@ -31,6 +31,8 @@ add_filter('pre_comment_author_name', 'wp_filter_kses');
add_filter('pre_comment_author_email', 'wp_filter_kses');
add_filter('pre_comment_author_url', 'wp_filter_kses');
+add_action('comment_form', 'wp_comment_form_unfiltered_html_nonce');
+
// Default filters for these functions
add_filter('comment_author', 'wptexturize');
add_filter('comment_author', 'convert_chars');
diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index 0cb1eed..e93bf7a 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -1019,9 +1019,11 @@ function wp_nonce_url($actionurl, $action = -1) {
return wp_specialchars(add_query_arg('_wpnonce', wp_create_nonce($action), $actionurl));
}
-function wp_nonce_field($action = -1) {
- echo '<input type="hidden" name="_wpnonce" value="' . wp_create_nonce($action) . '" />';
- wp_referer_field();
+function wp_nonce_field($action = -1, $name = "_wpnonce", $referer = true) {
+ $name = attribute_escape($name);
+ echo '<input type="hidden" name="' . $name . '" value="' . wp_create_nonce($action) . '" />';
+ if ( $referer )
+ wp_referer_field();
}
function wp_referer_field() {
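Review bot: `wp_nonce_field()` gains `$name` and `$referer` with no documentation, and the new default `"_wpnonce"` uses double quotes where the surrounding code uses single quotes. A docblock should state that `$name` is the hidden field's name and that a caller which overrides it (as the comment-template hunk does with `_wp_unfiltered_html_comment`) must read that same field when verifying, since the default verification helpers presumably look for `_wpnonce`; `$referer` controls whether `wp_referer_field()` is appended. It is also worth noting on the echo line that only `$name` is escaped because `wp_create_nonce()` is expected to return a hash fragment, so that assumption is visible if the nonce format ever changes.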
@@ -1289,7 +1291,7 @@ function wp_nonce_ays($action) {
$adminurl = get_option('siteurl') . '/wp-admin';
if ( wp_get_referer() )
- $adminurl = attribute_escape(wp_get_referer());
+ $adminurl = clean_url(wp_get_referer());
$title = __('WordPress Confirmation');
// Remove extra layer of slashes.
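Review bot: `$adminurl` now comes from the Referer header via `clean_url(wp_get_referer())` and, in the hunk further down, is interpolated into a single-quoted attribute `href='$adminurl'`; `attribute_escape()` neutralised `'` by definition, whereas whether `clean_url()` does is not visible on this page and should be confirmed before relying on it in that context. If it does not, either keep `attribute_escape()` around the cleaned value (`$adminurl = attribute_escape(clean_url(wp_get_referer()));`) or switch the attribute to double quotes. The same single-quoted `href='…'` plus `clean_url()` combination appears in the three `paginate_links` hunks in general-template.php. `wp_nonce_ays` begins before this hunk.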
@@ -1297,7 +1299,7 @@ function wp_nonce_ays($action) {
if ( $_POST ) {
$q = http_build_query($_POST);
$q = explode( ini_get('arg_separator.output'), $q);
- $html .= "\t<form method='post' action='$pagenow'>\n";
+ $html .= "\t<form method='post' action='" . attribute_escape($pagenow) . "'>\n";
foreach ( (array) $q as $a ) {
$v = substr(strstr($a, '='), 1);
$k = substr($a, 0, -(strlen($v)+1));
@@ -1306,7 +1308,7 @@ function wp_nonce_ays($action) {
$html .= "\t\t<input type='hidden' name='_wpnonce' value='" . wp_create_nonce($action) . "' />\n";
$html .= "\t\t<div id='message' class='confirm fade'>\n\t\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t\t<p><a href='$adminurl'>" . __('No') . "</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t\t</div>\n\t</form>\n";
} else {
- $html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . attribute_escape(add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] )) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
+ $html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . clean_url(add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] )) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
}
$html .= "</body>\n</html>";
wp_die($html, $title);
diff --git a/wp-includes/general-template.php b/wp-includes/general-template.php
index d320d67..37d80d6 100644
--- a/wp-includes/general-template.php
+++ b/wp-includes/general-template.php
@@ -297,6 +297,7 @@ function single_month_title($prefix = '', $display = true ) {
function get_archives_link($url, $text, $format = 'html', $before = '', $after = '') {
$text = wptexturize($text);
$title_text = attribute_escape($text);
+ $url = clean_url($url);
if ('link' == $format)
return "\t<link rel='archives' title='$title_text' href='$url' />\n";
@@ -415,7 +416,7 @@ function wp_get_archives($args = '') {
}
} elseif ( ( 'postbypost' == $type ) || ('alpha' == $type) ) {
('alpha' == $type) ? $orderby = "post_title ASC " : $orderby = "post_date DESC ";
- $arcresults = $wpdb->get_results("SELECT * FROM $wpdb->posts $join $where $orderby $limit");
+ $arcresults = $wpdb->get_results("SELECT * FROM $wpdb->posts $join $where ORDER BY $orderby $limit");
if ( $arcresults ) {
foreach ( $arcresults as $arcresult ) {
if ( $arcresult->post_date != '0000-00-00 00:00:00' ) {
@@ -986,7 +987,7 @@ function paginate_links( $arg = '' ) {
$link = str_replace('%#%', $current - 1, $link);
if ( $add_args )
$link = add_query_arg( $add_args, $link );
- $page_links[] = "<a class='prev page-numbers' href='" . attribute_escape($link) . "'>$prev_text</a>";
+ $page_links[] = "<a class='prev page-numbers' href='" . clean_url($link) . "'>$prev_text</a>";
endif;
for ( $n = 1; $n <= $total; $n++ ) :
if ( $n == $current ) :
@@ -998,7 +999,7 @@ function paginate_links( $arg = '' ) {
$link = str_replace('%#%', $n, $link);
if ( $add_args )
$link = add_query_arg( $add_args, $link );
- $page_links[] = "<a class='page-numbers' href='" . attribute_escape($link) . "'>$n</a>";
+ $page_links[] = "<a class='page-numbers' href='" . clean_url($link) . "'>$n</a>";
$dots = true;
elseif ( $dots && !$show_all ) :
$page_links[] = "<span class='page-numbers dots'>...</span>";
@@ -1011,7 +1012,7 @@ function paginate_links( $arg = '' ) {
$link = str_replace('%#%', $current + 1, $link);
if ( $add_args )
$link = add_query_arg( $add_args, $link );
- $page_links[] = "<a class='next page-numbers' href='" . attribute_escape($link) . "'>$next_text</a>";
+ $page_links[] = "<a class='next page-numbers' href='" . clean_url($link) . "'>$next_text</a>";
endif;
switch ( $type ) :
case 'array' :
diff --git a/wp-includes/link-template.php b/wp-includes/link-template.php
index 10de62a..7905311 100644
--- a/wp-includes/link-template.php
+++ b/wp-includes/link-template.php
@@ -422,7 +422,7 @@ function next_post_link($format='%link &raquo;', $link='%title', $in_same_cat =
function get_pagenum_link($pagenum = 1) {
global $wp_rewrite;
- $qstr = wp_specialchars($_SERVER['REQUEST_URI']);
+ $qstr = $_SERVER['REQUEST_URI'];
$page_querystring = "paged";
$page_modstring = "page/";
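Review bot: Dropping `wp_specialchars()` here means `get_pagenum_link()` now returns a URL built from raw `$_SERVER['REQUEST_URI']`, shifting the escaping duty to every caller; the new `next_posts()`/`previous_posts()` wrappers do apply `clean_url()`, but `next_posts_link()` (its body is not touched by this diff) and any other existing caller need the same treatment or they regress. A one-line contract comment above the function would make the change safe to maintain: `// Returns an unescaped URL derived from REQUEST_URI; callers must escape (clean_url/attribute_escape) before output.` `get_pagenum_link` continues past the end of the hunk.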
@@ -490,7 +490,7 @@ function get_pagenum_link($pagenum = 1) {
return $qstr;
}
-function next_posts($max_page = 0) { // original by cfactor at cooltux.org
+function get_next_posts_page_link($max_page = 0) {
global $paged, $pagenow;
if ( !is_single() ) {
@@ -498,10 +498,14 @@ function next_posts($max_page = 0) { // original by cfactor at cooltux.org
$paged = 1;
$nextpage = intval($paged) + 1;
if ( !$max_page || $max_page >= $nextpage )
- echo get_pagenum_link($nextpage);
+ return get_pagenum_link($nextpage);
}
}
+function next_posts($max_page = 0) {
+ echo clean_url(get_next_posts_page_link($max_page));
+}
+
function next_posts_link($label='Next Page &raquo;', $max_page=0) {
global $paged, $wpdb, $wp_query;
if ( !$max_page ) {
@@ -517,18 +521,20 @@ function next_posts_link($label='Next Page &raquo;', $max_page=0) {
}
}
-
-function previous_posts() { // original by cfactor at cooltux.org
+function get_previous_posts_page_link() {
global $paged, $pagenow;
if ( !is_single() ) {
$nextpage = intval($paged) - 1;
if ( $nextpage < 1 )
$nextpage = 1;
- echo get_pagenum_link($nextpage);
+ return get_pagenum_link($nextpage);
}
}
+function previous_posts() {
+ echo clean_url(get_previous_posts_page_link());
+}
function previous_posts_link($label='&laquo; Previous Page') {
global $paged;
diff --git a/wp-includes/post-template.php b/wp-includes/post-template.php
index 3b1ca35..94d2876 100644
--- a/wp-includes/post-template.php
+++ b/wp-includes/post-template.php
@@ -281,7 +281,7 @@ function wp_list_pages($args = '') {
parse_str($args, $r);
$defaults = array('depth' => 0, 'show_date' => '', 'date_format' => get_option('date_format'),
- 'child_of' => 0, 'exclude' => '', 'title_li' => __('Pages'), 'echo' => 1, 'authors' => '');
+ 'child_of' => 0, 'exclude' => '', 'title_li' => __('Pages'), 'echo' => 1, 'authors' => '', 'sort_column' => 'menu_order, post_title');
$r = array_merge($defaults, $r);
$output = '';
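Review bot: The new `'sort_column'` default sits in an argument array that is also populated from `parse_str($args, $r)`, so a caller-supplied string reaches it unchanged; if that value is spliced into the query's ORDER BY clause further down (the query is not in this hunk), it should be validated against a fixed list of post columns before use rather than interpolated as-is. A comment on the defaults line recording the expected format, e.g. `// sort_column: comma-separated post-table column names; validate before using in SQL`, would at least make the contract explicit. `wp_list_pages` starts before and continues after this hunk.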
diff --git a/wp-includes/script-loader.php b/wp-includes/script-loader.php
index a763315..cd3dfbc 100644
--- a/wp-includes/script-loader.php
+++ b/wp-includes/script-loader.php
@@ -150,7 +150,7 @@ class WP_Scripts {
$ver .= '&amp;' . $this->args[$handle];
$src = 0 === strpos($this->scripts[$handle]->src, 'http://') ? $this->scripts[$handle]->src : get_option( 'siteurl' ) . $this->scripts[$handle]->src;
$src = add_query_arg('ver', $ver, $src);
- $src = attribute_escape(apply_filters( 'script_loader_src', $src ));
+ $src = clean_url(apply_filters( 'script_loader_src', $src ));
echo "<script type='text/javascript' src='$src'></script>\n";
$this->print_scripts_l10n( $handle );
}
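Review bot: The context line above the changed one decides whether `$src` is absolute by testing only `0 === strpos(..., 'http://')`, so an `https://` (or protocol-relative) script source gets the site URL prepended and produces a broken `siteurl + https://…` path before `clean_url()` ever sees it. Replacing the test with `preg_match('|^https?://|i', $this->scripts[$handle]->src)` keeps the intent and covers both schemes. The enclosing `WP_Scripts` method starts and ends outside the hunk.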
diff --git a/wp-includes/user.php b/wp-includes/user.php
index 00b58d2..281483f 100644
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@@ -9,6 +9,7 @@ function get_profile($field, $user = false) {
function get_usernumposts($userid) {
global $wpdb;
+ $userid = (int) $userid;
return $wpdb->get_var("SELECT COUNT(*) FROM $wpdb->posts WHERE post_author = '$userid' AND post_type = 'post' AND post_status = 'publish'");
}