Diffstat (limited to 'wp-inst/wp-admin')
-rw-r--r--wp-inst/wp-admin/admin-functions.php19
-rw-r--r--wp-inst/wp-admin/admin.php2
-rw-r--r--wp-inst/wp-admin/moderation.php2
-rw-r--r--wp-inst/wp-admin/post-new.php6
-rw-r--r--wp-inst/wp-admin/post.php9
-rw-r--r--wp-inst/wp-admin/user-edit.php2
6 files changed, 27 insertions, 13 deletions
diff --git a/wp-inst/wp-admin/admin-functions.php b/wp-inst/wp-admin/admin-functions.php
index aabf77e..b33f94e 100644
--- a/wp-inst/wp-admin/admin-functions.php
+++ b/wp-inst/wp-admin/admin-functions.php
@@ -105,12 +105,12 @@ function relocate_children($old_ID, $new_ID) {
function fix_attachment_links($post_ID) {
global $wp_rewrite;
- $post = & get_post($post_ID);
+ $post = & get_post($post_ID, ARRAY_A);
$search = "#<a[^>]+rel=('|\")[^'\"]*attachment[^>]*>#ie";
// See if we have any rel="attachment" links
- if ( 0 == preg_match_all($search, $post->post_content, $anchor_matches, PREG_PATTERN_ORDER) )
+ if ( 0 == preg_match_all($search, $post['post_content'], $anchor_matches, PREG_PATTERN_ORDER) )
return;
$i = 0;
@@ -122,9 +122,11 @@ function fix_attachment_links($post_ID) {
$id = $id_matches[2];
// While we have the attachment ID, let's adopt any orphans.
- $attachment = & get_post($id);
- if ( ! is_object(get_post($attachment->post_parent)) ) {
- $attachment->post_parent = $post_ID;
+ $attachment = & get_post($id, ARRAY_A);
+ if ( ! empty($attachment) && ! is_object(get_post($attachment['post_parent'])) ) {
+ $attachment['post_parent'] = $post_ID;
+ // Escape data pulled from DB.
+ $attachment = add_magic_quotes($attachment);
wp_update_post($attachment);
}
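Review bot: `$id` on the context line above the changed `get_post($id, ARRAY_A)` call is a regex capture taken from post content, not a validated integer; unless get_post() casts internally (not visible here), cast it at the call site, `$attachment = & get_post((int) $id, ARRAY_A);`, and the same applies to `$attachment['post_parent']` handed to the inner get_post(). The new `! empty($attachment)` guard is the right addition, but `$attachment` is bound by reference to get_post()'s return, so the added `$attachment = add_magic_quotes($attachment);` writes through that reference into whatever get_post() handed back — harmless if that is a per-call copy, worth confirming against get_post(). The same escape-then-wp_update_post pattern is added for `$post` in the next hunk. The loop in fix_attachment_links starts before this hunk.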
@@ -133,7 +135,10 @@ function fix_attachment_links($post_ID) {
++$i;
}
- $post->post_content = str_replace($post_search, $post_replace, $post->post_content);
+ $post['post_content'] = str_replace($post_search, $post_replace, $post['post_content']);
+
+ // Escape data pulled from DB.
+ $post = add_magic_quotes($post);
return wp_update_post($post);
}
@@ -491,6 +496,8 @@ function get_default_link_to_edit() {
else
$link->link_name = '';
+ $link->link_visible = 'Y';
+
return $link;
}
diff --git a/wp-inst/wp-admin/admin.php b/wp-inst/wp-admin/admin.php
index 37894ca..4cedbbe 100644
--- a/wp-inst/wp-admin/admin.php
+++ b/wp-inst/wp-admin/admin.php
@@ -61,7 +61,7 @@ if (isset($_GET['page'])) {
}
if (! file_exists(ABSPATH . "wp-content/plugins/$plugin_page") && ! file_exists(ABSPATH . "wp-content/mu-plugins/$plugin_page"))
- die(sprintf(__('Cannot load %s.'), $plugin_page));
+ die(sprintf(__('Cannot load %s.'), htmlentities($plugin_page)));
if (! isset($_GET['noheader']))
require_once(ABSPATH . '/wp-admin/admin-header.php');
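Review bot: `htmlentities($plugin_page)` on the die() line relies on the default quote handling and charset; `htmlentities($plugin_page, ENT_QUOTES)` (or the codebase's own wp_specialchars()) also covers the single-quote case and keeps the message safe if this error text is ever placed inside an attribute. The escaping only affects the message: `$plugin_page` is still concatenated unchanged into the two file_exists() paths on the line above, so if the lines before this hunk (it opens inside the `if (isset($_GET['page']))` block) do not already normalise it — e.g. via plugin_basename() — a value containing `..` segments still passes the existence check; worth confirming that normalisation is in place. The enclosing block starts before this hunk.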
diff --git a/wp-inst/wp-admin/moderation.php b/wp-inst/wp-admin/moderation.php
index 9166536..c684f6e 100644
--- a/wp-inst/wp-admin/moderation.php
+++ b/wp-inst/wp-admin/moderation.php
@@ -145,7 +145,7 @@ $i = 0;
<p><strong><?php _e('Name:') ?></strong> <?php comment_author_link() ?> <?php if ($comment->comment_author_email) { ?>| <strong><?php _e('E-mail:') ?></strong> <?php comment_author_email_link() ?> <?php } if ($comment->comment_author_url && 'http://' != $comment->comment_author_url) { ?> | <strong><?php _e('URI:') ?></strong> <?php comment_author_url_link() ?> <?php } ?>| <strong><?php _e('IP:') ?></strong> <a href="http://ws.arin.net/cgi-bin/whois.pl?queryinput=<?php comment_author_IP() ?>"><?php comment_author_IP() ?></a> | <strong><?php _e('Date:') ?></strong> <?php comment_date(); ?></p>
<?php comment_text() ?>
<p><?php
-echo '<a href="post.php?action=editcomment&amp;comment='.$comment->comment_ID.'">' . __('Edit') . '</a> | ';?>
+echo '<a href="comment.php?action=editcomment&amp;comment='.$comment->comment_ID.'">' . __('Edit') . '</a> | ';?>
<a href="<?php echo get_permalink($comment->comment_post_ID); ?>"><?php _e('View Post') ?></a> |
<?php
echo " <a href=\"post.php?action=deletecomment&amp;p=".$comment->comment_post_ID."&amp;comment=".$comment->comment_ID."\" onclick=\"return deleteSomething( 'comment', $comment->comment_ID, '" . sprintf(__("You are about to delete this comment by &quot;%s&quot;.\\n&quot;Cancel&quot; to stop, &quot;OK&quot; to delete."), wp_specialchars($comment->comment_author, 1)) . "' );\">" . __('Delete just this comment') . "</a> | "; ?> <?php _e('Bulk action:') ?>
diff --git a/wp-inst/wp-admin/post-new.php b/wp-inst/wp-admin/post-new.php
index b0dc1b6..76713cd 100644
--- a/wp-inst/wp-admin/post-new.php
+++ b/wp-inst/wp-admin/post-new.php
@@ -58,11 +58,11 @@ include('edit-form-advanced.php');
<?php
if ($is_NS4 || $is_gecko) {
?>
-<a href="javascript:if(navigator.userAgent.indexOf('Safari') >= 0){Q=getSelection();}else{Q=document.selection?document.selection.createRange().text:document.getSelection();}location.href='<?php echo get_settings('siteurl') ?>/wp-admin/post.php?text='+encodeURIComponent(Q)+'&amp;popupurl='+encodeURIComponent(location.href)+'&amp;popuptitle='+encodeURIComponent(document.title);"><?php printf(__('Press It - %s'), wp_specialchars(get_settings('blogname'))); ?></a>
+<a href="javascript:if(navigator.userAgent.indexOf('Safari') >= 0){Q=getSelection();}else{Q=document.selection?document.selection.createRange().text:document.getSelection();}location.href='<?php echo get_settings('siteurl') ?>/wp-admin/post-new.php?text='+encodeURIComponent(Q)+'&amp;popupurl='+encodeURIComponent(location.href)+'&amp;popuptitle='+encodeURIComponent(document.title);"><?php printf(__('Press It - %s'), wp_specialchars(get_settings('blogname'))); ?></a>
<?php
} else if ($is_winIE) {
?>
-<a href="javascript:Q='';if(top.frames.length==0)Q=document.selection.createRange().text;location.href='<?php echo get_settings('siteurl') ?>/wp-admin/post.php?text='+encodeURIComponent(Q)+'&amp;popupurl='+encodeURIComponent(location.href)+'&amp;popuptitle='+encodeURIComponent(document.title);"><?php printf(__('Press it - %s'), get_settings('blogname')); ?></a>
+<a href="javascript:Q='';if(top.frames.length==0)Q=document.selection.createRange().text;location.href='<?php echo get_settings('siteurl') ?>/wp-admin/post-new.php?text='+encodeURIComponent(Q)+'&amp;popupurl='+encodeURIComponent(location.href)+'&amp;popuptitle='+encodeURIComponent(document.title);"><?php printf(__('Press it - %s'), get_settings('blogname')); ?></a>
<script type="text/javascript">
<!--
function oneclickbookmarklet(blah) {
@@ -77,7 +77,7 @@ window.open ("profile.php?action=IErightclick", "oneclickbookmarklet", "width=50
<?php
} else if ($is_opera) {
?>
-<a href="javascript:location.href='<?php echo get_settings('siteurl'); ?>/wp-admin/post.php?popupurl='+escape(location.href)+'&popuptitle='+escape(document.title);"><?php printf(__('Press it - %s'), get_settings('blogname')); ?></a>
+<a href="javascript:location.href='<?php echo get_settings('siteurl'); ?>/wp-admin/post-new.php?popupurl='+escape(location.href)+'&popuptitle='+escape(document.title);"><?php printf(__('Press it - %s'), get_settings('blogname')); ?></a>
<?php
} else if ($is_macIE) {
?>
diff --git a/wp-inst/wp-admin/post.php b/wp-inst/wp-admin/post.php
index 9139584..0ea17be 100644
--- a/wp-inst/wp-admin/post.php
+++ b/wp-inst/wp-admin/post.php
@@ -23,7 +23,8 @@ $action = "delete";
switch($action) {
case 'post':
-
+ check_admin_referer();
+
$post_ID = write_post();
// Redirect.
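Review bot: check_admin_referer() is added to the 'post' case without an action argument, and the same bare call is added to the 'editattachment' and 'editpost' cases in the next two hunks; if this version's check_admin_referer() accepts an action string paired with a wp_nonce_field() of the same name in the form, passing one ties the check to a per-form nonce instead of the Referer header alone, which is not a reliable CSRF control on its own. It also looks as though 'editattachment' falls through into 'editpost' (no break is visible between the add_post_meta line and `case 'editpost':`), so that path runs the check twice; harmless if the function dies on failure, but a `// falls through to editpost` comment would make the intent explicit. The switch starts before this hunk.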
@@ -76,6 +77,8 @@ case 'edit':
break;
case 'editattachment':
+ check_admin_referer();
+
$post_id = (int) $_POST['post_ID'];
// Don't let these be changed
@@ -92,6 +95,8 @@ case 'editattachment':
add_post_meta($post_id, '_wp_attachment_metadata', $newmeta);
case 'editpost':
+ check_admin_referer();
+
$post_ID = edit_post();
if ($_POST['save']) {
@@ -107,7 +112,7 @@ case 'editpost':
} elseif ($action == 'editattachment') {
$location = 'attachments.php';
} else {
- $location = 'post.php';
+ $location = 'post-new.php';
}
header ('Location: ' . $location); // Send user on their way while we keep working
diff --git a/wp-inst/wp-admin/user-edit.php b/wp-inst/wp-admin/user-edit.php
index ebb6cfd..5966f1a 100644
--- a/wp-inst/wp-admin/user-edit.php
+++ b/wp-inst/wp-admin/user-edit.php
@@ -38,6 +38,8 @@ break;
case 'update':
+check_admin_referer();
+
$errors = array();
if (!current_user_can('edit_users'))