IntenseWebs/WordPress
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

deprecate wp_specialchars() in favor of esc_html(). Encode quotes for esc_html() as in esc_attr(), to improve plugin security.

Browse Source 
git-svn-id: http://svn.automattic.com/wordpress/trunk@11380 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
markjaquith
2009-05-18 15:11:07 +00:00
parent e2802f7f3b
commit 119b39cec2
68 changed files with 210 additions and 151 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
wp-includes/user.php
View File

@@ -540,7 +540,7 @@ function wp_dropdown_users( $args = '' ) {
$user->ID = (int) $user->ID;
$_selected = $user->ID == $selected ? " selected='selected'" : '';
$display = !empty($user->$show) ? $user->$show : '('. $user->user_login . ')';
$output .= "\t<option value='$user->ID'$_selected>" . wp_specialchars($display) . "</option>\n";
$output .= "\t<option value='$user->ID'$_selected>" . esc_html($display) . "</option>\n";
}
$output .= "</select>";