$temp_ID = -1 * time();
$form_extra = "<input type='hidden' name='temp_ID' value='$temp_ID' />";
} else {
+ $post_ID = (int) $post_ID;
$form_action = 'editpost';
$nonce_action = 'update-post_' . $post_ID;
$form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />";
}
-$sendto = wp_get_referer();
+$temp_ID = (int) $temp_ID;
+$user_ID = (int) $user_ID;
+
+$sendto = attribute_escape(wp_get_referer());
if ( 0 != $post_ID && $sendto == get_permalink($post_ID) )
$sendto = 'redo';
-$sendto = wp_specialchars( $sendto );
?>
<fieldset id="passworddiv" class="dbx-box">
<h3 class="dbx-handle"><?php _e('Password-Protect Post') ?></h3>
-<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo $post->post_password ?>" /></div>
+<div class="dbx-content"><input name="post_password" type="text" size="13" id="post_password" value="<?php echo attribute_escape($post->post_password); ?>" /></div>
</fieldset>
<fieldset id="pageparent" class="dbx-box">
<fieldset id="slugdiv" class="dbx-box">
<h3 class="dbx-handle"><?php _e('Post slug') ?></h3>
-<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo $post->post_name ?>" /></div>
+<div class="dbx-content"><input name="post_name" type="text" size="13" id="post_name" value="<?php echo attribute_escape($post->post_name); ?>" /></div>
</fieldset>
<?php if ( $authors = get_editable_authors( $current_user->id ) ) : // TODO: ROLE SYSTEM ?>
$o = get_userdata( $o->ID );
if ( $post->post_author == $o->ID || ( empty($post_ID) && $user_ID == $o->ID ) ) $selected = 'selected="selected"';
else $selected = '';
+$o->ID = (int) $o->ID;
+$o->display_name = wp_specialchars( $o->display_name );
echo "<option value='$o->ID' $selected>$o->display_name</option>";
endforeach;
?>
<fieldset id="titlediv">
<legend><?php _e('Page Title') ?></legend>
- <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo $post->post_title; ?>" id="title" /></div>
+ <div><input type="text" name="post_title" size="30" tabindex="1" value="<?php echo attribute_escape($post->post_title); ?>" id="title" /></div>
</fieldset>
$uploading_iframe_src = wp_nonce_url("inline-uploading.php?action=view&post=$uploading_iframe_ID", 'inlineuploading');
$uploading_iframe_src = apply_filters('uploading_iframe_src', $uploading_iframe_src);
if ( false != $uploading_iframe_src )
- echo '<iframe id="uploading" border="0" src="' . $uploading_iframe_src . '">' . __('This feature requires iframe support.') . '</iframe>';
+ echo '<iframe id="uploading" frameborder="0" src="' . $uploading_iframe_src . '">' . __('This feature requires iframe support.') . '</iframe>';
}
?>
$delete_nonce = wp_create_nonce( 'delete-page_' . $post_ID ); ?>
<input name="deletepost" class="button" type="submit" id="deletepost" tabindex="10" value="<?php _e('Delete this page') ?>" <?php echo "onclick=\"if ( confirm('" . sprintf(__("You are about to delete this page \'%s\'\\n \'Cancel\' to stop, \'OK\' to delete."), js_escape($post->post_title) ) . "') ) { document.forms.post._wpnonce.value = '$delete_nonce'; return true;}return false;\""; ?> />
<?php endif; ?>
-</form>
-
</div>
+</form>
+
</div>