case 'addcat':
+ check_admin_referer('add-category');
+
if ( !current_user_can('manage_categories') )
die (__('Cheatin’ uh?'));
wp_insert_category($_POST);
- header('Location: categories.php?message=1#addcat');
+ wp_redirect('categories.php?message=1#addcat');
+ exit;
break;
case 'delete':
-
- check_admin_referer();
+ $cat_ID = (int) $_GET['cat_ID'];
+ check_admin_referer('delete-category_' . $cat_ID);
if ( !current_user_can('manage_categories') )
die (__('Cheatin’ uh?'));
- $cat_ID = (int) $_GET['cat_ID'];
$cat_name = get_catname($cat_ID);
- if ( 1 == $cat_ID )
+ // Don't delete the default cats.
+ if ( $cat_ID == get_option('default_category') )
die(sprintf(__("Can't delete the <strong>%s</strong> category: this is the default one"), $cat_name));
wp_delete_category($cat_ID);
- header('Location: categories.php?message=2');
-
+ wp_redirect('categories.php?message=2');
+ exit;
break;
case 'edit':
<div class="wrap">
<h2><?php _e('Edit Category') ?></h2>
<form name="editcat" action="categories.php" method="post">
+ <?php wp_nonce_field('update-category_' . $category->cat_ID); ?>
<table class="editform" width="100%" cellspacing="2" cellpadding="5">
<tr>
<th width="33%" scope="row"><?php _e('Category name:') ?></th>
- <td width="67%"><input name="cat_name" type="text" value="<?php echo wp_specialchars($category->cat_name); ?>" size="40" /> <input type="hidden" name="action" value="editedcat" />
+ <td width="67%"><input name="cat_name" type="text" value="<?php echo attribute_escape($category->cat_name); ?>" size="40" /> <input type="hidden" name="action" value="editedcat" />
<input type="hidden" name="cat_ID" value="<?php echo $category->cat_ID ?>" /></td>
</tr>
<tr>
<th scope="row"><?php _e('Category slug:') ?></th>
- <td><input name="category_nicename" type="text" value="<?php echo wp_specialchars($category->category_nicename); ?>" size="40" /></td>
+ <td><input name="category_nicename" type="text" value="<?php echo attribute_escape($category->category_nicename); ?>" size="40" /></td>
</tr>
<tr>
<th scope="row"><?php _e('Category parent:') ?></th>
</tr>
<tr>
<th scope="row"><?php _e('Description:') ?></th>
- <td><textarea name="category_description" rows="5" cols="50" style="width: 97%;"><?php echo wp_specialchars($category->category_description, 1); ?></textarea></td>
+ <td><textarea name="category_description" rows="5" cols="50" style="width: 97%;"><?php echo wp_specialchars($category->category_description); ?></textarea></td>
</tr>
</table>
<p class="submit"><input type="submit" name="submit" value="<?php _e('Edit category') ?> »" /></p>
break;
case 'editedcat':
+ $cat_ID = (int) $_POST['cat_ID'];
+ check_admin_referer('update-category_' . $cat_ID);
+
if ( !current_user_can('manage_categories') )
die (__('Cheatin’ uh?'));
wp_update_category($_POST);
- header('Location: categories.php?message=3');
+ wp_redirect('categories.php?message=3');
+ exit;
break;
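Review bot: In the `editedcat` branch the nonce is verified against `(int) $_POST['cat_ID']`, but `wp_update_category($_POST)` two lines later still receives the raw, uncast `$_POST['cat_ID']`, so the value the nonce was bound to is not necessarily the value that is acted on (a string such as `"5abc"` verifies as 5 and is then passed through unchanged). Unless wp_update_category is known to cast it again — its body is not visible here — the cheap fix is to write the verified value back before the call: `$_POST['cat_ID'] = $cat_ID;`. The same inconsistency exists in the edit form above, where the hidden `cat_ID` input is still echoed without `attribute_escape()` or an `(int)` cast even though its sibling `cat_name` and `category_nicename` attributes were switched to `attribute_escape()` in this change; `value="<?php echo (int) $category->cat_ID; ?>"` would close that gap. The enclosing `switch` starts and ends outside the hunk.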
default:
<div class="wrap">
<h2><?php _e('Add New Category') ?></h2>
<form name="addcat" id="addcat" action="categories.php" method="post">
-
+ <?php wp_nonce_field('add-category'); ?>
<p><?php _e('Name:') ?><br />
<input type="text" name="cat_name" value="" /></p>
<p><?php _e('Category parent:') ?><br />