Covering our XSS bases

git-svn-id: https://develop.svn.wordpress.org/trunk@9233 602fd350-edb4-49c9-b593-d223f7449a82

wp-admin/categories.php

@@ -140,7 +140,7 @@ if ( isset($_GET['message']) && ( $msg = (int) $_GET['message'] ) ) : ?>
 endif; ?>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 <ul class="subsubsub"><li class="current"><a class="current"><br /></a></li></ul>
 <form class="search-form" action="" method="get">

wp-admin/edit-comments.php

@@ -121,7 +121,7 @@ if ( isset( $_GET['approved'] ) || isset( $_GET['deleted'] ) || isset( $_GET['sp
 ?>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 <ul class="subsubsub">
 <?php

wp-admin/edit-form-advanced.php

@@ -457,7 +457,7 @@ endif;
 <?php endif; ?>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2>
+<h2><?php echo wp_specialchars( $title ); ?></h2>
 <form name="post" action="post.php" method="post" id="post">
 <?php
 

wp-admin/edit-link-categories.php

@@ -76,7 +76,7 @@ $messages[6] = __('Categories deleted.'); ?>
 endif; ?>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 <ul class="subsubsub"><li><a class="current"><br /></a></li></ul>
 <form class="search-form" action="" method="get">

wp-admin/edit-link-form.php

@@ -320,7 +320,7 @@ add_meta_box('linkadvanceddiv', __('Advanced'), 'link_advanced_meta_box', 'link'
 </div>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 <!--
 <p id="big-add-button">

wp-admin/edit-page-form.php

@@ -358,7 +358,7 @@ endif;
 </div>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 <form name="post" action="page.php" method="post" id="post">
 <?php if ( $notice ) : ?>

wp-admin/edit-pages.php

@@ -135,7 +135,7 @@ if ( (int) $_GET['locked'] ) {
 endif; ?>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 <ul class="subsubsub">
 <?php

wp-admin/edit-tags.php

@@ -143,7 +143,7 @@ $messages[6] = __('Tags deleted.'); ?>
 endif; ?>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 <ul class="subsubsub"><li class="current"><a class="current"><br /></a></li></ul>
 <form class="search-form" action="" method="get">

wp-admin/export.php

@@ -22,7 +22,7 @@ require_once ('admin-header.php');
 ?>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 <p><?php _e('When you click the button below WordPress will create an XML file for you to save to your computer.'); ?></p>
 <p><?php _e('This format, which we call WordPress eXtended RSS or WXR, will contain your posts, pages, comments, custom fields, categories, and tags.'); ?></p>

wp-admin/import.php

@@ -13,7 +13,7 @@ require_once ('admin-header.php');
 ?>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 <p><?php _e('If you have posts or comments in another system, WordPress can import those into this blog. To get started, choose a system to import from below:'); ?></p>
 
 <?php

wp-admin/index.php

@@ -38,7 +38,7 @@ $today = current_time('mysql', 1);
 </div>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2>
+<h2><?php echo wp_specialchars( $title ); ?></h2>
 
 <div id="dashboard-widgets-wrap">
 

wp-admin/link-manager.php

@@ -95,7 +95,7 @@ if ( isset($_GET['deleted']) ) {
 ?>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 <div class="filter">
 <form id="list-filter" action="" method="get">

wp-admin/media-upload.php

@@ -56,7 +56,7 @@ if ( isset($_GET['inline']) ) {
 	$parent_file = 'edit.php';
 	require_once('admin-header.php'); ?>
 	<div class="wrap">
-	<h2><?php echo $title ?></h2> 
+	<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 	<form enctype="multipart/form-data" method="post" action="media-upload.php?inline=&amp;upload-page-form=" class="media-upload-form type-form validate" id="file-form">
 

wp-admin/options-discussion.php

@@ -16,7 +16,7 @@ include('admin-header.php');
 ?>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 <form method="post" action="options.php">
 <input type='hidden' name='option_page' value='discussion' />

wp-admin/options-general.php

@@ -49,7 +49,7 @@ include('./admin-header.php');
 ?>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 <form method="post" action="options.php">
 <input type='hidden' name='option_page' value='general' />

wp-admin/options-media.php

@@ -17,7 +17,7 @@ include('admin-header.php');
 ?>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 <form action="options.php" method="post">
 <input type="hidden" name="action" value="update" />

wp-admin/options-misc.php

@@ -17,7 +17,7 @@ include('admin-header.php');
 ?>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 <form method="post" action="options.php">
 <input type='hidden' name='option_page' value='misc' />

wp-admin/options-permalink.php

@@ -123,7 +123,7 @@ else
 <?php endif; ?>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 <form name="form" action="options-permalink.php" method="post">
 <?php wp_nonce_field('update-permalink') ?>

wp-admin/options-privacy.php

@@ -16,7 +16,7 @@ include('./admin-header.php');
 ?>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 <form method="post" action="options.php">
 <?php wp_nonce_field('privacy-options') ?>

wp-admin/options-reading.php

@@ -16,7 +16,7 @@ include('admin-header.php');
 ?>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 <form name="form1" method="post" action="options.php">
 <?php wp_nonce_field('reading-options') ?>

wp-admin/options-writing.php

@@ -16,7 +16,7 @@ include('admin-header.php');
 ?>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 <form method="post" action="options.php">
 <?php wp_nonce_field('writing-options') ?>

wp-admin/plugin-editor.php

@@ -96,7 +96,7 @@ default:
 </div>
 <?php endif; ?>
 <div class="wrap">
-	<h2><?php echo $title ?></h2> 
+	<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 <div class="tablenav">
 <div class="alignleft">

wp-admin/plugin-install.php

@@ -52,7 +52,7 @@ do_action('install_plugins_pre_' . $tab); //Used to override the general interfa
 include('admin-header.php');
 ?>
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 	<ul class="subsubsub">
 <?php

wp-admin/plugins.php

@@ -203,7 +203,7 @@ if( !empty($invalid) )
 <?php endif; ?>
 
 <div class="wrap">
-	<h2><?php echo $title ?></h2> 
+	<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 <p><?php _e('Plugins extend and expand the functionality of WordPress. Once a plugin is installed, you may activate it or deactivate it here.'); ?></p>
 <?php

wp-admin/theme-editor.php

@@ -99,7 +99,7 @@ $description = get_file_description($file);
 $desc_header = ( $description != $file_show ) ? "$description</strong> (%s)" : "%s";
 ?>
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 <div class="bordertitle">
 	<form id="themeselector" action="theme-editor.php" method="post">
 		<strong><label for="theme"><?php _e('Select theme to edit:'); ?> </label></strong>

wp-admin/themes.php

@@ -98,7 +98,7 @@ function theme_update_available( $theme ) {
 ?>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 <h2><?php _e('Current Theme'); ?></h2>
 <div id="current-theme">

wp-admin/turbo.php

@@ -17,7 +17,7 @@ require_once('admin-header.php');
 if ( ! $is_opera ) {
 ?>
 	<div id="gears-info-box" class="wrap">
-	<h2><?php echo $title ?></h2> 
+	<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 	<img src="images/gear.png" title="Gear" alt="" class="gears-img" />
 	<div id="gears-msg1">

wp-admin/upload.php

@@ -183,7 +183,7 @@ if ( isset($message) ) { ?>
 <?php do_action('restrict_manage_posts'); ?>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 <ul class="subsubsub">
 <?php

wp-admin/user-edit.php

@@ -177,7 +177,7 @@ include ('admin-header.php');
 <?php endif; ?>
 
 <div class="wrap" id="profile-page">
-	<h2><?php echo $title ?></h2> 
+	<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 <form id="your-profile" action="" method="post">
 <?php wp_nonce_field('update-user_' . $user_id) ?>

wp-admin/users.php

@@ -264,7 +264,7 @@ if ( ! empty($messages) ) {
 } ?>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 <form id="posts-filter" action="" method="get">
 	<?php if ( $wp_user_search->is_search() ) : ?>

wp-admin/widgets.php

@@ -233,7 +233,7 @@ require_once( 'admin-header.php' ); ?>
 <?php endif; ?>
 
 <div class="wrap">
-<h2><?php echo $title ?></h2> 
+<h2><?php echo wp_specialchars( $title ); ?></h2> 
 
 	<form id="widgets-filter" action="" method="get">