htmlspecialchars when loading content into html editor. Props DD32 and andy. fixes #5796

git-svn-id: https://develop.svn.wordpress.org/trunk@6767 602fd350-edb4-49c9-b593-d223f7449a82
2008-02-09 07:29:36 +00:00 · 2008-02-09 07:29:36 +00:00 · 3c1a115108
parent 911c089e36
commit 3c1a115108
2 changed files with 9 additions and 0 deletions
--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@ -1111,6 +1111,13 @@ function wp_richedit_pre($text) {
 	return apply_filters('richedit_pre', $output);
 }

+function wp_htmledit_pre($output) {
+	if ( !empty($output) )
+		$output = htmlspecialchars($output, ENT_NOQUOTES); // convert only < > &
+
+	return apply_filters('htmledit_pre', $output);
+}
+
 function clean_url( $url, $protocols = null, $context = 'display' ) {
 	$original_url = $url;

--- a/wp-includes/general-template.php
+++ b/wp-includes/general-template.php
@ -932,6 +932,8 @@ function the_editor($content, $id = 'content', $prev_id = 'title') {

 		if ( 'tinymce' == $wp_default_editor )
 			add_filter('the_editor_content', 'wp_richedit_pre');
+		else if ( 'html' == $wp_default_editor )
+			add_filter('the_editor_content', 'wp_htmledit_pre');

 		//	The following line moves the border so that the active button "attaches" to the toolbar. Only IE needs it.
        ?>