devinsays / portfolio-press

A WordPress theme for artists and designers to showcase their work.
https://wptheming.com/portfolio-theme/
GNU General Public License v2.0

Better escaping for portfoliopress_postby_meta() #62

Closed mfields closed 10 years ago

mfields commented 10 years ago

This function is defined in template-helpers.php. All values should be escaped with core functions before being inserted into the formatted string. Something like this should work:

```php
function portfoliopress_postby_meta() {

    printf( __( '<span class="meta-prep meta-prep-author">Posted </span><a href="%1$s" rel="bookmark"><time class="entry-date" datetime="%2$s" pubdate>%3$s</time></a> <span class="meta-sep"> by </span> <span class="author vcard"><a class="url fn n" href="%4$s" title="%5$s">%6$s</a></span>', 'portfoliopress' ),
        esc_url( get_permalink() ),                                  // href attribute: URL escaper
        esc_html( get_the_date( 'c' ) ),                             // datetime attribute
        esc_html( get_the_date() ),                                  // element text
        esc_url( get_author_posts_url( get_the_author_meta( 'ID' ) ) ), // href attribute: URL escaper
        esc_attr( sprintf( __( 'View all posts by %s', 'portfoliopress' ), get_the_author() ) ), // title attribute
        esc_html( get_the_author() )                                 // element text
    );
}
```
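To make the point of the issue concrete, here is an added, stand-alone example (not code from the issue or from the Portfolio Press theme) that renders the same markup twice on constructed sample data, once with the values interpolated as-is and once escaped per HTML context, and then checks the result. The `esc_html`, `esc_attr` and `esc_url` definitions are simplified stand-ins for the WordPress core functions, defined only when the real ones are absent so the script runs from the PHP command line; the `$sample` array stands in for `get_permalink()`, `get_the_date()`, `get_author_posts_url()` and `get_the_author()`.

```php
<?php
// Added example (not code from the issue or from the Portfolio Press theme).
// The esc_* functions below are simplified stand-ins for the WordPress core
// escapers and are defined only when WordPress is not loaded.

if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        // Text-node context: encode <, >, &, " and '.
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        // Attribute-value context: the same characters must be encoded so the
        // value cannot close the quoted attribute it sits in.
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    function esc_url( $url ) {
        // Approximation of esc_url(): accept only http(s) URLs, then
        // entity-encode the survivor for use inside an href attribute.
        $url = trim( (string) $url );
        if ( ! preg_match( '#^https?://#i', $url ) ) {
            return '';
        }
        return htmlspecialchars( $url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

/** Same layout as the theme's markup, values interpolated without escaping. */
function postby_meta_unescaped( array $p ) {
    return sprintf(
        '<a href="%1$s" rel="bookmark"><time class="entry-date" datetime="%2$s">%3$s</time></a> by <a class="url fn n" href="%4$s" title="View all posts by %5$s">%5$s</a>',
        $p['permalink'], $p['date_iso'], $p['date_human'], $p['author_url'], $p['author_name']
    );
}

/** Each value escaped with the function matching where it lands in the HTML. */
function postby_meta_escaped( array $p ) {
    return sprintf(
        '<a href="%1$s" rel="bookmark"><time class="entry-date" datetime="%2$s">%3$s</time></a> by <a class="url fn n" href="%4$s" title="%5$s">%6$s</a>',
        esc_url( $p['permalink'] ),                            // href attribute
        esc_attr( $p['date_iso'] ),                            // datetime attribute
        esc_html( $p['date_human'] ),                          // element text
        esc_url( $p['author_url'] ),                           // href attribute
        esc_attr( 'View all posts by ' . $p['author_name'] ), // title attribute
        esc_html( $p['author_name'] )                          // element text
    );
}

// Constructed sample values; the two author fields are deliberately hostile.
$sample = array(
    'permalink'   => 'https://example.test/2014/03/hello-world/',
    'date_iso'    => '2014-03-01T10:00:00+00:00',
    'date_human'  => 'March 1, 2014',
    'author_url'  => 'javascript:alert(1)',
    'author_name' => 'Mallory"><script>alert(1)</script>',
);

$unsafe = postby_meta_unescaped( $sample );
$safe   = postby_meta_escaped( $sample );

echo "Unescaped:\n", $unsafe, "\n\n";
echo "Escaped:\n",   $safe,   "\n\n";

// Check a reviewer can run: the escaped output must contain neither a raw
// <script> tag nor a javascript: href, while the unescaped output has both.
$checks = array(
    'unescaped output carries <script'       => strpos( $unsafe, '<script' ) !== false,
    'unescaped output carries javascript:'   => strpos( $unsafe, 'href="javascript:' ) !== false,
    'escaped output has no <script'          => strpos( $safe, '<script' ) === false,
    'escaped output has no javascript: href' => strpos( $safe, 'href="javascript:' ) === false,
);
foreach ( $checks as $label => $ok ) {
    echo ( $ok ? 'PASS ' : 'FAIL ' ), $label, "\n";
}
```

Run it with `php` on the command line; all four checks print PASS. The escaper is chosen by output context rather than by data source: a value that is safe in element text is not automatically safe inside a quoted attribute, and an `href` needs a URL escaper so that non-http(s) schemes are dropped instead of merely entity-encoded.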
devinsays commented 10 years ago

Thanks!