diff --git a/lib/auth.php b/lib/auth.php index 481796a..d6c910a 100644 --- a/lib/auth.php +++ b/lib/auth.php @@ -1,7 +1,7 @@ ' . $_msg_unfreeze . ')'; @@ -214,7 +214,7 @@ function basic_auth($page, $auth_flag, $exit_flag, $auth_pages, $title_cannot) } if ($exit_flag) { $body = $title = str_replace('$1', - htmlspecialchars(strip_bracket($page)), $title_cannot); + htmlsc(strip_bracket($page)), $title_cannot); $page = str_replace('$1', make_search($page), $title_cannot); catbody($title, $page, $body); exit; diff --git a/lib/backup.php b/lib/backup.php index 2726c09..d46fd8c 100644 --- a/lib/backup.php +++ b/lib/backup.php @@ -11,7 +11,7 @@ * @access public * @author * @create - * @version $Id: backup.php,v 1.12 2006/02/02 13:27:57 henoheno Exp $ + * @version $Id: backup.php,v 1.13 2011/01/25 15:01:01 henoheno Exp $ * Copyright (C) * 2002-2006 PukiWiki Developers Team * 2001-2002 Originally written by yu-ji @@ -67,7 +67,7 @@ function make_backup($page, $delete = FALSE) $body = preg_replace("/\n*$/", "\n", $body); $fp = _backup_fopen($page, 'wb') - or die_message('Cannot open ' . htmlspecialchars(_backup_get_filename($page)) . + or die_message('Cannot open ' . htmlsc(_backup_get_filename($page)) . '
Maybe permission is not writable or filename is too long'); _backup_fputs($fp, $strout); _backup_fputs($fp, $body); diff --git a/lib/convert_html.php b/lib/convert_html.php index f8adc53..eda75bf 100644 --- a/lib/convert_html.php +++ b/lib/convert_html.php @@ -1,6 +1,6 @@ style[$name] = $name . ':' . htmlspecialchars($matches[3]) . ';'; + $this->style[$name] = $name . ':' . htmlsc($matches[3]) . ';'; $text = $matches[5]; } else if ($matches[4]) { - $this->style['size'] = 'font-size:' . htmlspecialchars($matches[4]) . 'px;'; + $this->style['size'] = 'font-size:' . htmlsc($matches[4]) . 'px;'; $text = $matches[5]; } } @@ -726,7 +726,7 @@ class Pre extends Element { global $preformat_ltrim; parent::Element(); - $this->elements[] = htmlspecialchars( + $this->elements[] = htmlsc( (! $preformat_ltrim || $text == '' || $text{0} != ' ') ? $text : substr($text, 1)); } diff --git a/lib/diff.php b/lib/diff.php index 19a9916..c44cefc 100644 --- a/lib/diff.php +++ b/lib/diff.php @@ -1,6 +1,6 @@ '; $params = array($_obj->get('left'), $_obj->get('right'), $_obj->text()); foreach ($params as $key=>$text) { - $text = htmlspecialchars($text); + $text = htmlsc($text); if (trim($text) == '') $text = ' '; $do_update_diff_table .= '<' . $tags[$key] . ' class="style_' . $tags[$key] . '">' . $text . diff --git a/lib/file.php b/lib/file.php index dec5781..ea9cad3 100644 --- a/lib/file.php +++ b/lib/file.php @@ -1,6 +1,6 @@ ' . "\n" . 'Maybe permission is not writable or filename is too long'); set_file_buffer($fp, 0); @@ -285,7 +285,7 @@ function add_recent($page, $recentpage, $subject = '', $limit = 0) // Add array_unshift($lines, '-' . format_date(UTIME) . ' - ' . $_page . - htmlspecialchars($subject) . "\n"); + htmlsc($subject) . "\n"); // Get latest $limit reports $lines = array_splice($lines, 0, $limit); 
@@ -293,7 +293,7 @@ function add_recent($page, $recentpage, $subject = '', $limit = 0) // Update $fp = fopen(get_filename($recentpage), 'w') or die_message('Cannot write page file ' . - htmlspecialchars($recentpage) . + htmlsc($recentpage) . '
Maybe permission is not writable or filename is too long'); set_file_buffer($fp, 0); flock($fp, LOCK_EX); @@ -377,7 +377,7 @@ function lastmodified_add($update = '', $remove = '') // Open pkwk_touch_file($file); $fp = fopen($file, 'r+') or - die_message('Cannot open ' . htmlspecialchars($whatsnew)); + die_message('Cannot open ' . htmlsc($whatsnew)); set_file_buffer($fp, 0); flock($fp, LOCK_EX); @@ -385,8 +385,8 @@ function lastmodified_add($update = '', $remove = '') ftruncate($fp, 0); rewind($fp); foreach ($recent_pages as $_page=>$time) - fputs($fp, '-' . htmlspecialchars(format_date($time)) . - ' - ' . '[[' . htmlspecialchars($_page) . ']]' . "\n"); + fputs($fp, '-' . htmlsc(format_date($time)) . + ' - ' . '[[' . htmlsc($_page) . ']]' . "\n"); fputs($fp, '#norelated' . "\n"); // :) flock($fp, LOCK_UN); @@ -441,15 +441,15 @@ function put_lastmodified() $file = get_filename($whatsnew); pkwk_touch_file($file); $fp = fopen($file, 'r+') or - die_message('Cannot open ' . htmlspecialchars($whatsnew)); + die_message('Cannot open ' . htmlsc($whatsnew)); set_file_buffer($fp, 0); flock($fp, LOCK_EX); ftruncate($fp, 0); rewind($fp); foreach (array_keys($recent_pages) as $page) { $time = $recent_pages[$page]; - $s_lastmod = htmlspecialchars(format_date($time)); - $s_page = htmlspecialchars($page); + $s_lastmod = htmlsc(format_date($time)); + $s_page = htmlsc($page); fputs($fp, '-' . $s_lastmod . ' - [[' . $s_page . ']]' . "\n"); } fputs($fp, '#norelated' . "\n"); // :) 
@@ -730,12 +730,12 @@ function pkwk_chown($filename, $preserve_time = TRUE) $lockfile = CACHE_DIR . 'pkwk_chown.lock'; $flock = fopen($lockfile, 'a') or die('pkwk_chown(): fopen() failed for: CACHEDIR/' . - basename(htmlspecialchars($lockfile))); + basename(htmlsc($lockfile))); flock($flock, LOCK_EX) or die('pkwk_chown(): flock() failed for lock'); // Check owner $stat = stat($filename) or - die('pkwk_chown(): stat() failed for: ' . basename(htmlspecialchars($filename))); + die('pkwk_chown(): stat() failed for: ' . basename(htmlsc($filename))); if ($stat[4] === $php_uid) { // NOTE: Windows always here $result = TRUE; // Seems the same UID. Nothing to do @@ -746,7 +746,7 @@ function pkwk_chown($filename, $preserve_time = TRUE) // NOTE: Not 'r+'. Don't check write permission here $ffile = fopen($filename, 'r') or die('pkwk_chown(): fopen() failed for: ' . - basename(htmlspecialchars($filename))); + basename(htmlsc($filename))); // Try to chown by re-creating files // NOTE: @@ -786,7 +786,7 @@ function pkwk_touch_file($filename, $time = FALSE, $atime = FALSE) return $result; } else { die('pkwk_touch_file(): Invalid UID and (not writable for the directory or not a flie): ' . - htmlspecialchars(basename($filename))); + htmlsc(basename($filename))); } } ?> diff --git a/lib/func.php b/lib/func.php index d760dfe..43db3dd 100644 --- a/lib/func.php +++ b/lib/func.php @@ -1,6 +1,6 @@ ' . "\n"; foreach (array_keys($pages) as $page) { $r_page = rawurlencode($page); - $s_page = htmlspecialchars($page); + $s_page = htmlsc($page); $passage = $show_passage ? ' ' . get_passage(get_filetime($page)) : ''; $retval .= '
  • ' . $s_page . @@ -356,14 +356,14 @@ function page_list($pages, $cmd = 'read', $withfilename = FALSE) foreach($pages as $file=>$page) { $r_page = rawurlencode($page); - $s_page = htmlspecialchars($page, ENT_QUOTES); + $s_page = htmlsc($page, ENT_QUOTES); $passage = get_pg_passage($page); $str = '
  • ' . $s_page . '' . $passage; if ($withfilename) { - $s_file = htmlspecialchars($file); + $s_file = htmlsc($file); $str .= "\n" . ' ' . "\n" . ' '; } @@ -431,7 +431,7 @@ function catrule() global $rule_page; if (! is_page($rule_page)) { - return '

    Sorry, page \'' . htmlspecialchars($rule_page) . + return '

    Sorry, page \'' . htmlsc($rule_page) . '\' unavailable.

    '; } else { return convert_html(get_source($rule_page)); @@ -631,7 +631,7 @@ function get_script_uri($init_uri = '') if (isset($script_directory_index)) { if (! file_exists($script_directory_index)) die_message('Directory index file not found: ' . - htmlspecialchars($script_directory_index)); + htmlsc($script_directory_index)); $matches = array(); if (preg_match('#^(.+/)' . preg_quote($script_directory_index, '#') . '$#', $script, $matches)) $script = $matches[1]; @@ -701,6 +701,13 @@ function csv_implode($glue, $pieces) return join($glue, $arr); } +// Sugar with default settings +function htmlsc($string = '', $flags = ENT_QUOTES, $charset = CONTENT_CHARSET) +{ + return htmlspecialchars($string, $flags, $charset); // htmlsc() +} + + //// Compat //// // is_a -- Returns TRUE if the object is of this class or has this class as one of its parents diff --git a/lib/html.php b/lib/html.php index c5047d7..965ae07 100644 --- a/lib/html.php +++ b/lib/html.php @@ -1,6 +1,6 @@ ' . $_msg_word . htmlspecialchars($vars['word']) . + $body = '
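Review bot: The new htmlsc() in the func.php hunk at @@ -701 becomes the project-wide escaper but carries no comment on its contract, and since PHP 5.4 htmlspecialchars() returns '' for input that is not valid in the given charset unless ENT_SUBSTITUTE is OR-ed into $flags, so a page or file name with a malformed byte sequence passed through the die_message() call sites in this commit would yield an empty message rather than an escaped one. Defaulting to ENT_QUOTES is a sound choice because several call sites place the result in single-quoted attributes, but page_list in the earlier func.php hunk now passes ENT_QUOTES explicitly to htmlsc(), which is redundant. Suggested header comment above the function: `// HTML-context escaper (ENT_QUOTES, CONTENT_CHARSET by default): safe for element text and quoted attributes only, not for URL schemes or script blocks. // htmlspecialchars() returns '' on byte sequences invalid for $charset (PHP >= 5.4) unless ENT_SUBSTITUTE is added to $flags.`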
    ' . $_msg_word . htmlsc($vars['word']) . '
    ' . $hr . "\n" . $body; // BugTrack2/106: Only variables can be passed by reference from PHP 5.0.5 @@ -132,7 +132,7 @@ function catbody($title, $page, $body) $keys = get_search_words(array_keys($keys), TRUE); $id = 0; foreach ($keys as $key=>$pattern) { - $s_key = htmlspecialchars($key); + $s_key = htmlsc($key); $pattern = '/' . ']*>.*?<\/textarea>' . // Ignore textareas '|' . '<[^>]*>' . // Ignore tags @@ -190,7 +190,7 @@ function edit_form($page, $postdata, $digest = FALSE, $b_template = TRUE) foreach(get_existpages() as $_page) { if ($_page == $whatsnew || check_non_list($_page)) continue; - $s_page = htmlspecialchars($_page); + $s_page = htmlsc($_page); $pages[$_page] = ' '; } @@ -210,10 +210,10 @@ EOD; } $r_page = rawurlencode($page); - $s_page = htmlspecialchars($page); - $s_digest = htmlspecialchars($digest); - $s_postdata = htmlspecialchars($refer . $postdata); - $s_original = isset($vars['original']) ? htmlspecialchars($vars['original']) : $s_postdata; + $s_page = htmlsc($page); + $s_digest = htmlsc($digest); + $s_postdata = htmlsc($refer . $postdata); + $s_original = isset($vars['original']) ? htmlsc($vars['original']) : $s_postdata; $b_preview = isset($vars['preview']); // TRUE when preview $btn_preview = $b_preview ? $_btn_repreview : $_btn_preview; @@ -293,7 +293,7 @@ function make_related($page, $tag = '') if (check_non_list($page)) continue; $r_page = rawurlencode($page); - $s_page = htmlspecialchars($page); + $s_page = htmlsc($page); $passage = get_passage($lastmod); $_links[] = $tag ? '=')) { if (headers_sent($file, $line)) die('Headers already sent at ' . - htmlspecialchars($file) . + htmlsc($file) . ' line ' . $line . '.'); } else { if (headers_sent()) @@ -509,7 +509,7 @@ function pkwk_output_dtd($pkwk_dtd = PKWK_DTD_XHTML_1_1, $charset = CONTENT_CHAR break; } - $charset = htmlspecialchars($charset); + $charset = htmlsc($charset); // Output XML or not if ($type == PKWK_DTD_TYPE_XHTML) echo '' . "\n"; 
diff --git a/lib/init.php b/lib/init.php index 0029c18..21020ab 100644 --- a/lib/init.php +++ b/lib/init.php @@ -1,6 +1,6 @@ $arr) { $fp = fopen(CACHE_DIR . encode($page) . '.ref', 'w') - or die_message('cannot write ' . htmlspecialchars(CACHE_DIR . encode($page) . '.ref')); + or die_message('cannot write ' . htmlsc(CACHE_DIR . encode($page) . '.ref')); foreach ($arr as $ref_page=>$ref_auto) fputs($fp, $ref_page . "\t" . $ref_auto . "\n"); fclose($fp); @@ -199,7 +199,7 @@ function links_add($page, $add, $rel_auto) } if ($is_page || ! $all_auto) { $fp = fopen($ref_file, 'w') - or die_message('cannot write ' . htmlspecialchars($ref_file)); + or die_message('cannot write ' . htmlsc($ref_file)); fputs($fp, $ref); fclose($fp); } @@ -228,7 +228,7 @@ function links_delete($page, $del) unlink($ref_file); if (($is_page || ! $all_auto) && $ref != '') { $fp = fopen($ref_file, 'w') - or die_message('cannot write ' . htmlspecialchars($ref_file)); + or die_message('cannot write ' . htmlsc($ref_file)); fputs($fp, $ref); fclose($fp); } diff --git a/lib/make_link.php b/lib/make_link.php index b18b9a6..362701a 100644 --- a/lib/make_link.php +++ b/lib/make_link.php @@ -1,6 +1,6 @@ pattern . '/x', array(& $this, 'replace'), $string); - $arr = explode("\x08", make_line_rules(htmlspecialchars($string))); + $arr = explode("\x08", make_line_rules(htmlsc($string))); $retval = ''; while (! empty($arr)) { $retval .= array_shift($arr) . array_shift($this->result); @@ -108,7 +108,7 @@ class InlineConverter $obj = $this->get_converter($arr); $this->result[] = ($obj !== NULL && $obj->set($arr, $this->page) !== FALSE) ? - $obj->toString() : make_line_rules(htmlspecialchars($arr[0])); + $obj->toString() : make_line_rules(htmlsc($arr[0])); return "\x08"; // Add a mark into latest processed part } 
@@ -187,7 +187,7 @@ class Link $this->type = $type; if (! PKWK_DISABLE_INLINE_IMAGE_FROM_URI && is_url($alias) && preg_match('/\.(gif|png|jpe?g)$/i', $alias)) { - $alias = '' . $name . ''; + $alias = '' . $name . ''; } else if ($alias != '') { if ($converter === NULL) $converter = new InlineConverter(array('plugin')); @@ -270,7 +270,7 @@ EOD; } else { // No such plugin, or Failed $body = (($body == '') ? '' : '{' . $body . '}') . ';'; - return make_line_rules(htmlspecialchars('&' . $this->plain) . $body); + return make_line_rules(htmlsc('&' . $this->plain) . $body); } } } @@ -374,7 +374,7 @@ EOD; function set($arr, $page) { list(, , $alias, $name) = $this->splice($arr); - return parent::setParam($page, htmlspecialchars($name), + return parent::setParam($page, htmlsc($name), '', 'url', $alias == '' ? $name : $alias); } @@ -418,7 +418,7 @@ EOD; function set($arr, $page) { list(, $name, $alias) = $this->splice($arr); - return parent::setParam($page, htmlspecialchars($name), '', 'url', $alias); + return parent::setParam($page, htmlsc($name), '', 'url', $alias); } function toString() @@ -520,11 +520,11 @@ EOD; $url = get_interwiki_url($name, $this->param); $this->url = ($url === FALSE) ? $script . '?' . rawurlencode('[[' . $name . ':' . $this->param . ']]') : - htmlspecialchars($url); + htmlsc($url); return parent::setParam( $page, - htmlspecialchars($name . ':' . $this->param), + htmlsc($name . ':' . $this->param), '', 'InterWikiName', $alias == '' ? $name . ':' . $this->param : $alias @@ -708,7 +708,7 @@ function make_pagelink($page, $alias = '', $anchor = '', $refer = '', $isautolin { global $script, $vars, $link_compact, $related, $_symbol_noexists; - $s_page = htmlspecialchars(strip_bracket($page)); + $s_page = htmlsc(strip_bracket($page)); $s_alias = ($alias == '') ? $s_page : $alias; if ($page == '') return '' . $s_alias . ''; diff --git a/lib/plugin.php b/lib/plugin.php index 2444abc..bcf35a8 100644 --- a/lib/plugin.php +++ b/lib/plugin.php 
@@ -1,6 +1,6 @@ PKWK_PLUGIN_CALL_TIME_LIMIT) - die('Alert: plugin "' . htmlspecialchars($name) . + die('Alert: plugin "' . htmlsc($name) . '" was called over ' . PKWK_PLUGIN_CALL_TIME_LIMIT . ' times. SPAM or someting?
    ' . "\n" . ' @@ -147,12 +147,12 @@ EOD; if ($align == 'clear') return '
    '; // 改行挿入 if ($align != 'left') $align = 'right'; // 配置決定 - $asin_all = htmlspecialchars($aryargs[0]); // for XSS + $asin_all = htmlsc($aryargs[0]); // for XSS if (is_asin() == FALSE && $align != 'clear') return FALSE; if ($aryargs[2] != '') { // タイトル指定 - $title = $alt = htmlspecialchars($aryargs[2]); // for XSS + $title = $alt = htmlsc($aryargs[2]); // for XSS if ($alt == 'image') { $alt = plugin_amazon_get_asin_title(); if ($alt == '') return FALSE; @@ -195,7 +195,7 @@ function plugin_amazon_action() $s_page = isset($vars['refer']) ? $vars['refer'] : ''; $asin_all = isset($vars['asin']) ? - htmlspecialchars(rawurlencode(strip_bracket($vars['asin']))) : ''; + htmlsc(rawurlencode(strip_bracket($vars['asin']))) : ''; if (! is_asin()) { $retvars['msg'] = 'ブックレビュー編集'; @@ -236,7 +236,7 @@ function plugin_amazon_inline() list($asin_all) = func_get_args(); - $asin_all = htmlspecialchars($asin_all); // for XSS + $asin_all = htmlsc($asin_all); // for XSS if (! is_asin()) return FALSE; $title = plugin_amazon_get_asin_title(); diff --git a/plugin/aname.inc.php b/plugin/aname.inc.php index e00e5bb..0aa4394 100644 --- a/plugin/aname.inc.php +++ b/plugin/aname.inc.php @@ -1,6 +1,6 @@ @@ -93,9 +93,9 @@ function plugin_article_action() $body = $_msg_collided . "\n"; - $s_refer = htmlspecialchars($post['refer']); - $s_digest = htmlspecialchars($post['digest']); - $s_postdata = htmlspecialchars($postdata_input); + $s_refer = htmlsc($post['refer']); + $s_digest = htmlsc($post['digest']); + $s_postdata = htmlsc($postdata_input); $body .= <<
    @@ -152,9 +152,9 @@ function plugin_article_convert() $article_no = $numbers[$vars['page']]++; - $s_page = htmlspecialchars($vars['page']); - $s_digest = htmlspecialchars($digest); - $name_cols = PLUGIN_ARTICLE_NAME_COLS; + $s_page = htmlsc($vars['page']); + $s_digest = htmlsc($digest); + $name_cols = PLUGIN_ARTICLE_NAME_COLS; $subject_cols = PLUGIN_ARTICLE_SUBJECT_COLS; $article_rows = PLUGIN_ARTICLE_ROWS; $article_cols = PLUGIN_ARTICLE_COLS; diff --git a/plugin/attach.inc.php b/plugin/attach.inc.php index 1be6c7e..ce7f70e 100644 --- a/plugin/attach.inc.php +++ b/plugin/attach.inc.php @@ -1,6 +1,6 @@ http://home.arino.jp/ @@ -389,7 +389,7 @@ function attach_form($page) global $script, $vars, $_attach_messages; $r_page = rawurlencode($page); - $s_page = htmlspecialchars($page); + $s_page = htmlsc($page); $navi = << [{$_attach_messages['msg_list']}] @@ -502,7 +502,7 @@ class AttachFile $param = '&file=' . rawurlencode($this->file) . '&refer=' . rawurlencode($this->page) . ($this->age ? '&age=' . $this->age : ''); $title = $this->time_str . ' ' . $this->size_str; - $label = ($showicon ? PLUGIN_ATTACH_FILE_ICON : '') . htmlspecialchars($this->file); + $label = ($showicon ? PLUGIN_ATTACH_FILE_ICON : '') . htmlsc($this->file); if ($this->age) { $label .= ' (backup No.' . $this->age . ')'; } @@ -522,8 +522,8 @@ class AttachFile global $script, $_attach_messages; $r_page = rawurlencode($this->page); - $s_page = htmlspecialchars($this->page); - $s_file = htmlspecialchars($this->file); + $s_page = htmlsc($this->page); + $s_file = htmlsc($this->file); $s_err = ($err == '') ? '' : '

    ' . $_attach_messages[$err] . '

    '; $msg_rename = ''; @@ -564,7 +564,7 @@ class AttachFile } $info = $this->toString(TRUE, FALSE); - $retval = array('msg'=>sprintf($_attach_messages['msg_info'], htmlspecialchars($this->file))); + $retval = array('msg'=>sprintf($_attach_messages['msg_info'], htmlsc($this->file))); $retval['body'] = <<< EOD

    [{$_attach_messages['msg_list']}] @@ -711,7 +711,7 @@ EOD; break; } } - $filename = htmlspecialchars($filename); + $filename = htmlsc($filename); ini_set('default_charset', ''); mb_http_output('pass'); @@ -763,7 +763,7 @@ class AttachFiles $_files[$age] = $this->files[$file][$age]->toString(FALSE, TRUE); } if (! isset($_files[0])) { - $_files[0] = htmlspecialchars($file); + $_files[0] = htmlsc($file); } ksort($_files); $_file = $_files[0]; diff --git a/plugin/back.inc.php b/plugin/back.inc.php index 9bd8fd4..76625e8 100644 --- a/plugin/back.inc.php +++ b/plugin/back.inc.php @@ -1,5 +1,5 @@ @@ -23,7 +23,7 @@ function plugin_back_convert() list($word, $align, $hr, $href) = array_pad(func_get_args(), 4, ''); $word = trim($word); - $word = ($word == '') ? $_msg_back_word : htmlspecialchars($word); + $word = ($word == '') ? $_msg_back_word : htmlsc($word); $align = strtolower(trim($align)); switch($align){ diff --git a/plugin/backup.inc.php b/plugin/backup.inc.php index a3fa0ca..91befe7 100644 --- a/plugin/backup.inc.php +++ b/plugin/backup.inc.php @@ -1,6 +1,6 @@ $_title_backuplist, 'body'=>plugin_backup_get_list_all()); check_readable($page, true, true); - $s_page = htmlspecialchars($page); + $s_page = htmlsc($page); $r_page = rawurlencode($page); $action = isset($vars['action']) ? $vars['action'] : ''; @@ -33,7 +33,7 @@ function plugin_backup_action() $s_action = $r_action = ''; if ($action != '') { - $s_action = htmlspecialchars($action); + $s_action = htmlsc($action); $r_action = rawurlencode($action); } @@ -107,7 +107,7 @@ function plugin_backup_action() $body .= plugin_backup_diff(do_diff($old, $cur)); } else if ($s_action == 'source') { $title = & $_title_backupsource; - $body .= '

    ' . htmlspecialchars(join('', $backups[$s_age]['data'])) .
    +		$body .= '
    ' . htmlsc(join('', $backups[$s_age]['data'])) .
     			'
    ' . "\n"; } else { if (PLUGIN_BACKUP_DISABLE_BACKUP_RENDERING) { @@ -145,7 +145,7 @@ function plugin_backup_delete($page) } $script = get_script_uri(); - $s_page = htmlspecialchars($page); + $s_page = htmlsc($page); $body .= <<$_msg_backup_adminpass

    @@ -172,7 +172,7 @@ $hr EOD; - return $ul . '
    ' . diff_style_to_css(htmlspecialchars($str)) . '
    ' . "\n"; + return $ul . '
    ' . diff_style_to_css(htmlsc($str)) . '
    ' . "\n"; } function plugin_backup_get_list($page) @@ -182,7 +182,7 @@ function plugin_backup_get_list($page) $script = get_script_uri(); $r_page = rawurlencode($page); - $s_page = htmlspecialchars($page); + $s_page = htmlsc($page); $retval = array(); $retval[0] = << diff --git a/plugin/bugtrack.inc.php b/plugin/bugtrack.inc.php index 93723ab..5ceab69 100644 --- a/plugin/bugtrack.inc.php +++ b/plugin/bugtrack.inc.php @@ -1,5 +1,9 @@ ' . $priority_list . '' . "\n"; } $select_state = "\n"; for ($i = 0; $i < count($_plugin_bugtrack['state_list']); ++$i) { - $state_list = htmlspecialchars($_plugin_bugtrack['state_list'][$i]); + $state_list = htmlsc($_plugin_bugtrack['state_list'][$i]); $select_state .= ' ' . "\n"; } @@ -92,7 +96,7 @@ function plugin_bugtrack_print_form($base, $category) } else { $encoded_category = ' diff --git a/plugin/interwiki.inc.php b/plugin/interwiki.inc.php index 02ba97b..cc3bf92 100644 --- a/plugin/interwiki.inc.php +++ b/plugin/interwiki.inc.php @@ -1,6 +1,6 @@ $_title_invalidiwn, 'body' => str_replace(array('$1', '$2'), - array(htmlspecialchars(''), + array(htmlsc(''), make_pagelink('InterWikiName')), $_msg_invalidiwn)); } diff --git a/plugin/lookup.inc.php b/plugin/lookup.inc.php index 3bf67bf..5030ba7 100644 --- a/plugin/lookup.inc.php +++ b/plugin/lookup.inc.php @@ -1,6 +1,6 @@ 3) return PLUGIN_LOOKUP_USAGE; $args = func_get_args(); - $interwiki = htmlspecialchars(trim($args[0])); - $button = isset($args[1]) ? trim($args[1]) : ''; - $button = ($button != '') ? htmlspecialchars($button) : 'lookup'; - $default = ($num > 2) ? htmlspecialchars(trim($args[2])) : ''; - $s_page = htmlspecialchars($vars['page']); + $interwiki = htmlsc(trim($args[0])); + $button = isset($args[1]) ? trim($args[1]) : ''; + $button = ($button != '') ? htmlsc($button) : 'lookup'; + $default = ($num > 2) ? htmlsc(trim($args[2])) : ''; + $s_page = htmlsc($vars['page']); ++$id; $script = get_script_uri(); 
@@ -54,7 +54,7 @@ function plugin_lookup_action() $url = get_interwiki_url($inter, $page); if ($url === FALSE) { $msg = sprintf('InterWikiName "%s" not found', $inter); - $msg = htmlspecialchars($msg); + $msg = htmlsc($msg); return array('msg'=>'Not found', 'body'=>$msg); } diff --git a/plugin/ls2.inc.php b/plugin/ls2.inc.php index 6c4e01b..8495e8a 100644 --- a/plugin/ls2.inc.php +++ b/plugin/ls2.inc.php @@ -1,7 +1,11 @@ $body, - 'msg'=>str_replace('$1', htmlspecialchars($prefix), $_ls2_msg_title)); + 'msg'=>str_replace('$1', htmlsc($prefix), $_ls2_msg_title)); } function plugin_ls2_convert() @@ -69,7 +73,7 @@ function plugin_ls2_convert() array_walk($args, 'plugin_ls2_check_arg', & $params); $title = (! empty($params['_args'])) ? join(',', $params['_args']) : // Manual - str_replace('$1', htmlspecialchars($prefix), $_ls2_msg_title); // Auto + str_replace('$1', htmlsc($prefix), $_ls2_msg_title); // Auto if (! $params['link']) return plugin_ls2_show_lists($prefix, $params); @@ -102,7 +106,7 @@ function plugin_ls2_show_lists($prefix, & $params) foreach ($pages as $page) $params["page_$page"] = 0; if (empty($pages)) { - return str_replace('$1', htmlspecialchars($prefix), $_ls2_err_nopages); + return str_replace('$1', htmlsc($prefix), $_ls2_err_nopages); } else { $params['result'] = $params['saved'] = array(); foreach ($pages as $page) @@ -121,7 +125,7 @@ function plugin_ls2_get_headings($page, & $params, $level, $include = FALSE) if (! $is_done) $params["page_$page"] = ++$_ls2_anchor; $r_page = rawurlencode($page); - $s_page = htmlspecialchars($page); + $s_page = htmlsc($page); $title = $s_page . ' ' . get_pg_passage($page, FALSE); $href = $script . '?cmd=read&page=' . $r_page; @@ -214,6 +218,6 @@ function plugin_ls2_check_arg($value, $key, & $params) $params['_done'] = TRUE; } - $params['_args'][] = htmlspecialchars($value); // Link title + $params['_args'][] = htmlsc($value); // Link title } ?> 
diff --git a/plugin/map.inc.php b/plugin/map.inc.php index 530d5f5..f3ab427 100644 --- a/plugin/map.inc.php +++ b/plugin/map.inc.php @@ -1,6 +1,8 @@ chain($nodes); $retval['body'] .= '
      ' . "\n" . $nodes[$refer]->toString($nodes) . '
    ' . "\n"; $retval['body'] .= '
    ' . "\n" . - '

    Not related from ' . htmlspecialchars($refer) . '

    ' . "\n"; + '

    Not related from ' . htmlsc($refer) . '

    ' . "\n"; $keys = array_keys($nodes); sort($keys); $retval['body'] .= '
      ' . "\n"; diff --git a/plugin/md5.inc.php b/plugin/md5.inc.php index 2ceedf9..fb271ec 100644 --- a/plugin/md5.inc.php +++ b/plugin/md5.inc.php @@ -1,6 +1,6 @@ PKWK_PASSPHRASE_LIMIT_LENGTH) die_message('Limit: malicious message length'); - if ($value != '') $value = 'value="' . htmlspecialchars($value) . '" '; + if ($value != '') $value = 'value="' . htmlsc($value) . '" '; $sha1_enabled = function_exists('sha1'); $sha1_checked = $md5_checked = ''; diff --git a/plugin/memo.inc.php b/plugin/memo.inc.php index e3f5ab5..c0e6fe8 100644 --- a/plugin/memo.inc.php +++ b/plugin/memo.inc.php @@ -1,5 +1,5 @@ @@ -79,7 +79,7 @@ function plugin_memo_convert() $data = implode(',', $data); // Care all arguments $data = str_replace(',', ',', $data); // Unescape commas $data = str_replace('"', '"', $data); // Unescape double quotes - $data = htmlspecialchars(str_replace('\n', "\n", $data)); + $data = htmlsc(str_replace('\n', "\n", $data)); if (PKWK_READONLY) { $_script = ''; @@ -89,8 +89,8 @@ function plugin_memo_convert() $_submit = ''; } - $s_page = htmlspecialchars($vars['page']); - $s_digest = htmlspecialchars($digest); + $s_page = htmlsc($vars['page']); + $s_digest = htmlsc($digest); $s_cols = MEMO_COLS; $s_rows = MEMO_ROWS; $string = << 0) { // Try to change default 'MenuBar' page name (only) if ($num > 1) return '#menu(): Zero or One argument needed'; - if ($menu !== NULL) return '#menu(): Already set: ' . htmlspecialchars($menu); + if ($menu !== NULL) return '#menu(): Already set: ' . htmlsc($menu); $args = func_get_args(); if (! is_page($args[0])) { - return '#menu(): No such page: ' . htmlspecialchars($args[0]); + return '#menu(): No such page: ' . htmlsc($args[0]); } else { $menu = $args[0]; // Set return ''; 
@@ -48,7 +48,7 @@ function plugin_menu_convert() if (! is_page($page)) { return ''; } else if ($vars['page'] == $page) { - return ''; + return ''; } else { // Cut fixed anchors $menutext = preg_replace('/^(\*{1,3}.*)\[#[A-Za-z][\w-]+\](.*)$/m', '$1$2', get_source($page)); diff --git a/plugin/navi.inc.php b/plugin/navi.inc.php index 5aeefcb..47545c4 100644 --- a/plugin/navi.inc.php +++ b/plugin/navi.inc.php @@ -1,6 +1,6 @@ '; + htmlsc($home) . '
      '; } else if (! $is_home && ! preg_match('/^' . preg_quote($home, '/') . '/', $current)) { - return '#navi(' . htmlspecialchars($home) . + return '#navi(' . htmlsc($home) . '): Not a child page like: ' . - htmlspecialchars($home . '/' . basename($current)) . + htmlsc($home . '/' . basename($current)) . '
      '; } $reverse = (strtolower($reverse) == 'reverse'); @@ -128,7 +128,7 @@ function plugin_navi_convert() foreach (array('start'=>$home, 'next'=>$next, 'prev'=>$prev, 'up'=>$up) as $rel=>$_page) { if ($_page != '') { - $s_page = htmlspecialchars($_page); + $s_page = htmlsc($_page); $r_page = rawurlencode($_page); $head_tags[] = ' $s_refer

      ";; @@ -109,7 +109,7 @@ function plugin_paint_action() $f_w = (is_numeric($width) and $width > 0) ? $width : PAINT_DEFAULT_WIDTH; $f_h = (is_numeric($height) and $height > 0) ? $height : PAINT_DEFAULT_HEIGHT; $f_refer = array_key_exists('refer',$vars) ? encode($vars['refer']) : ''; // BBSPainter.jarがshift-jisに変換するのを回避 - $f_digest = array_key_exists('digest',$vars) ? htmlspecialchars($vars['digest']) : ''; + $f_digest = array_key_exists('digest',$vars) ? htmlsc($vars['digest']) : ''; $f_no = (array_key_exists('paint_no',$vars) and is_numeric($vars['paint_no'])) ? $vars['paint_no'] + 0 : 0; @@ -185,7 +185,7 @@ function plugin_paint_convert() } //XSS脆弱性問題 - 外部から来た変数をエスケープ - $f_page = htmlspecialchars($vars['page']); + $f_page = htmlsc($vars['page']); $max = sprintf($_paint_messages['msg_max'],PAINT_MAX_WIDTH,PAINT_MAX_HEIGHT); diff --git a/plugin/pcomment.inc.php b/plugin/pcomment.inc.php index 96518c8..e826f04 100644 --- a/plugin/pcomment.inc.php +++ b/plugin/pcomment.inc.php @@ -1,6 +1,6 @@ ' : ''; $comment = ''; - $s_page = htmlspecialchars($page); - $s_refer = htmlspecialchars($vars_page); - $s_nodate = htmlspecialchars($params['nodate']); - $s_count = htmlspecialchars($count); + $s_page = htmlsc($page); + $s_refer = htmlsc($vars_page); + $s_nodate = htmlsc($params['nodate']); + $s_count = htmlsc($count); $form_start = '' . "\n"; $form = << +// License: WHERE IS THE RECORD? // // Popular pages plugin: Show an access ranking of this wiki // -- like recent plugin, using counter plugin's count -- @@ -76,7 +80,7 @@ function plugin_popular_convert() foreach ($counters as $page=>$count) { $page = substr($page, 1); - $s_page = htmlspecialchars($page); + $s_page = htmlsc($page); if ($page == $vars['page']) { // No need to link itself, notifies where you just read $pg_passage = get_pg_passage($page,FALSE); diff --git a/plugin/random.inc.php b/plugin/random.inc.php index 3b97c98..258b1e8 100644 --- a/plugin/random.inc.php +++ b/plugin/random.inc.php 
@@ -2,7 +2,7 @@ ///////////////////////////////////////////////// // PukiWiki - Yet another WikiWikiWeb clone. // -// $Id: random.inc.php,v 1.8 2004/09/10 14:18:34 henoheno Exp $ +// $Id: random.inc.php,v 1.9 2011/01/25 15:01:01 henoheno Exp $ // /* @@ -30,7 +30,7 @@ function plugin_random_convert() return "

      ' . - htmlspecialchars($title) . '

      '; + htmlsc($title) . '

      '; } function plugin_random_action() diff --git a/plugin/read.inc.php b/plugin/read.inc.php index 7654416..20e9a68 100644 --- a/plugin/read.inc.php +++ b/plugin/read.inc.php @@ -1,6 +1,6 @@ $_title_invalidwn, - 'body'=>str_replace('$1', htmlspecialchars($page), + 'body'=>str_replace('$1', htmlsc($page), str_replace('$2', 'WikiName', $_msg_invalidiwn)) ); } diff --git a/plugin/recent.inc.php b/plugin/recent.inc.php index 5f7feff..12c0821 100644 --- a/plugin/recent.inc.php +++ b/plugin/recent.inc.php @@ -1,5 +1,5 @@ ' . "\n"; } - $s_page = htmlspecialchars($page); + $s_page = htmlsc($page); if($page == $vars['page']) { // No need to link to the page you just read, or notify where you just read $items .= '
    • ' . $s_page . '
    • ' . "\n"; diff --git a/plugin/ref.inc.php b/plugin/ref.inc.php index a117944..cb3fe32 100644 --- a/plugin/ref.inc.php +++ b/plugin/ref.inc.php @@ -1,6 +1,6 @@ ' . $url . ''; return $params; } - $url = $url2 = htmlspecialchars($name); - $title = htmlspecialchars(preg_match('/([^\/]+)$/', $name, $matches) ? $matches[1] : $url); + $url = $url2 = htmlsc($name); + $title = htmlsc(preg_match('/([^\/]+)$/', $name, $matches) ? $matches[1] : $url); $is_image = (! $params['noimg'] && preg_match(PLUGIN_REF_IMAGE, $name)); @@ -254,7 +254,7 @@ function plugin_ref_body($args) } else { // 添付ファイル - $title = htmlspecialchars($name); + $title = htmlsc($name); $is_image = (! $params['noimg'] && preg_match(PLUGIN_REF_IMAGE, $name)); @@ -306,7 +306,7 @@ function plugin_ref_body($args) } if (! empty($_title)) { - $title = htmlspecialchars(join(',', $_title)); + $title = htmlsc(join(',', $_title)); if ($is_image) $title = make_line_rules($title); } } @@ -420,7 +420,7 @@ function plugin_ref_action() break; } } - $file = htmlspecialchars($filename); + $file = htmlsc($filename); $size = filesize($ref); // Output diff --git a/plugin/referer.inc.php b/plugin/referer.inc.php index 56f0c45..e7ba83a 100644 --- a/plugin/referer.inc.php +++ b/plugin/referer.inc.php @@ -99,8 +99,8 @@ function plugin_referer_body($page, $sort) list($ltime, $stime, $count, $url, $enable) = $arr; // 非ASCIIキャラクタ(だけ)をURLエンコードしておく BugTrack/440 - $e_url = htmlspecialchars(preg_replace('/([" \x80-\xff]+)/e', 'rawurlencode("$1")', $url)); - $s_url = htmlspecialchars(mb_convert_encoding(rawurldecode($url), SOURCE_ENCODING, 'auto')); + $e_url = htmlsc(preg_replace('/([" \x80-\xff]+)/e', 'rawurlencode("$1")', $url)); + $s_url = htmlsc(mb_convert_encoding(rawurldecode($url), SOURCE_ENCODING, 'auto')); $lpass = get_passage($ltime, FALSE); // 最終更新日時からの経過時間 $spass = get_passage($stime, FALSE); // 初回登録日時からの経過時間 
@@ -164,7 +164,7 @@ function plugin_referer_set_color() // BGCOLOR(#88ff88) $matches = array(); foreach ($pconfig_color as $x) - $color[$x[0]] = htmlspecialchars( + $color[$x[0]] = htmlsc( preg_match('/BGCOLOR\(([^)]+)\)/si', $x[1], $matches) ? $matches[1] : $x[1]); } diff --git a/plugin/related.inc.php b/plugin/related.inc.php index a81f0c6..82ac11e 100644 --- a/plugin/related.inc.php +++ b/plugin/related.inc.php @@ -1,6 +1,8 @@ ' . 'Return to ' . $s_word .'
      '. "\n"; @@ -44,7 +46,7 @@ function plugin_related_action() $retval .= '
        ' . "\n"; foreach ($data as $page=>$time) { $r_page = rawurlencode($page); - $s_page = htmlspecialchars($page); + $s_page = htmlsc($page); $passage = get_passage($time); $retval .= '
      • ' . $s_page . ' ' . $passage . '
      • ' . "\n"; diff --git a/plugin/rename.inc.php b/plugin/rename.inc.php index 2e30446..604fa7e 100644 --- a/plugin/rename.inc.php +++ b/plugin/rename.inc.php @@ -1,6 +1,8 @@ ' . $_page; $page = $tmp; } - if ($page != '') $body = sprintf($body, htmlspecialchars($page)); + if ($page != '') $body = sprintf($body, htmlsc($page)); $msg = sprintf($_rename_messages['err'], $body); return $msg; @@ -101,8 +103,8 @@ function plugin_rename_phase1($err = '', $page = '') } $select_refer = plugin_rename_getselecttag($refer); - $s_src = htmlspecialchars(plugin_rename_getvar('src')); - $s_dst = htmlspecialchars(plugin_rename_getvar('dst')); + $s_src = htmlsc(plugin_rename_getvar('src')); + $s_dst = htmlsc(plugin_rename_getvar('dst')); $ret = array(); $ret['msg'] = $_rename_messages['msg_title']; @@ -143,8 +145,8 @@ function plugin_rename_phase2($err = '') '
        '; $msg_rename = sprintf($_rename_messages['msg_rename'], make_pagelink($refer)); - $s_page = htmlspecialchars($page); - $s_refer = htmlspecialchars($refer); + $s_page = htmlsc($page); + $s_refer = htmlsc($refer); $ret = array(); $ret['msg'] = $_rename_messages['msg_title']; @@ -228,16 +230,16 @@ function plugin_rename_phase3($pages) $method = plugin_rename_getvar('method'); if ($method == 'regex') { - $s_src = htmlspecialchars(plugin_rename_getvar('src')); - $s_dst = htmlspecialchars(plugin_rename_getvar('dst')); + $s_src = htmlsc(plugin_rename_getvar('src')); + $s_dst = htmlsc(plugin_rename_getvar('dst')); $msg .= $_rename_messages['msg_regex'] . '
        '; $input .= ''; $input .= ''; $input .= ''; } else { - $s_refer = htmlspecialchars(plugin_rename_getvar('refer')); - $s_page = htmlspecialchars(plugin_rename_getvar('page')); - $s_related = htmlspecialchars(plugin_rename_getvar('related')); + $s_refer = htmlsc(plugin_rename_getvar('refer')); + $s_page = htmlsc(plugin_rename_getvar('page')); + $s_related = htmlsc(plugin_rename_getvar('related')); $msg .= $_rename_messages['msg_page'] . '
        '; $input .= ''; $input .= ''; @@ -250,7 +252,7 @@ function plugin_rename_phase3($pages) foreach ($exists as $page=>$arr) { $msg .= '
      • ' . make_pagelink(decode($page)); $msg .= $_rename_messages['msg_arrow']; - $msg .= htmlspecialchars(decode($pages[$page])); + $msg .= htmlsc(decode($pages[$page])); if (! empty($arr)) { $msg .= '
          ' . "\n"; foreach ($arr as $ofile=>$nfile) @@ -289,7 +291,7 @@ EOD; foreach ($pages as $old=>$new) $ret['body'] .= '
        • ' . make_pagelink(decode($old)) . $_rename_messages['msg_arrow'] . - htmlspecialchars(decode($new)) . '
        • ' . "\n"; + htmlsc(decode($new)) . '' . "\n"; $ret['body'] .= '
        ' . "\n"; return $ret; } @@ -407,7 +409,7 @@ function plugin_rename_getselecttag($page) if ($_page == $whatsnew) continue; $selected = ($_page == $page) ? ' selected' : ''; - $s_page = htmlspecialchars($_page); + $s_page = htmlsc($_page); $pages[$_page] = ''; } diff --git a/plugin/ruby.inc.php b/plugin/ruby.inc.php index a312a14..3f01b7c 100644 --- a/plugin/ruby.inc.php +++ b/plugin/ruby.inc.php @@ -1,6 +1,6 @@ ' . $body . '' . '(' . - '' . htmlspecialchars($ruby) . '' . ')' . + '' . htmlsc($ruby) . '' . ')' . ''; } ?> diff --git a/plugin/search.inc.php b/plugin/search.inc.php index 51d364f..bde0306 100644 --- a/plugin/search.inc.php +++ b/plugin/search.inc.php @@ -1,6 +1,6 @@ PLUGIN_SEARCH_MAX_LENGTH) { unset($vars['word']); // Stop using $_msg_word at lib/html.php @@ -81,7 +81,7 @@ function plugin_search_search_form($s_word = '', $type = '', $bases = array()) ++$_num; if (PLUGIN_SEARCH_MAX_BASE < $_num) break; $label_id = '_p_search_base_id_' . $_num; - $s_base = htmlspecialchars($base); + $s_base = htmlsc($base); $base_str = '' . $s_base . ''; $base_label = str_replace('$1', $base_str, $_search_pages); $base_msg .=<<' conversion // @@ -41,7 +41,7 @@ function plugin_setlinebreak_convert() default: return '#setlinebreak: Invalid argument: ' . - htmlspecialchars($args[0]) . '
        '; + htmlsc($args[0]) . '
        '; } } return ''; diff --git a/plugin/showrss.inc.php b/plugin/showrss.inc.php index 8b66a43..ece800b 100644 --- a/plugin/showrss.inc.php +++ b/plugin/showrss.inc.php @@ -1,6 +1,6 @@ ' . "\n"; + return '#showrss: Cache-lifetime seems not numeric: ' . htmlsc($cachehour) . '
        ' . "\n"; if (! class_exists($class)) - return '#showrss: Template not found: ' . htmlspecialchars($template) . '
        ' . "\n"; + return '#showrss: Template not found: ' . htmlsc($template) . '
        ' . "\n"; if (! is_url($uri)) - return '#showrss: Seems not URI: ' . htmlspecialchars($uri) . '
        ' . "\n"; + return '#showrss: Seems not URI: ' . htmlsc($uri) . '
        ' . "\n"; list($rss, $time) = plugin_showrss_get_rss($uri, $cachehour); if ($rss === FALSE) return '#showrss: Failed fetching RSS from the server
        ' . "\n"; @@ -247,10 +247,10 @@ class ShowRSS_XML function escape($str) { - // Unescape already-escaped chars (<, >, &, ...) in RSS body before htmlspecialchars() + // Unescape already-escaped chars (<, >, &, ...) in RSS body before htmlsc() $str = strtr($str, array_flip(get_html_translation_table(ENT_COMPAT))); // Escape - $str = htmlspecialchars($str); + $str = htmlsc($str); // Encoding conversion $str = mb_convert_encoding($str, SOURCE_ENCODING, $this->encoding); return trim($str); diff --git a/plugin/source.inc.php b/plugin/source.inc.php index 9223da0..f213dfc 100644 --- a/plugin/source.inc.php +++ b/plugin/source.inc.php @@ -1,6 +1,6 @@ $_source_messages['msg_title'], 'body' => '
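Review bot: In `ShowRSS_XML::escape()` the text is escaped by `htmlsc()` while still in the feed's own encoding and only afterwards converted, since `mb_convert_encoding($str, SOURCE_ENCODING, $this->encoding)` is the last step. Whatever charset `htmlsc()` passes to htmlspecialchars() — not visible in this diff — is therefore applied to bytes in `$this->encoding`; on PHP 5.4+ a charset mismatch makes htmlspecialchars() return an empty string for invalid sequences, which would silently blank feed items rather than fail loudly. Converting first and escaping last, i.e. moving `$str = mb_convert_encoding($str, SOURCE_ENCODING, $this->encoding);` above `$str = htmlsc($str);`, keeps the escaper working on the site's own encoding and makes the comment `// Encoding conversion (before escaping, so htmlsc() sees SOURCE_ENCODING bytes)` accurate.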
        ' .
        -		htmlspecialchars(join('', get_source($page))) . '
        '); + htmlsc(join('', get_source($page))) . '
    '); } ?> diff --git a/plugin/stationary.inc.php b/plugin/stationary.inc.php index e36883b..af282ff 100644 --- a/plugin/stationary.inc.php +++ b/plugin/stationary.inc.php @@ -1,5 +1,5 @@ '; + return '#stationary(' . htmlsc($result) . ')
    '; } // In-line type plugin: &stationary; or &stationary(foo); , or &stationary(foo){bar}; @@ -56,7 +56,7 @@ function plugin_stationary_inline() $args[$key] = trim($args[$key]); $result = join(',', $args); - return '&stationary(' . htmlspecialchars($result) . '){' . $body . '};'; + return '&stationary(' . htmlsc($result) . '){' . $body . '};'; } // Action-type plugin: ?plugin=stationary&foo=bar @@ -69,6 +69,6 @@ function plugin_stationary_action() $msg = 'Message'; $body = 'Message body'; - return array('msg'=>htmlspecialchars($msg), 'body'=>htmlspecialchars($body)); + return array('msg' => htmlsc($msg), 'body' => htmlsc($body)); } ?> diff --git a/plugin/template.inc.php b/plugin/template.inc.php index e7e9a3b..195c3dd 100644 --- a/plugin/template.inc.php +++ b/plugin/template.inc.php @@ -1,5 +1,5 @@ $line\n"; @@ -52,7 +52,7 @@ function plugin_template_action() $end_select .= "\n"; } - $_page = htmlspecialchars($page); + $_page = htmlsc($page); $msg = $tag = ''; if ($is_page) { $msg = $_err_template_already; @@ -61,7 +61,7 @@ function plugin_template_action() $msg = str_replace('$1', $_page, $_err_template_invalid); } - $s_refer = htmlspecialchars($vars['refer']); + $s_refer = htmlsc($vars['refer']); $s_page = ($page == '') ? str_replace('$1', $s_refer, $_msg_template_page) : $_page; $ret = << diff --git a/plugin/topicpath.inc.php b/plugin/topicpath.inc.php index 5591c13..66e1bbd 100644 --- a/plugin/topicpath.inc.php +++ b/plugin/topicpath.inc.php @@ -1,6 +1,12 @@ read()) { - return "

    config file '".htmlspecialchars($config_name)."' not found.

    "; + return "

    config file '".htmlsc($config_name)."' not found.

    "; } $config->config_name = $config_name; @@ -89,7 +91,7 @@ function plugin_tracker_action() $config = new Config('plugin/tracker/'.$config_name); if (!$config->read()) { - return "

    config file '".htmlspecialchars($config_name)."' not found.

    "; + return "

    config file '".htmlsc($config_name)."' not found.

    "; } $config->config_name = $config_name; $source = $config->page.'/page'; @@ -100,14 +102,14 @@ function plugin_tracker_action() { return array( 'msg'=>'cannot write', - 'body'=>'page name ('.htmlspecialchars($refer).') is not valid.' + 'body'=>'page name ('.htmlsc($refer).') is not valid.' ); } if (!is_page($source)) { return array( 'msg'=>'cannot write', - 'body'=>'page template ('.htmlspecialchars($source).') is not exist.' + 'body'=>'page template ('.htmlsc($source).') is not exist.' ); } // ページ名を決定 @@ -197,7 +199,7 @@ function plugin_tracker_inline() if (!$config->read()) { - return "config file '".htmlspecialchars($config_name)."' not found."; + return "config file '".htmlsc($config_name)."' not found."; } $config->config_name = $config_name; @@ -299,9 +301,9 @@ class Tracker_field_text extends Tracker_field function get_tag() { - $s_name = htmlspecialchars($this->name); - $s_size = htmlspecialchars($this->values[0]); - $s_value = htmlspecialchars($this->default_value); + $s_name = htmlsc($this->name); + $s_size = htmlsc($this->values[0]); + $s_value = htmlsc($this->default_value); return ""; } } @@ -341,10 +343,10 @@ class Tracker_field_textarea extends Tracker_field function get_tag() { - $s_name = htmlspecialchars($this->name); - $s_cols = htmlspecialchars($this->values[0]); - $s_rows = htmlspecialchars($this->values[1]); - $s_value = htmlspecialchars($this->default_value); + $s_name = htmlsc($this->name); + $s_cols = htmlsc($this->values[0]); + $s_rows = htmlsc($this->values[1]); + $s_value = htmlsc($this->default_value); return ""; } function format_cell($str) @@ -383,8 +385,8 @@ class Tracker_field_format extends Tracker_field } function get_tag() { - $s_name = htmlspecialchars($this->name); - $s_size = htmlspecialchars($this->values[0]); + $s_name = htmlsc($this->name); + $s_size = htmlsc($this->values[0]); return ""; } function get_key($str) 
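Review bot: The user-facing messages `'page template ('.htmlsc($source).') is not exist.'` in the `@@ -100,14` hunk and `config file '".htmlsc($config_name)."' is not exist."` in the `@@ -626,7` hunk are ungrammatical; since the commit already touches both lines, `does not exist` is the natural replacement in each. The adjacent `'page name ('.htmlsc($refer).') is not valid.'` line reads fine and can stay.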
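Review bot: `Tracker_field_text::get_tag()` reads `$this->values[0]` unconditionally in `$s_size = htmlsc($this->values[0]);`, whereas the sibling `Tracker_field_select::get_tag()` later in this file guards the same slot with `array_key_exists(0,$this->values)` before using it; a field definition without a size argument therefore raises an undefined-offset notice here and emits an empty `size=""` attribute. The same unguarded access appears in the `@@ -341,10` hunk (`values[0]`, `values[1]` for textarea), the `@@ -383,8` hunk and the `@@ -412,8` hunk for the format and file fields. A guard in the select's style, `$s_size = isset($this->values[0]) ? htmlsc($this->values[0]) : '';`, keeps the existing output for configured sizes while avoiding the notice; each of these methods is fully inside its hunk.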
@@ -412,8 +414,8 @@ class Tracker_field_file extends Tracker_field_format function get_tag() { - $s_name = htmlspecialchars($this->name); - $s_size = htmlspecialchars($this->values[0]); + $s_name = htmlsc($this->name); + $s_size = htmlsc($this->values[0]); return ""; } function format_value($str) @@ -437,12 +439,12 @@ class Tracker_field_radio extends Tracker_field_format function get_tag() { - $s_name = htmlspecialchars($this->name); + $s_name = htmlsc($this->name); $retval = ''; $id = 0; foreach ($this->config->get($this->name) as $option) { - $s_option = htmlspecialchars($option[0]); + $s_option = htmlsc($option[0]); $checked = trim($option[0]) == trim($this->default_value) ? ' checked="checked"' : ''; ++$id; $s_id = '_p_tracker_' . $s_name . '_' . $this->id . '_' . $id; @@ -473,9 +475,9 @@ class Tracker_field_select extends Tracker_field_radio function get_tag($empty=FALSE) { - $s_name = htmlspecialchars($this->name); + $s_name = htmlsc($this->name); $s_size = (array_key_exists(0,$this->values) and is_numeric($this->values[0])) ? - ' size="'.htmlspecialchars($this->values[0]).'"' : ''; + ' size="'.htmlsc($this->values[0]).'"' : ''; $s_multiple = (array_key_exists(1,$this->values) and strtolower($this->values[1]) == 'multiple') ? ' multiple="multiple"' : ''; $retval = "\n"; return $retval; @@ -537,10 +539,10 @@ class Tracker_field_submit extends Tracker_field { function get_tag() { - $s_title = htmlspecialchars($this->title); - $s_page = htmlspecialchars($this->page); - $s_refer = htmlspecialchars($this->refer); - $s_config = htmlspecialchars($this->config->config_name); + $s_title = htmlsc($this->title); + $s_page = htmlsc($this->page); + $s_refer = htmlsc($this->refer); + $s_config = htmlsc($this->config->config_name); return << @@ -626,7 +628,7 @@ function plugin_tracker_getlist($page,$refer,$config_name,$list,$order='',$limit if (!$config->read()) { - return "
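Review bot: In `Tracker_field_radio::get_tag()` the pre-check decision uses a loose comparison, `$checked = trim($option[0]) == trim($this->default_value) ? ...`, so two numeric-looking option strings such as `1` and `1.0` or `01` compare equal and the wrong radio button can come up selected. A strict `===` on the two trimmed strings, `$checked = trim($option[0]) === trim($this->default_value) ? ' checked="checked"' : '';`, compares the option texts as written. The `foreach` body continues past the hunk.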

    config file '".htmlspecialchars($config_name)."' is not exist."; + return "

    config file '".htmlsc($config_name)."' is not exist."; } $config->config_name = $config_name; diff --git a/plugin/unfreeze.inc.php b/plugin/unfreeze.inc.php index c13c436..14000bd 100644 --- a/plugin/unfreeze.inc.php +++ b/plugin/unfreeze.inc.php @@ -1,6 +1,8 @@ $_msg_invalidpass

    \n"; $body .= <<$_msg_unfreezing

    diff --git a/plugin/versionlist.inc.php b/plugin/versionlist.inc.php index c753060..a8cd838 100644 --- a/plugin/versionlist.inc.php +++ b/plugin/versionlist.inc.php @@ -44,12 +44,12 @@ function plugin_versionlist_convert() continue; } $data = join('',file($sdir.$file)); - $comment = array('file'=>htmlspecialchars($sdir.$file),'rev'=>'','date'=>''); + $comment = array('file'=>htmlsc($sdir.$file),'rev'=>'','date'=>''); if (preg_match('/\$'.'Id: (.+),v (\d+\.\d+) (\d{4}\/\d{2}\/\d{2} \d{2}:\d{2}:\d{2})/',$data,$matches)) { -// $comment['file'] = htmlspecialchars($sdir.$matches[1]); - $comment['rev'] = htmlspecialchars($matches[2]); - $comment['date'] = htmlspecialchars($matches[3]); +// $comment['file'] = htmlsc($sdir.$matches[1]); + $comment['rev'] = htmlsc($matches[2]); + $comment['date'] = htmlsc($matches[3]); } $comments[$sdir.$file] = $comment; } diff --git a/plugin/vote.inc.php b/plugin/vote.inc.php index f910522..dd32508 100644 --- a/plugin/vote.inc.php +++ b/plugin/vote.inc.php @@ -1,6 +1,8 @@ @@ -95,8 +97,8 @@ function plugin_vote_convert() } $args = func_get_args(); - $s_page = htmlspecialchars($page); - $s_digest = htmlspecialchars($digest); + $s_page = htmlsc($page); + $s_digest = htmlsc($digest); $body = << diff --git a/plugin/yetlist.inc.php b/plugin/yetlist.inc.php index 4accf43..8743600 100644 --- a/plugin/yetlist.inc.php +++ b/plugin/yetlist.inc.php @@ -1,6 +1,6 @@ ' . - htmlspecialchars($_refer) . ''; + htmlsc($_refer) . ''; } $link_ref = join(' ', $link_refs); unset($link_refs); - $s_page = htmlspecialchars($page); + $s_page = htmlsc($page); if (PKWK_READONLY) { $href = $s_page; } else { diff --git a/skin/tdiary.skin.php b/skin/tdiary.skin.php index 9389b53..c321a0c 100644 --- a/skin/tdiary.skin.php +++ b/skin/tdiary.skin.php @@ -1,6 +1,6 @@ '; + echo 'Theme not found: ' . htmlsc($theme_css) . '
    '; echo 'You can get tdiary-theme from: '; echo 'http://sourceforge.net/projects/tdiary/'; exit; @@ -589,7 +589,7 @@ if (isset($pkwk_dtd)) { - + @@ -701,7 +701,7 @@ function _navigator($key, $value = '', $javascript = ''){ $title = ''; if ($disable_backlink) { if ($_page != '') { - $title = htmlspecialchars($_page); + $title = htmlsc($_page); } else { $title = $page; // Search, or something message } @@ -709,7 +709,7 @@ if ($disable_backlink) { if ($page != '') { $title = $page; } else { - $title = htmlspecialchars($_page); + $title = htmlsc($_page); } } $title_date = $title_text = '';
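Review bot: Only the `$_page` branch of the `$title` selection is escaped in the `@@ -701,7` hunk; the `else` arm assigns `$title = $page; // Search, or something message`, and the `@@ -709,7` hunk assigns `$title = $page;` again, neither through `htmlsc()`. If `$page` can still carry request-derived text at this point it reaches `$title` unescaped; if it is already HTML-ready, as the comment hints, a line such as `// $page is a prepared message here, already escaped upstream` next to the assignment would save the next reader the same question. Both hunks sit in the skin's top-level code, which continues outside them.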