Don't encode HTML entities automatically

Author: sheabunge

admin/views/single.php

@@ -59,7 +59,7 @@
 			<h3><?php _e( 'Code', 'code-snippets' ); ?></h3>
 		</label>
 
-		<textarea id="snippet_code" name="snippet_code" rows="20" spellcheck="false" style="font-family: monospace; width:100%;"><?php echo $snippet->code; ?></textarea>
+		<textarea id="snippet_code" name="snippet_code" rows="20" spellcheck="false" style="font-family: monospace; width:100%;"><?php echo esc_textarea( $snippet->code ); ?></textarea>
 
 		<?php do_action( 'code_snippets/admin/single', $snippet ); ?>
 

code-snippets.php

@@ -431,6 +431,43 @@ function upgrade() {
 		/* Skip this if we're on the latest version */
 		if ( version_compare( $current_version, $this->version, '<' ) ) {
 
+			/* Data in database is unsecapped in 1.8 */
+			if ( version_compare( $current_version, '1.8', '<' ) ) {
+
+				$tables = array();
+
+				if ( $wpdb->get_var( "SHOW TABLES LIKE '$wpdb->snippets'" ) === $wpdb->snippets ) {
+					$tables[] = $wpdb->snippets;
+				}
+
+				if ( is_multisite() && is_main_site() && $wpdb->get_var( "SHOW TABLES LIKE '$wpdb->ms_snippets'" ) === $wpdb->ms_snippets ) {
+					$tables[] = $wpdb->ms_snippets;
+				}
+
+				foreach ( $tables as $table ) {
+					$snippets = $wpdb->get_results( "SELECT * FROM $table" );
+
+					foreach ( $snippets as $snippet ) {
+
+						$snippet->name        = esc_sql( htmlspecialchars_decode( stripslashes( $snippet->name ) ) );
+						$snippet->code        = esc_sql( htmlspecialchars_decode( stripslashes( $snippet->code ) ) );
+						$snippet->description = esc_sql( htmlspecialchars_decode( stripslashes( $snippet->description ) ) );
+
+						$wpdb->update( $table,
+							array(
+								'name'        => $snippet->name,
+								'code'        => $snippet->code,
+								'description' => $snippet->description
+							),
+							array( 'id' => $snippet->id ),
+							array( '%s' ),
+							array( '%d' )
+						);
+					}
+				} // end $table foreach
+
+			} // end < 1.8 version check
+
 			/* Register the capabilities once only */
 			if ( version_compare( $current_version, '1.5',  '<' ) ) {
 				$this->setup_roles( true );
@@ -677,10 +714,10 @@ public function escape_snippet_data( $snippet ) {
 		$snippet->code = rtrim( $snippet->code, '?>' );
 
 		/* escape the data */
-		$snippet->name        = esc_sql( htmlspecialchars( $snippet->name ) );
-		$snippet->description = esc_sql( htmlspecialchars( $snippet->description ) );
-		$snippet->code        = esc_sql( htmlspecialchars( $snippet->code ) );
-		$snippet->id          = absint( $snippet->id );
+		$snippet->name        = esc_sql( $snippet->name );
+		$snippet->description = esc_sql( $snippet->description );
+		$snippet->code        = esc_sql( $snippet->code );
+		$snippet->id          = absint ( $snippet->id );
 
 		return apply_filters( 'code_snippets/escape_snippet_data', $snippet );
 	}
@@ -699,9 +736,9 @@ public function unescape_snippet_data( $snippet ) {
 
 		$snippet = $this->build_snippet_object( $snippet );
 
-		$snippet->name        = htmlspecialchars_decode( stripslashes( $snippet->name ) );
-		$snippet->code        = htmlspecialchars_decode( stripslashes( $snippet->code ) );
-		$snippet->description = htmlspecialchars_decode( stripslashes( $snippet->description ) );
+		$snippet->name        = stripslashes( $snippet->name );
+		$snippet->code        = stripslashes( $snippet->code );
+		$snippet->description = stripslashes( $snippet->description );
 
 		return apply_filters( 'code_snippets/unescape_snippet_data', $snippet );
 	}

includes/class-list-table.php

@@ -124,7 +124,7 @@ function column_default( $snippet, $column_name ) {
 				return $snippet->id;
 			case 'description':
 				if ( ! empty( $snippet->description ) )
-					return apply_filters( 'code_snippets/list_table/print_snippet_description', $snippet->description );
+					return esc_html( apply_filters( 'code_snippets/list_table/print_snippet_description', $snippet->description ) );
 				else
 					return '—';
 			default:
@@ -195,7 +195,7 @@ function column_name( $snippet ) {
 		);
 
 		if ( ! empty( $snippet->name ) )
-			$title = stripslashes( $snippet->name );
+			$title = esc_html( $snippet->name );
 		else
 			$title = sprintf ( __( 'Untitled–%d', 'code-snippets' ), $snippet->id );