Hyperz - WP 3.2.1 XSS Fix

<?php
/**
 * WordPress Post Template Functions.
 *
 * Gets content for the current post in the loop.
 *
 * @package WordPress
 * @subpackage Template
 */

/**
 * Display the ID of the current item in the WordPress Loop.
 *
 * @since 0.71
 */
function the_ID() {
    echo get_the_ID();
}

/**
 * Retrieve the ID of the current item in the WordPress Loop.
 *
 * @since 2.1.0
 * @uses $post
 *
 * @return int
 */
function get_the_ID() {
    global $post;
    return $post->ID;
}

/**
 * Display or retrieve the current post title with optional content.
 *
 * @since 0.71
 *
 * @param string $before Optional. Content to prepend to the title.
 * @param string $after Optional. Content to append to the title.
 * @param bool $echo Optional, default to true.Whether to display or return.
 * @return null|string Null on no title. String if $echo parameter is false.
 */
function the_title($before = '', $after = '', $echo = true) {
    $title = get_the_title();

    if ( strlen($title) == 0 )
        return;

    $title = $before . $title . $after;

    if ( $echo )
        echo htmlentities($title);
    else
        return htmlentities($title);
}

/**
 * Sanitize the current title when retrieving or displaying.
 *
 * Works like {@link the_title()}, except the parameters can be in a string or
 * an array. See the function for what can be override in the $args parameter.
 *
 * The title before it is displayed will have the tags stripped and {@link
 * esc_attr()} before it is passed to the user or displayed. The default
 * as with {@link the_title()}, is to display the title.
 *
 * @since 2.3.0
 *
 * @param string|array $args Optional. Override the defaults.
 * @return string|null Null on failure or display. String when echo is false.
 */
function the_title_attribute( $args = '' ) {
    $title = get_the_title();

    if ( strlen($title) == 0 )
        return;

    $defaults = array('before' => '', 'after' =>  '', 'echo' => true);
    $r = wp_parse_args($args, $defaults);
    extract( $r, EXTR_SKIP );


    $title = $before . $title . $after;
    $title = esc_attr(strip_tags($title));

    if ( $echo )
        echo htmlentities($title);
    else
        return htmlentities($title);
}

/**
 * Retrieve post title.
 *
 * If the post is protected and the visitor is not an admin, then "Protected"
 * will be displayed before the post title. If the post is private, then
 * "Private" will be located before the post title.
 *
 * @since 0.71
 *
 * @param int $id Optional. Post ID.
 * @return string
 */
function get_the_title( $id = 0 ) {
    $post = &get_post($id);

    $title = isset($post->post_title) ? $post->post_title : '';
    $id = isset($post->ID) ? $post->ID : (int) $id;

    if ( !is_admin() ) {
        if ( !empty($post->post_password) ) {
            $protected_title_format = apply_filters('protected_title_format', __('Protected: %s'));
            $title = sprintf($protected_title_format, $title);
        } else if ( isset($post->post_status) && 'private' == $post->post_status ) {
            $private_title_format = apply_filters('private_title_format', __('Private: %s'));
            $title = sprintf($private_title_format, $title);
        }
    }
    return htmlentities(apply_filters( 'the_title', $title, $id ));
}

/**
 * Display the Post Global Unique Identifier (guid).
 *
 * The guid will appear to be a link, but should not be used as an link to the
 * post. The reason you should not use it as a link, is because of moving the
 * blog across domains.
 *
 * Url is escaped to make it xml safe
 *
 * @since 1.5.0
 *
 * @param int $id Optional. Post ID.
 */
function the_guid( $id = 0 ) {
    echo esc_url( get_the_guid( $id ) );
}

/**
 * Retrieve the Post Global Unique Identifier (guid).
 *
 * The guid will appear to be a link, but should not be used as an link to the
 * post. The reason you should not use it as a link, is because of moving the
 * blog across domains.
 *
 * @since 1.5.0
 *
 * @param int $id Optional. Post ID.
 * @return string
 */
function get_the_guid( $id = 0 ) {
    $post = &get_post($id);

    return apply_filters('get_the_guid', $post->guid);
}

/**
 * Display the post content.
 *
 * @since 0.71
 *
 * @param string $more_link_text Optional. Content for when there is more text.
 * @param string $stripteaser Optional. Teaser content before the more text.
 */
function the_content($more_link_text = null, $stripteaser = 0) {
    $content = get_the_content($more_link_text, $stripteaser);
    $content = apply_filters('the_content', $content);
    $content = str_replace(']]>', ']]&gt;', $content);
    echo $content;
}

/**
 * Retrieve the post content.
 *
 * @since 0.71
 *
 * @param string $more_link_text Optional. Content for when there is more text.
 * @param string $stripteaser Optional. Teaser content before the more text.
 * @return string
 */
function get_the_content($more_link_text = null, $stripteaser = 0) {
    global $post, $more, $page, $pages, $multipage, $preview;

    if ( null === $more_link_text )
        $more_link_text = __( '(more...)' );

    $output = '';
    $hasTeaser = false;

    // If post password required and it doesn't match the cookie.
    if ( post_password_required($post) ) {
        $output = get_the_password_form();
        return $output;
    }

    if ( $page > count($pages) ) // if the requested page doesn't exist
        $page = count($pages); // give them the highest numbered page that DOES exist

    $content = $pages[$page-1];
    if ( preg_match('/<!--more(.*?)?-->/', $content, $matches) ) {
        $content = explode($matches[0], $content, 2);
        if ( !empty($matches[1]) && !empty($more_link_text) )
            $more_link_text = strip_tags(wp_kses_no_null(trim($matches[1])));

        $hasTeaser = true;
    } else {
        $content = array($content);
    }
    if ( (false !== strpos($post->post_content, '<!--noteaser-->') && ((!$multipage) || ($page==1))) )
        $stripteaser = 1;
    $teaser = $content[0];
    if ( ($more) && ($stripteaser) && ($hasTeaser) )
        $teaser = '';
    $output .= $teaser;
    if ( count($content) > 1 ) {
        if ( $more ) {
            $output .= '<span id="more-' . $post->ID . '"></span>' . $content[1];
        } else {
            if ( ! empty($more_link_text) )
                $output .= apply_filters( 'the_content_more_link', ' <a href="' . get_permalink() . "#more-{$post->ID}\" class=\"more-link\">$more_link_text</a>", $more_link_text );
            $output = force_balance_tags($output);
        }

    }
    if ( $preview ) // preview fix for javascript bug with foreign languages
        $output =   preg_replace_callback('/\%u([0-9A-F]{4})/', '_convert_urlencoded_to_entities', $output);

    return $output;
}

/**
 * Preview fix for javascript bug with foreign languages
 *
 * @since 3.1.0
 * @access private
 * @param array $match Match array from preg_replace_callback
 * @returns string
 */
function _convert_urlencoded_to_entities( $match ) {
    return '&#' . base_convert( $match[1], 16, 10 ) . ';';
}

/**
 * Display the post excerpt.
 *
 * @since 0.71
 * @uses apply_filters() Calls 'the_excerpt' hook on post excerpt.
 */
function the_excerpt() {
    echo apply_filters('the_excerpt', get_the_excerpt());
}

/**
 * Retrieve the post excerpt.
 *
 * @since 0.71
 *
 * @param mixed $deprecated Not used.
 * @return string
 */
function get_the_excerpt( $deprecated = '' ) {
    if ( !empty( $deprecated ) )
        _deprecated_argument( __FUNCTION__, '2.3' );

    global $post;
    $output = $post->post_excerpt;
    if ( post_password_required($post) ) {
        $output = __('There is no excerpt because this is a protected post.');
        return $output;
    }

    return apply_filters('get_the_excerpt', $output);
}

/**
 * Whether post has excerpt.
 *
 * @since 2.3.0
 *
 * @param int $id Optional. Post ID.
 * @return bool
 */
function has_excerpt( $id = 0 ) {
    $post = &get_post( $id );
    return ( !empty( $post->post_excerpt ) );
}

/**
 * Display the classes for the post div.
 *
 * @since 2.7.0
 *
 * @param string|array $class One or more classes to add to the class list.
 * @param int $post_id An optional post ID.
 */
function post_class( $class = '', $post_id = null ) {
    // Separates classes with a single space, collates classes for post DIV
    echo 'class="' . join( ' ', get_post_class( $class, $post_id ) ) . '"';
}

/**
 * Retrieve the classes for the post div as an array.
 *
 * The class names are add are many. If the post is a sticky, then the 'sticky'
 * class name. The class 'hentry' is always added to each post. For each
 * category, the class will be added with 'category-' with category slug is
 * added. The tags are the same way as the categories with 'tag-' before the tag
 * slug. All classes are passed through the filter, 'post_class' with the list
 * of classes, followed by $class parameter value, with the post ID as the last
 * parameter.
 *
 * @since 2.7.0
 *
 * @param string|array $class One or more classes to add to the class list.
 * @param int $post_id An optional post ID.
 * @return array Array of classes.
 */
function get_post_class( $class = '', $post_id = null ) {
    $post = get_post($post_id);

    $classes = array();

    if ( empty($post) )
        return $classes;

    $classes[] = 'post-' . $post->ID;
    $classes[] = $post->post_type;
    $classes[] = 'type-' . $post->post_type;
    $classes[] = 'status-' . $post->post_status;

    // Post Format
    $post_format = get_post_format( $post->ID );

    if ( post_type_supports( $post->post_type, 'post-formats' ) ) {
        if ( $post_format && !is_wp_error($post_format) )
            $classes[] = 'format-' . sanitize_html_class( $post_format );
        else
            $classes[] = 'format-standard';
    }

    // post requires password
    if ( post_password_required($post->ID) )
        $classes[] = 'post-password-required';

    // sticky for Sticky Posts
    if ( is_sticky($post->ID) && is_home() && !is_paged() )
        $classes[] = 'sticky';

    // hentry for hAtom compliance
    $classes[] = 'hentry';

    // Categories
    if ( is_object_in_taxonomy( $post->post_type, 'category' ) ) {
        foreach ( (array) get_the_category($post->ID) as $cat ) {
            if ( empty($cat->slug ) )
                continue;
            $classes[] = 'category-' . sanitize_html_class($cat->slug, $cat->term_id);
        }
    }

    // Tags
    if ( is_object_in_taxonomy( $post->post_type, 'post_tag' ) ) {
        foreach ( (array) get_the_tags($post->ID) as $tag ) {
            if ( empty($tag->slug ) )
                continue;
            $classes[] = 'tag-' . sanitize_html_class($tag->slug, $tag->term_id);
        }
    }

    if ( !empty($class) ) {
        if ( !is_array( $class ) )
            $class = preg_split('#\s+#', $class);
        $classes = array_merge($classes, $class);
    }

    $classes = array_map('esc_attr', $classes);

    return apply_filters('post_class', $classes, $class, $post->ID);
}

/**
 * Display the classes for the body element.
 *
 * @since 2.8.0
 *
 * @param string|array $class One or more classes to add to the class list.
 */
function body_class( $class = '' ) {
    // Separates classes with a single space, collates classes for body element
    echo 'class="' . join( ' ', get_body_class( $class ) ) . '"';
}

/**
 * Retrieve the classes for the body element as an array.
 *
 * @since 2.8.0
 *
 * @param string|array $class One or more classes to add to the class list.
 * @return array Array of classes.
 */
function get_body_class( $class = '' ) {
    global $wp_query, $wpdb;

    $classes = array();

    if ( is_rtl() )
        $classes[] = 'rtl';

    if ( is_front_page() )
        $classes[] = 'home';
    if ( is_home() )
        $classes[] = 'blog';
    if ( is_archive() )
        $classes[] = 'archive';
    if ( is_date() )
        $classes[] = 'date';
    if ( is_search() )
        $classes[] = 'search';
    if ( is_paged() )
        $classes[] = 'paged';
    if ( is_attachment() )
        $classes[] = 'attachment';
    if ( is_404() )
        $classes[] = 'error404';

    if ( is_single() ) {
        $post_id = $wp_query->get_queried_object_id();
        $post = $wp_query->get_queried_object();

        $classes[] = 'single';
        $classes[] = 'single-' . sanitize_html_class($post->post_type, $post_id);
        $classes[] = 'postid-' . $post_id;

        // Post Format
        $post_format = get_post_format( $post->ID );

        if ( $post_format && !is_wp_error($post_format) )
            $classes[] = 'single-format-' . sanitize_html_class( $post_format );
        else
            $classes[] = 'single-format-standard';

        if ( is_attachment() ) {
            $mime_type = get_post_mime_type($post_id);
            $mime_prefix = array( 'application/', 'image/', 'text/', 'audio/', 'video/', 'music/' );
            $classes[] = 'attachmentid-' . $post_id;
            $classes[] = 'attachment-' . str_replace( $mime_prefix, '', $mime_type );
        }
    } elseif ( is_archive() ) {
        if ( is_post_type_archive() ) {
            $classes[] = 'post-type-archive';
            $classes[] = 'post-type-archive-' . sanitize_html_class( get_query_var( 'post_type' ) );
        } else if ( is_author() ) {
            $author = $wp_query->get_queried_object();
            $classes[] = 'author';
            $classes[] = 'author-' . sanitize_html_class( $author->user_nicename , $author->ID );
            $classes[] = 'author-' . $author->ID;
        } elseif ( is_category() ) {
            $cat = $wp_query->get_queried_object();
            $classes[] = 'category';
            $classes[] = 'category-' . sanitize_html_class( $cat->slug, $cat->term_id );
            $classes[] = 'category-' . $cat->term_id;
        } elseif ( is_tag() ) {
            $tags = $wp_query->get_queried_object();
            $classes[] = 'tag';
            $classes[] = 'tag-' . sanitize_html_class( $tags->slug, $tags->term_id );
            $classes[] = 'tag-' . $tags->term_id;
        } elseif ( is_tax() ) {
            $term = $wp_query->get_queried_object();
            $classes[] = 'tax-' . sanitize_html_class( $term->taxonomy );
            $classes[] = 'term-' . sanitize_html_class( $term->slug, $term->term_id );
            $classes[] = 'term-' . $term->term_id;
        }
    } elseif ( is_page() ) {
        $classes[] = 'page';

        $page_id = $wp_query->get_queried_object_id();

        $post = get_page($page_id);

        $classes[] = 'page-id-' . $page_id;

        if ( $wpdb->get_var( $wpdb->prepare("SELECT ID FROM $wpdb->posts WHERE post_parent = %d AND post_type = 'page' AND post_status = 'publish' LIMIT 1", $page_id) ) )
            $classes[] = 'page-parent';

        if ( $post->post_parent ) {
            $classes[] = 'page-child';
            $classes[] = 'parent-pageid-' . $post->post_parent;
        }
        if ( is_page_template() ) {
            $classes[] = 'page-template';
            $classes[] = 'page-template-' . sanitize_html_class( str_replace( '.', '-', get_post_meta( $page_id, '_wp_page_template', true ) ), '' );
        } else {
            $classes[] = 'page-template-default';
        }
    } elseif ( is_search() ) {
        if ( !empty( $wp_query->posts ) )
            $classes[] = 'search-results';
        else
            $classes[] = 'search-no-results';
    }

    if ( is_user_logged_in() )
        $classes[] = 'logged-in';

    if ( is_admin_bar_showing() )
        $classes[] = 'admin-bar';

    $page = $wp_query->get( 'page' );

    if ( !$page || $page < 2)
        $page = $wp_query->get( 'paged' );

    if ( $page && $page > 1 ) {
        $classes[] = 'paged-' . $page;

        if ( is_single() )
            $classes[] = 'single-paged-' . $page;
        elseif ( is_page() )
            $classes[] = 'page-paged-' . $page;
        elseif ( is_category() )
            $classes[] = 'category-paged-' . $page;
        elseif ( is_tag() )
            $classes[] = 'tag-paged-' . $page;
        elseif ( is_date() )
            $classes[] = 'date-paged-' . $page;
        elseif ( is_author() )
            $classes[] = 'author-paged-' . $page;
        elseif ( is_search() )
            $classes[] = 'search-paged-' . $page;
        elseif ( is_post_type_archive() )
            $classes[] = 'post-type-paged-' . $page;
    }

    if ( ! empty( $class ) ) {
        if ( !is_array( $class ) )
            $class = preg_split( '#\s+#', $class );
        $classes = array_merge( $classes, $class );
    } else {
        // Ensure that we always coerce class to being an array.
        $class = array();
    }

    $classes = array_map( 'esc_attr', $classes );

    return apply_filters( 'body_class', $classes, $class );
}

/**
 * Whether post requires password and correct password has been provided.
 *
 * @since 2.7.0
 *
 * @param int|object $post An optional post.  Global $post used if not provided.
 * @return bool false if a password is not required or the correct password cookie is present, true otherwise.
 */
function post_password_required( $post = null ) {
    $post = get_post($post);

    if ( empty($post->post_password) )
        return false;

    if ( !isset($_COOKIE['wp-postpass_' . COOKIEHASH]) )
        return true;

    if ( $_COOKIE['wp-postpass_' . COOKIEHASH] != $post->post_password )
        return true;

    return false;
}

/**
 * Display "sticky" CSS class, if a post is sticky.
 *
 * @since 2.7.0
 *
 * @param int $post_id An optional post ID.
 */
function sticky_class( $post_id = null ) {
    if ( !is_sticky($post_id) )
        return;

    echo " sticky";
}

/**
 * Page Template Functions for usage in Themes
 *
 * @package WordPress
 * @subpackage Template
 */

/**
 * The formatted output of a list of pages.
 *
 * Displays page links for paginated posts (i.e. includes the <!--nextpage-->.
 * Quicktag one or more times). This tag must be within The Loop.
 *
 * The defaults for overwriting are:
 * 'next_or_number' - Default is 'number' (string). Indicates whether page
 *      numbers should be used. Valid values are number and next.
 * 'nextpagelink' - Default is 'Next Page' (string). Text for link to next page.
 *      of the bookmark.
 * 'previouspagelink' - Default is 'Previous Page' (string). Text for link to
 *      previous page, if available.
 * 'pagelink' - Default is '%' (String).Format string for page numbers. The % in
 *      the parameter string will be replaced with the page number, so Page %
 *      generates "Page 1", "Page 2", etc. Defaults to %, just the page number.
 * 'before' - Default is '<p> Pages:' (string). The html or text to prepend to
 *      each bookmarks.
 * 'after' - Default is '</p>' (string). The html or text to append to each
 *      bookmarks.
 * 'link_before' - Default is '' (string). The html or text to prepend to each
 *      Pages link inside the <a> tag. Also prepended to the current item, which
 *      is not linked.
 * 'link_after' - Default is '' (string). The html or text to append to each
 *      Pages link inside the <a> tag. Also appended to the current item, which
 *      is not linked.
 *
 * @since 1.2.0
 * @access private
 *
 * @param string|array $args Optional. Overwrite the defaults.
 * @return string Formatted output in HTML.
 */
function wp_link_pages($args = '') {
    $defaults = array(
        'before' => '<p>' . __('Pages:'), 'after' => '</p>',
        'link_before' => '', 'link_after' => '',
        'next_or_number' => 'number', 'nextpagelink' => __('Next page'),
        'previouspagelink' => __('Previous page'), 'pagelink' => '%',
        'echo' => 1
    );

    $r = wp_parse_args( $args, $defaults );
    $r = apply_filters( 'wp_link_pages_args', $r );
    extract( $r, EXTR_SKIP );

    global $page, $numpages, $multipage, $more, $pagenow;

    $output = '';
    if ( $multipage ) {
        if ( 'number' == $next_or_number ) {
            $output .= $before;
            for ( $i = 1; $i < ($numpages+1); $i = $i + 1 ) {
                $j = str_replace('%',$i,$pagelink);
                $output .= ' ';
                if ( ($i != $page) || ((!$more) && ($page==1)) ) {
                    $output .= _wp_link_page($i);
                }
                $output .= $link_before . $j . $link_after;
                if ( ($i != $page) || ((!$more) && ($page==1)) )
                    $output .= '</a>';
            }
            $output .= $after;
        } else {
            if ( $more ) {
                $output .= $before;
                $i = $page - 1;
                if ( $i && $more ) {
                    $output .= _wp_link_page($i);
                    $output .= $link_before. $previouspagelink . $link_after . '</a>';
                }
                $i = $page + 1;
                if ( $i <= $numpages && $more ) {
                    $output .= _wp_link_page($i);
                    $output .= $link_before. $nextpagelink . $link_after . '</a>';
                }
                $output .= $after;
            }
        }
    }

    if ( $echo )
        echo $output;

    return $output;
}

/**
 * Helper function for wp_link_pages().
 *
 * @since 3.1.0
 * @access private
 *
 * @param int $i Page number.
 * @return string Link.
 */
function _wp_link_page( $i ) {
    global $post, $wp_rewrite;

    if ( 1 == $i ) {
        $url = get_permalink();
    } else {
        if ( '' == get_option('permalink_structure') || in_array($post->post_status, array('draft', 'pending')) )
            $url = add_query_arg( 'page', $i, get_permalink() );
        elseif ( 'page' == get_option('show_on_front') && get_option('page_on_front') == $post->ID )
            $url = trailingslashit(get_permalink()) . user_trailingslashit("$wp_rewrite->pagination_base/" . $i, 'single_paged');
        else
            $url = trailingslashit(get_permalink()) . user_trailingslashit($i, 'single_paged');
    }

    return '<a href="' . esc_url( $url ) . '">';
}

//
// Post-meta: Custom per-post fields.
//

/**
 * Retrieve post custom meta data field.
 *
 * @since 1.5.0
 *
 * @param string $key Meta data key name.
 * @return bool|string|array Array of values or single value, if only one element exists. False will be returned if key does not exist.
 */
function post_custom( $key = '' ) {
    $custom = get_post_custom();

    if ( !isset( $custom[$key] ) )
        return false;
    elseif ( 1 == count($custom[$key]) )
        return $custom[$key][0];
    else
        return $custom[$key];
}

/**
 * Display list of post custom fields.
 *
 * @internal This will probably change at some point...
 * @since 1.2.0
 * @uses apply_filters() Calls 'the_meta_key' on list item HTML content, with key and value as separate parameters.
 */
function the_meta() {
    if ( $keys = get_post_custom_keys() ) {
        echo "<ul class='post-meta'>\n";
        foreach ( (array) $keys as $key ) {
            $keyt = trim($key);
            if ( '_' == $keyt[0] )
                continue;
            $values = array_map('trim', get_post_custom_values($key));
            $value = implode($values,', ');
            echo apply_filters('the_meta_key', "<li><span class='post-meta-key'>$key:</span> $value</li>\n", $key, $value);
        }
        echo "</ul>\n";
    }
}

//
// Pages
//

/**
 * Retrieve or display list of pages as a dropdown (select list).
 *
 * @since 2.1.0
 *
 * @param array|string $args Optional. Override default arguments.
 * @return string HTML content, if not displaying.
 */
function wp_dropdown_pages($args = '') {
    $defaults = array(
        'depth' => 0, 'child_of' => 0,
        'selected' => 0, 'echo' => 1,
        'name' => 'page_id', 'id' => '',
        'show_option_none' => '', 'show_option_no_change' => '',
        'option_none_value' => ''
    );

    $r = wp_parse_args( $args, $defaults );
    extract( $r, EXTR_SKIP );

    $pages = get_pages($r);
    $output = '';
    $name = esc_attr($name);
    // Back-compat with old system where both id and name were based on $name argument
    if ( empty($id) )
        $id = $name;

    if ( ! empty($pages) ) {
        $output = "<select name=\"$name\" id=\"$id\">\n";
        if ( $show_option_no_change )
            $output .= "\t<option value=\"-1\">$show_option_no_change</option>";
        if ( $show_option_none )
            $output .= "\t<option value=\"" . esc_attr($option_none_value) . "\">$show_option_none</option>\n";
        $output .= walk_page_dropdown_tree($pages, $depth, $r);
        $output .= "</select>\n";
    }

    $output = apply_filters('wp_dropdown_pages', $output);

    if ( $echo )
        echo $output;

    return $output;
}

/**
 * Retrieve or display list of pages in list (li) format.
 *
 * @since 1.5.0
 *
 * @param array|string $args Optional. Override default arguments.
 * @return string HTML content, if not displaying.
 */
function wp_list_pages($args = '') {
    $defaults = array(
        'depth' => 0, 'show_date' => '',
        'date_format' => get_option('date_format'),
        'child_of' => 0, 'exclude' => '',
        'title_li' => __('Pages'), 'echo' => 1,
        'authors' => '', 'sort_column' => 'menu_order, post_title',
        'link_before' => '', 'link_after' => '', 'walker' => '',
    );

    $r = wp_parse_args( $args, $defaults );
    extract( $r, EXTR_SKIP );

    $output = '';
    $current_page = 0;

    // sanitize, mostly to keep spaces out
    $r['exclude'] = preg_replace('/[^0-9,]/', '', $r['exclude']);

    // Allow plugins to filter an array of excluded pages (but don't put a nullstring into the array)
    $exclude_array = ( $r['exclude'] ) ? explode(',', $r['exclude']) : array();
    $r['exclude'] = implode( ',', apply_filters('wp_list_pages_excludes', $exclude_array) );

    // Query pages.
    $r['hierarchical'] = 0;
    $pages = get_pages($r);

    if ( !empty($pages) ) {
        if ( $r['title_li'] )
            $output .= '<li class="pagenav">' . $r['title_li'] . '<ul>';

        global $wp_query;
        if ( is_page() || is_attachment() || $wp_query->is_posts_page )
            $current_page = $wp_query->get_queried_object_id();
        $output .= walk_page_tree($pages, $r['depth'], $current_page, $r);

        if ( $r['title_li'] )
            $output .= '</ul></li>';
    }

    $output = apply_filters('wp_list_pages', $output, $r);

    if ( $r['echo'] )
        echo $output;
    else
        return $output;
}

/**
 * Display or retrieve list of pages with optional home link.
 *
 * The arguments are listed below and part of the arguments are for {@link
 * wp_list_pages()} function. Check that function for more info on those
 * arguments.
 *
 * <ul>
 * <li><strong>sort_column</strong> - How to sort the list of pages. Defaults
 * to page title. Use column for posts table.</li>
 * <li><strong>menu_class</strong> - Class to use for the div ID which contains
 * the page list. Defaults to 'menu'.</li>
 * <li><strong>echo</strong> - Whether to echo list or return it. Defaults to
 * echo.</li>
 * <li><strong>link_before</strong> - Text before show_home argument text.</li>
 * <li><strong>link_after</strong> - Text after show_home argument text.</li>
 * <li><strong>show_home</strong> - If you set this argument, then it will
 * display the link to the home page. The show_home argument really just needs
 * to be set to the value of the text of the link.</li>
 * </ul>
 *
 * @since 2.7.0
 *
 * @param array|string $args
 */
function wp_page_menu( $args = array() ) {
    $defaults = array('sort_column' => 'menu_order, post_title', 'menu_class' => 'menu', 'echo' => true, 'link_before' => '', 'link_after' => '');
    $args = wp_parse_args( $args, $defaults );
    $args = apply_filters( 'wp_page_menu_args', $args );

    $menu = '';

    $list_args = $args;

    // Show Home in the menu
    if ( ! empty($args['show_home']) ) {
        if ( true === $args['show_home'] || '1' === $args['show_home'] || 1 === $args['show_home'] )
            $text = __('Home');
        else
            $text = $args['show_home'];
        $class = '';
        if ( is_front_page() && !is_paged() )
            $class = 'class="current_page_item"';
        $menu .= '<li ' . $class . '><a href="' . home_url( '/' ) . '" title="' . esc_attr($text) . '">' . $args['link_before'] . $text . $args['link_after'] . '</a></li>';
        // If the front page is a page, add it to the exclude list
        if (get_option('show_on_front') == 'page') {
            if ( !empty( $list_args['exclude'] ) ) {
                $list_args['exclude'] .= ',';
            } else {
                $list_args['exclude'] = '';
            }
            $list_args['exclude'] .= get_option('page_on_front');
        }
    }

    $list_args['echo'] = false;
    $list_args['title_li'] = '';
    $menu .= str_replace( array( "\r", "\n", "\t" ), '', wp_list_pages($list_args) );

    if ( $menu )
        $menu = '<ul>' . $menu . '</ul>';

    $menu = '<div class="' . esc_attr($args['menu_class']) . '">' . $menu . "</div>\n";
    $menu = apply_filters( 'wp_page_menu', $menu, $args );
    if ( $args['echo'] )
        echo $menu;
    else
        return $menu;
}

//
// Page helpers
//

/**
 * Retrieve HTML list content for page list.
 *
 * @uses Walker_Page to create HTML list content.
 * @since 2.1.0
 * @see Walker_Page::walk() for parameters and return description.
 */
function walk_page_tree($pages, $depth, $current_page, $r) {
    if ( empty($r['walker']) )
        $walker = new Walker_Page;
    else
        $walker = $r['walker'];

    $args = array($pages, $depth, $r, $current_page);
    return call_user_func_array(array(&$walker, 'walk'), $args);
}

/**
 * Retrieve HTML dropdown (select) content for page list.
 *
 * @uses Walker_PageDropdown to create HTML dropdown content.
 * @since 2.1.0
 * @see Walker_PageDropdown::walk() for parameters and return description.
 */
function walk_page_dropdown_tree() {
    $args = func_get_args();
    if ( empty($args[2]['walker']) ) // the user's options are the third parameter
        $walker = new Walker_PageDropdown;
    else
        $walker = $args[2]['walker'];

    return call_user_func_array(array(&$walker, 'walk'), $args);
}

/**
 * Create HTML list of pages.
 *
 * @package WordPress
 * @since 2.1.0
 * @uses Walker
 */
class Walker_Page extends Walker {
    /**
     * @see Walker::$tree_type
     * @since 2.1.0
     * @var string
     */
    var $tree_type = 'page';

    /**
     * @see Walker::$db_fields
     * @since 2.1.0
     * @todo Decouple this.
     * @var array
     */
    var $db_fields = array ('parent' => 'post_parent', 'id' => 'ID');

    /**
     * @see Walker::start_lvl()
     * @since 2.1.0
     *
     * @param string $output Passed by reference. Used to append additional content.
     * @param int $depth Depth of page. Used for padding.
     */
    function start_lvl(&$output, $depth) {
        $indent = str_repeat("\t", $depth);
        $output .= "\n$indent<ul class='children'>\n";
    }

    /**
     * @see Walker::end_lvl()
     * @since 2.1.0
     *
     * @param string $output Passed by reference. Used to append additional content.
     * @param int $depth Depth of page. Used for padding.
     */
    function end_lvl(&$output, $depth) {
        $indent = str_repeat("\t", $depth);
        $output .= "$indent</ul>\n";
    }

    /**
     * @see Walker::start_el()
     * @since 2.1.0
     *
     * @param string $output Passed by reference. Used to append additional content.
     * @param object $page Page data object.
     * @param int $depth Depth of page. Used for padding.
     * @param int $current_page Page ID.
     * @param array $args
     */
    function start_el(&$output, $page, $depth, $args, $current_page) {
        if ( $depth )
            $indent = str_repeat("\t", $depth);
        else
            $indent = '';

        extract($args, EXTR_SKIP);
        $css_class = array('page_item', 'page-item-'.$page->ID);
        if ( !empty($current_page) ) {
            $_current_page = get_page( $current_page );
            _get_post_ancestors($_current_page);
            if ( isset($_current_page->ancestors) && in_array($page->ID, (array) $_current_page->ancestors) )
                $css_class[] = 'current_page_ancestor';
            if ( $page->ID == $current_page )
                $css_class[] = 'current_page_item';
            elseif ( $_current_page && $page->ID == $_current_page->post_parent )
                $css_class[] = 'current_page_parent';
        } elseif ( $page->ID == get_option('page_for_posts') ) {
            $css_class[] = 'current_page_parent';
        }

        $css_class = implode(' ', apply_filters('page_css_class', $css_class, $page));

        $output .= $indent . '<li class="' . $css_class . '"><a href="' . get_permalink($page->ID) . '" title="' . esc_attr( wp_strip_all_tags( apply_filters( 'the_title', $page->post_title, $page->ID ) ) ) . '">' . $link_before . apply_filters( 'the_title', $page->post_title, $page->ID ) . $link_after . '</a>';

        if ( !empty($show_date) ) {
            if ( 'modified' == $show_date )
                $time = $page->post_modified;
            else
                $time = $page->post_date;

            $output .= " " . mysql2date($date_format, $time);
        }
    }

    /**
     * @see Walker::end_el()
     * @since 2.1.0
     *
     * @param string $output Passed by reference. Used to append additional content.
     * @param object $page Page data object. Not used.
     * @param int $depth Depth of page. Not Used.
     */
    function end_el(&$output, $page, $depth) {
        $output .= "</li>\n";
    }

}

/**
 * Create HTML dropdown list of pages.
 *
 * @package WordPress
 * @since 2.1.0
 * @uses Walker
 */
class Walker_PageDropdown extends Walker {
    /**
     * @see Walker::$tree_type
     * @since 2.1.0
     * @var string
     */
    var $tree_type = 'page';

    /**
     * @see Walker::$db_fields
     * @since 2.1.0
     * @todo Decouple this
     * @var array
     */
    var $db_fields = array ('parent' => 'post_parent', 'id' => 'ID');

    /**
     * @see Walker::start_el()
     * @since 2.1.0
     *
     * @param string $output Passed by reference. Used to append additional content.
     * @param object $page Page data object.
     * @param int $depth Depth of page in reference to parent pages. Used for padding.
     * @param array $args Uses 'selected' argument for selected page to set selected HTML attribute for option element.
     */
    function start_el(&$output, $page, $depth, $args) {
        $pad = str_repeat('&nbsp;', $depth * 3);

        $output .= "\t<option class=\"level-$depth\" value=\"$page->ID\"";
        if ( $page->ID == $args['selected'] )
            $output .= ' selected="selected"';
        $output .= '>';
        $title = apply_filters( 'list_pages', $page->post_title );
        $output .= $pad . esc_html( $title );
        $output .= "</option>\n";
    }
}

//
// Attachments
//

/**
 * Display an attachment page link using an image or icon.
 *
 * @since 2.0.0
 *
 * @param int $id Optional. Post ID.
 * @param bool $fullsize Optional, default is false. Whether to use full size.
 * @param bool $deprecated Deprecated. Not used.
 * @param bool $permalink Optional, default is false. Whether to include permalink.
 */
function the_attachment_link( $id = 0, $fullsize = false, $deprecated = false, $permalink = false ) {
    if ( !empty( $deprecated ) )
        _deprecated_argument( __FUNCTION__, '2.5' );

    if ( $fullsize )
        echo wp_get_attachment_link($id, 'full', $permalink);
    else
        echo wp_get_attachment_link($id, 'thumbnail', $permalink);
}

/**
 * Retrieve an attachment page link using an image or icon, if possible.
 *
 * @since 2.5.0
 * @uses apply_filters() Calls 'wp_get_attachment_link' filter on HTML content with same parameters as function.
 *
 * @param int $id Optional. Post ID.
 * @param string $size Optional, default is 'thumbnail'. Size of image, either array or string.
 * @param bool $permalink Optional, default is false. Whether to add permalink to image.
 * @param bool $icon Optional, default is false. Whether to include icon.
 * @param string $text Optional, default is false. If string, then will be link text.
 * @return string HTML content.
 */
function wp_get_attachment_link($id = 0, $size = 'thumbnail', $permalink = false, $icon = false, $text = false) {
    $id = intval($id);
    $_post = & get_post( $id );

    if ( ('attachment' != $_post->post_type) || !$url = wp_get_attachment_url($_post->ID) )
        return __('Missing Attachment');

    if ( $permalink )
        $url = get_attachment_link($_post->ID);

    $post_title = esc_attr($_post->post_title);

    if ( $text ) {
        $link_text = esc_attr($text);
    } elseif ( ( is_int($size) && $size != 0 ) or ( is_string($size) && $size != 'none' ) or $size != false ) {
        $link_text = wp_get_attachment_image($id, $size, $icon);
    } else {
        $link_text = '';
    }

    if( trim($link_text) == '' )
        $link_text = $_post->post_title;

    return apply_filters( 'wp_get_attachment_link', "<a href='$url' title='$post_title'>$link_text</a>", $id, $size, $permalink, $icon, $text );
}

/**
 * Wrap attachment in <<p>> element before content.
 *
 * @since 2.0.0
 * @uses apply_filters() Calls 'prepend_attachment' hook on HTML content.
 *
 * @param string $content
 * @return string
 */
function prepend_attachment($content) {
    global $post;

    if ( empty($post->post_type) || $post->post_type != 'attachment' )
        return $content;

    $p = '<p class="attachment">';
    // show the medium sized image representation of the attachment if available, and link to the raw file
    $p .= wp_get_attachment_link(0, 'medium', false);
    $p .= '</p>';
    $p = apply_filters('prepend_attachment', $p);

    return "$p\n$content";
}

//
// Misc
//

/**
 * Retrieve protected post password form content.
 *
 * @since 1.0.0
 * @uses apply_filters() Calls 'the_password_form' filter on output.
 *
 * @return string HTML content for password form for password protected post.
 */
function get_the_password_form() {
    global $post;
    $label = 'pwbox-'.(empty($post->ID) ? rand() : $post->ID);
    $output = '<form action="' . get_option('siteurl') . '/wp-pass.php" method="post">
    <p>' . __("This post is password protected. To view it please enter your password below:") . '</p>
    <p><label for="' . $label . '">' . __("Password:") . ' <input name="post_password" id="' . $label . '" type="password" size="20" /></label> <input type="submit" name="Submit" value="' . esc_attr__("Submit") . '" /></p>
    </form>
    ';
    return apply_filters('the_password_form', $output);
}

/**
 * Whether currently in a page template.
 *
 * This template tag allows you to determine if you are in a page template.
 * You can optionally provide a template name and then the check will be
 * specific to that template.
 *
 * @since 2.5.0
 * @uses $wp_query
 *
 * @param string $template The specific template name if specific matching is required.
 * @return bool False on failure, true if success.
 */
function is_page_template($template = '') {
    if (!is_page()) {
        return false;
    }

    global $wp_query;

    $page = $wp_query->get_queried_object();
    $custom_fields = get_post_custom_values('_wp_page_template',$page->ID);
    $page_template = $custom_fields[0];

    // We have no argument passed so just see if a page_template has been specified
    if ( empty( $template ) ) {
        if ( !empty( $page_template ) and ( 'default' != $page_template ) ) {
            return true;
        }
    } elseif ( $template == $page_template) {
        return true;
    }

    return false;
}

/**
 * Retrieve formatted date timestamp of a revision (linked to that revisions's page).
 *
 * @package WordPress
 * @subpackage Post_Revisions
 * @since 2.6.0
 *
 * @uses date_i18n()
 *
 * @param int|object $revision Revision ID or revision object.
 * @param bool $link Optional, default is true. Link to revisions's page?
 * @return string i18n formatted datetimestamp or localized 'Current Revision'.
 */
function wp_post_revision_title( $revision, $link = true ) {
    if ( !$revision = get_post( $revision ) )
        return $revision;

    if ( !in_array( $revision->post_type, array( 'post', 'page', 'revision' ) ) )
        return false;

    /* translators: revision date format, see http://php.net/date */
    $datef = _x( 'j F, Y @ G:i', 'revision date format');
    /* translators: 1: date */
    $autosavef = __( '%1$s [Autosave]' );
    /* translators: 1: date */
    $currentf  = __( '%1$s [Current Revision]' );

    $date = date_i18n( $datef, strtotime( $revision->post_modified ) );
    if ( $link && current_user_can( 'edit_post', $revision->ID ) && $link = get_edit_post_link( $revision->ID ) )
        $date = "<a href='$link'>$date</a>";

    if ( !wp_is_post_revision( $revision ) )
        $date = sprintf( $currentf, $date );
    elseif ( wp_is_post_autosave( $revision ) )
        $date = sprintf( $autosavef, $date );

    return $date;
}

/**
 * Display list of a post's revisions.
 *
 * Can output either a UL with edit links or a TABLE with diff interface, and
 * restore action links.
 *
 * Second argument controls parameters:
 *   (bool)   parent : include the parent (the "Current Revision") in the list.
 *   (string) format : 'list' or 'form-table'.  'list' outputs UL, 'form-table'
 *                     outputs TABLE with UI.
 *   (int)    right  : what revision is currently being viewed - used in
 *                     form-table format.
 *   (int)    left   : what revision is currently being diffed against right -
 *                     used in form-table format.
 *
 * @package WordPress
 * @subpackage Post_Revisions
 * @since 2.6.0
 *
 * @uses wp_get_post_revisions()
 * @uses wp_post_revision_title()
 * @uses get_edit_post_link()
 * @uses get_the_author_meta()
 *
 * @todo split into two functions (list, form-table) ?
 *
 * @param int|object $post_id Post ID or post object.
 * @param string|array $args See description {@link wp_parse_args()}.
 * @return null
 */
function wp_list_post_revisions( $post_id = 0, $args = null ) {
    if ( !$post = get_post( $post_id ) )
        return;

    $defaults = array( 'parent' => false, 'right' => false, 'left' => false, 'format' => 'list', 'type' => 'all' );
    extract( wp_parse_args( $args, $defaults ), EXTR_SKIP );

    switch ( $type ) {
        case 'autosave' :
            if ( !$autosave = wp_get_post_autosave( $post->ID ) )
                return;
            $revisions = array( $autosave );
            break;
        case 'revision' : // just revisions - remove autosave later
        case 'all' :
        default :
            if ( !$revisions = wp_get_post_revisions( $post->ID ) )
                return;
            break;
    }

    /* translators: post revision: 1: when, 2: author name */
    $titlef = _x( '%1$s by %2$s', 'post revision' );

    if ( $parent )
        array_unshift( $revisions, $post );

    $rows = $right_checked = '';
    $class = false;
    $can_edit_post = current_user_can( 'edit_post', $post->ID );
    foreach ( $revisions as $revision ) {
        if ( !current_user_can( 'read_post', $revision->ID ) )
            continue;
        if ( 'revision' === $type && wp_is_post_autosave( $revision ) )
            continue;

        $date = wp_post_revision_title( $revision );
        $name = get_the_author_meta( 'display_name', $revision->post_author );

        if ( 'form-table' == $format ) {
            if ( $left )
                $left_checked = $left == $revision->ID ? ' checked="checked"' : '';
            else
                $left_checked = $right_checked ? ' checked="checked"' : ''; // [sic] (the next one)
            $right_checked = $right == $revision->ID ? ' checked="checked"' : '';

            $class = $class ? '' : " class='alternate'";

            if ( $post->ID != $revision->ID && $can_edit_post )
                $actions = '<a href="' . wp_nonce_url( add_query_arg( array( 'revision' => $revision->ID, 'action' => 'restore' ) ), "restore-post_$post->ID|$revision->ID" ) . '">' . __( 'Restore' ) . '</a>';
            else
                $actions = '';

            $rows .= "<tr$class>\n";
            $rows .= "\t<th style='white-space: nowrap' scope='row'><input type='radio' name='left' value='$revision->ID'$left_checked /></th>\n";
            $rows .= "\t<th style='white-space: nowrap' scope='row'><input type='radio' name='right' value='$revision->ID'$right_checked /></th>\n";
            $rows .= "\t<td>$date</td>\n";
            $rows .= "\t<td>$name</td>\n";
            $rows .= "\t<td class='action-links'>$actions</td>\n";
            $rows .= "</tr>\n";
        } else {
            $title = sprintf( $titlef, $date, $name );
            $rows .= "\t<li>$title</li>\n";
        }
    }

    if ( 'form-table' == $format ) : ?>

<form action="revision.php" method="get">

<div class="tablenav">
    <div class="alignleft">
        <input type="submit" class="button-secondary" value="<?php esc_attr_e( 'Compare Revisions' ); ?>" />
        <input type="hidden" name="action" value="diff" />
        <input type="hidden" name="post_type" value="<?php echo esc_attr($post->post_type); ?>" />
    </div>
</div>

<br class="clear" />

<table class="widefat post-revisions" cellspacing="0" id="post-revisions">
    <col />
    <col />
    <col style="width: 33%" />
    <col style="width: 33%" />
    <col style="width: 33%" />
<thead>
<tr>
    <th scope="col"><?php /* translators: column name in revisons */ _ex( 'Old', 'revisions column name' ); ?></th>
    <th scope="col"><?php /* translators: column name in revisons */ _ex( 'New', 'revisions column name' ); ?></th>
    <th scope="col"><?php /* translators: column name in revisons */ _ex( 'Date Created', 'revisions column name' ); ?></th>
    <th scope="col"><?php _e( 'Author' ); ?></th>
    <th scope="col" class="action-links"><?php _e( 'Actions' ); ?></th>
</tr>
</thead>
<tbody>

<?php echo $rows; ?>

</tbody>
</table>

</form>

<?php
    else :
        echo "<ul class='post-revisions'>\n";
        echo $rows;
        echo "</ul>";
    endif;

}