Ticket #13383: 13383-escape-preview.diff

File 13383-escape-preview.diff, 1.9 KB (added by zeo, 3 years ago)

escape preview link

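--- a/wp-admin/includes/template.php
+++ b/wp-admin/includes/template.php
@@ -1361,7 +1361,7 @@
                        }
                        if ( in_array($post->post_status, array('pending', 'draft')) ) {
                                if ( current_user_can($post_type_object->cap->edit_post, $post->ID) )
-                                       $actions['view'] = '<a href="' . add_query_arg( 'preview', 'true', get_permalink($post->ID) ) . '" title="' . esc_attr(sprintf(__('Preview &#8220;%s&#8221;'), $title)) . '" rel="permalink">' . __('Preview') . '</a>';
+                                       $actions['view'] = '<a href="' . esc_url( add_query_arg( 'preview', 'true', get_permalink($post->ID) ) ) . '" title="' . esc_attr(sprintf(__('Preview &#8220;%s&#8221;'), $title)) . '" rel="permalink">' . __('Preview') . '</a>';
                        } elseif ( 'trash' != $post->post_status ) {
                                $actions['view'] = '<a href="' . get_permalink($post->ID) . '" title="' . esc_attr(sprintf(__('View &#8220;%s&#8221;'), $title)) . '" rel="permalink">' . __('View') . '</a>';
                        }
@@ -1583,7 +1583,7 @@
                }
                if ( in_array($post->post_status, array('pending', 'draft')) ) {
                        if ( current_user_can($post_type_object->cap->edit_post, $page->ID) )
-                               $actions['view'] = '<a href="' . add_query_arg( 'preview', 'true', get_permalink($page->ID) ) . '" title="' . esc_attr(sprintf(__('Preview &#8220;%s&#8221;'), $title)) . '" rel="permalink">' . __('Preview') . '</a>';
+                               $actions['view'] = '<a href="' . esc_url( add_query_arg( 'preview', 'true', get_permalink($page->ID) ) ) . '" title="' . esc_attr(sprintf(__('Preview &#8220;%s&#8221;'), $title)) . '" rel="permalink">' . __('Preview') . '</a>';
                } elseif ( $post->post_status != 'trash' ) {
                        $actions['view'] = '<a href="' . get_permalink($page->ID) . '" title="' . esc_attr(sprintf(__('View &#8220;%s&#8221;'), $title)) . '" rel="permalink">' . __('View') . '</a>';
                }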
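Review bot: The plain "View" link built on the `elseif` branch in both hunks still concatenates `get_permalink()` straight into the `href` attribute without `esc_url()`, so the patch escapes only the preview variant of the same link; wrap it as well, `'<a href="' . esc_url( get_permalink($post->ID) ) . '" title="'` in the first hunk and `esc_url( get_permalink($page->ID) )` in the second. Both enclosing function bodies start and end outside the hunks. The second hunk reads `$post->post_status` for the branch condition but `$page->ID` for the capability check and the link, which presumably refer to the same item here but is worth confirming against the surrounding function, since the first hunk uses `$post` throughout.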