
Ticket #11128: quickpress.title.XSS.fix.patch

File quickpress.title.XSS.fix.patch, 889 bytes (added by Simek, 9 years ago)
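--- a/dashboard.php
+++ b/dashboard.php
@@ -447,7 +447,7 @@
                 $list = array();
                 foreach ( $drafts as $draft ) {
                         $url = get_edit_post_link( $draft->ID );
-                        $title = _draft_or_post_title( $draft->ID );
+                        $title = esc_html( _draft_or_post_title( $draft->ID ) );
                         $item = "<h4><a href='$url' title='" . sprintf( __( 'Edit &#8220;%s&#8221;' ), esc_attr( $title ) ) . "'>$title</a> <abbr title='" . get_the_time(__('Y/m/d g:i:s A'), $draft) . "'>" . get_the_time( get_option( 'date_format' ), $draft ) . '</abbr></h4>';
                         if ( $the_content = preg_split( '#\s#', strip_tags( $draft->post_content ), 11, PREG_SPLIT_NO_EMPTY ) )
                                 $item .= '<p>' . join( ' ', array_slice( $the_content, 0, 10 ) ) . ( 10 < count( $the_content ) ? '&hellip;' : '' ) . '</p>';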
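Review bot: The added `esc_html()` on new line 450 escapes `$title` at assignment rather than at its output point, so on line 451 the same value is escaped a second time by `esc_attr()` inside the title attribute while the text-node use depends on the earlier call; escaping once per output context is clearer and does not rely on the escaping helpers tolerating already-encoded input. I would keep `$title = _draft_or_post_title( $draft->ID );` and write the anchor text as `'>" . esc_html( $title ) . "</a>`, leaving `esc_attr( $title )` for the attribute. The neighbouring interpolations on line 451 — `$url` in `href` and the `get_the_time()` results in the `abbr` title attribute — are still inserted without escaping; unless those helpers guarantee escaped output, `esc_url( $url )` and `esc_attr()` there would close the same class of gap this patch addresses for the title. The enclosing function begins before this hunk.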