
Changeset 12295


Timestamp:
11/30/2009 04:55:50 PM (15 years ago)
Author:
ryan
Message:

escape hrefs. Props Denis-de-Bernardy. fixes #10056

File:
1 edited

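--- a/trunk/wp-admin/includes/media.php
+++ b/trunk/wp-admin/includes/media.php
@@ -487,5 +487,5 @@
             if ( !strpos($src, '://') )
                 $src = "http://$src";
-            $html = '[embed]' . $src . '[/embed]';
+            $html = '[embed]' . esc_url($src) . '[/embed]';
         } else {
             $src = $_POST['insertonly']['src'];
@@ -498,8 +498,8 @@
             }
             if ( !empty($src) )
-                $html = "<img src='$src' alt='$alt'$class />";
+                $html = "<img src='" . esc_url($src) . "' alt='$alt'$class />";
         }
 
-        $html = apply_filters('image_send_to_editor_url', $html, $src, $alt, $align);
+        $html = apply_filters('image_send_to_editor_url', $html, esc_url_raw($src), $alt, $align);
         return media_send_to_editor($html);
     }
@@ -597,6 +597,6 @@
             $href = "http://$href";
 
-        $html = '[embed]' . $href . '[/embed]';
-        $html = apply_filters('audio_send_to_editor_url', $html, $href);
+        $html = '[embed]' . esc_url($href) . '[/embed]';
+        $html = apply_filters('audio_send_to_editor_url', $html, esc_url_raw($href));
         return media_send_to_editor($html);
     }
@@ -648,6 +648,6 @@
             $href = "http://$href";
 
-        $html = '[embed]' . $href . '[/embed]';
-        $html = apply_filters('video_send_to_editor_url', $html, $href);
+        $html = '[embed]' . esc_url($href) . '[/embed]';
+        $html = apply_filters('video_send_to_editor_url', $html, esc_url_raw($href));
         return media_send_to_editor($html);
     }
@@ -703,6 +703,6 @@
             $title = basename($href);
         if ( !empty($title) && !empty($href) )
-            $html = "<a href='$href' >$title</a>";
-        $html = apply_filters('file_send_to_editor_url', $html, $href, $title);
+            $html = "<a href='" . esc_url($href) . "' >$title</a>";
+        $html = apply_filters('file_send_to_editor_url', $html, esc_url_raw($href), $title);
         return media_send_to_editor($html);
     }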
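Review bot: The other values interpolated into the same new markup stay unescaped: `alt='$alt'$class` on new line 500 of the img tag and `>$title</a>` on new line 705 of the anchor, so the fix covers only the href/src attribute of each element. The context line `$title = basename($href)` at 703 suggests `$title` comes from the same request data as `$href`, and `$alt` and `$class` are assigned before the hunk so their origin cannot be confirmed here. Escaping them in their own contexts would make the output consistent: `$html = "<img src='" . esc_url($src) . "' alt='" . esc_attr($alt) . "'$class />";` and `$html = "<a href='" . esc_url($href) . "' >" . esc_html($title) . "</a>";`. Each enclosing function starts before its hunk, so the earlier assignments are not visible in this changeset.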