
Changeset 12296


Timestamp:
11/30/2009 05:08:36 PM (12 years ago)
Author:
ryan
Message:

escape hrefs. Props Denis-de-Bernardy. fixes #10056 for 2.8

File:
1 edited

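--- a/branches/2.8/wp-admin/includes/media.php
+++ b/branches/2.8/wp-admin/includes/media.php
@@ -478,6 +478,6 @@
     }
     if ( !empty($src) )
-        $html = "<img src='$src' alt='$alt'$class />";
-    $html = apply_filters('image_send_to_editor_url', $html, $src, $alt, $align);
+        $html = "<img src='" . esc_url($src) . "' alt='$alt'$class />";
+    $html = apply_filters('image_send_to_editor_url', $html, esc_url_raw($src), $alt, $align);
     return media_send_to_editor($html);
 }
@@ -570,6 +570,6 @@
         $title = basename($href);
     if ( !empty($title) && !empty($href) )
-        $html = "<a href='$href' >$title</a>";
-    $html = apply_filters('audio_send_to_editor_url', $html, $href, $title);
+        $html = "<a href='" . esc_url($href) . "' >$title</a>";
+    $html = apply_filters('audio_send_to_editor_url', $html, esc_url_raw($href), $title);
     return media_send_to_editor($html);
 }
@@ -624,6 +624,6 @@
         $title = basename($href);
     if ( !empty($title) && !empty($href) )
-        $html = "<a href='$href' >$title</a>";
-    $html = apply_filters('video_send_to_editor_url', $html, $href, $title);
+        $html = "<a href='" . esc_url($href) . "' >$title</a>";
+    $html = apply_filters('video_send_to_editor_url', $html, esc_url_raw($href), $title);
     return media_send_to_editor($html);
 }
@@ -678,6 +678,6 @@
         $title = basename($href);
     if ( !empty($title) && !empty($href) )
-        $html = "<a href='$href' >$title</a>";
-    $html = apply_filters('file_send_to_editor_url', $html, $href, $title);
+        $html = "<a href='" . esc_url($href) . "' >$title</a>";
+    $html = apply_filters('file_send_to_editor_url', $html, esc_url_raw($href), $title);
     return media_send_to_editor($html);
 }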
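Review bot: In the audio, video and file sections the link text `$title` still goes into the markup unescaped, and the context line `$title = basename($href);` shows it can be derived from the raw URL, so escaping only the `href` leaves the same value reaching the editor HTML through the anchor body. Unless `$title` is already escaped above these hunks (the functions start outside the visible lines), the anchor line should read `$html = "<a href='" . esc_url($href) . "' >" . esc_html($title) . "</a>";`. The image section has the same gap for `alt='$alt'$class`, where `esc_attr($alt)` would apply if the value is not escaped earlier. A short comment above each `apply_filters` call noting that callbacks receive the `esc_url_raw()` form, which must still go through `esc_url()` before being printed into HTML, would also help plugin authors.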