Changeset 23528 for trunk

Timestamp:

02/28/2013 06:58:52 PM (12 years ago)

Author:

nacin

Message:

esc_url() when printing a URL into an attribute, even when it is known to be safe. (see #17562)

File:

• trunk/wp-includes/author-template.php (modified) (2 diffs)

trunk/wp-includes/author-template.php

@@ -135 +135 @@
 function get_the_author_link() {
     if ( get_the_author_meta('url') ) {
-        return '<a href="' . get_the_author_meta('url') . '" title="' . esc_attr( sprintf(__("Visit %s&#8217;s website"), get_the_author()) ) . '" rel="author external">' . get_the_author() . '</a>';
+        return '<a href="' . esc_url( get_the_author_meta('url') ) . '" title="' . esc_attr( sprintf(__("Visit %s&#8217;s website"), get_the_author()) ) . '" rel="author external">' . get_the_author() . '</a>';
     } else {
         return get_the_author();
@@ -201 +201 @@
     $link = sprintf(
         '<a href="%1$s" title="%2$s" rel="author">%3$s</a>',
-        get_author_posts_url( $authordata->ID, $authordata->user_nicename ),
+        esc_url( get_author_posts_url( $authordata->ID, $authordata->user_nicename ) ),
         esc_attr( sprintf( __( 'Posts by %s' ), get_the_author() ) ),
         get_the_author()