
Changeset 23739


Timestamp:
03/18/13 14:01:25 (2 years ago)
Author:
ryan
Message:

Escape form action urls with esc_url() rather than esc_attr().

Props SergeyBiryukov
fixes #23266

Location:
trunk/wp-admin
Files:
5 edited

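--- a/trunk/wp-admin/includes/file.php
+++ b/trunk/wp-admin/includes/file.php
@@ -980,5 +980,5 @@
 -->
 </script>
-<form action="<?php echo $form_post ?>" method="post">
+<form action="<?php echo esc_url( $form_post ) ?>" method="post">
 <div class="wrap">
 <?php screen_icon(); ?>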
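Review bot: No nonce field is visible for the form opened on new line 982 — the media.php and update-core.php forms in this same changeset emit `wp_nonce_field()` right after their opening tag, and this one does not in the lines shown. The enclosing function starts before the hunk and the form body continues past it, so the nonce may well be emitted further down; worth confirming before merge. Moving from a bare echo to `esc_url( $form_post )` is the right fix here, since esc_url() rejects disallowed schemes such as `javascript:` that esc_attr() would have passed through intact.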
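--- a/trunk/wp-admin/includes/media.php
+++ b/trunk/wp-admin/includes/media.php
@@ -1603,5 +1603,5 @@
 ?>
 
-<form enctype="multipart/form-data" method="post" action="<?php echo esc_attr($form_action_url); ?>" class="<?php echo $form_class; ?>" id="<?php echo $type; ?>-form">
+<form enctype="multipart/form-data" method="post" action="<?php echo esc_url( $form_action_url ); ?>" class="<?php echo $form_class; ?>" id="<?php echo $type; ?>-form">
 <?php submit_button( '', 'hidden', 'save', false ); ?>
 <input type="hidden" name="post_id" id="post_id" value="<?php echo (int) $post_id; ?>" />
@@ -1668,5 +1668,5 @@
 ?>
 
-<form enctype="multipart/form-data" method="post" action="<?php echo esc_attr($form_action_url); ?>" class="<?php echo $form_class; ?>" id="<?php echo $type; ?>-form">
+<form enctype="multipart/form-data" method="post" action="<?php echo esc_url( $form_action_url ); ?>" class="<?php echo $form_class; ?>" id="<?php echo $type; ?>-form">
 <input type="hidden" name="post_id" id="post_id" value="<?php echo (int) $post_id; ?>" />
 <?php wp_nonce_field('media-form'); ?>
@@ -1819,5 +1819,5 @@
 <a href="#" id="clear"><?php _ex('Clear', 'verb'); ?></a>
 </div>
-<form enctype="multipart/form-data" method="post" action="<?php echo esc_attr($form_action_url); ?>" class="<?php echo $form_class; ?>" id="gallery-form">
+<form enctype="multipart/form-data" method="post" action="<?php echo esc_url( $form_action_url ); ?>" class="<?php echo $form_class; ?>" id="gallery-form">
 <?php wp_nonce_field('media-form'); ?>
 <?php //media_upload_form( $errors ); ?>
@@ -2059,5 +2059,5 @@
 </form>
 
-<form enctype="multipart/form-data" method="post" action="<?php echo esc_attr($form_action_url); ?>" class="<?php echo $form_class; ?>" id="library-form">
+<form enctype="multipart/form-data" method="post" action="<?php echo esc_url( $form_action_url ); ?>" class="<?php echo $form_class; ?>" id="library-form">
 
 <?php wp_nonce_field('media-form'); ?>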
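Review bot: The `class` and `id` attributes on the same `<form>` tags (new lines 1605, 1670, 1821, 2061) still echo `$form_class` and `$type` with no escaping at all, while the media-new.php change in this very changeset wraps `$form_class` in esc_attr(). For consistency the tags should read `class="<?php echo esc_attr( $form_class ); ?>" id="<?php echo esc_attr( $type ); ?>-form"` (the gallery and library forms have a literal `id`, so only `$form_class` applies there). Whether `$form_class` and `$type` can carry attacker-influenced values is not visible from these hunks — both are assigned outside them — but escaping at the point of output is the convention the rest of this commit is moving toward, and it costs nothing here.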
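--- a/trunk/wp-admin/includes/template.php
+++ b/trunk/wp-admin/includes/template.php
@@ -786,5 +786,5 @@
     else :
 ?>
-<form enctype="multipart/form-data" id="import-upload-form" method="post" class="wp-upload-form" action="<?php echo esc_attr(wp_nonce_url($action, 'import-upload')); ?>">
+<form enctype="multipart/form-data" id="import-upload-form" method="post" class="wp-upload-form" action="<?php echo esc_url( wp_nonce_url( $action, 'import-upload' ) ); ?>">
 <p>
 <label for="upload"><?php _e( 'Choose a file from your computer:' ); ?></label> (<?php printf( __('Maximum size: %s' ), $size ); ?>)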
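Review bot: esc_url() is now layered on top of wp_nonce_url() on new line 788; wp_nonce_url() appends a `_wpnonce` query argument, and depending on the core version its return value may itself already be HTML-entity-escaped, so it is worth checking the rendered `action` to make sure the `&` separator is not double-encoded. If it is, the correct shape is to escape exactly once, at output, which is what this line now does — the fix would then belong inside wp_nonce_url(), not here. Where `$action` comes from is not visible; the enclosing function begins before this hunk.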
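--- a/trunk/wp-admin/media-new.php
+++ b/trunk/wp-admin/media-new.php
@@ -69,5 +69,5 @@
     <h2><?php echo esc_html( $title ); ?></h2>
 
-    <form enctype="multipart/form-data" method="post" action="<?php echo admin_url('media-new.php'); ?>" class="<?php echo $form_class; ?>" id="file-form">
+    <form enctype="multipart/form-data" method="post" action="<?php echo admin_url('media-new.php'); ?>" class="<?php echo esc_attr( $form_class ); ?>" id="file-form">
 
     <?php media_upload_form(); ?>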
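Review bot: The form `action` on new line 71 still echoes `admin_url('media-new.php')` bare, while every other form touched by this changeset now routes its action URL through esc_url(); this is the one file in the commit where the message ("Escape form action urls with esc_url()") is not actually applied. For consistency, and so the attribute stays well-formed regardless of what the configured admin URL contains, use `action="<?php echo esc_url( admin_url( 'media-new.php' ) ); ?>"`. Wrapping `$form_class` in esc_attr() here is a good change; the same treatment is still missing on the media.php forms in this changeset.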
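--- a/trunk/wp-admin/update-core.php
+++ b/trunk/wp-admin/update-core.php
@@ -189,5 +189,5 @@
 <h3><?php _e( 'Plugins' ); ?></h3>
 <p><?php _e( 'The following plugins have new versions available. Check the ones you want to update and then click &#8220;Update Plugins&#8221;.' ); ?></p>
-<form method="post" action="<?php echo $form_action; ?>" name="upgrade-plugins" class="upgrade">
+<form method="post" action="<?php echo esc_url( $form_action ); ?>" name="upgrade-plugins" class="upgrade">
 <?php wp_nonce_field('upgrade-core'); ?>
 <p><input id="upgrade-plugins" class="button" type="submit" value="<?php esc_attr_e('Update Plugins'); ?>" name="upgrade" /></p>
@@ -267,5 +267,5 @@
 <p><?php _e( 'The following themes have new versions available. Check the ones you want to update and then click &#8220;Update Themes&#8221;.' ); ?></p>
 <p><?php printf( __('<strong>Please Note:</strong> Any customizations you have made to theme files will be lost. Please consider using <a href="%s">child themes</a> for modifications.'), _x('http://codex.wordpress.org/Child_Themes', 'Link used in suggestion to use child themes in GUU') ); ?></p>
-<form method="post" action="<?php echo $form_action; ?>" name="upgrade-themes" class="upgrade">
+<form method="post" action="<?php echo esc_url( $form_action ); ?>" name="upgrade-themes" class="upgrade">
 <?php wp_nonce_field('upgrade-core'); ?>
 <p><input id="upgrade-themes" class="button" type="submit" value="<?php esc_attr_e('Update Themes'); ?>" name="upgrade" /></p>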