Changeset 23739


Timestamp:
03/18/2013 02:01:25 PM (5 years ago)
Author:
ryan
Message:

Escape form action urls with esc_url() rather than esc_attr().

Props SergeyBiryukov
fixes #23266

Location:
trunk/wp-admin
Files:
5 edited

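--- a/trunk/wp-admin/includes/file.php
+++ b/trunk/wp-admin/includes/file.php
@@ -980,5 +980,5 @@
 -->
 </script>
-<form action="<?php echo $form_post ?>" method="post">
+<form action="<?php echo esc_url( $form_post ) ?>" method="post">
 <div class="wrap">
 <?php screen_icon(); ?>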
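Review bot: The new line at 982 is the only one in this changeset that omits the statement terminator before the closing tag (`<?php echo esc_url( $form_post ) ?>`); PHP accepts `?>` as an implicit semicolon, but every other hunk writes `...; ?>`, so `<?php echo esc_url( $form_post ); ?>` would keep the files consistent. The assignment of `$form_post` is above the hunk and not visible, so whether it is built from user-controlled request data cannot be confirmed from here; esc_url() is the right output-time escape for an `action` attribute either way, since it entity-encodes `&` and rejects URLs whose scheme is not in the allowed protocol list.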
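--- a/trunk/wp-admin/includes/media.php
+++ b/trunk/wp-admin/includes/media.php
@@ -1603,5 +1603,5 @@
 ?>
 
-<form enctype="multipart/form-data" method="post" action="<?php echo esc_attr($form_action_url); ?>" class="<?php echo $form_class; ?>" id="<?php echo $type; ?>-form">
+<form enctype="multipart/form-data" method="post" action="<?php echo esc_url( $form_action_url ); ?>" class="<?php echo $form_class; ?>" id="<?php echo $type; ?>-form">
 <?php submit_button( '', 'hidden', 'save', false ); ?>
 <input type="hidden" name="post_id" id="post_id" value="<?php echo (int) $post_id; ?>" />
@@ -1668,5 +1668,5 @@
 ?>
 
-<form enctype="multipart/form-data" method="post" action="<?php echo esc_attr($form_action_url); ?>" class="<?php echo $form_class; ?>" id="<?php echo $type; ?>-form">
+<form enctype="multipart/form-data" method="post" action="<?php echo esc_url( $form_action_url ); ?>" class="<?php echo $form_class; ?>" id="<?php echo $type; ?>-form">
 <input type="hidden" name="post_id" id="post_id" value="<?php echo (int) $post_id; ?>" />
 <?php wp_nonce_field('media-form'); ?>
@@ -1819,5 +1819,5 @@
 <a href="#" id="clear"><?php _ex('Clear', 'verb'); ?></a>
 </div>
-<form enctype="multipart/form-data" method="post" action="<?php echo esc_attr($form_action_url); ?>" class="<?php echo $form_class; ?>" id="gallery-form">
+<form enctype="multipart/form-data" method="post" action="<?php echo esc_url( $form_action_url ); ?>" class="<?php echo $form_class; ?>" id="gallery-form">
 <?php wp_nonce_field('media-form'); ?>
 <?php //media_upload_form( $errors ); ?>
@@ -2059,5 +2059,5 @@
 </form>
 
-<form enctype="multipart/form-data" method="post" action="<?php echo esc_attr($form_action_url); ?>" class="<?php echo $form_class; ?>" id="library-form">
+<form enctype="multipart/form-data" method="post" action="<?php echo esc_url( $form_action_url ); ?>" class="<?php echo $form_class; ?>" id="library-form">
 
 <?php wp_nonce_field('media-form'); ?>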
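Review bot: The new `<form>` line at 1605 escapes only the `action` attribute and still echoes `$form_class` and `$type` raw into the `class` and `id` attributes; the media-new.php hunk in this same changeset wraps `$form_class` in esc_attr(), so the four media.php forms are now inconsistent with it. The line should read `class="<?php echo esc_attr( $form_class ); ?>" id="<?php echo esc_attr( $type ); ?>-form">`, and the same applies to the forms at 1670, 1821 and 2061 (the last two have a literal id and only need the `$form_class` change). Where `$form_class` and `$type` are assigned is outside these hunks, so whether they can carry request-derived values cannot be confirmed here; escaping at output makes that question irrelevant. Each hunk sits inside a function whose start and end are not visible.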
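--- a/trunk/wp-admin/includes/template.php
+++ b/trunk/wp-admin/includes/template.php
@@ -786,5 +786,5 @@
     else :
 ?>
-<form enctype="multipart/form-data" id="import-upload-form" method="post" class="wp-upload-form" action="<?php echo esc_attr(wp_nonce_url($action, 'import-upload')); ?>">
+<form enctype="multipart/form-data" id="import-upload-form" method="post" class="wp-upload-form" action="<?php echo esc_url( wp_nonce_url( $action, 'import-upload' ) ); ?>">
 <p>
 <label for="upload"><?php _e( 'Choose a file from your computer:' ); ?></label> (<?php printf( __('Maximum size: %s' ), $size ); ?>)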
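Review bot: The new line at 788 nests two escaping passes: wp_nonce_url() already runs its result through esc_html(), so the query-string `&` reaches esc_url() as `&amp;`, which esc_url() then rewrites to `&#038;`. The output is still a valid attribute value, but the intent is easy to misread as a double-encoding bug, so a short comment above the line such as `<?php // wp_nonce_url() html-escapes; esc_url() normalises the entity and validates the scheme ?>` would save the next reader a lookup. The `if`/`else :` that wraps this form begins above the hunk, and the origin of `$action` is not visible.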
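--- a/trunk/wp-admin/media-new.php
+++ b/trunk/wp-admin/media-new.php
@@ -69,5 +69,5 @@
     <h2><?php echo esc_html( $title ); ?></h2>
 
-    <form enctype="multipart/form-data" method="post" action="<?php echo admin_url('media-new.php'); ?>" class="<?php echo $form_class; ?>" id="file-form">
+    <form enctype="multipart/form-data" method="post" action="<?php echo admin_url('media-new.php'); ?>" class="<?php echo esc_attr( $form_class ); ?>" id="file-form">
 
     <?php media_upload_form(); ?>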
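Review bot: The new line at 71 escapes `$form_class` but leaves the `action` attribute as a bare `admin_url('media-new.php')`, which is the one form in this changeset that does not follow the commit message's rule of escaping form action URLs with esc_url(). admin_url() output is filterable, so the value is not a constant string at output time; the attribute should be `action="<?php echo esc_url( admin_url( 'media-new.php' ) ); ?>"` to match the other files.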
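--- a/trunk/wp-admin/update-core.php
+++ b/trunk/wp-admin/update-core.php
@@ -189,5 +189,5 @@
 <h3><?php _e( 'Plugins' ); ?></h3>
 <p><?php _e( 'The following plugins have new versions available. Check the ones you want to update and then click &#8220;Update Plugins&#8221;.' ); ?></p>
-<form method="post" action="<?php echo $form_action; ?>" name="upgrade-plugins" class="upgrade">
+<form method="post" action="<?php echo esc_url( $form_action ); ?>" name="upgrade-plugins" class="upgrade">
 <?php wp_nonce_field('upgrade-core'); ?>
 <p><input id="upgrade-plugins" class="button" type="submit" value="<?php esc_attr_e('Update Plugins'); ?>" name="upgrade" /></p>
@@ -267,5 +267,5 @@
 <p><?php _e( 'The following themes have new versions available. Check the ones you want to update and then click &#8220;Update Themes&#8221;.' ); ?></p>
 <p><?php printf( __('<strong>Please Note:</strong> Any customizations you have made to theme files will be lost. Please consider using <a href="%s">child themes</a> for modifications.'), _x('http://codex.wordpress.org/Child_Themes', 'Link used in suggestion to use child themes in GUU') ); ?></p>
-<form method="post" action="<?php echo $form_action; ?>" name="upgrade-themes" class="upgrade">
+<form method="post" action="<?php echo esc_url( $form_action ); ?>" name="upgrade-themes" class="upgrade">
 <?php wp_nonce_field('upgrade-core'); ?>
 <p><input id="upgrade-themes" class="button" type="submit" value="<?php esc_attr_e('Update Themes'); ?>" name="upgrade" /></p>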
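Review bot: `$form_action` is assigned above both hunks, outside the visible lines, so this review cannot confirm that it is stored unescaped; with esc_url() now applied at the echo on line 191 (and identically on line 269 of the second hunk), the assignment should stay raw so that output-time escaping is the single escaping step rather than a second pass over an already entity-encoded string. A one-line comment at the assignment, e.g. `// Raw URL; escaped with esc_url() where the <form> is printed.`, would make that contract explicit for the next change to this file. The functions printing these two forms start before their hunks.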