Timestamp:
03/18/2013 02:01:25 PM (12 years ago)
Author:
ryan
Message:

Escape form action urls with esc_url() rather than esc_attr().

Props SergeyBiryukov
fixes #23266

File:
1 edited

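--- a/trunk/wp-admin/includes/media.php
+++ b/trunk/wp-admin/includes/media.php
@@ -1603,5 +1603,5 @@
 ?>
 
-<form enctype="multipart/form-data" method="post" action="<?php echo esc_attr($form_action_url); ?>" class="<?php echo $form_class; ?>" id="<?php echo $type; ?>-form">
+<form enctype="multipart/form-data" method="post" action="<?php echo esc_url( $form_action_url ); ?>" class="<?php echo $form_class; ?>" id="<?php echo $type; ?>-form">
 <?php submit_button( '', 'hidden', 'save', false ); ?>
 <input type="hidden" name="post_id" id="post_id" value="<?php echo (int) $post_id; ?>" />
@@ -1668,5 +1668,5 @@
 ?>
 
-<form enctype="multipart/form-data" method="post" action="<?php echo esc_attr($form_action_url); ?>" class="<?php echo $form_class; ?>" id="<?php echo $type; ?>-form">
+<form enctype="multipart/form-data" method="post" action="<?php echo esc_url( $form_action_url ); ?>" class="<?php echo $form_class; ?>" id="<?php echo $type; ?>-form">
 <input type="hidden" name="post_id" id="post_id" value="<?php echo (int) $post_id; ?>" />
 <?php wp_nonce_field('media-form'); ?>
@@ -1819,5 +1819,5 @@
 <a href="#" id="clear"><?php _ex('Clear', 'verb'); ?></a>
 </div>
-<form enctype="multipart/form-data" method="post" action="<?php echo esc_attr($form_action_url); ?>" class="<?php echo $form_class; ?>" id="gallery-form">
+<form enctype="multipart/form-data" method="post" action="<?php echo esc_url( $form_action_url ); ?>" class="<?php echo $form_class; ?>" id="gallery-form">
 <?php wp_nonce_field('media-form'); ?>
 <?php //media_upload_form( $errors ); ?>
@@ -2059,5 +2059,5 @@
 </form>
 
-<form enctype="multipart/form-data" method="post" action="<?php echo esc_attr($form_action_url); ?>" class="<?php echo $form_class; ?>" id="library-form">
+<form enctype="multipart/form-data" method="post" action="<?php echo esc_url( $form_action_url ); ?>" class="<?php echo $form_class; ?>" id="library-form">
 
 <?php wp_nonce_field('media-form'); ?>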
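Review bot: The `class` and `id` attributes on the same `<form>` tags still echo `$form_class` and `$type` with no escaping, so each tag now pairs an escaped `action` with raw attribute output (`$form_class` on new lines 1605, 1670, 1821 and 2061; `$type` on 1605 and 1670). Where those two variables are assigned lies outside the visible hunks, so it cannot be confirmed here whether either can carry request-derived data. Escaping them at the point of output removes the need to audit every caller: `class="<?php echo esc_attr( $form_class ); ?>" id="<?php echo esc_attr( $type ); ?>-form"`. The enclosing functions begin and end outside all four hunks.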