Make WordPress Core


Timestamp:
03/18/2013 02:01:25 PM (12 years ago)
Author:
ryan
Message:

Escape form action urls with esc_url() rather than esc_attr().

Props SergeyBiryukov
fixes #23266

File:
1 edited

  • trunk/wp-admin/includes/template.php

    r23710 r23739  
    786786    else :
    787787?>
    788 <form enctype="multipart/form-data" id="import-upload-form" method="post" class="wp-upload-form" action="<?php echo esc_attr(wp_nonce_url($action, 'import-upload')); ?>">
     788<form enctype="multipart/form-data" id="import-upload-form" method="post" class="wp-upload-form" action="<?php echo esc_url( wp_nonce_url( $action, 'import-upload' ) ); ?>">
    789789<p>
    790790<label for="upload"><?php _e( 'Choose a file from your computer:' ); ?></label> (<?php printf( __('Maximum size: %s' ), $size ); ?>)
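Review bot: The commit message speaks of form action URLs in the plural, but this changeset edits one file and changes only the `import-upload-form` action at line 788, so any other form in wp-admin that still prints its `action` through `esc_attr()` is left as it was. It would be worth searching for remaining `action="<?php echo esc_attr(` occurrences and converting them in the same pass, or stating in the message that only this form was affected. Also note that `$action` is assigned outside the visible context: `esc_url()` returns an empty string when the URL uses a protocol it does not allow, which would leave `action=""` here, so confirm every caller passes a normal admin URL.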