

Timestamp:
03/18/2013 02:01:25 PM (12 years ago)
Author:
ryan
Message:

Escape form action urls with esc_url() rather than esc_attr().

Props SergeyBiryukov
fixes #23266

File:
1 edited

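--- a/trunk/wp-admin/update-core.php
+++ b/trunk/wp-admin/update-core.php
@@ -189,5 +189,5 @@
 <h3><?php _e( 'Plugins' ); ?></h3>
 <p><?php _e( 'The following plugins have new versions available. Check the ones you want to update and then click &#8220;Update Plugins&#8221;.' ); ?></p>
-<form method="post" action="<?php echo $form_action; ?>" name="upgrade-plugins" class="upgrade">
+<form method="post" action="<?php echo esc_url( $form_action ); ?>" name="upgrade-plugins" class="upgrade">
 <?php wp_nonce_field('upgrade-core'); ?>
 <p><input id="upgrade-plugins" class="button" type="submit" value="<?php esc_attr_e('Update Plugins'); ?>" name="upgrade" /></p>
@@ -267,5 +267,5 @@
 <p><?php _e( 'The following themes have new versions available. Check the ones you want to update and then click &#8220;Update Themes&#8221;.' ); ?></p>
 <p><?php printf( __('<strong>Please Note:</strong> Any customizations you have made to theme files will be lost. Please consider using <a href="%s">child themes</a> for modifications.'), _x('http://codex.wordpress.org/Child_Themes', 'Link used in suggestion to use child themes in GUU') ); ?></p>
-<form method="post" action="<?php echo $form_action; ?>" name="upgrade-themes" class="upgrade">
+<form method="post" action="<?php echo esc_url( $form_action ); ?>" name="upgrade-themes" class="upgrade">
 <?php wp_nonce_field('upgrade-core'); ?>
 <p><input id="upgrade-themes" class="button" type="submit" value="<?php esc_attr_e('Update Themes'); ?>" name="upgrade" /></p>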
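Review bot: `$form_action` is assigned outside both hunks (the plugin form at line 191 and the theme form at line 269), so nothing visible here tells a reader what shape of value `esc_url()` receives. That matters because `esc_url()` does more than attribute escaping: it returns an empty string for a scheme outside the allowed list, and it prepends `http://` to a scheme-less value that does not start with `/`, `#`, `?` or a `.php` file name. A one-line comment at the assignment, such as `// Relative admin URL; escaped with esc_url() where it is echoed.`, would record that assumption for the next editor. The removed lines echo the variable with no escaping at all, so unless it is escaped where it is set (not visible here), the commit message's "rather than esc_attr()" does not describe what this file did before.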