

Timestamp:
05/23/2013 05:45:59 PM (12 years ago)
Author:
duck_
Message:

Properly escape source parameter in audio/video shortcodes. See #23282.

File:
1 edited

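--- a/trunk/wp-includes/media.php
+++ b/trunk/wp-includes/media.php
@@ -862,5 +862,5 @@
     $type = wp_check_filetype( $src );
     if ( ! in_array( $type['ext'], $default_types ) )
-        return sprintf( '<a class="wp-post-format-link-audio" href="%1$s">%1$s</a>', $src );
+        return sprintf( '<a class="wp-post-format-link-audio" href="%s">%s</a>', esc_url( $src ), esc_html( $src ) );
     $primary = true;
     array_unshift( $default_types, 'src' );
@@ -908,5 +908,5 @@
             $fileurl = $$fallback;
         $type = wp_check_filetype( $$fallback );
-        $html .= sprintf( $source, $type['type'], $$fallback );
+        $html .= sprintf( $source, $type['type'], esc_url( $$fallback ) );
     }
 }
@@ -980,5 +980,5 @@
     $type = wp_check_filetype( $src );
     if ( ! in_array( $type['ext'], $default_types ) )
-        return sprintf( '<a class="wp-post-format-link-video" href="%1$s">%1$s</a>', $src );
+        return sprintf( '<a class="wp-post-format-link-video" href="%s">%s</a>', esc_url( $src ), esc_html( $src ) );
     $primary = true;
     array_unshift( $default_types, 'src' );
@@ -1034,5 +1034,5 @@
         if ( 'm4v' === $type['ext'] )
             $type['type'] = 'video/m4v';
-        $html .= sprintf( $source, $type['type'], $$fallback );
+        $html .= sprintf( $source, $type['type'], esc_url( $$fallback ) );
     }
 }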
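Review bot: The `$html .= sprintf( $source, $type['type'], esc_url( $$fallback ) )` lines in the 908 and 1034 hunks now escape the URL but still interpolate `$type['type']` raw; `$source` is not visible in the hunk, but if it is a `<source type="%s" src="%s" />` template the MIME string lands in an attribute, so the consistent form is `$html .= sprintf( $source, esc_attr( $type['type'] ), esc_url( $$fallback ) );`. The value comes from `wp_check_filetype()` (or the `'video/m4v'` literal), so this is defence in depth rather than a live injection, and it keeps every attribute in the tag escaped at output. Note also that `$fileurl = $$fallback;` in the 908 hunk stores the unescaped value; wherever `$fileurl` is emitted later (outside this hunk) it needs the same `esc_url()` treatment. Both enclosing shortcode functions begin and end outside these hunks.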