Timestamp:
02/27/2014 03:19:53 PM (8 years ago)
Author:
wonderboymusic
Message:

Add some security hardening to passed playlist attributes.

Props xknown.
See #26631.

File:
1 edited

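--- a/trunk/src/wp-includes/media.php
+++ b/trunk/src/wp-includes/media.php
@@ -1014,4 +1014,8 @@
     }
 
+    if ( ! in_array( $style, array( 'light', 'dark' ), true ) ) {
+        $style = 'light';
+    }
+
     $args = array(
         'post_status' => 'inherit',
@@ -1114,4 +1118,7 @@
     $data['tracks'] = $tracks;
 
+    $safe_type = esc_attr( $safe_type );
+    $safe_style = esc_attr( $style );
+
     ob_start();
 
@@ -1120,5 +1127,5 @@
         wp_enqueue_script( 'wp-playlist' );
 ?>
-<!--[if lt IE 9]><script>document.createElement('<?php echo $type ?>');</script><![endif]-->
+<!--[if lt IE 9]><script>document.createElement('<?php echo esc_js( $type ) ?>');</script><![endif]-->
 <script type="text/html" id="tmpl-wp-playlist-current-item">
     <# if ( data.image ) { #>
@@ -1155,9 +1162,9 @@
 </script>
     <?php endif ?>
-<div class="wp-playlist wp-<?php echo $type ?>-playlist wp-playlist-<?php echo $style ?>">
+<div class="wp-playlist wp-<?php echo $safe_type ?>-playlist wp-playlist-<?php echo $safe_style ?>">
     <?php if ( 'audio' === $type ): ?>
     <div class="wp-playlist-current-item"></div>
     <?php endif ?>
-    <<?php echo $type ?> controls="controls" preload="metadata" width="<?php echo $theme_width ?>"></<?php echo $type ?>>
+    <<?php echo $safe_type ?> controls="controls" preload="metadata" width="<?php echo (int) $theme_width ?>"></<?php echo $safe_type ?>>
     <div class="wp-playlist-next"></div>
     <div class="wp-playlist-prev"></div>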
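Review bot: `$type` gets context escaping at three output sites (esc_js at 1129, the attribute-escaped `$safe_type` at 1164 and 1168) but, unlike `$style` at 1016, no allowlist check is visible in these hunks, and at 1168 the value is emitted as an element name, where `esc_attr()` does not guarantee a well-formed tag. Unless `$type` is already constrained before line 1016 (outside the hunk, so I cannot confirm), mirroring the `$style` check would make escaping a second layer rather than the only control: `if ( ! in_array( $type, array( 'audio', 'video' ), true ) ) { $type = 'audio'; }` placed next to the `$style` check. The origin of `$safe_type` re-escaped at 1120 is likewise outside the hunk; if it is derived from `$type`, the raw comparison `'audio' === $type` at 1165 and the escaped output at 1164/1168 would then be guaranteed to agree. The enclosing function starts and ends outside these hunks.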