Changeset 29399

Timestamp:

08/06/2014 07:50:35 AM (10 years ago)

Author:

nacin

Message:

Escape late in get_avatar().

Merges [29397] to the 3.8 branch.

Location:

branches/3.8

Files:

• . (modified) (1 prop)
• src/wp-includes/pluggable.php (modified) (1 diff)

branches/3.8/src/wp-includes/pluggable.php

@@ -1756 +1756 @@
         $avatar = "<img alt='{$safe_alt}' src='{$out}' class='avatar avatar-{$size} photo' height='{$size}' width='{$size}' />";
     } else {
-        $avatar = "<img alt='{$safe_alt}' src='{$default}' class='avatar avatar-{$size} photo avatar-default' height='{$size}' width='{$size}' />";
+        $out = esc_url( $default );
+        $avatar = "<img alt='{$safe_alt}' src='{$out}' class='avatar avatar-{$size} photo avatar-default' height='{$size}' width='{$size}' />";
     }