

Timestamp:
04/15/2015 04:32:03 PM (9 years ago)
Author:
ocean90
Message:

Customizer: Escape theme preview URLs.

props johnbillion, ocean90.
see #31896.

File:
1 edited

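--- a/trunk/src/wp-admin/includes/theme.php
+++ b/trunk/src/wp-admin/includes/theme.php
@@ -512,4 +512,6 @@
  */
 function customize_themes_print_templates() {
+    $preview_url = esc_url( add_query_arg( 'theme', '__THEME__' ) ); // Token because esc_url() strips curly braces.
+    $preview_url = str_replace( '__THEME__', '{{ data.id }}', $preview_url );
     ?>
     <script type="text/html" id="tmpl-customize-themes-details-view">
@@ -551,5 +553,5 @@
                 <div class="theme-actions">
                     <div class="inactive-theme">
-                        <a href="<?php echo add_query_arg( 'theme', '{{ data.id }}' ); ?>" target="_top" class="button button-primary"><?php _e( 'Live Preview' ); ?></a>
+                        <a href="<?php echo $preview_url; ?>" target="_top" class="button button-primary"><?php _e( 'Live Preview' ); ?></a>
                     </div>
                 </div>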
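Review bot: The comment on the first added `$preview_url` line explains the token but not why the URL needs escaping in the first place: `add_query_arg()` called without a URL argument builds on the current request URI, so the value echoed into `href` is request-derived. I would say so in the comment, e.g. `// add_query_arg() falls back to the request URI, so escape before output; token because esc_url() strips curly braces.` Note also that the `str_replace()` on the following line rewrites every `__THEME__` in the escaped URL, including any that arrived with the request, and that `{{ data.id }}` is HTML-escaped by the template but not URL-encoded, which is presumably fine for theme slugs but worth confirming. The body of `customize_themes_print_templates()` continues outside the visible hunks.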