Make WordPress Core


Timestamp:
04/09/2019 02:06:29 PM (6 years ago)
Author:
desrosj
Message:

Privacy: Pass admin URLs for data export and erase forms through esc_url().

Introduced in [45149].

Props: birgire.
Fixes #44047.

File:
1 edited

  • trunk/src/wp-admin/includes/user.php

    r45149 r45154  
    831831        <?php settings_errors(); ?>
    832832
    833         <form action="<?php echo admin_url( 'tools.php?page=export_personal_data' ); ?>" method="post" class="wp-privacy-request-form">
     833        <form action="<?php echo esc_url( admin_url( 'tools.php?page=export_personal_data' ) ); ?>" method="post" class="wp-privacy-request-form">
    834834            <h2><?php esc_html_e( 'Add Data Export Request' ); ?></h2>
    835835            <p><?php esc_html_e( 'An email will be sent to the user at this email address asking them to verify the request.' ); ?></p>
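Review bot: The esc_url() wrap on new line 833 is the right escaper for a URL printed into an action attribute, but the commit message does not say why a URL built from the literal 'tools.php?page=export_personal_data' needs it. admin_url() returns a filterable value, so the printed string is not guaranteed to equal the literal; stating that in the message would make the reason for the change clear to anyone auditing similar output later. The escaping is applied at the point of echo, which matches the esc_html_e() calls on lines 834 and 835.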
     
    915915        <?php settings_errors(); ?>
    916916
    917         <form action="<?php echo admin_url( 'tools.php?page=remove_personal_data' ); ?>" method="post" class="wp-privacy-request-form">
     917        <form action="<?php echo esc_url( admin_url( 'tools.php?page=remove_personal_data' ) ); ?>" method="post" class="wp-privacy-request-form">
    918918            <h2><?php esc_html_e( 'Add Data Erasure Request' ); ?></h2>
    919919            <p><?php esc_html_e( 'An email will be sent to the user at this email address asking them to verify the request.' ); ?></p>
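Review bot: Line 917 needed the identical fix as line 833 because the erasure form repeats the export form's opening tag with only the page slug changed (remove_personal_data instead of export_personal_data). Consider emitting the opening form tag from one shared helper that takes the slug, so the esc_url( admin_url( ... ) ) call lives in a single place and a future privacy form cannot miss it.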