Timestamp:
02/27/2007 07:15:47 AM (15 years ago)
Author:
markjaquith
Message:

attribute_escape() in nonce AYS

File:
1 edited

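--- a/trunk/wp-includes/functions.php
+++ b/trunk/wp-includes/functions.php
@@ -1271,5 +1271,5 @@
     $adminurl = get_option('siteurl') . '/wp-admin';
     if ( wp_get_referer() )
-        $adminurl = wp_get_referer();
+        $adminurl = attribute_escape(wp_get_referer());
 
     $title = __('WordPress Confirmation');
@@ -1288,5 +1288,5 @@
         $html .= "\t\t<div id='message' class='confirm fade'>\n\t\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t\t<p><a href='$adminurl'>" . __('No') . "</a> <input type='submit' value='" . __('Yes') . "' /></p>\n\t\t</div>\n\t</form>\n";
     } else {
-        $html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] ) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
+        $html .= "\t<div id='message' class='confirm fade'>\n\t<p>" . wp_specialchars(wp_explain_nonce($action)) . "</p>\n\t<p><a href='$adminurl'>" . __('No') . "</a> <a href='" . attribute_escape(add_query_arg( '_wpnonce', wp_create_nonce($action), $_SERVER['REQUEST_URI'] )) . "'>" . __('Yes') . "</a></p>\n\t</div>\n";
     }
     $html .= "</body>\n</html>";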
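Review bot: attribute_escape() on the wp_get_referer() value at line 1273 closes the attribute-quoting hole but does not validate what the referer is, so the "No" link still points wherever the request's Referer header says, including non-http schemes; unless wp_get_referer() already restricts the value (not visible in this hunk), the referer should be checked for an http/https scheme and preferably for the site's own host before it is used as a link target, falling back to the `/wp-admin` default otherwise. The same escape-vs-validate distinction applies to the `$_SERVER['REQUEST_URI']` path at line 1290: attribute_escape() is the right choice for the href context, but the value is attacker-controlled and is now embedded in a nonce-carrying link, so a one-line comment such as `// REQUEST_URI is untrusted; attribute_escape() covers the href context only, not URL validity` would help the next maintainer. For consistency the default `get_option('siteurl') . '/wp-admin'` branch at line 1271 is the only `$adminurl` value that reaches `href='$adminurl'` unescaped; escaping once at the point of use (`"<a href='" . attribute_escape($adminurl) . "'>"`) would cover both branches. The enclosing function starts and ends outside the hunks.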