Make WordPress Core
Timestamp:
03/09/2007 04:36:24 AM (18 years ago)
Author:
markjaquith
Message:

Sanitize browser-bound add_query_arg() outputs. fixes #3937

File:
1 edited

  • trunk/wp-admin/custom-header.php

    r4953 r5007  
    175175<p><?php printf(__('Images of exactly <strong>%1$d x %2$d pixels</strong> will be used as-is.'), HEADER_IMAGE_WIDTH, HEADER_IMAGE_HEIGHT); ?></p>
    176176
    177 <form enctype="multipart/form-data" id="uploadForm" method="POST" action="<?php echo add_query_arg('step', 2) ?>" style="margin: auto; width: 50%;">
     177<form enctype="multipart/form-data" id="uploadForm" method="POST" action="<?php echo attribute_escape(add_query_arg('step', 2)) ?>" style="margin: auto; width: 50%;">
    178178<label for="upload"><?php _e('Choose an image from your computer:'); ?></label><br /><input type="file" id="upload" name="import" />
    179179<input type="hidden" name="action" value="save" />
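Review bot: wrapping the action value in attribute_escape() is the right fix for this site, but it is a per-call-site fix, so every other `echo add_query_arg(` that lands in markup needs the same treatment; a grep of wp-admin for unescaped add_query_arg() output would confirm the commit message's "browser-bound outputs" are all covered. The reason this one matters: add_query_arg('step', 2) is called without a base URL, so it builds on $_SERVER['REQUEST_URI'], and the only part of the result the request does not control is the literal step=2. Before this change a query string carrying a double quote closed the action="..." attribute; attribute_escape() HTML-encodes the quote and angle-bracket characters that would terminate the attribute, which is the correct escaping function for an attribute context (as opposed to body text).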
     
    189189<h2><?php _e('Reset Header Image and Color'); ?></h2>
    190190<p><?php _e('This will restore the original header image and color. You will not be able to retrieve any customizations.') ?></p>
    191 <form method="post" action="<?php echo add_query_arg('step', 1) ?>">
     191<form method="post" action="<?php echo attribute_escape(add_query_arg('step', 1)) ?>">
    192192<input type="submit" name="resetheader" value="<?php _e('Restore Original Header'); ?>" />
    193193</form>
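Review bot: separate from the escaping change, the complete reset form is visible in this hunk (lines 191-193) and it contains only the submit button, with no wp_nonce_field() call, so unless the handler for $_POST['resetheader'] calls check_admin_referer() against a nonce emitted somewhere else, the reset is reachable by cross-site request forgery. Since the form is being touched anyway, consider adding a nonce field inside it, for example `<?php wp_nonce_field('custom-header'); ?>` (action name chosen for illustration), with a matching check_admin_referer() in the step-1 handler, or open a follow-up ticket if that is out of scope for #3937.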
     
    241241<div class="wrap">
    242242
    243 <form method="POST" action="<?php echo add_query_arg('step', 3) ?>">
     243<form method="POST" action="<?php echo attribute_escape(add_query_arg('step', 3)) ?>">
    244244
    245245<p><?php _e('Choose the part of the image you want to use as your header.'); ?></p>
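Review bot: style point on line 243: this form and the upload form at line 177 use method="POST" while the reset form at line 191 uses method="post"; since all three action attributes are being edited in this changeset, normalising them to the lowercase form would be a cheap consistency win. The escaping itself is consistent with the other two hunks: the step argument is a hard-coded integer, so attribute_escape() is there solely for the request-derived base URL that add_query_arg() prepends.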