WordPress.org

Make WordPress Core


Timestamp:
03/17/2007 08:46:59 AM (12 years ago)
Author:
markjaquith
Message:

use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for trunk.

File:
1 edited

  • trunk/wp-admin/post.php

    r4990 r5056  
    7070    <div id='preview' class='wrap'>
    7171    <h2 id="preview-post"><?php _e('Post Preview (updated when post is saved)'); ?></h2>
    72         <iframe src="<?php echo attribute_escape(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
     72        <iframe src="<?php echo clean_url(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
    7373    </div>
    7474    <?php
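
Review bot: The commit message talks about src/href in general, but the only change here is the iframe src on new line 72 of trunk/wp-admin/post.php, so other URL attributes that still go through attribute_escape() should be audited in the same pass or tracked as follow-ups to #3986. The swap itself is correct for this context: the value reaching src is whatever the preview_post_link filter returns, and attribute_escape() only entity-encodes, which leaves a non-http scheme intact, whereas clean_url() is the URL-context sanitizer. A one-line comment above the iframe noting that the filtered URL is untrusted would help keep a later edit from reverting to attribute_escape().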