Changeset 5056 for trunk/wp-admin/upgrade.php

Timestamp:

03/17/2007 08:46:59 AM (18 years ago)

Author:

markjaquith

Message:

use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for trunk.

File:

• trunk/wp-admin/upgrade.php (modified) (2 diffs)

trunk/wp-admin/upgrade.php

@@ -36 +36 @@
 switch($step) :
     case 0:
-        $goback = attribute_escape(stripslashes(wp_get_referer()));
+        $goback = clean_url(stripslashes(wp_get_referer()));
 ?>
 <h2><?php _e('Database Upgrade Required'); ?></h2>
@@ -50 +50 @@
             $backto = __get_option('home') . '/';
         else
-            $backto = attribute_escape(stripslashes($_GET['backto']));
+            $backto = clean_url(stripslashes($_GET['backto']));
 ?> 
 <h2><?php _e('Upgrade Complete'); ?></h2>