Changeset 5056 for trunk/wp-includes/comment.php

Timestamp:

03/17/2007 08:46:59 AM (19 years ago)

Author:

markjaquith

Message:

use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for trunk.

File:

• trunk/wp-includes/comment.php (modified) (1 diff)

trunk/wp-includes/comment.php

@@ -170 +170 @@
         $comment_author_url = apply_filters('pre_comment_author_url', $_COOKIE['comment_author_url_'.COOKIEHASH]);
         $comment_author_url = stripslashes($comment_author_url);
-        $comment_author_url = attribute_escape($comment_author_url);
+        $comment_author_url = clean_url($comment_author_url);
         $_COOKIE['comment_author_url_'.COOKIEHASH] = $comment_author_url;
     }