Changeset 5056 for trunk/wp-includes/script-loader.php

Timestamp:

03/17/2007 08:46:59 AM (18 years ago)

Author:

markjaquith

Message:

use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for trunk.

File:

• trunk/wp-includes/script-loader.php (modified) (1 diff)

trunk/wp-includes/script-loader.php

@@ -151 +151 @@
                     $src = 0 === strpos($this->scripts[$handle]->src, 'http://') ? $this->scripts[$handle]->src : get_option( 'siteurl' ) . $this->scripts[$handle]->src;
                     $src = add_query_arg('ver', $ver, $src);
-                    $src = attribute_escape(apply_filters( 'script_loader_src', $src ));
+                    $src = clean_url(apply_filters( 'script_loader_src', $src ));
                     echo "<script type='text/javascript' src='$src'></script>\n";
                     $this->print_scripts_l10n( $handle );