Changeset 5057 for branches/2.1/wp-admin/edit-form-advanced.php

Timestamp:

03/17/2007 08:47:29 AM (19 years ago)

Author:

markjaquith

Message:

use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.1.

File:

• branches/2.1/wp-admin/edit-form-advanced.php (modified) (1 diff)

branches/2.1/wp-admin/edit-form-advanced.php

@@ -169 +169 @@
 <input name="referredby" type="hidden" id="referredby" value="<?php 
 if ( !empty($_REQUEST['popupurl']) )
-    echo attribute_escape(stripslashes($_REQUEST['popupurl']));
+    echo clean_url(stripslashes($_REQUEST['popupurl']));
 else if ( url_to_postid(wp_get_referer()) == $post_ID )
     echo 'redo';
 else
-    echo attribute_escape(stripslashes(wp_get_referer()));
+    echo clean_url(stripslashes(wp_get_referer()));
 ?>" /></p>