Changeset 5057 for branches/2.1/wp-admin/page.php

Timestamp:

03/17/2007 08:47:29 AM (19 years ago)

Author:

markjaquith

Message:

use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.1.

File:

• branches/2.1/wp-admin/page.php (modified) (1 diff)

branches/2.1/wp-admin/page.php

@@ -64 +64 @@
     <div id='preview' class='wrap'>
     <h2 id="preview-post"><?php _e('Page Preview (updated when page is saved)'); ?></h2>
-        <iframe src="<?php echo attribute_escape(apply_filters('preview_page_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
+        <iframe src="<?php echo clean_url(apply_filters('preview_page_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
     </div>
     <?php