Timestamp:
03/17/2007 08:47:29 AM (18 years ago)
Author:
markjaquith
Message:

use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.1.

File:
1 edited

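--- a/branches/2.1/wp-admin/upload-functions.php
+++ b/branches/2.1/wp-admin/upload-functions.php
@@ -36,5 +36,5 @@
 
 	if ( $href )
-		$r .= "<a id='file-link-$id' href='" . attribute_escape($href) ."' title='$post_title' class='file-link $class'>\n";
+		$r .= "<a id='file-link-$id' href='" . clean_url($href) ."' title='$post_title' class='file-link $class'>\n";
 	if ( $href || $image_src )
 		$r .= "\t\t\t$innerHTML";
@@ -84,7 +84,7 @@
 				echo '<a href="' . get_permalink() . '">' . __('view') . '</a>';
 				echo '&nbsp;|&nbsp;';
-				echo '<a href="' . attribute_escape(add_query_arg('action', 'edit')) . '" title="' . __('Edit this file') . '">' . __('edit') . '</a>';
+				echo '<a href="' . clean_url(add_query_arg('action', 'edit')) . '" title="' . __('Edit this file') . '">' . __('edit') . '</a>';
 				echo '&nbsp;|&nbsp;';
-				echo '<a href="' . attribute_escape(remove_query_arg(array('action', 'ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
+				echo '<a href="' . clean_url(remove_query_arg(array('action', 'ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
 				echo '&nbsp;]'; ?></span>
 		</div>
@@ -124,7 +124,7 @@
 				echo '<a href="' . get_permalink() . '">' . __('view') . '</a>';
 				echo '&nbsp;|&nbsp;';
-				echo '<a href="' . attribute_escape(add_query_arg('action', 'view')) . '">' . __('links') . '</a>';
+				echo '<a href="' . clean_url(add_query_arg('action', 'view')) . '">' . __('links') . '</a>';
 				echo '&nbsp;|&nbsp;';
-				echo '<a href="' . attribute_escape(remove_query_arg(array('action','ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
+				echo '<a href="' . clean_url(remove_query_arg(array('action','ID'))) . '" title="' . __('Browse your files') . '">' . __('cancel') . '</a>';
 				echo '&nbsp;]'; ?></span>
 		</div>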
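Review bot: The rewritten line at old/new 38 still interpolates `$post_title` and `$class` directly into a single-quoted attribute, so the href is now URL-cleaned but the title attribute on the same tag remains unescaped unless the caller already escaped it, which this hunk does not show; the line should read `title='" . attribute_escape($post_title) . "' class='file-link $class'>\n"` (and `$class` likewise if it can come from outside the function). The function that builds `$r` starts and ends outside the hunk, so whether `$post_title` is pre-escaped cannot be confirmed here. In the 84–90 and 124–130 hunks the sibling `get_permalink()` links on context lines 84 and 124 are left without either `clean_url()` or `attribute_escape()`, which is inconsistent with the treatment the commit now gives the adjacent links; wrapping them in `clean_url()` as well would make the escaping policy uniform across the block.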