Changeset 5057 for branches/2.1/wp-includes/bookmark-template.php

Timestamp:

03/17/2007 08:47:29 AM (19 years ago)

Author:

markjaquith

Message:

use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.1.

File:

• branches/2.1/wp-includes/bookmark-template.php (modified) (2 diffs)

branches/2.1/wp-includes/bookmark-template.php

@@ -97 +97 @@
         $the_link = '#';
         if ( !empty($row->link_url) )
-            $the_link = wp_specialchars($row->link_url);
+            $the_link = clean_url($row->link_url);
         $rel = $row->link_rel;
         if ( '' != $rel )
@@ -261 +261 @@
         $the_link = '#';
         if ( !empty($bookmark->link_url) )
-            $the_link = wp_specialchars($bookmark->link_url);
+            $the_link = clean_url($bookmark->link_url);
 
         $rel = $bookmark->link_rel;