Changeset 5057 for branches/2.1/wp-includes/general-template.php

Timestamp:

03/17/2007 08:47:29 AM (19 years ago)

Author:

markjaquith

Message:

use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.1.

File:

• branches/2.1/wp-includes/general-template.php (modified) (4 diffs)

branches/2.1/wp-includes/general-template.php

@@ -290 +290 @@
     $text = wptexturize($text);
     $title_text = attribute_escape($text);
+    $url = clean_url($url);
 
     if ('link' == $format)
@@ -972 +973 @@
         if ( $add_args )
             $link = add_query_arg( $add_args, $link );
-        $page_links[] = "<a class='prev page-numbers' href='" . attribute_escape($link) . "'>$prev_text</a>";
+        $page_links[] = "<a class='prev page-numbers' href='" . clean_url($link) . "'>$prev_text</a>";
     endif;
     for ( $n = 1; $n <= $total; $n++ ) :
@@ -984 +985 @@
                 if ( $add_args )
                     $link = add_query_arg( $add_args, $link );
-                $page_links[] = "<a class='page-numbers' href='" . attribute_escape($link) . "'>$n</a>";
+                $page_links[] = "<a class='page-numbers' href='" . clean_url($link) . "'>$n</a>";
                 $dots = true;
             elseif ( $dots && !$show_all ) :
@@ -997 +998 @@
         if ( $add_args )
             $link = add_query_arg( $add_args, $link );
-        $page_links[] = "<a class='next page-numbers' href='" . attribute_escape($link) . "'>$next_text</a>";
+        $page_links[] = "<a class='next page-numbers' href='" . clean_url($link) . "'>$next_text</a>";
     endif;
     switch ( $type ) :