Make WordPress Core


Timestamp:
03/17/2007 08:47:29 AM (18 years ago)
Author:
markjaquith
Message:

use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.1.

File:
1 edited

  • branches/2.1/wp-includes/script-loader.php

    r5007 r5057  
    7979                        $ver .= '&' . $this->args[$handle];
    8080                    $src = 0 === strpos($this->scripts[$handle]->src, 'http://') ? $this->scripts[$handle]->src : get_option( 'siteurl' ) . $this->scripts[$handle]->src;
    81                     $src = attribute_escape(add_query_arg('ver', $ver, $src));
     81                    $src = clean_url(add_query_arg('ver', $ver, $src));
    8282                    echo "<script type='text/javascript' src='$src'></script>\n";
    8383                }
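
Review bot: The `echo` on line 82 still interpolates `$src` into a single-quoted `src='...'` attribute, so the new line 81 is safe only if `clean_url()` neutralises quote characters as well as rejecting bad schemes, which is work `attribute_escape()` was doing before this change. Please confirm that with a test URL containing `'` or state it in a comment next to the call, since the reason for choosing `clean_url()` currently lives only in the commit message. Separately, in the unchanged context on line 80, the `0 === strpos(..., 'http://')` test treats only `http://` sources as absolute, so an `https://` src would get `siteurl` prepended before it reaches `clean_url()`; worth handling in a follow-up.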