Timestamp:
03/17/2007 09:04:56 AM (18 years ago)
Author:
markjaquith
Message:

use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.0.

File:
1 edited

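--- a/branches/2.0/wp-admin/admin-functions.php
+++ b/branches/2.0/wp-admin/admin-functions.php
@@ -468,9 +468,9 @@
     $link = get_link($link_id);
 
-    $link->link_url         = attribute_escape($link->link_url);
+    $link->link_url         =        clean_url($link->link_url);
     $link->link_name        = attribute_escape($link->link_name);
     $link->link_image       = attribute_escape($link->link_image);
     $link->link_description = attribute_escape($link->link_description);
-    $link->link_rss         = attribute_escape($link->link_rss);
+    $link->link_rss         =        clean_url($link->link_rss);
     $link->link_rel         = attribute_escape($link->link_rel);
     $link->link_notes       =  wp_specialchars($link->link_notes);
@@ -482,5 +482,5 @@
 function get_default_link_to_edit() {
     if ( isset($_GET['linkurl']) )
-        $link->link_url = attribute_escape($_GET['linkurl']);
+        $link->link_url = clean_url($_GET['linkurl']);
     else
         $link->link_url = '';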
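Review bot: `link_image` is still passed through `attribute_escape()` in the first hunk although it looks like another URL-valued field, so the URL-scheme XSS this commit closes for `link_url` and `link_rss` may remain open there. If that value is rendered into an `src` attribute anywhere, it should get the same treatment: `$link->link_image = clean_url($link->link_image);`. Separately, the converted values presumably still end up inside quoted form `value` attributes, so it is worth confirming that `clean_url()` leaves nothing that can break out of the attribute now that `attribute_escape()` is no longer applied to them. Both functions start or end outside the visible hunks, so the render sites cannot be checked from here.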