Changeset 5058 for branches/2.0/wp-admin/bookmarklet.php

Timestamp:

03/17/2007 09:04:56 AM (18 years ago)

Author:

markjaquith

Message:

use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.0.

File:

• branches/2.0/wp-admin/bookmarklet.php (modified) (1 diff)

branches/2.0/wp-admin/bookmarklet.php

@@ -38 +38 @@
   
 $content  = wp_specialchars($_REQUEST['content']);
-$popupurl = attribute_escape(stripslashes($_REQUEST['popupurl']));
+$popupurl = clean_url(stripslashes($_REQUEST['popupurl']));
     if ( !empty($content) ) {
         $post->post_content = wp_specialchars( stripslashes($_REQUEST['content']) );