Changeset 5058 for branches/2.0/wp-admin/post.php

Timestamp:

03/17/2007 09:04:56 AM (18 years ago)

Author:

markjaquith

Message:

use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.0.

File:

• branches/2.0/wp-admin/post.php (modified) (1 diff)

branches/2.0/wp-admin/post.php

@@ -82 +82 @@
     <div id='preview' class='wrap'>
     <h2 id="preview-post"><?php _e('Post Preview (updated when post is saved)'); ?> <small class="quickjump"><a href="#write-post"><?php _e('edit &uarr;'); ?></a></small></h2>
-        <iframe src="<?php echo attribute_escape(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
+        <iframe src="<?php echo clean_url(apply_filters('preview_post_link', add_query_arg('preview', 'true', get_permalink($post->ID)))); ?>" width="100%" height="600" ></iframe>
     </div>
     <?php