Changeset 5058 for branches/2.0/wp-admin/upgrade.php

Timestamp:

03/17/2007 09:04:56 AM (18 years ago)

Author:

markjaquith

Message:

use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.0.

File:

• branches/2.0/wp-admin/upgrade.php (modified) (2 diffs)

branches/2.0/wp-admin/upgrade.php

@@ -68 +68 @@
 
     case 0:
-    $goback = attribute_escape(stripslashes(wp_get_referer()));
+    $goback = clean_url(stripslashes(wp_get_referer()));
 ?> 
 <p><?php _e('This file upgrades you from any previous version of WordPress to the latest. It may take a while though, so be patient.'); ?></p> 
@@ -87 +87 @@
         $backto = __get_option('home');
     else
-        $backto = attribute_escape(stripslashes($_GET['backto']));
+        $backto = clean_url(stripslashes($_GET['backto']));
 ?> 
 <h2><?php _e('Step 1'); ?></h2>