
Changeset 51177


Timestamp:
06/17/2021 02:35:59 PM (3 years ago)
Author:
SergeyBiryukov
Message:

Administration: Consistently escape admin_url() links.

Props chintan1896, mukesh27.
Fixes #53426.

Location:
trunk/src
Files:
14 edited

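--- a/trunk/src/wp-admin/about.php
+++ b/trunk/src/wp-admin/about.php
@@ -24,5 +24,5 @@
         <div class="about__header">
             <div class="about__header-image">
-                <img alt="<?php _e( 'Code is Poetry' ); ?>" src="<?php echo admin_url( 'images/about-badge.svg' ); ?>" />
+                <img alt="<?php _e( 'Code is Poetry' ); ?>" src="<?php echo esc_url( admin_url( 'images/about-badge.svg' ) ); ?>" />
             </div>
 
@@ -180,6 +180,6 @@
             <div class="column about__image">
                 <picture>
-                    <source media="(max-width: 600px)" srcset="<?php echo admin_url( 'images/about-color-palette-vert.svg' ); ?>" />
-                    <img alt="" src="<?php echo admin_url( 'images/about-color-palette.svg' ); ?>" />
+                    <source media="(max-width: 600px)" srcset="<?php echo esc_url( admin_url( 'images/about-color-palette-vert.svg' ) ); ?>" />
+                    <img alt="" src="<?php echo esc_url( admin_url( 'images/about-color-palette.svg' ) ); ?>" />
                 </picture>
             </div>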
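--- a/trunk/src/wp-admin/comment.php
+++ b/trunk/src/wp-admin/comment.php
@@ -233,5 +233,5 @@
     <td class="comment-content">
         <?php comment_text( $comment ); ?>
-    <p class="edit-comment"><a href="<?php echo admin_url( "comment.php?action=editcomment&amp;c={$comment->comment_ID}" ); ?>"><?php esc_html_e( 'Edit' ); ?></a></p>
+    <p class="edit-comment"><a href="<?php echo esc_url( admin_url( "comment.php?action=editcomment&c={$comment->comment_ID}" ) ); ?>"><?php esc_html_e( 'Edit' ); ?></a></p>
     </td>
     </tr>
@@ -242,5 +242,5 @@
     <p>
         <?php submit_button( $button, 'primary', 'submit', false ); ?>
-    <a href="<?php echo admin_url( 'edit-comments.php' ); ?>" class="button-cancel"><?php esc_html_e( 'Cancel' ); ?></a>
+    <a href="<?php echo esc_url( admin_url( 'edit-comments.php' ) ); ?>" class="button-cancel"><?php esc_html_e( 'Cancel' ); ?></a>
     </p>
 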
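--- a/trunk/src/wp-admin/credits.php
+++ b/trunk/src/wp-admin/credits.php
@@ -23,5 +23,5 @@
     <div class="about__header">
         <div class="about__header-image">
-            <img alt="<?php _e( 'Code is Poetry' ); ?>" src="<?php echo admin_url( 'images/about-badge.svg' ); ?>" />
+            <img alt="<?php _e( 'Code is Poetry' ); ?>" src="<?php echo esc_url( admin_url( 'images/about-badge.svg' ) ); ?>" />
         </div>
 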
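--- a/trunk/src/wp-admin/edit-tag-form.php
+++ b/trunk/src/wp-admin/edit-tag-form.php
@@ -301,5 +301,5 @@
     <?php if ( current_user_can( 'delete_term', $tag->term_id ) ) : ?>
         <span id="delete-link">
-            <a class="delete" href="<?php echo admin_url( wp_nonce_url( "edit-tags.php?action=delete&taxonomy=$taxonomy&tag_ID=$tag->term_id", 'delete-tag_' . $tag->term_id ) ); ?>"><?php _e( 'Delete' ); ?></a>
+            <a class="delete" href="<?php echo esc_url( admin_url( wp_nonce_url( "edit-tags.php?action=delete&taxonomy=$taxonomy&tag_ID=$tag->term_id", 'delete-tag_' . $tag->term_id ) ) ); ?>"><?php _e( 'Delete' ); ?></a>
         </span>
     <?php endif; ?>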
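Review bot: The nesting on new line 303 is inside-out: `wp_nonce_url()` is applied to the bare relative path and `admin_url()` is wrapped around its already-escaped result, so three escaping/URL-building layers are stacked on one string and the reader has to know that `esc_url()` tolerates the `&amp;` that `wp_nonce_url()` emits. The commit does not change that order; the conventional shape is to build the absolute URL first and let the nonce and escaping be applied last, `echo esc_url( wp_nonce_url( admin_url( "edit-tags.php?action=delete&taxonomy=$taxonomy&tag_ID=$tag->term_id" ), 'delete-tag_' . $tag->term_id ) );`, which also keeps `$taxonomy` and `$tag->term_id` inside the single escaping pass. The surrounding template code starts and ends outside this hunk, so where `$taxonomy` is validated cannot be checked here.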
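--- a/trunk/src/wp-admin/freedoms.php
+++ b/trunk/src/wp-admin/freedoms.php
@@ -26,5 +26,5 @@
     <div class="about__header">
         <div class="about__header-image">
-            <img alt="<?php _e( 'Code is Poetry' ); ?>" src="<?php echo admin_url( 'images/about-badge.svg' ); ?>" />
+            <img alt="<?php _e( 'Code is Poetry' ); ?>" src="<?php echo esc_url( admin_url( 'images/about-badge.svg' ) ); ?>" />
         </div>
 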
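--- a/trunk/src/wp-admin/includes/dashboard.php
+++ b/trunk/src/wp-admin/includes/dashboard.php
@@ -1997,5 +1997,5 @@
             <a class="button button-primary button-hero load-customize hide-if-no-customize" href="<?php echo wp_customize_url(); ?>"><?php _e( 'Customize Your Site' ); ?></a>
         <?php endif; ?>
-        <a class="button button-primary button-hero hide-if-customize" href="<?php echo admin_url( 'themes.php' ); ?>"><?php _e( 'Customize Your Site' ); ?></a>
+        <a class="button button-primary button-hero hide-if-customize" href="<?php echo esc_url( admin_url( 'themes.php' ) ); ?>"><?php _e( 'Customize Your Site' ); ?></a>
         <?php if ( current_user_can( 'install_themes' ) || ( current_user_can( 'switch_themes' ) && count( wp_get_themes( array( 'allowed' => true ) ) ) > 1 ) ) : ?>
             <?php $themes_link = current_user_can( 'customize' ) ? add_query_arg( 'autofocus[panel]', 'themes', admin_url( 'customize.php' ) ) : admin_url( 'themes.php' ); ?>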
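--- a/trunk/src/wp-admin/includes/image-edit.php
+++ b/trunk/src/wp-admin/includes/image-edit.php
@@ -91,5 +91,6 @@
 
         <div id="imgedit-crop-<?php echo $post_id; ?>" class="imgedit-crop-wrap">
-        <img id="image-preview-<?php echo $post_id; ?>" onload="imageEdit.imgLoaded('<?php echo $post_id; ?>')" src="<?php echo admin_url( 'admin-ajax.php', 'relative' ); ?>?action=imgedit-preview&amp;_ajax_nonce=<?php echo $nonce; ?>&amp;postid=<?php echo $post_id; ?>&amp;rand=<?php echo rand( 1, 99999 ); ?>" alt="" />
+        <img id="image-preview-<?php echo $post_id; ?>" onload="imageEdit.imgLoaded('<?php echo $post_id; ?>')"
+            src="<?php echo esc_url( admin_url( 'admin-ajax.php', 'relative' ) ) . '?action=imgedit-preview&amp;_ajax_nonce=' . $nonce . '&amp;postid=' . $post_id . '&amp;rand=' . rand( 1, 99999 ); ?>" alt="" />
         </div>
 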
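Review bot: Only the base URL is escaped on new line 94; `$nonce` and `$post_id` are concatenated after `esc_url()` has returned, so they reach the `src` attribute unescaped, and `$post_id` is also echoed raw into the `id` and `onload` attributes on line 93, which the commit leaves as they were. Building the full URL first and escaping it once keeps every variable inside the escaping pass and lets `esc_url()` emit the `&` separators itself instead of the hand-written `&amp;`: `src="<?php echo esc_url( add_query_arg( array( 'action' => 'imgedit-preview', '_ajax_nonce' => $nonce, 'postid' => $post_id, 'rand' => rand( 1, 99999 ) ), admin_url( 'admin-ajax.php', 'relative' ) ) ); ?>"`. Whether `$post_id` is already cast to an integer and `$nonce` already validated upstream is not visible here; the enclosing function starts and ends outside the hunk.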
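--- a/trunk/src/wp-admin/media-new.php
+++ b/trunk/src/wp-admin/media-new.php
@@ -73,5 +73,5 @@
     <h1><?php echo esc_html( $title ); ?></h1>
 
-    <form enctype="multipart/form-data" method="post" action="<?php echo admin_url( 'media-new.php' ); ?>" class="<?php echo esc_attr( $form_class ); ?>" id="file-form">
+    <form enctype="multipart/form-data" method="post" action="<?php echo esc_url( admin_url( 'media-new.php' ) ); ?>" class="<?php echo esc_attr( $form_class ); ?>" id="file-form">
 
     <?php media_upload_form(); ?>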
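--- a/trunk/src/wp-admin/nav-menus.php
+++ b/trunk/src/wp-admin/nav-menus.php
@@ -690,5 +690,5 @@
 
     <nav class="nav-tab-wrapper wp-clearfix" aria-label="<?php esc_attr_e( 'Secondary menu' ); ?>">
-        <a href="<?php echo admin_url( 'nav-menus.php' ); ?>" class="nav-tab<?php echo $nav_tab_active_class; ?>"<?php echo $nav_aria_current; ?>><?php esc_html_e( 'Edit Menus' ); ?></a>
+        <a href="<?php echo esc_url( admin_url( 'nav-menus.php' ) ); ?>" class="nav-tab<?php echo $nav_tab_active_class; ?>"<?php echo $nav_aria_current; ?>><?php esc_html_e( 'Edit Menus' ); ?></a>
         <?php
         if ( $num_locations && $menu_count ) {
@@ -841,5 +841,5 @@
         </span><!-- /add-edit-menu-action -->
         <?php else : ?>
-            <form method="get" action="<?php echo admin_url( 'nav-menus.php' ); ?>">
+            <form method="get" action="<?php echo esc_url( admin_url( 'nav-menus.php' ) ); ?>">
             <input type="hidden" name="action" value="edit" />
             <label for="select-menu-to-edit" class="selected-menu"><?php _e( 'Select a menu to edit:' ); ?></label>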
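--- a/trunk/src/wp-admin/privacy.php
+++ b/trunk/src/wp-admin/privacy.php
@@ -20,5 +20,5 @@
     <div class="about__header">
         <div class="about__header-image">
-            <img alt="<?php _e( 'Code is Poetry' ); ?>" src="<?php echo admin_url( 'images/about-badge.svg' ); ?>" />
+            <img alt="<?php _e( 'Code is Poetry' ); ?>" src="<?php echo esc_url( admin_url( 'images/about-badge.svg' ) ); ?>" />
         </div>
 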
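--- a/trunk/src/wp-admin/themes.php
+++ b/trunk/src/wp-admin/themes.php
@@ -251,5 +251,5 @@
 
     <?php if ( ! is_multisite() && current_user_can( 'install_themes' ) ) : ?>
-        <a href="<?php echo admin_url( 'theme-install.php' ); ?>" class="hide-if-no-js page-title-action"><?php echo esc_html_x( 'Add New', 'theme' ); ?></a>
+        <a href="<?php echo esc_url( admin_url( 'theme-install.php' ) ); ?>" class="hide-if-no-js page-title-action"><?php echo esc_html_x( 'Add New', 'theme' ); ?></a>
     <?php endif; ?>
 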
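--- a/trunk/src/wp-admin/upload.php
+++ b/trunk/src/wp-admin/upload.php
@@ -88,5 +88,5 @@
         if ( current_user_can( 'upload_files' ) ) {
             ?>
-            <a href="<?php echo admin_url( 'media-new.php' ); ?>" class="page-title-action aria-button-if-js"><?php echo esc_html_x( 'Add New', 'file' ); ?></a>
+            <a href="<?php echo esc_url( admin_url( 'media-new.php' ) ); ?>" class="page-title-action aria-button-if-js"><?php echo esc_html_x( 'Add New', 'file' ); ?></a>
                                 <?php
         }
@@ -273,5 +273,5 @@
 if ( current_user_can( 'upload_files' ) ) {
     ?>
-    <a href="<?php echo admin_url( 'media-new.php' ); ?>" class="page-title-action"><?php echo esc_html_x( 'Add New', 'file' ); ?></a>
+    <a href="<?php echo esc_url( admin_url( 'media-new.php' ) ); ?>" class="page-title-action"><?php echo esc_html_x( 'Add New', 'file' ); ?></a>
                         <?php
 }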
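--- a/trunk/src/wp-admin/users.php
+++ b/trunk/src/wp-admin/users.php
@@ -618,7 +618,7 @@
         if ( current_user_can( 'create_users' ) ) {
             ?>
-    <a href="<?php echo admin_url( 'user-new.php' ); ?>" class="page-title-action"><?php echo esc_html_x( 'Add New', 'user' ); ?></a>
+    <a href="<?php echo esc_url( admin_url( 'user-new.php' ) ); ?>" class="page-title-action"><?php echo esc_html_x( 'Add New', 'user' ); ?></a>
 <?php } elseif ( is_multisite() && current_user_can( 'promote_users' ) ) { ?>
-    <a href="<?php echo admin_url( 'user-new.php' ); ?>" class="page-title-action"><?php echo esc_html_x( 'Add Existing', 'user' ); ?></a>
+    <a href="<?php echo esc_url( admin_url( 'user-new.php' ) ); ?>" class="page-title-action"><?php echo esc_html_x( 'Add Existing', 'user' ); ?></a>
             <?php
 }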
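--- a/trunk/src/wp-includes/class-wp-embed.php
+++ b/trunk/src/wp-includes/class-wp-embed.php
@@ -87,9 +87,8 @@
             return;
         }
-
         ?>
 <script type="text/javascript">
     jQuery(document).ready(function($){
-        $.get("<?php echo admin_url( 'admin-ajax.php?action=oembed-cache&post=' . $post->ID, 'relative' ); ?>");
+        $.get("<?php echo esc_url( admin_url( 'admin-ajax.php', 'relative' ) ) . '?action=oembed-cache&post=' . $post->ID; ?>");
     });
 </script>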
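Review bot: The value echoed on new line 92 lands inside a JavaScript string literal, but `esc_url()` escapes for an HTML-attribute context and the `'?action=oembed-cache&post=' . $post->ID` tail is appended after it returns, so the post ID reaches the script with no escaping at all. `$post->ID` is an integer for a real post object, but this hunk does not show where `$post` comes from; casting it, `. (int) $post->ID`, pins that regardless of caller, and for the `$.get(` argument the context-correct escape is `wp_json_encode()` of the finished URL, e.g. `$.get(<?php echo wp_json_encode( add_query_arg( array( 'action' => 'oembed-cache', 'post' => (int) $post->ID ), admin_url( 'admin-ajax.php', 'relative' ) ) ); ?>);`, which also avoids the `&#038;` that `esc_url()` would put into a JS string if a second query argument were ever added. The method whose `?>` this hunk shows starts outside it.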