Make WordPress Core


Ignore:
Timestamp:
08/05/2022 05:58:01 AM (22 months ago)
Author:
audrasjb
Message:

Coding standards: Properly escape URLs returned by self_admin_url() calls.

Props krishaweb, audrasjb, SergeyBiryukov.
Fixes #56329.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-admin/includes/plugin-install.php

    r52936 r53839  
    343343<div class="upload-plugin">
    344344    <p class="install-help"><?php _e( 'If you have a plugin in a .zip format, you may install or update it by uploading it here.' ); ?></p>
    345     <form method="post" enctype="multipart/form-data" class="wp-upload-form" action="<?php echo self_admin_url( 'update.php?action=upload-plugin' ); ?>">
     345    <form method="post" enctype="multipart/form-data" class="wp-upload-form" action="<?php echo esc_url( self_admin_url( 'update.php?action=upload-plugin' ) ); ?>">
    346346        <?php wp_nonce_field( 'plugin-upload' ); ?>
    347347        <label class="screen-reader-text" for="pluginzip"><?php _e( 'Plugin zip file' ); ?></label>
Note: See TracChangeset for help on using the changeset viewer.