Make WordPress Core


Timestamp:
08/05/2022 05:58:01 AM (20 months ago)
Author:
audrasjb
Message:

Coding standards: Properly escape URLs returned by self_admin_url() calls.

Props krishaweb, audrasjb, SergeyBiryukov.
Fixes #56329.

File:
1 edited

  • trunk/src/wp-admin/includes/theme-install.php

    r53639 r53839  
    183183    ?>
    184184<p class="install-help"><?php _e( 'If you have a theme in a .zip format, you may install or update it by uploading it here.' ); ?></p>
    185 <form method="post" enctype="multipart/form-data" class="wp-upload-form" action="<?php echo self_admin_url( 'update.php?action=upload-theme' ); ?>">
     185<form method="post" enctype="multipart/form-data" class="wp-upload-form" action="<?php echo esc_url( self_admin_url( 'update.php?action=upload-theme' ) ); ?>">
    186186    <?php wp_nonce_field( 'theme-upload' ); ?>
    187187    <label class="screen-reader-text" for="themezip"><?php _e( 'Theme zip file' ); ?></label>
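
Review bot: The commit message refers to self_admin_url() "calls" in the plural, but the only changed line is the `action` attribute of the upload form at new line 185 of theme-install.php, and the file list shows one file edited. Consider naming that form in the message, or noting on #56329 whether other places that echo self_admin_url() directly are still to be handled, so readers do not assume the whole admin was covered. The change itself looks right for this context: esc_url() is the appropriate escaper for a URL printed into an HTML attribute, and since the argument here is a fixed string literal, the rendered form action should be unchanged for the default URL.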