
Changeset 5838


Timestamp:
08/01/2007 08:58:38 PM (18 years ago)
Author:
markjaquith
Message:

More upload escaping. Props Brian Layman. fixes #4689 for 2.2.x

File:
1 edited

  • branches/2.2/wp-admin/upload-functions.php

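--- a/branches/2.2/wp-admin/upload-functions.php
+++ b/branches/2.2/wp-admin/upload-functions.php
@@ -108,5 +108,5 @@
     $post_id = (int) $post_id;
 ?>
-    <form<?php echo $enctype; ?> id="upload-file" method="post" action="<?php echo get_option('siteurl') . '/wp-admin/upload.php?style=' . attribute_escape($style) . '&amp;tab=upload&amp;post_id=' . $post_id; ?>">
+    <form<?php echo $enctype; ?> id="upload-file" method="post" action="<?php echo get_option('siteurl') . '/wp-admin/upload.php?style=' . attribute_escape($style . '&amp;tab=upload&amp;post_id=' . $post_id); ?>">
 <?php
     if ( $id ) :
@@ -203,5 +203,5 @@
         if ( !current_user_can( 'upload_files' ) )
             wp_die( __('You are not allowed to upload files.')
-                . " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=$style&amp;tab=browse-all&amp;post_id=$post_id'>"
+                . " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=" . attribute_escape($style . "&amp;tab=browse-all&amp;post_id=$post_id") . "'>"
                 . __('Browse Files') . '</a>'
             );
@@ -213,5 +213,5 @@
         if ( isset($file['error']) )
             wp_die($file['error'] . "<br /><a href='" . get_option('siteurl')
-            . "/wp-admin/upload.php?style=$style&amp;tab=$from_tab&amp;post_id=$post_id'>" . __('Back to Image Uploading') . '</a>'
+            . "/wp-admin/upload.php?style=" . attribute_escape($style . "&amp;tab=$from_tab&amp;post_id=$post_id") . "'>" . __('Back to Image Uploading') . '</a>'
         );
 
@@ -260,5 +260,5 @@
         if ( !current_user_can('edit_post', (int) $ID) )
             wp_die( __('You are not allowed to delete this attachment.')
-                . " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=$style&amp;tab=$from_tab&amp;post_id=$post_id'>"
+                . " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=" . attribute_escape($style . "&amp;tab=$from_tab&amp;post_id=$post_id") . "'>"
                 . __('Go back') . '</a>'
             );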
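Review bot: attribute_escape() covers only the HTML-attribute context, so on each of the four rewritten lines (110, 205, 215, 262) a $style or $from_tab value containing `&`, `=` or `#` can still reshape the query string of the link even though it can no longer break out of the attribute; where these come from the request (their origin is not visible on this page), encode them for the URL first and cast the id, e.g. for line 215 `. "/wp-admin/upload.php?style=" . attribute_escape(urlencode($style) . "&tab=" . urlencode($from_tab) . "&post_id=" . (int) $post_id) . "'>"`, with the same shape on the other three lines. Building the string with a plain `&` and letting attribute_escape() emit `&amp;` also removes the new reliance on it leaving the literal `&amp;` entities untouched, which this page cannot confirm and which would otherwise put `&amp;amp;` into the links. The wp_die() calls at 204, 214 and 261 sit in functions that start and end outside these hunks, and `$file['error']` on line 214 is still concatenated unescaped; whether that string can carry attacker-controlled text is not visible here.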