WordPress.org

Make WordPress Core

#23664 closed enhancement (fixed)

Add esc_url() to header_image()

Reported by: SergeyBiryukov Owned by: SergeyBiryukov
Milestone: 3.6 Priority: normal
Severity: normal Version:
Component: Themes Keywords: has-patch
Focuses: Cc:

Description

Spotted this in Twenty Thirteen: esc_url( header_image() ) (see #23663).

It doesn't work as intended, since header_image() echoes the value directly:
http://core.trac.wordpress.org/browser/tags/3.5.1/wp-includes/theme.php#L983

I guess we should add esc_url() to header_image() itself, like we did in [14949] for the_guid() and in [23527] for the_permalink().

Attachments (1)

23664.patch (330 bytes) - added by SergeyBiryukov 17 months ago.

Download all attachments as: .zip

Change History (2)

SergeyBiryukov17 months ago

comment:1 SergeyBiryukov16 months ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 23633:

Always escape the URL echoed by header_image(). fixes #23664.

Note: See TracTickets for help on using tickets.