use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for trunk.

git-svn-id: http://svn.automattic.com/wordpress/trunk@5056 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/edit-page-form.php

@@ -13,7 +13,7 @@ if (0 == $post_ID) {
 	$form_extra = "<input type='hidden' id='post_ID' name='post_ID' value='$post_ID' />";
 }
 
-$sendto = attribute_escape(stripslashes(wp_get_referer()));
+$sendto = clean_url(stripslashes(wp_get_referer()));
 
 if ( 0 != $post_ID && $sendto == get_permalink($post_ID) )
 	$sendto = 'redo';