IntenseWebs/WordPress
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for trunk.

Browse Source 
git-svn-id: http://svn.automattic.com/wordpress/trunk@5056 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
markjaquith
2007-03-17 08:46:59 +00:00
parent 7136d65028
commit 611b037efa
18 changed files with 39 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
wp-admin/user-edit.php
View File

@@ -55,7 +55,7 @@ include ('admin-header.php');
<div id="message" class="updated fade">
<p><strong><?php _e('User updated.') ?></strong></p>
<?php if ( $wp_http_referer ) : ?>
<p><a href="<?php echo attribute_escape($wp_http_referer); ?>"><?php _e('&laquo; Back to Authors and Users'); ?></a></p>
<p><a href="<?php echo clean_url($wp_http_referer); ?>"><?php _e('&laquo; Back to Authors and Users'); ?></a></p>
<?php endif; ?>
</div>
<?php endif; ?>