use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for trunk.

git-svn-id: https://develop.svn.wordpress.org/trunk@5056 602fd350-edb4-49c9-b593-d223f7449a82
Mark Jaquith
2007-03-17 08:46:59 +00:00
parent 4926111056
commit d8336eed5c
18 changed files with 39 additions and 38 deletions


@@ -150,7 +150,7 @@ class WP_Scripts {
$ver .= '&' . $this->args[$handle];
$src = 0 === strpos($this->scripts[$handle]->src, 'http://') ? $this->scripts[$handle]->src : get_option( 'siteurl' ) . $this->scripts[$handle]->src;
$src = add_query_arg('ver', $ver, $src);
$src = attribute_escape(apply_filters( 'script_loader_src', $src ));
$src = clean_url(apply_filters( 'script_loader_src', $src ));
echo "<script type='text/javascript' src='$src'></script>\n";
$this->print_scripts_l10n( $handle );
}
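Review bot: The value passed to clean_url on the new line is the output of the `script_loader_src` filter, i.e. plugin-controlled, and the hunk only shows that it is sanitised as a URL before being dropped into the single-quoted `src` attribute on the following line; whether clean_url also rejects non-http(s) schemes is not visible here and is worth confirming, since a scheme check is what keeps a filtered value from being executable rather than merely well-formed. A short comment would record the contract: `// clean_url, not attribute_escape: the value lands in a src attribute, so it must be a safe URL, not just entity-safe text`. Separately, the absolute-URL test two lines above the change only recognises `'http://'`, so an `https://` src gets `siteurl` prepended; `0 === strpos($src, 'http://') || 0 === strpos($src, 'https://')` (or `preg_match('|^https?://|i', ...)`) would cover both. The enclosing method of WP_Scripts starts outside the hunk.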