Timestamp:
03/17/07 08:47:29 (2 years ago)
Author:
markjaquith
Message:

use clean_url() instead of attribute_escape() when dealing with src/href to protect against XSS. props xknown. fixes #3986 for 2.1.

Files:

  • branches/2.1/wp-admin/bookmarklet.php

    r4656 r5057  
    3838 
    3939$content  = wp_specialchars($_REQUEST['content']); 
    40 $popupurl = attribute_escape($_REQUEST['popupurl']); 
     40$popupurl = clean_url($_REQUEST['popupurl']); 
    4141if ( !empty($content) ) { 
    4242    $post->post_content = wp_specialchars( stripslashes($_REQUEST['content']) );
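
Review bot: On the new line 40, `$_REQUEST['popupurl']` goes to `clean_url()` without `stripslashes()`, while line 42 unslashes `$_REQUEST['content']` before escaping it. Check whether the URL should be unslashed first so the cleaner sees the value the client actually sent. Since `clean_url()` is a URL sanitizer and not a general attribute escaper, a short comment here saying that `$popupurl` is only ever emitted into src/href context would help, along with a check that every later use of `$popupurl` in this file fits that context and copes with whatever `clean_url()` returns for a rejected value.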