[wp-trac] [WordPress Trac] #10056: href not sanitized in media uploader
WordPress Trac
wp-trac at lists.automattic.com
Sun Jun 7 02:09:20 GMT 2009
#10056: href not sanitized in media uploader
-------------------------------+--------------------------------------------
 Reporter:  Denis-de-Bernardy  |       Owner:
     Type:  defect (bug)       |      Status:  new
 Priority:  normal             |   Milestone:  2.9
Component:  Media              |     Version:  2.8
 Severity:  normal             |    Keywords:
-------------------------------+--------------------------------------------
There are lines such as:
{{{
if ( !empty($_POST['insertonlybutton']) ) {
	$href = $_POST['insertonly']['href'];
	if ( !empty($href) && !strpos($href, '://') )
		$href = "http://$href";
	// ...
}
}}}
They should get an additional:
{{{
$href = esc_url_raw($href); // for the filter
}}}
and the link should use esc_url($href).
--
Ticket URL: <http://core.trac.wordpress.org/ticket/10056>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
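
Added example (not part of the original ticket, and not WordPress core code): the handling quoted in the ticket next to the suggested esc_url_raw()/esc_url() calls, run over constructed inputs. The helper names href_as_reported() and href_as_suggested() are hypothetical, and outside WordPress the two esc_* functions are replaced by simplified stand-ins, which is an assumption of this sketch.

```php
<?php
// Added illustration. Inside WordPress the real esc_url_raw()/esc_url() are used;
// otherwise these simplified stand-ins (assumption) apply an http/https scheme
// allowlist and HTML-attribute escaping.
if ( ! function_exists( 'esc_url_raw' ) ) {
	function esc_url_raw( $url ) {
		$scheme = strtolower( (string) parse_url( $url, PHP_URL_SCHEME ) );
		return in_array( $scheme, array( 'http', 'https' ), true ) ? $url : '';
	}
	function esc_url( $url ) {
		return htmlspecialchars( esc_url_raw( $url ), ENT_QUOTES, 'UTF-8' );
	}
}

// Behaviour quoted in the ticket: the value only gets an "http://" prefix
// when it does not already contain "://"; nothing else is checked.
function href_as_reported( $href ) {
	if ( ! empty( $href ) && ! strpos( $href, '://' ) ) {
		$href = "http://$href";
	}
	return $href;
}

// The ticket's suggestion: esc_url_raw() on the value handed on to filters,
// esc_url() at the point where the value is written into the href attribute.
function href_as_suggested( $href ) {
	$raw = esc_url_raw( href_as_reported( $href ) );
	return array( 'raw' => $raw, 'attr' => esc_url( $raw ) );
}

// Constructed sample inputs: a bare host, a non-http scheme that already
// contains "://", and a URL containing a double quote.
$samples = array(
	'example.com/a.jpg',
	'javascript://constructed-sample',
	'http://example.com/a.jpg?x="y',
);

foreach ( $samples as $in ) {
	$before = href_as_reported( $in );
	$after  = href_as_suggested( $in );
	printf( "input:  %s\n", $in );
	printf( "  as reported:  <a href=\"%s\">\n", $before );
	printf( "  as suggested: <a href=\"%s\">\n\n", $after['attr'] );
}
```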