diff --git a/wp-admin/async-upload.php b/wp-admin/async-upload.php index fca14d2ab3..0b32fd1b07 100644 --- a/wp-admin/async-upload.php +++ b/wp-admin/async-upload.php @@ -32,7 +32,7 @@ if ( ! ( isset( $_REQUEST['action'] ) && 'upload-attachment' == $_REQUEST['actio require_once( ABSPATH . 'wp-admin/admin.php' ); -header( 'Content-Type: text/html; charset=' . get_option( 'blog_charset' ) ); +header( 'Content-Type: text/plain; charset=' . get_option( 'blog_charset' ) ); if ( isset( $_REQUEST['action'] ) && 'upload-attachment' === $_REQUEST['action'] ) { include( ABSPATH . 'wp-admin/includes/ajax-actions.php' ); diff --git a/wp-admin/includes/ajax-actions.php b/wp-admin/includes/ajax-actions.php index a3c7e19002..8d57c00367 100644 --- a/wp-admin/includes/ajax-actions.php +++ b/wp-admin/includes/ajax-actions.php @@ -2065,7 +2065,7 @@ function wp_ajax_upload_attachment() { 'success' => false, 'data' => array( 'message' => __( 'Sorry, you are not allowed to upload files.' ), - 'filename' => $_FILES['async-upload']['name'], + 'filename' => esc_html( $_FILES['async-upload']['name'] ), ) ) ); @@ -2079,7 +2079,7 @@ function wp_ajax_upload_attachment() { 'success' => false, 'data' => array( 'message' => __( 'Sorry, you are not allowed to attach files to this post.' ), - 'filename' => $_FILES['async-upload']['name'], + 'filename' => esc_html( $_FILES['async-upload']['name'] ), ) ) ); @@ -2103,7 +2103,7 @@ function wp_ajax_upload_attachment() { 'success' => false, 'data' => array( 'message' => __( 'The uploaded file is not a valid image. Please try again.' ), - 'filename' => $_FILES['async-upload']['name'], + 'filename' => esc_html( $_FILES['async-upload']['name'] ), ) ) ); @@ -2118,7 +2118,7 @@ function wp_ajax_upload_attachment() { 'success' => false, 'data' => array( 'message' => $attachment_id->get_error_message(), - 'filename' => $_FILES['async-upload']['name'], + 'filename' => esc_html( $_FILES['async-upload']['name'] ), ) ) );