Properly escape source parameter in audio/video shortcodes. See #23282.

git-svn-id: http://core.svn.wordpress.org/trunk@24334 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Jon Cave 2013-05-23 17:45:59 +00:00
parent 81b18ddade
commit 94a56f3bbf


@ -861,7 +861,7 @@ function wp_audio_shortcode( $attr ) {
if ( ! empty( $src ) ) {
$type = wp_check_filetype( $src );
if ( ! in_array( $type['ext'], $default_types ) )
return sprintf( '<a class="wp-post-format-link-audio" href="%1$s">%1$s</a>', $src );
return sprintf( '<a class="wp-post-format-link-audio" href="%s">%s</a>', esc_url( $src ), esc_html( $src ) );
$primary = true;
array_unshift( $default_types, 'src' );
} else {
@ -907,7 +907,7 @@ function wp_audio_shortcode( $attr ) {
if ( empty( $fileurl ) )
$fileurl = $$fallback;
$type = wp_check_filetype( $$fallback );
$html .= sprintf( $source, $type['type'], $$fallback );
$html .= sprintf( $source, $type['type'], esc_url( $$fallback ) );
}
}
@ -979,7 +979,7 @@ function wp_video_shortcode( $attr ) {
if ( ! empty( $src ) ) {
$type = wp_check_filetype( $src );
if ( ! in_array( $type['ext'], $default_types ) )
return sprintf( '<a class="wp-post-format-link-video" href="%1$s">%1$s</a>', $src );
return sprintf( '<a class="wp-post-format-link-video" href="%s">%s</a>', esc_url( $src ), esc_html( $src ) );
$primary = true;
array_unshift( $default_types, 'src' );
} else {
@ -1033,7 +1033,7 @@ function wp_video_shortcode( $attr ) {
// m4v sometimes shows up as video/mpeg which collides with mp4
if ( 'm4v' === $type['ext'] )
$type['type'] = 'video/m4v';
$html .= sprintf( $source, $type['type'], $$fallback );
$html .= sprintf( $source, $type['type'], esc_url( $$fallback ) );
}
}
if ( 'mediaelement' === $library )
@ -2634,4 +2634,4 @@ function img_html_to_post_id( $html, &$matched_html = null ) {
$attachment_id = attachment_url_to_postid( $attr['src'] );
return $attachment_id;
}
}
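Review bot: In the second hunk (wp_audio_shortcode, near line 907) `$fileurl = $$fallback;` still stores the raw attribute value; only the copy handed to the `<source>` format string goes through `esc_url()`. The place where `$fileurl` is printed is outside the hunk, so confirm that it escapes the value there. If it does not, the fallback output keeps the same unescaped-attribute problem this commit fixes for `<source>`. The corresponding assignment in wp_video_shortcode is not visible in the fourth hunk and presumably needs the same check. A comment at the assignment would make the contract explicit, for example `// $fileurl is unescaped here; run it through esc_url() where it is output.`; both function bodies begin and end outside the hunks shown.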