mirror of
https://github.com/WordPress/WordPress.git
synced 2024-11-18 16:45:31 +01:00
More upload escaping. Props Brian Layman. fixes #4689 for trunk
git-svn-id: http://svn.automattic.com/wordpress/trunk@5837 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
f526180278
commit
f359dab72e
@ -107,7 +107,7 @@ function wp_upload_form() {
|
||||
$enctype = $id ? '' : ' enctype="multipart/form-data"';
|
||||
$post_id = (int) $post_id;
|
||||
?>
|
||||
<form<?php echo $enctype; ?> id="upload-file" method="post" action="<?php echo get_option('siteurl') . '/wp-admin/upload.php?style=' . attribute_escape($style) . '&tab=upload&post_id=' . $post_id; ?>">
|
||||
<form<?php echo $enctype; ?> id="upload-file" method="post" action="<?php echo get_option('siteurl') . '/wp-admin/upload.php?style=' . attribute_escape($style . '&tab=upload&post_id=' . $post_id); ?>">
|
||||
<?php
|
||||
if ( $id ) :
|
||||
$attachment = get_post_to_edit( $id );
|
||||
@ -202,7 +202,7 @@ function wp_upload_tab_upload_action() {
|
||||
|
||||
if ( !current_user_can( 'upload_files' ) )
|
||||
wp_die( __('You are not allowed to upload files.')
|
||||
. " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=$style&tab=browse-all&post_id=$post_id'>"
|
||||
. " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=" . attribute_escape($style . "&tab=browse-all&post_id=$post_id") . "'>"
|
||||
. __('Browse Files') . '</a>'
|
||||
);
|
||||
|
||||
@ -212,7 +212,7 @@ function wp_upload_tab_upload_action() {
|
||||
|
||||
if ( isset($file['error']) )
|
||||
wp_die($file['error'] . "<br /><a href='" . get_option('siteurl')
|
||||
. "/wp-admin/upload.php?style=$style&tab=$from_tab&post_id=$post_id'>" . __('Back to Image Uploading') . '</a>'
|
||||
. "/wp-admin/upload.php?style=" . attribute_escape($style . "&tab=$from_tab&post_id=$post_id") . "'>" . __('Back to Image Uploading') . '</a>'
|
||||
);
|
||||
|
||||
$url = $file['url'];
|
||||
@ -259,7 +259,7 @@ function wp_upload_tab_upload_action() {
|
||||
|
||||
if ( !current_user_can('edit_post', (int) $ID) )
|
||||
wp_die( __('You are not allowed to delete this attachment.')
|
||||
. " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=$style&tab=$from_tab&post_id=$post_id'>"
|
||||
. " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=" . attribute_escape($style . "&tab=$from_tab&post_id=$post_id") . "'>"
|
||||
. __('Go back') . '</a>'
|
||||
);
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user