WordPress.org

Plugin Directory

Changeset 622236

Timestamp: 11/07/12 18:52:24 (18 months ago)
Author: mdawaffe
Message:

Sharing: esc_url_raw() does not protect against certain CSS injection attacks.

Quote the URL.

Props @xknown

File: 1 edited

  • jetpack/trunk/modules/sharedaddy/sharing-sources.php

    r621554 r622236  
    934934    public function get_display( $post ) { 
    935935        $str = $this->get_link( get_permalink( $post->ID ), esc_html( $this->name ), __( 'Click to share', 'jetpack' ), 'share='.$this->id ); 
    936         return str_replace( '<span>', '<span style="' . esc_attr( 'background-image:url(' . esc_url_raw( $this->icon ) . ');' ) . '">', $str ); 
     936        return str_replace( '<span>', '<span style="' . esc_attr( 'background-image:url("' . addcslashes( esc_url_raw( $this->icon ), '"' ) . '");' ) . '">', $str ); 
    937937    } 
    938938 
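Review bot: the new line escapes only the double quote, so `addcslashes( esc_url_raw( $this->icon ), '"' )` leaves backslashes untouched; if `esc_url_raw()` lets a trailing backslash through, that backslash would escape the closing `"` of the CSS string and reopen the same `url(...)` breakout the quoting is meant to close. Passing `'"\\'` to `addcslashes()` so that both `"` and `\` are escaped removes the dependency on what `esc_url_raw()` filters. A one-line comment explaining why the inner quotes are needed (the commit message says `esc_url_raw()` alone does not stop CSS injection, presumably because characters such as `)` survive it) would also help, since the outer `esc_attr()` already covers the HTML attribute context and a reader may otherwise take the inner quoting and escaping for redundancy.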