Changeset 10644

Timestamp:

03/09/2016 02:58:35 PM (9 years ago)

Author:

djpaul

Message:

Attachments: when rendering inline CSS for cover images, use esc_url_raw to escape the image path.

This prevents entities such as & being decoded into &#038, which can break image URLs that rely on querystring parameters for functionality.

Fixes #6952 (2.5 branch)

File:

• branches/2.5/src/bp-core/bp-core-cssjs.php (modified) (1 diff)

branches/2.5/src/bp-core/bp-core-cssjs.php

@@ -438 +438 @@
 
         $inline_css = call_user_func_array( $params['callback'], array( array(
-            'cover_image' => esc_url( $cover_image ),
+            'cover_image' => esc_url_raw( $cover_image ),
             'component'   => sanitize_key( $cover_image_object['component'] ),
             'object_id'   => (int) $cover_image_object['object']->id,