
BuddyPress.org


Timestamp:
08/12/2013 10:53:30 PM (12 years ago)
Author:
johnjamesjacoby
Message:

Use esc_url() where esc_attr() was incorrectly used in activity/blogs/groups components. Also escape $link when it's fed into bp_activity_thumbnail_content_images() directly.

File:
1 edited

  • trunk/bp-activity/bp-activity-functions.php

    r7338 r7349  
    15251525 *
    15261526 * @param string $content The content to work with
    1527  * @param string $link Optional. The URL that the image should link to
     1527 * @param string $link Optional. The unescaped URL that the image should link to
    15281528 * @param array $activity_args Optional. The args passed to the activity
    15291529 *   creation function (eg bp_blogs_record_activity())
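Review bot: The new `$link` description at new line 1527 says the URL is unescaped but not where it gets escaped. Since the function now passes it through esc_url() before output, state that in the docblock, for example "The unescaped URL that the image should link to; escaped with esc_url() on output", so callers know not to pre-escape it.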
     
    15621562            $new_height = (int) $height >= 100 ? 100 : $height;
    15631563            $new_width  = $new_height * $ratio;
    1564 
    1565             $image = '<img src="' . esc_attr( $src ) . '" width="' . $new_width . '" height="' . $new_height . '" alt="' . __( 'Thumbnail', 'buddypress' ) . '" class="align-left thumbnail" />';
     1564            $image      = '<img src="' . esc_url( $src ) . '" width="' . absint( $new_width ) . '" height="' . absint( $new_height ) . '" alt="' . __( 'Thumbnail', 'buddypress' ) . '" class="align-left thumbnail" />';
    15661565
    15671566            if ( !empty( $link ) ) {
    1568                 $image = '<a href="' . $link . '">' . $image . '</a>';
     1567                $image = '<a href="' . esc_url( $link ) . '">' . $image . '</a>';
    15691568            }
    15701569
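Review bot: The alt attribute on new line 1564 still prints the translated string raw: `alt="' . __( 'Thumbnail', 'buddypress' ) . '"`. Every other dynamic value in that tag is now escaped, so use esc_attr__( 'Thumbnail', 'buddypress' ) there as well; a translation containing a double quote would otherwise break the attribute. A smaller point on the same line: absint( $new_width ) truncates the float produced by $new_height * $ratio, which is acceptable for a width attribute, but an explicit round() before the cast would make the intent clear.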