

Timestamp:
08/12/2013 10:53:30 PM (12 years ago)
Author:
johnjamesjacoby
Message:

Use esc_url() where esc_attr() was incorrectly used in activity/blogs/groups components. Also escape $link when it's fed into bp_activity_thumbnail_content_images() directly.

File:
1 edited

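--- a/trunk/bp-groups/bp-groups-template.php
+++ b/trunk/bp-groups/bp-groups-template.php
@@ -522,5 +522,5 @@
     /* Fetch the avatar from the folder, if not provide backwards compat. */
     if ( !$avatar = bp_core_fetch_avatar( array( 'item_id' => $groups_template->group->id, 'object' => 'group', 'type' => $type, 'avatar_dir' => 'group-avatars', 'alt' => $alt, 'css_id' => $id, 'class' => $class, 'width' => $width, 'height' => $height, 'title' => $groups_template->group->name, 'alt' => $alt ) ) )
-        $avatar = '<img src="' . esc_attr( $groups_template->group->avatar_thumb ) . '" class="avatar" alt="' . esc_attr( $groups_template->group->name ) . '" />';
+        $avatar = '<img src="' . esc_url( $groups_template->group->avatar_thumb ) . '" class="avatar" alt="' . esc_attr( $groups_template->group->name ) . '" />';
 
     return apply_filters( 'bp_get_group_avatar', $avatar );
@@ -2605,9 +2605,9 @@
     if ( $bp->groups->current_group->avatar_full ) { ?>
 
-        <img src="<?php echo esc_attr( $bp->groups->current_group->avatar_full ) ?>" alt="<?php _e( 'Group Avatar', 'buddypress' ) ?>" class="avatar" />
+        <img src="<?php echo esc_url( $bp->groups->current_group->avatar_full ); ?>" alt="<?php _e( 'Group Avatar', 'buddypress' ) ?>" class="avatar" />
 
     <?php } else { ?>
 
-        <img src="<?php echo $bp->groups->image_base . '/none.gif' ?>" alt="<?php _e( 'No Group Avatar', 'buddypress' ) ?>" class="avatar" />
+        <img src="<?php echo esc_url( $bp->groups->image_base . '/none.gif' ); ?>" alt="<?php _e( 'No Group Avatar', 'buddypress' ) ?>" class="avatar" />
 
     <?php }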
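Review bot: The `alt` attributes on the two `<img>` tags at new lines 2607 and 2611 still print the translated string with `_e()`, which does no escaping, so a translation containing a double quote or markup would break out of the attribute even though `src` now goes through `esc_url()`. Use `esc_attr_e( 'Group Avatar', 'buddypress' )` and `esc_attr_e( 'No Group Avatar', 'buddypress' )` there so the whole tag is escaped per context. Separately, the `bp_core_fetch_avatar()` call at line 523 lists `'alt' => $alt` twice in its argument array; the second entry is redundant and can be dropped. Both enclosing functions begin and end outside the lines shown.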