Making WordPress.org

Changeset 1491


Timestamp:
04/21/2015 12:48:49 AM (10 years ago)
Author:
iandunn
Message:

WordCamp Post Type: Escape pagination base URL.

Letting add_query_arg() fall back to using $_SERVER['REQUEST_URI'] can introduce malicious user input.

See https://make.wordpress.org/plugins/2015/04/20/fixing-add_query_arg-and-remove_query_arg-usage/

File:
1 edited

  • sites/trunk/wordcamp.org/public_html/wp-content/plugins/wcpt/wcpt-wordcamp/wordcamp-template.php

    r191 r1491  
    5656        // Pagination settings with filter
    5757        $wcpt_pagination = apply_filters( 'wcpt_pagination', array (
    58             'base'      => add_query_arg( 'wcpage', '%#%' ),
     58            'base'      => esc_url_raw( add_query_arg( 'wcpage', '%#%' ) ),
    5959            'format'    => '',
    6060            'total'     => ceil( (int)$wcpt_template->found_posts / (int)$posts_per_page ),
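Review bot: The hunk leaves no code comment explaining why the escaping is needed; the reason (add_query_arg() with one argument falls back to $_SERVER['REQUEST_URI'], so the base URL carries whatever the client sent) lives only in the commit message, and a one-line comment above line 58 would stop a future edit from dropping the esc_url_raw() call as apparently redundant. Two things worth confirming on the changed line itself: the '%#%' placeholder has to survive escaping, and esc_url_raw() keeps both '%' and '#' in its allowed character set, so the page-number token still reaches the pagination code; and esc_url_raw() rather than esc_url() is the right choice here because the value is stored in an array for later use, not echoed directly into HTML, so no entity encoding of '&' should happen at this point.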