summaryrefslogtreecommitdiffstats
path: root/wp-admin/upload-functions.php
diff options
context:
space:
mode:
Diffstat (limited to 'wp-admin/upload-functions.php')
-rw-r--r--wp-admin/upload-functions.php9
1 files changed, 5 insertions, 4 deletions
diff --git a/wp-admin/upload-functions.php b/wp-admin/upload-functions.php
index 31965bc..e2d734d 100644
--- a/wp-admin/upload-functions.php
+++ b/wp-admin/upload-functions.php
@@ -105,8 +105,9 @@ function wp_upload_form() {
$id = get_the_ID();
global $post_id, $tab, $style;
$enctype = $id ? '' : ' enctype="multipart/form-data"';
+ $post_id = (int) $post_id;
?>
- <form<?php echo $enctype; ?> id="upload-file" method="post" action="<?php echo get_option('siteurl') . "/wp-admin/upload.php?style=$style&amp;tab=upload&amp;post_id=$post_id"; ?>">
+ <form<?php echo $enctype; ?> id="upload-file" method="post" action="<?php echo get_option('siteurl') . '/wp-admin/upload.php?style=' . attribute_escape($style . '&amp;tab=upload&amp;post_id=' . $post_id); ?>">
<?php
if ( $id ) :
$attachment = get_post_to_edit( $id );
@@ -201,7 +202,7 @@ function wp_upload_tab_upload_action() {
if ( !current_user_can( 'upload_files' ) )
wp_die( __('You are not allowed to upload files.')
- . " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=$style&amp;tab=browse-all&amp;post_id=$post_id'>"
+ . " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=" . attribute_escape($style . "&amp;tab=browse-all&amp;post_id=$post_id") . "'>"
. __('Browse Files') . '</a>'
);
@@ -211,7 +212,7 @@ function wp_upload_tab_upload_action() {
if ( isset($file['error']) )
wp_die($file['error'] . "<br /><a href='" . get_option('siteurl')
- . "/wp-admin/upload.php?style=$style&amp;tab=$from_tab&amp;post_id=$post_id'>" . __('Back to Image Uploading') . '</a>'
+ . "/wp-admin/upload.php?style=" . attribute_escape($style . "&amp;tab=$from_tab&amp;post_id=$post_id") . "'>" . __('Back to Image Uploading') . '</a>'
);
$url = $file['url'];
@@ -258,7 +259,7 @@ function wp_upload_tab_upload_action() {
if ( !current_user_can('edit_post', (int) $ID) )
wp_die( __('You are not allowed to delete this attachment.')
- . " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=$style&amp;tab=$from_tab&amp;post_id=$post_id'>"
+ . " <a href='" . get_option('siteurl') . "/wp-admin/upload.php?style=" . attribute_escape($style . "&amp;tab=$from_tab&amp;post_id=$post_id") . "'>"
. __('Go back') . '</a>'
);
generated by cgit (git 2.34.1) at 2026-02-13 14:26:04 +0000