
Commit b6a12a5

committed
Media: Consistently escape URLs in attachment download links and JS data.
The "Download file" link in `attachment_submitbox_metadata()` escaped its `href` with `esc_attr()`, which only HTML-encodes the value. Use `esc_url()` instead, the correct function for a URL in an `href` attribute, since `$att_url` comes from `wp_get_attachment_url()`. This matches the escaping already used for the Download link in the media list table output by `WP_Media_List_Table::_get_row_actions()`. Apply the same correction to `wp_prepare_attachment_for_js()`, wrapping the attachment, intermediate size, full-size, original image, and image source URLs in `esc_url_raw()` so the Backbone-rendered media UI emits URLs filtered through `clean_url` just like the server-rendered templates. Developed in WordPress#12062. Follow-up to r21680, r47202, r55156, r55198, r55221. Props thisismyurl, westonruter, sabernhardt, gazipress, jamesbregenzer, manhar, sanayasir, freewebmentor. See #57574, #41474. Fixes #65397. git-svn-id: https://develop.svn.wordpress.org/trunk@62494 602fd350-edb4-49c9-b593-d223f7449a82
1 parent c384eff commit b6a12a5

2 files changed

Lines changed: 10 additions & 9 deletions


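--- a/src/wp-admin/includes/media.php
+++ b/src/wp-admin/includes/media.php
@@ -3387,7 +3387,7 @@ function attachment_submitbox_metadata() {
 </span>
 </div>
 <div class="misc-pub-section misc-pub-download">
-<a href="<?php echo esc_attr( $att_url ); ?>" download><?php _e( 'Download file' ); ?></a>
+<a href="<?php echo esc_url( $att_url ); ?>" download><?php _e( 'Download file' ); ?></a>
 </div>
 <div class="misc-pub-section misc-pub-filename">
 <?php _e( 'File name:' ); ?> <strong><?php echo $filename; ?></strong>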
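Review bot: The last context line of this hunk echoes `$filename` with no escaping call at the point of output, while the commit's whole point is late-escaping the neighbouring `href`; unless `$filename` is already run through `esc_html()` where it is assigned (that assignment is outside the hunk, so I cannot confirm it), it should be `<strong><?php echo esc_html( $filename ); ?></strong>`. Even if it is pre-escaped, escaping at output here costs nothing and makes the template auditable without tracing the variable back. The enclosing `attachment_submitbox_metadata()` begins and ends outside the hunk.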

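--- a/src/wp-includes/media.php
+++ b/src/wp-includes/media.php
@@ -4573,7 +4573,7 @@ function wp_prepare_attachment_for_js( $attachment ) {
 'id' => $attachment->ID,
 'title' => $attachment->post_title,
 'filename' => wp_basename( get_attached_file( $attachment->ID ) ),
-'url' => $attachment_url,
+'url' => esc_url_raw( $attachment_url ),
 'link' => get_attachment_link( $attachment->ID ),
 'alt' => get_post_meta( $attachment->ID, '_wp_attachment_image_alt', true ),
 'author' => $attachment->post_author,
@@ -4679,7 +4679,7 @@ function wp_prepare_attachment_for_js( $attachment ) {
 $sizes[ $size ] = array(
 'height' => $downsize[2],
 'width' => $downsize[1],
-'url' => $downsize[0],
+'url' => esc_url_raw( $downsize[0] ),
 'orientation' => $downsize[2] > $downsize[1] ? 'portrait' : 'landscape',
 );
 } elseif ( isset( $meta['sizes'][ $size ] ) ) {
@@ -4695,19 +4695,20 @@ function wp_prepare_attachment_for_js( $attachment ) {
 $sizes[ $size ] = array(
 'height' => $height,
 'width' => $width,
-'url' => $base_url . $size_meta['file'],
+'url' => esc_url_raw( $base_url . $size_meta['file'] ),
 'orientation' => $height > $width ? 'portrait' : 'landscape',
 );
 }
 }
 
 if ( 'image' === $type ) {
 if ( ! empty( $meta['original_image'] ) ) {
-$response['originalImageURL'] = wp_get_original_image_url( $attachment->ID );
+$original_image_url = wp_get_original_image_url( $attachment->ID );
+$response['originalImageURL'] = $original_image_url ? esc_url_raw( $original_image_url ) : '';
 $response['originalImageName'] = wp_basename( wp_get_original_image_path( $attachment->ID ) );
 }
 
-$sizes['full'] = array( 'url' => $attachment_url );
+$sizes['full'] = array( 'url' => esc_url_raw( $attachment_url ) );
 
 if ( isset( $meta['height'], $meta['width'] ) ) {
 $sizes['full']['height'] = $meta['height'];
@@ -4718,7 +4719,7 @@ function wp_prepare_attachment_for_js( $attachment ) {
 $response = array_merge( $response, $sizes['full'] );
 } elseif ( $meta['sizes']['full']['file'] ) {
 $sizes['full'] = array(
-'url' => $base_url . $meta['sizes']['full']['file'],
+'url' => esc_url_raw( $base_url . $meta['sizes']['full']['file'] ),
 'height' => $meta['sizes']['full']['height'],
 'width' => $meta['sizes']['full']['width'],
 'orientation' => $meta['sizes']['full']['height'] > $meta['sizes']['full']['width'] ? 'portrait' : 'landscape',
@@ -4757,7 +4758,7 @@ function wp_prepare_attachment_for_js( $attachment ) {
 $response_image_full = wp_get_attachment_image_src( $id, 'full' );
 if ( is_array( $response_image_full ) ) {
 $response['image'] = array(
-'src' => $response_image_full[0],
+'src' => esc_url_raw( $response_image_full[0] ),
 'width' => $response_image_full[1],
 'height' => $response_image_full[2],
 );
@@ -4766,7 +4767,7 @@ function wp_prepare_attachment_for_js( $attachment ) {
 $response_image_thumb = wp_get_attachment_image_src( $id, 'thumbnail' );
 if ( is_array( $response_image_thumb ) ) {
 $response['thumb'] = array(
-'src' => $response_image_thumb[0],
+'src' => esc_url_raw( $response_image_thumb[0] ),
 'width' => $response_image_thumb[1],
 'height' => $response_image_thumb[2],
 );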
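Review bot: The first hunk wraps `url` in `esc_url_raw()` but leaves the neighbouring `'link' => get_attachment_link( $attachment->ID )` unescaped, so the response still carries one URL the Backbone UI receives unfiltered; for the consistency the commit message claims it should be `'link' => esc_url_raw( get_attachment_link( $attachment->ID ) ),`. Separately, `esc_url_raw()` strips characters outside its allowed set, so an existing attachment whose stored file name contains a space or other disallowed byte (possible where `sanitize_file_name` was filtered) would now have its `$base_url . $size_meta['file']` and `$downsize[0]` URLs silently altered rather than merely filtered; a short comment at the first wrapped site noting this, e.g. `// esc_url_raw() also strips disallowed characters; file names are expected to be sanitized at upload.`, would make the trade-off explicit. Also worth noting in a comment that `originalImageURL` changes from `false` to `''` on the no-original path, since JS consumers comparing with `=== false` would no longer match. `wp_prepare_attachment_for_js()` begins and ends outside the hunks.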
