Added escaping to wp_shortlink_wp_head() too. See #10640 props sirzooro.

git-svn-id: http://svn.automattic.com/wordpress/trunk@14207 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2010-04-23 21:20:16 +00:00 · 2010-04-23 21:20:16 +00:00 · e88b66ee00
parent bc0947b075
commit e88b66ee00
1 changed files with 13 additions and 10 deletions
--- a/wp-includes/link-template.php
+++ b/wp-includes/link-template.php
@ -2199,12 +2199,12 @@ function wp_get_shortlink($id = 0, $context = 'post', $allow_slugs = true) {
 * @uses wp_get_shortlink()
 */
 function wp_shortlink_wp_head() {
-	$shortlink = wp_get_shortlink(0, 'query');
+	$shortlink = wp_get_shortlink( 0, 'query' );
-	if ( empty($shortlink) )
+	if ( empty( $shortlink ) )
 		return;
-	echo "<link rel='shortlink' href='" . $shortlink . "' />\n";
+	echo "<link rel='shortlink' href='" . esc_attr( $shortlink ) . "' />\n";
 }
 /**
@ -2242,19 +2242,22 @@ function wp_shortlink_header() {
 * @param string $before Optional HTML to display before the link.
 * @param string $before Optional HTML to display after the link.
 */
-function the_shortlink($text = '', $title = '', $before = '', $after = '') {
+function the_shortlink( $text = '', $title = '', $before = '', $after = '' ) {
 	global $post;
-	if ( empty($text) )
+	if ( empty( $text ) )
 		$text = __('This is the short link.');
-	if ( empty($title) )
+	if ( empty( $title ) )
-		$title = the_title_attribute( array('echo' => FALSE) );
+		$title = the_title_attribute( array( 'echo' => FALSE ) );
-	$shortlink = wp_get_shortlink($post->ID);
+	$shortlink = wp_get_shortlink( $post->ID );
-	if ( !empty($shortlink) )
+	if ( !empty( $shortlink ) ) {
-		echo "$before<a rel='shortlink' href='$shortlink' title='$title'>$text</a>$after";
+		$link = '<a rel="shortlink" href="' . esc_attr( $shortlink ) . '" title="' . $title . '">' . $text . '</a>';
 		$link = apply_filters( 'the_shortlink', $link, $shortlink, $text, $title );
 		echo $before, $link, $after;
 	}
 }
 ?>