From 679dcfd9f7ca197004d2f9da0f0183126442f55d Mon Sep 17 00:00:00 2001
From: Bart Jaskulski <bartek.jaskulski@wpdesk.net>
Date: Mon, 20 Sep 2021 11:26:37 +0200
Subject: [PATCH] fix: use appropiate escaping function in url
---
 templates/input-image.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/templates/input-image.php b/templates/input-image.php
index 313e0e6..5111c4c 100644
--- a/templates/input-image.php
+++ b/templates/input-image.php
@@ -13,15 +13,15 @@ $media_container_id = 'media_' . sanitize_key( $field->get_id() );
 id="<?php echo \esc_attr( $field->get_id() ); ?>"/>
 <div class="custom-img-container">
 <?php if ( $value ) : ?>
- <img src="<?php echo \esc_html( $value ) ?>" alt="" width="100"/>
+ <img src="<?php echo \esc_url( $value ) ?>" alt="" width="100"/>
 <?php endif; ?>
 </div>
 <p class="hide-if-no-js">
- <a class="upload-custom-img <?php if ( $value ): ?>hidden<?php endif ?>" href="<?php echo \esc_html( $value ) ?>">
- <?php _e( 'Set image', 'wp-forms' ) ?>
+ <a class="upload-custom-img <?php if ( $value ): ?>hidden<?php endif ?>" href="<?php echo \esc_url( $value ) ?>">
+ <?php \esc_html_e( 'Set image', 'wp-forms' ) ?>
 </a>
 <a class="delete-custom-img <?php if ( ! $value ): ?>hidden<?php endif ?>" href="#">
- <?php _e( 'Remove image', 'wp-forms' ) ?>
+ <?php \esc_html_e( 'Remove image', 'wp-forms' ) ?>
 </a>
 </p>
 </div>
-- GitLab
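Review bot: The conditionals around the newly escaped output still test the raw `$value`, while `\esc_url()` returns an empty string for a value it rejects (for example one with a disallowed scheme), so a truthy but rejected value would render `<img src="">` and keep the upload link hidden. Consider escaping once near the top of the template, `$image_url = \esc_url( $value );`, and using `$image_url` both in the `if` conditions and in the `src`/`href` attributes. As a style point, the new `echo` and `\esc_html_e()` statements omit the closing semicolon that the context line `<?php echo \esc_attr( $field->get_id() ); ?>` uses. The template starts before this hunk, so where `$value` is assigned and whether it is validated when saved is not visible here.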