enmi-conf.org: comparison wp/wp-admin/menu-header.php

equal deleted inserted replaced

-:be944660c56a
+:3d72ae0968f4
 *
 * @global string $self
 * @global string $parent_file
 * @global string $submenu_file
 * @global string $plugin_page
-* @global string $typenow
+* @global string $typenow      The post type of the current screen.
 *
 * @param array $menu
 * @param array $submenu
 * @param bool  $submenu_as_parent
 */
 		 * the default menu image so an icon can be added to div.wp-menu-image as background
 		 * with CSS. Dashicons and base64-encoded data:image/svg_xml URIs are also handled
 		 * as special cases.
 		 */
 		if ( ! empty( $item[6] ) ) {
-			$img = '<img src="' . $item[6] . '" alt="" />';
+			$img = '<img src="' . esc_url( $item[6] ) . '" alt="" />';
 			if ( 'none' === $item[6] || 'div' === $item[6] ) {
 				$img = '<br />';
 			} elseif ( 0 === strpos( $item[6], 'data:image/svg+xml;base64,' ) ) {
-				$img       = '<br />';
+				$img = '<br />';
+				// The value is base64-encoded data, so esc_attr() is used here instead of esc_url().
 				$img_style = ' style="background-image:url(\'' . esc_attr( $item[6] ) . '\')"';
 				$img_class = ' svg';
 			} elseif ( 0 === strpos( $item[6], 'dashicons-' ) ) {
 				$img       = '<br />';
 				$img_class = ' dashicons-before ' . sanitize_html_class( $item[6] );