wp/wp-admin/async-upload.php
changeset 22 8c2e4d02f4ef
parent 21 48c4eec2b7e6
--- a/wp/wp-admin/async-upload.php	Fri Sep 05 18:40:08 2025 +0200
+++ b/wp/wp-admin/async-upload.php	Fri Sep 05 18:52:52 2025 +0200
@@ -14,11 +14,8 @@
 	define( 'WP_ADMIN', true );
 }
 
-if ( defined( 'ABSPATH' ) ) {
-	require_once ABSPATH . 'wp-load.php';
-} else {
-	require_once dirname( __DIR__ ) . '/wp-load.php';
-}
+/** Load WordPress Bootstrap */
+require_once dirname( __DIR__ ) . '/wp-load.php';
 
 require_once ABSPATH . 'wp-admin/admin.php';
 
@@ -74,7 +71,9 @@
 							}
 							?>
 							<span class="media-item-copy-container copy-to-clipboard-container edit-attachment">
-								<button type="button" class="button button-small copy-attachment-url" data-clipboard-text="<?php echo $file_url; ?>"><?php _e( 'Copy URL to clipboard' ); ?></button>
+								<button type="button" class="button button-small copy-attachment-url"
+									data-clipboard-text="<?php echo esc_url( $file_url ); ?>"
+								><?php _e( 'Copy URL to clipboard' ); ?></button>
 								<span class="success hidden" aria-hidden="true"><?php _e( 'Copied!' ); ?></span>
 							</span>
 						</div>
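Review bot: `esc_url()` on the `data-clipboard-text` value returns an empty string when the URL uses a scheme outside the allowed protocol list, so the button would still render but copy nothing. Where `$file_url` is assigned, and whether the surrounding markup is already conditional on it, is outside the hunk, so this may already be covered. If it is not, compute `$copy_url = esc_url( $file_url );` once and only print the `media-item-copy-container` span when `'' !== $copy_url`.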
@@ -113,10 +112,12 @@
 
 $id = media_handle_upload( 'async-upload', $post_id );
 if ( is_wp_error( $id ) ) {
-	$message = sprintf(
+	$button_unique_id = uniqid( 'dismiss-' );
+	$message          = sprintf(
 		'%s <strong>%s</strong><br />%s',
 		sprintf(
-			'<button type="button" class="dismiss button-link" onclick="jQuery(this).parents(\'div.media-item\').slideUp(200, function(){jQuery(this).remove();});">%s</button>',
+			'<button type="button" id="%s" class="dismiss button-link">%s</button>',
+			esc_attr( $button_unique_id ),
 			__( 'Dismiss' )
 		),
 		sprintf(
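Review bot: `$button_unique_id` is escaped with `esc_attr()` for the `id` attribute here, but the `echo "<script>…"` line added in the last hunk interpolates the same value into a jQuery selector unescaped. That is safe only because `uniqid( 'dismiss-' )` yields a fixed prefix plus hex digits. Either state that invariant in a comment next to the assignment, or build the selector with `wp_json_encode( 'button#' . $button_unique_id )` so the script stays safe if the id generator changes. The hand-written `<script>` tag also bypasses `wp_print_inline_script_tag()`, so a site that adds a CSP nonce through the script-attribute filter will block the dismiss handler. The `sprintf()` call and the `is_wp_error()` branch continue past the end of this hunk.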
@@ -133,6 +134,7 @@
 			'paragraph_wrap'     => false,
 		)
 	);
+	echo "<script>jQuery( 'button#{$button_unique_id}' ).on( 'click', function() {jQuery(this).parents('div.media-item').slideUp(200, function(){jQuery(this).remove();})});</script>\n";
 	exit;
 }