Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix #12570: Invalid XHTML due to lack of escaping of attachment URL
file_api returns attachment URLs in their raw unescaped format. Before placing these URLs inside the "href" attribute of an "a" element we must run it through string_attribute() first to escape ampersands and other unsafe characters. Within the same section of code a typo also existed with quotation marks accidentally being outputted around a "class" attribute on a span element. Thanks to Tamás Gulácsi for the initial patch and bug report.
- Loading branch information