Properly escape source parameter in audio/video shortcodes. See #23282.

git-svn-id: http://core.svn.wordpress.org/trunk@24334 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-includes/media.php

@@ -861,7 +861,7 @@ function wp_audio_shortcode( $attr ) {
 	if ( ! empty( $src ) ) {
 		$type = wp_check_filetype( $src );
 		if ( ! in_array( $type['ext'], $default_types ) )
-			return sprintf( '<a class="wp-post-format-link-audio" href="%1$s">%1$s</a>', $src );
+			return sprintf( '<a class="wp-post-format-link-audio" href="%s">%s</a>', esc_url( $src ), esc_html( $src ) );
 		$primary = true;
 		array_unshift( $default_types, 'src' );
 	} else {
@@ -907,7 +907,7 @@ function wp_audio_shortcode( $attr ) {
 			if ( empty( $fileurl ) )
 				$fileurl = $$fallback;
 			$type = wp_check_filetype( $$fallback );
-			$html .= sprintf( $source, $type['type'], $$fallback );
+			$html .= sprintf( $source, $type['type'], esc_url( $$fallback ) );
 		}
 	}
 
@@ -979,7 +979,7 @@ function wp_video_shortcode( $attr ) {
 	if ( ! empty( $src ) ) {
 		$type = wp_check_filetype( $src );
 		if ( ! in_array( $type['ext'], $default_types ) )
-			return sprintf( '<a class="wp-post-format-link-video" href="%1$s">%1$s</a>', $src );
+			return sprintf( '<a class="wp-post-format-link-video" href="%s">%s</a>', esc_url( $src ), esc_html( $src ) );
 		$primary = true;
 		array_unshift( $default_types, 'src' );
 	} else {
@@ -1033,7 +1033,7 @@ function wp_video_shortcode( $attr ) {
 			// m4v sometimes shows up as video/mpeg which collides with mp4
 			if ( 'm4v' === $type['ext'] )
 				$type['type'] = 'video/m4v';
-			$html .= sprintf( $source, $type['type'], $$fallback );
+			$html .= sprintf( $source, $type['type'], esc_url( $$fallback ) );
 		}
 	}
 	if ( 'mediaelement' === $library )
@@ -2634,4 +2634,4 @@ function img_html_to_post_id( $html, &$matched_html = null ) {
 		$attachment_id = attachment_url_to_postid( $attr['src'] );
 
 	return $attachment_id;
-}
+}