Correctly escape the URL used in the At A Glance dashboard widget.

johnbillion · Mar 10, 2016 · 34a7f6d · 34a7f6d
1 parent d3c441c
commit 34a7f6d
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/extended-cpts.php b/extended-cpts.php
@@ -1268,7 +1268,10 @@ public function glance_items( array $items ) {
 		$num   = number_format_i18n( $count->publish );
 
 		# This is absolutely not localisable. WordPress 3.8 didn't add a new post type label.
-		$text = '<a href="edit.php?post_type=' . esc_attr( $this->cpt->post_type ) . '">' . esc_html( $num . ' ' . $text ) . '</a>';
+		$url = add_query_arg( [
+			'post_type' => $this->cpt->post_type,
+		], admin_url( 'edit.php' ) );
+		$text = '<a href="' . esc_url( $url ) . '">' . esc_html( $num . ' ' . $text ) . '</a>';
 
 		# Go!
 		$items[] = $text;