<div class="wrap">
<h2><?php _e('Miscellaneous Options') ?></h2>
<form method="post" action="options.php">
-
+<?php wp_nonce_field('update-options') ?>
<fieldset class="options">
<legend><?php _e('Uploading'); ?></legend>
<table class="editform optiontable">
<tr valign="top">
<th scope="row"><?php _e('Store uploads in this folder'); ?>:</th>
-<td><input name="upload_path" type="text" id="upload_path" class="code" value="<?php echo str_replace(ABSPATH, '', get_settings('upload_path')); ?>" size="40" />
+<td><input name="upload_path" type="text" id="upload_path" class="code" value="<?php echo attribute_escape(str_replace(ABSPATH, '', get_settings('upload_path'))); ?>" size="40" />
<br />
<?php _e('Default is <code>wp-content/uploads</code>'); ?>
</td>