[wp-trac] [WordPress Trac] #15454: esc_textarea() for obvious textarea escaping function.
WordPress Trac
wp-trac at lists.automattic.com
Thu Dec 16 13:35:32 UTC 2010
#15454: esc_textarea() for obvious textarea escaping function.
-------------------------------------+-----------------------
Reporter: markjaquith | Owner:
Type: defect (bug) | Status: reopened
Priority: high | Milestone: 3.1
Component: General | Version: 3.1
Severity: major | Resolution:
Keywords: has-patch needs-testing |
-------------------------------------+-----------------------
Changes (by garyc40):
* keywords: needs-patch => has-patch needs-testing
Comment:
There's this weird thing with sanitize_bookmark_field() and
sanitize_term_field().
Originally, when $context = 'edit', they will run 'link_notes' and
'term_description' through format_to_edit($value). The 2nd parameter of
format_to_edit() is left to default (which is false), which means
format_to_edit($value) will escape the $value.
However, 'link_notes' and 'term_description' are already escaped before
being inserted into the database (when $context = 'db'), because they're
processed by "pre_link_notes" and "pre_term_description" filters, to which
wp_filter_kses() is attached.
As a result, compounded with the effect of esc_textarea, these values are
"triple-escaped".
I removed "format_to_edit()" from sanitize_bookmark_field() and
sanitize_term_field(). However, this needs a sanity check.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/15454#comment:11>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
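The escaping chain described in the comment above, as an added example that is not WordPress code and not garyc40's patch. The three small helpers are stand-ins for the one effect each real function has on the value in this chain (the entity normalisation wp_filter_kses applies on the way into the database, the extra escape format_to_edit() applies with its default second argument, and the output escape esc_textarea() applies); they are assumptions about that effect, not the real implementations, and the sample input is constructed.

```php
<?php
// Added example, not WordPress code. Models the escaping layers the ticket
// comment describes and shows why the edit-context value ends up
// "triple-escaped" before the fix, and what removing format_to_edit() changes.

// Stand-in (assumption) for what the pre_link_notes / pre_term_description
// filters do on the way into the database: bare '&' becomes '&amp;', while
// '&' that already starts a valid entity is left alone. Idempotent.
function db_context(string $value): string {
    return preg_replace(
        '/&(?!(?:#\d+|#x[0-9a-fA-F]+|[a-zA-Z][a-zA-Z0-9]*);)/',
        '&amp;',
        $value
    );
}

// Stand-in for format_to_edit() with $richedit left at its default (false),
// which escapes the value one more time.
function format_to_edit_stub(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Stand-in for esc_textarea(): the single escape that belongs at output time.
function esc_textarea_stub(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Edit-context value as the comment describes it before the fix:
// db escape -> format_to_edit() escape -> esc_textarea() escape.
function edit_field_before_fix(string $stored): string {
    return esc_textarea_stub(format_to_edit_stub($stored));
}

// After removing format_to_edit() from sanitize_*_field(): only the
// output escape is applied to the stored value.
function edit_field_after_fix(string $stored): string {
    return esc_textarea_stub($stored);
}

// Sanity check a practitioner can run on rendered markup: count how many
// decode passes a string needs to reach a fixed point. Markup written into a
// <textarea> should need exactly one more pass than the stored value, because
// the browser decodes once. Caveat: a value that legitimately contains text
// such as "&amp;lt;" is indistinguishable from a double-escaped one.
function escape_depth(string $value): int {
    $depth = 0;
    while (true) {
        $decoded = html_entity_decode($value, ENT_QUOTES, 'UTF-8');
        if ($decoded === $value) {
            return $depth;
        }
        $value = $decoded;
        $depth++;
    }
}

// Constructed sample: what a user typed into the link notes field.
$raw    = '<b>Tom & Jerry</b>';
$stored = db_context($raw);                 // '<b>Tom &amp; Jerry</b>'

$before = edit_field_before_fix($stored);
$after  = edit_field_after_fix($stored);

printf("stored : %s (depth %d)\n", $stored, escape_depth($stored));   // depth 1
printf("before : %s (depth %d)\n", $before, escape_depth($before));   // depth 3
printf("after  : %s (depth %d)\n", $after,  escape_depth($after));    // depth 2

// What the browser shows inside the textarea is one decode of the markup:
// before the fix the user sees '&lt;b&gt;Tom &amp;amp; Jerry&lt;/b&gt;',
// after the fix the user sees the stored value '<b>Tom &amp; Jerry</b>'.
printf("textarea shows (before): %s\n", html_entity_decode($before, ENT_QUOTES, 'UTF-8'));
printf("textarea shows (after) : %s\n", html_entity_decode($after,  ENT_QUOTES, 'UTF-8'));
```

The design point the depth counter makes explicit: escaping is a property of the output context, so exactly one layer should be added at the point of output (esc_textarea), and any sanitisation that runs on the way *out* of the database for an edit form must not add another. The db_context() helper is deliberately idempotent so that re-saving the edit form does not accumulate `&amp;amp;` either.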