[wp-trac] [WordPress Trac] #24420: Message in the_post_format_chat() should be escaped
WordPress Trac
noreply at wordpress.org
Sat May 25 06:01:56 UTC 2013
#24420: Message in the_post_format_chat() should be escaped
--------------------------+-----------------------------
Reporter: tollmanz | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Post Formats | Version: trunk
Severity: normal | Keywords:
--------------------------+-----------------------------
Looks like this [http://core.trac.wordpress.org/ticket/23625#comment:41
was mentioned by lancewillet] in #23625, but never addressed.
When the chat message is printed, it needs to be run through `esc_html()`.
As lancewillet indicated, it was removed in r23876 because the links in
the content were made to be clickable and escaping the data would nullify
these efforts. While clickable links are great, I think escaping the data
is much more important. I think that this issue should not be overlooked
and this data should be properly escaped.
I think that one way of handling the issue would be to remove
`make_clickable()` from `get_content_chat()`. There probably are a number
of worthy use cases for getting that data in its rawest form anyway (e.g.,
some chat apps won't make links clickable). If we remove the
`make_clickable()` call, we can easily call `esc_html()` on the content
without concern. Functions calling `the_post_format_chat()` can then
decide whether or not to make the links clickable (or we could even add an
optional parameter to the function).
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24420>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
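A small stand-alone PHP illustration of the ordering problem the ticket describes, added here and not part of the ticket or of WordPress; `esc_html_demo()` and `make_clickable_demo()` are simplified stand-ins for the WordPress `esc_html()` and `make_clickable()` functions, written so the script runs without WordPress loaded.

```php
<?php
// Added illustration for ticket #24420; not WordPress code.
// esc_html_demo() and make_clickable_demo() are simplified stand-ins for
// WordPress's esc_html() and make_clickable(), so this runs without WordPress.

function esc_html_demo( $text ) {
    return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
}

// Minimal linkifier: wraps bare http(s) URLs in an anchor. The real
// make_clickable() handles many more cases; only the ordering matters here.
function make_clickable_demo( $text ) {
    return preg_replace(
        '#\bhttps?://[^\s<>"]+#i',
        '<a href="$0" rel="nofollow">$0</a>',
        $text
    );
}

// Order the ticket says r23876 settled on: linkify first, with no escaping
// afterwards (escaping afterwards would neutralise the anchor it just built).
function render_linkify_then_escape( $message ) {
    return esc_html_demo( make_clickable_demo( $message ) );
}

// Order the ticket argues for: escape the raw message first, then let the
// caller decide whether to linkify the already-safe text.
function render_escape_then_linkify( $message, $clickable = true ) {
    $safe = esc_html_demo( $message );
    return $clickable ? make_clickable_demo( $safe ) : $safe;
}

// Constructed sample messages, not taken from any real chat log.
$samples = array(
    'see http://example.com/page for details',
    '<script>alert(1)</script> hi',
);

foreach ( $samples as $msg ) {
    echo "raw:                 $msg\n";
    echo "linkify then escape: " . render_linkify_then_escape( $msg ) . "\n";
    echo "escape then linkify: " . render_escape_then_linkify( $msg ) . "\n";
    echo "escape only:         " . render_escape_then_linkify( $msg, false ) . "\n\n";
}
```

Running it shows that escaping after linkifying turns the anchor into literal `&lt;a href=...&gt;` text, while escaping first keeps the link working and still neutralises the injected `<script>` tag.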