[wp-trac] [WordPress Trac] #17780: Use PHP native double encoding prevention in htmlspecialchars()

WordPress Trac noreply at wordpress.org
Tue Jul 14 01:37:24 UTC 2015


#17780: Use PHP native double encoding prevention in htmlspecialchars()
----------------------------------------+--------------------------
 Reporter:  nbachiyski                  |       Owner:  miqrogroove
     Type:  defect (bug)                |      Status:  reopened
 Priority:  high                        |   Milestone:  4.3
Component:  Formatting                  |     Version:
 Severity:  major                       |  Resolution:
 Keywords:  needs-unit-tests has-patch  |     Focuses:
----------------------------------------+--------------------------

Comment (by azaozz):

 Looking back at the changes to the post_title field: seems this is a long-
 existing bug that was masked by the "unusual" behaviour of
 `_wp_specialchars()`. The post_title is escaped first with
 `sanitize_post_field()` then with `htmlspecialchars()` and finally with
 `esc_attr()`.

 As far as I see this is the only place where `esc_attr()` and
 `htmlspecialchars()` are nested. Not sure if fixing this at the beginning
 of a cycle will be any different than fixing it now. In both cases plugins
 that have copied that particular code from core (and don't follow
 WordPress development) will break. Chances are that most plugin authors
 will test their plugins in RC or perhaps when they receive the "What's new
 in 4.3" email :)

--
Ticket URL: <https://core.trac.wordpress.org/ticket/17780#comment:40>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
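The nesting described in the comment above (a title escaped by `htmlspecialchars()` and then escaped again) is what turns a single `&` into a visible `&amp;amp;` once the masking behaviour is gone. The script below is an added illustration, not WordPress core code and not the functions named in the ticket: it escapes a constructed sample title twice with plain `htmlspecialchars()` and again with PHP's native `double_encode=false` argument, then decodes the result once, the way a browser does with an attribute value, so the difference in what the reader sees is concrete.

```php
<?php
// Added example, not WordPress core code. Shows why two stacked escaping passes
// over a title produce "&amp;amp;", and how PHP's native double_encode=false
// argument to htmlspecialchars() makes a second pass a no-op.

declare(strict_types=1);

// Plain escaping: every "&" becomes "&amp;", including the "&" that begins an
// entity produced by an earlier pass.
function escape_naive(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', true);
}

// Escaping with double-encoding prevention: well-formed existing entities such
// as "&amp;", "&lt;" or "&#039;" are left alone, so the escaper is idempotent.
function escape_no_double(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}

// Stand-in for the nested escaping the comment describes (htmlspecialchars()
// followed by esc_attr()): the same escaper applied twice. The real WordPress
// functions are deliberately not used; only the treatment of "&" matters here.
function escape_twice(callable $escaper, string $s): string
{
    return $escaper($escaper($s));
}

// What a browser displays after decoding the attribute value exactly once.
function rendered(string $attr): string
{
    return html_entity_decode($attr, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

$title = 'Tom & Jerry <3 "cats"';   // constructed sample post title

foreach (['naive' => 'escape_naive', 'no_double' => 'escape_no_double'] as $label => $fn) {
    $once  = $fn($title);
    $twice = escape_twice($fn, $title);
    printf("%-10s once : %s\n", $label, $once);
    printf("%-10s twice: %s\n", $label, $twice);
    printf("%-10s shown: %s\n\n", $label, rendered($twice));
}
```

Running it shows the naive path displaying `Tom &amp; Jerry &lt;3 &quot;cats&quot;` as literal text after two passes, while the `double_encode=false` path yields the same string after one or two passes and displays the original title. The flag only skips entities that are already well-formed; a bare `&`, `<`, `>` or quote is still encoded, so the output remains safe for an attribute context, which is why an idempotent escaper is the right tool where layers of code that cannot coordinate (core and copied plugin code alike) may each escape the same value.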

