[wp-trac] [WordPress Trac] #33732: Exporter fails to escape many XML elements text content

WordPress Trac noreply at wordpress.org
Fri Sep 4 18:40:11 UTC 2015


#33732: Exporter fails to escape many XML elements text content
--------------------------+-----------------------------
 Reporter:  westonruter   |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Export        |    Version:  3.0
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 We have a plugin with a custom post type that stores a query string (e.g.
 `year=2015&month=5`) in the `post_name`. It is stored here for the sake of
 the field being indexed in MySQL. When exporting such posts via the
 WordPress exporter, it results in a post that contains an `item` with:

 {{{#!xml
 <wp:post_name>year=2015&month=5</wp:post_name>
 }}}

 This results in an XML parse error because the `&` is not escaped/encoded
 as `&amp;`. Alternatively it could also be safely represented as:

 {{{#!xml
 <wp:post_name><![CDATA[year=2015&month=5]]></wp:post_name>
 }}}

 The function that does the CDATA-ification for the exporter is
 `wxr_cdata()`, and it is used in the exporter wherever WordPress expects to
 see XML meta characters in user data. But it is not used in the other
 places where plugins could also introduce XML meta characters into the data
 being output.

 I suggest that we ensure that all the data in the feed be late-escaped
 without assuming that it is going to be safe.

 See also: #15203, #19998

--
Ticket URL: <https://core.trac.wordpress.org/ticket/33732>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
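The failure mode the ticket describes, shown end to end as an added example (this is not code from the ticket or from WordPress, and it stands outside the message above): a minimal WXR-style `<item>` is built with `post_name` interpolated raw, with entity escaping, with a naive CDATA wrapper, and with a CDATA wrapper that splits on `]]>` the way WordPress's `wxr_cdata()` does; each document is then parsed back the way an importer would. The `wp:` namespace URI, the sample values and all function names are assumptions made for the demonstration.

```python
"""Added example, not WordPress code: why a WXR exporter must late-escape
every text node, and why CDATA wrapping has to handle the ']]>' edge case.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Assumed WXR 1.2 namespace so the wp: prefix in the sample resolves.
WXR_NS = "http://wordpress.org/export/1.2/"


def naive_cdata(text: str) -> str:
    """Wrap text in one CDATA section. Breaks if the text contains ']]>',
    because that sequence terminates the section early."""
    return "<![CDATA[" + text + "]]>"


def cdata(text: str) -> str:
    """Wrap text in CDATA, splitting on ']]>' (the only sequence a CDATA
    section cannot contain) in the same way WordPress's wxr_cdata() does."""
    return "<![CDATA[" + text.replace("]]>", "]]]]><![CDATA[>") + "]]>"


def build_item(post_name: str, escaper=None) -> str:
    """Return a minimal WXR document with one <item>. escaper=None reproduces
    the bug on the ticket: post_name is interpolated raw. Pass escape, cdata
    or naive_cdata to see each alternative."""
    value = post_name if escaper is None else escaper(post_name)
    return (
        f'<rss version="2.0" xmlns:wp="{WXR_NS}"><channel><item>'
        f"<wp:post_name>{value}</wp:post_name>"
        "</item></channel></rss>"
    )


def roundtrip(xml_text: str):
    """Parse the document and return the post_name text, or None when the
    XML is malformed (what the importer on the receiving end would see)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return root.find(f".//{{{WXR_NS}}}post_name").text


# Constructed sample values: the query string from the ticket, plus a value
# containing ']]>' that defeats a naive CDATA wrapper.
SAMPLES = ["year=2015&month=5", "a]]>b&c<d"]


def check_all() -> dict:
    """For every sample, record what each output strategy round-trips to."""
    results = {}
    for s in SAMPLES:
        results[s] = {
            "raw": roundtrip(build_item(s)),
            "escaped": roundtrip(build_item(s, escape)),
            "naive_cdata": roundtrip(build_item(s, naive_cdata)),
            "cdata": roundtrip(build_item(s, cdata)),
        }
    return results


if __name__ == "__main__":
    for sample, outcome in check_all().items():
        print(repr(sample))
        for strategy, text in outcome.items():
            status = "PARSE ERROR" if text is None else repr(text)
            print(f"  {strategy:12s} -> {status}")
```

Raw interpolation fails to parse for both samples (`&month` is read as an unterminated entity reference, and `]]>` is forbidden in ordinary character data). Entity escaping and the splitting CDATA wrapper both round-trip every value unchanged; the naive wrapper survives the ticket's query string but not the `]]>` sample, which is the case an exporter applying CDATA to plugin-controlled data has to get right.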

