[wp-trac] Re: [WordPress Trac] #3592: Links with double-quotes fail to validate

WordPress Trac wp-trac at lists.automattic.com
Wed Jan 17 14:38:58 GMT 2007


#3592: Links with double-quotes fail to validate
-------------------------------+--------------------------------------------
 Reporter:  irayo              |        Owner:  anonymous
     Type:  defect             |       Status:  new      
 Priority:  low                |    Milestone:           
Component:  General            |      Version:  2.0.7    
 Severity:  minor              |   Resolution:           
 Keywords:  reporter-feedback  |  
-------------------------------+--------------------------------------------
Comment (by charleshooper):

 I have managed to duplicate this bug (Env 2.1-beta4)

 Steps to duplicate
 1) Go to write post (wp-admin/post-new.php)
 2) Enter some text using the RTE
 3) Highlight the text and click hyperlink
 4) Enter a description with quotes in it, i.e.: Who's your "daddy?"

 Alternatively:
 1) Go to write post (wp-admin/post-new.php)
 2) In the RTE, click "code"
 3) Add the link as described at the top of this page, i.e.: <a
 href="http://google.com/" title="Who's your "daddy?"">Google!</a>

 Quotes should be escaped to "&quot;". strip_tags() still works; /however/,
 there still exists an XSS vulnerability due to an "author" being able to add
 Javascript to the links via events (such as onClick, onMouseOver, etc.)

-- 
Ticket URL: <http://trac.wordpress.org/ticket/3592#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
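Added example (not code from the ticket or from WordPress core): the two points the comment above makes, shown in PHP. First, a link title containing quotes is only valid HTML once the attribute value is escaped (so the `"` becomes `&quot;`). Second, strip_tags() with `<a>` in its allowed list keeps every attribute on the tag, event handlers included, so a sanitizer has to work from an attribute allowlist instead. The function names (escape_attr, build_link, sanitize_links), the allowlist, and the sample inputs are assumptions made for this example.

```php
<?php
// Added example; not part of the ticket or of WordPress. Assumes PHP with the
// standard dom extension. Function names and sample inputs are constructed.

// Escape a value for use inside a double-quoted HTML attribute.
// ENT_QUOTES converts both " and ' so the value cannot close the attribute.
function escape_attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Build a link with an escaped href, title and body text.
function build_link(string $href, string $title, string $text): string {
    return '<a href="' . escape_attr($href) . '" title="' . escape_attr($title) . '">'
        . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Keep only allowlisted attributes on <a> elements. Anything else (onclick,
// onmouseover, style, ...) is dropped, and href is limited to http(s) URLs.
function sanitize_links(string $fragment): string {
    $allowed = ['href', 'title'];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // tolerate sloppy author markup
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $fragment . '</body>');
    libxml_clear_errors();

    foreach ($doc->getElementsByTagName('a') as $a) {
        // Collect names first: removing while iterating the live NamedNodeMap skips entries.
        $names = [];
        foreach ($a->attributes as $attr) {
            $names[] = $attr->name;
        }
        foreach ($names as $name) {
            $lower = strtolower($name);
            if (!in_array($lower, $allowed, true)) {
                $a->removeAttribute($name);      // event handlers go here
            } elseif ($lower === 'href' && !preg_match('#^https?://#i', $a->getAttribute($name))) {
                $a->removeAttribute($name);      // reject javascript: and other non-http schemes
            }
        }
    }

    // Serialise only the body's children so no <html>/<body> wrapper leaks out.
    $body = $doc->getElementsByTagName('body')->item(0);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// --- usage with constructed inputs -----------------------------------------

// The title from the ticket, now emitted as a well-formed attribute.
echo build_link('http://google.com/', 'Who\'s your "daddy?"', 'Google!'), "\n";

// strip_tags() keeps the tag *and* its attributes when <a> is allowed,
// so the onclick survives; sanitize_links() removes it.
$authored = '<a href="http://example.com/" onclick="doSomething()" title="x">Link</a>';
echo strip_tags($authored, '<a>'), "\n";
echo sanitize_links($authored), "\n";
```

The DOM-based allowlist is used here rather than a regular expression because browsers recover from malformed markup (such as the unescaped quotes in the ticket) in ways a regex will not predict; parsing with the same tolerance the browser applies, then rebuilding the output from the parsed tree, is what keeps the allowlist meaningful.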

