[wp-trac] Re: [WordPress Trac] #3592: Links with double-quotes fail to validate
WordPress Trac
wp-trac at lists.automattic.com
Wed Jan 17 14:38:58 GMT 2007
#3592: Links with double-quotes fail to validate
-------------------------------+--------------------------------------------
Reporter: irayo | Owner: anonymous
Type: defect | Status: new
Priority: low | Milestone:
Component: General | Version: 2.0.7
Severity: minor | Resolution:
Keywords: reporter-feedback |
-------------------------------+--------------------------------------------
Comment (by charleshooper):
I have managed to duplicate this bug (Env 2.1-beta4)
Steps to duplicate
1) Go to write post (wp-admin/post-new.php)
2) Enter some text using the RTE
3) Highlight the text and click hyperlink
4) Enter description with quotes in it, i.e.: Who's your "daddy?"
Alternatively:
1) Go to write post (wp-admin/post-new.php)
2) In the RTE, click "code"
3) Add the link as described in the top of this page, i.e.:
<a href="http://google.com/" title="Who's your "daddy?"">Google!</a>
Quotes should be escaped to "&quot;". strip_tags() still works; /however/,
there still exists an XSS vulnerability due to an "author" being able to add
JavaScript to the links via events (such as onClick, onMouseOver, etc.)
--
Ticket URL: <http://trac.wordpress.org/ticket/3592#comment:3>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
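The two points in the comment above, as an added example that is not part of the original message and is not WordPress code: escaping a link title for a double-quoted attribute, and strip_tags() leaving attributes on allowed tags untouched. The helper names `build_link()` and `filter_attributes()` are hypothetical, the sample inputs are constructed, and PHP with the DOM extension is assumed.

```php
<?php
// Added example: helper names are hypothetical, sample inputs are constructed.

// Escape each value for a double-quoted HTML attribute before building the tag.
function build_link(string $href, string $title, string $text): string
{
    return sprintf(
        '<a href="%s" title="%s">%s</a>',
        htmlspecialchars($href, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($title, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($text, ENT_QUOTES, 'UTF-8')
    );
}

// Keep only allow-listed attributes on every element of an HTML fragment.
function filter_attributes(string $html, array $allowed): string
{
    libxml_use_internal_errors(true);   // tolerate fragment-level parser warnings
    $doc = new DOMDocument();
    $doc->loadHTML('<div>' . $html . '</div>');   // ASCII input assumed
    libxml_clear_errors();
    foreach ($doc->getElementsByTagName('*') as $el) {
        // Snapshot the attributes: removing from the live map while iterating skips nodes.
        foreach (iterator_to_array($el->attributes) as $attr) {
            if (!in_array(strtolower($attr->name), $allowed, true)) {
                $el->removeAttribute($attr->name);
            }
        }
    }
    $out = '';
    foreach ($doc->getElementsByTagName('div')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Title text from the reproduction steps: the inner quotes become &quot;.
echo build_link('http://google.com/', 'Who\'s your "daddy?"', 'Google!'), "\n";

// Constructed input: an allowed <a> tag carrying an event-handler attribute.
$submitted = '<a href="http://google.com/" onclick="doSomething()">Google!</a><b>x</b>';
$stripped  = strip_tags($submitted, '<a>');   // filters tag names, not attributes
// Check whether the event-handler attribute is still present after strip_tags().
var_dump(strpos($stripped, 'onclick') !== false);
echo filter_attributes($stripped, ['href', 'title']), "\n";
```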