[wp-trac] Re: [WordPress Trac] #10056: href not sanitized in media uploader
WordPress Trac
wp-trac at lists.automattic.com
Sun Jun 7 02:38:46 GMT 2009
#10056: href not sanitized in media uploader
-------------------------------+--------------------------------------------
Reporter: Denis-de-Bernardy | Owner:
Type: defect (bug) | Status: new
Priority: high | Milestone: 2.9
Component: Media | Version: 2.8
Severity: normal | Keywords:
-------------------------------+--------------------------------------------
Changes (by Denis-de-Bernardy):
* priority: normal => high
Comment:
Adding to this ticket, this line is problematic:
{{{
$title = esc_attr($_POST['insertonly']['title']);
}}}
If the stuff is then inserted in a shortcode, it's more convenient (and
relevant) to have the raw value in the shortcode, since the user might as
well enter a shortcode manually. The escaped value should be used in the
default $html, but the raw value should be passed to the filter.
Additionally, there is no stripslashes call anywhere.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/10056#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
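The escaping-order point in the comment above, as an added example written for this page (not WordPress core code and not the commenter's own). It uses plain-PHP stand-ins for `esc_attr()` and `apply_filters()` so it runs outside WordPress; the filter tag `insertonly_link_html`, the `[mylink]` shortcode and the `build_*` helpers are hypothetical names chosen for the example, and the input simulates the slashes WordPress adds to `$_POST` by calling `addslashes()`.

```php
<?php
// Added example, not WordPress core code. Shows why a value escaped on input
// should not be the value handed to filters, and where stripslashes() belongs.
// 'insertonly_link_html' and [mylink] are hypothetical names for this example.

// Stand-in for esc_attr(): escape for use inside an HTML attribute.
function esc_attr_stub(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Stand-in for apply_filters(): run each callback registered for $tag in order.
function apply_filters_stub(array $filters, string $tag, $value, ...$args)
{
    foreach ($filters[$tag] ?? [] as $callback) {
        $value = $callback($value, ...$args);
    }
    return $value;
}

// A plugin-style filter that replaces the default HTML with a shortcode.
// It needs the *raw* title: whatever it receives lands inside the shortcode
// attribute verbatim, entities and slashes included.
$filters = [
    'insertonly_link_html' => [
        function (string $html, string $title): string {
            return '[mylink title="' . $title . '"]';
        },
    ],
];

// Constructed input. WordPress slashes $_POST (wp_magic_quotes), so the
// handler sees the user's text as if run through addslashes().
$user_typed = "Tom's Q2 report & notes";
$_POST = ['insertonly' => ['title' => addslashes($user_typed)]];

// Pattern the comment objects to: escape on input and pass that value on.
// The backslash from the slashed POST value survives, and HTML entities are
// baked into a string that a filter may reuse in a non-HTML context.
function build_escape_early(array $filters, array $post): array
{
    $title = esc_attr_stub($post['insertonly']['title']);
    $html  = '<a href="#" title="' . $title . '">' . $title . '</a>';
    return [
        'html'      => $html,
        'shortcode' => apply_filters_stub($filters, 'insertonly_link_html', $html, $title),
    ];
}

// What the comment asks for: strip the slashes once, keep the raw value,
// escape only where it is placed into HTML, and give filters the raw value.
function build_escape_late(array $filters, array $post): array
{
    $title_raw = stripslashes($post['insertonly']['title']);
    $html      = '<a href="#" title="' . esc_attr_stub($title_raw) . '">'
               . esc_attr_stub($title_raw) . '</a>';
    return [
        'html'      => $html,
        'shortcode' => apply_filters_stub($filters, 'insertonly_link_html', $html, $title_raw),
    ];
}

$early = build_escape_early($filters, $_POST);
$late  = build_escape_late($filters, $_POST);

echo "escape early, filter output: ", $early['shortcode'], PHP_EOL;
echo "escape late,  filter output: ", $late['shortcode'], PHP_EOL;
echo "escape late,  default html:  ", $late['html'], PHP_EOL;
```

Run with `php example.php`. In the escape-early path the shortcode attribute carries both the leftover backslash and the `&#039;`/`&amp;` entities, which is the "raw value in the shortcode" problem the comment describes; in the escape-late path the default `$html` is still fully attribute-escaped while the filter receives exactly what the user typed.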