[wp-trac] [WordPress Trac] #15454: esc_textarea() for obvious textarea escaping function.

WordPress Trac wp-trac at lists.automattic.com
Thu Dec 16 13:35:32 UTC 2010

#15454: esc_textarea() for obvious textarea escaping function.
 Reporter:  markjaquith              |       Owner:
     Type:  defect (bug)             |      Status:  reopened
 Priority:  high                     |   Milestone:  3.1
Component:  General                  |     Version:  3.1
 Severity:  major                    |  Resolution:
 Keywords:  has-patch needs-testing  |
Changes (by garyc40):

 * keywords:  needs-patch => has-patch needs-testing


 There's this weird thing with sanitize_bookmark_field() and

 Originally, when $context = 'edit', they will run 'link_notes' and
 'term_description' through format_to_edit($value). The 2nd parameter of
 format_to_edit() is left to default (which is fault), which means
 format_to_edit($value) will escape the $value.

 However, 'link_notes' and 'term_description' are already escaped before
 being inserted into the database (when $context = 'db'), because they're
 processed by "pre_link_notes" and "pre_term_description" filters, to which
 wp_filter_kses() is attached.

 As a result, compounded with the effect of esc_textarea, these values are

 I removed "format_to_edit()" from sanitize_bookmark_field() and
 sanitize_term_field(). However, this needs a sanity check.

Ticket URL: <http://core.trac.wordpress.org/ticket/15454#comment:11>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list