[wp-trac] [WordPress Trac] #15454: esc_textarea() for obvious textarea escaping function.
WordPress Trac
wp-trac at lists.automattic.com
Sat Dec 25 18:42:24 UTC 2010
#15454: esc_textarea() for obvious textarea escaping function.
-------------------------------------+-----------------------
 Reporter:  markjaquith              |       Owner:
     Type:  defect (bug)             |      Status:  reopened
 Priority:  high                     |   Milestone:  3.1
Component:  General                  |     Version:  3.1
 Severity:  major                    |  Resolution:
 Keywords:  has-patch needs-testing  |
-------------------------------------+-----------------------
Comment (by nacin):

Alright. Just went through and audited the three dozen or so esc_textarea
calls.

There are three textareas we're still escaping farther up the stack. In
wp-admin/includes/nav-menu.php, there is a menu item description.
Reverting to esc_html() handles everything except `&`, so that's
exactly what I'm doing.

Indeed there is a problem with both link_notes and term_description, but
this is not a regression from 3.0. No one has noticed, so I'm inclined to
punt and do a better audit of what's going on there (both into the DB and
out again) in 3.2.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/15454#comment:18>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software