[wp-trac] [WordPress Trac] #21613: format_to_edit runs esc_textarea if $richedit param is set to false, not true
WordPress Trac
wp-trac at lists.automattic.com
Thu Aug 16 19:59:20 UTC 2012
#21613: format_to_edit runs esc_textarea if $richedit param is set to false, not
true
--------------------------+-----------------------------
Reporter: vhauri | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: minor | Keywords:
--------------------------+-----------------------------
Currently, the docs on format_to_edit() indicate that it runs the content
through esc_textarea() (which in turn runs htmlspecialchars()) if the
$richedit param is set to true. The code, however, runs the filter if the
param is not set (or passed as false, see line 1270).
{{{
#!php
1255 /**
1256  * Acts on text which is about to be edited.
1257  *
1258  * The $content is run through esc_textarea(), which uses htmlspecialchars(
1259  * to convert special characters to HTML entities. If $richedit is set to t
1260  * it is simply a holder for the 'format_to_edit' filter.
1261  *
1262  * @since 0.71
1263  *
1264  * @param string $content The text about to be edited.
1265  * @param bool $richedit Whether the $content should not pass through htmls
1266  * @return string The text after the filter (and possibly htmlspecialchars(
1267  */
1268 function format_to_edit( $content, $richedit = false ) {
1269     $content = apply_filters( 'format_to_edit', $content );
1270     if ( ! $richedit )
1271         $content = esc_textarea( $content );
1272     return $content;
1273 }
1274
}}}
My thought is the if statement should evaluate whether $richedit is true,
rather than false, and therefore apply the esc_textarea function only when
explicitly passed as a param. This would, however, result in unexpected
behavior for anyone currently passing only the default $content param and
getting sanitized output.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/21613>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
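
The behaviour discussed in the ticket, as an added example (not WordPress core code and not from the reporter): it compares the quoted function with an inverted-condition variant on text that contains a closing textarea tag. `apply_filters()` and `esc_textarea()` here are simplified stand-ins so the file runs without WordPress, `format_to_edit_inverted()` is a hypothetical name, and the sample string is constructed.

```php
<?php
// Added illustration, not WordPress core code. The two helpers below are
// simplified stand-ins (assumptions) so the file runs without WordPress.

// Stand-in for apply_filters(): no callbacks registered, value passes through.
function apply_filters( $tag, $value ) {
    return $value;
}

// Stand-in for esc_textarea(): the ticket says it runs htmlspecialchars().
function esc_textarea( $text ) {
    return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
}

// Current behaviour, as quoted in the ticket (lines 1268-1273).
function format_to_edit( $content, $richedit = false ) {
    $content = apply_filters( 'format_to_edit', $content );
    if ( ! $richedit )
        $content = esc_textarea( $content );
    return $content;
}

// Hypothetical variant with the condition inverted, as the ticket suggests.
function format_to_edit_inverted( $content, $richedit = false ) {
    $content = apply_filters( 'format_to_edit', $content );
    if ( $richedit )
        $content = esc_textarea( $content );
    return $content;
}

// Constructed sample: stored text that closes the textarea early.
$stored = 'Hello</textarea><b>outside the field</b>';

$cases = array(
    'current, default'        => format_to_edit( $stored ),
    'current, richedit=true'  => format_to_edit( $stored, true ),
    'inverted, default'       => format_to_edit_inverted( $stored ),
    'inverted, richedit=true' => format_to_edit_inverted( $stored, true ),
);

foreach ( $cases as $label => $out ) {
    // A literal "</textarea" in the output means the markup would leave the field.
    $state = ( stripos( $out, '</textarea' ) === false ) ? 'escaped' : 'RAW';
    printf( "%-24s %-8s %s\n", $label, $state, $out );
}
```

Callers that pass only `$content` get escaped output from the quoted function and raw output from the inverted variant, which is the compatibility concern raised in the last paragraph of the ticket.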