[wp-trac] [WordPress Trac] #19877: wp_kses_stripslashes() should account for single quotes too
WordPress Trac
wp-trac at lists.automattic.com
Mon Jan 23 14:17:49 UTC 2012
#19877: wp_kses_stripslashes() should account for single quotes too
--------------------------+-----------------------------
 Reporter:  ethitter      |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Validation    |     Version:  3.3.1
 Severity:  normal        |    Keywords:  has-patch
--------------------------+-----------------------------

Right now, wp_kses_stripslashes() only removes slashes before double
quotes, but should do the same for single quotes.

For example, if wp_kses() is applied to the following string (assuming
<script> tags are permitted), the <script> tag's attributes are removed:

    <script type='text/javascript' src='foo.js'></script>

If the single quotes are switched to double quotes, the attributes are
properly sanitized against the list of allowed tags passed to wp_kses().

Updating wp_kses_stripslashes() to account for both types of quotes
eliminates the need to strip slashes before applying wp_kses().

--
Ticket URL: <http://core.trac.wordpress.org/ticket/19877>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
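
Added example (not part of the ticket, not WordPress core code, and not the patch attached to it): a PHP sketch of why slashed single-quoted attributes are lost when only \" is unescaped. The function names, the simplified attribute parser, and the assumption that the markup reaches the filter with its quotes backslash-escaped are all illustrative.

```php
<?php
// Added illustration; not WordPress core code and not the ticket's patch.

// Behaviour described in the ticket: only \" is unescaped.
function strip_double_only($s) {
    return preg_replace('%\\\\"%', '"', $s);
}

// Hypothetical variant that unescapes \" and \' alike.
function strip_both($s) {
    return preg_replace('%\\\\(["\'])%', '$1', $s);
}

// Simplified attribute parser (assumption): accepts name="v", name='v' or
// name=v and stops at the first attribute that fits none of those forms,
// so everything from that attribute onward is dropped.
function parse_attributes($html) {
    $found = array();
    if (!preg_match('/^<\w+\s+([^>]*)>/', $html, $tag)) {
        return $found;
    }
    $rest = trim($tag[1]);
    $pattern = '/^([-a-zA-Z:]+)=("[^"]*"|\'[^\']*\'|[^\s"\']+)(\s+|$)/';
    while ($rest !== '' && preg_match($pattern, $rest, $m)) {
        $found[$m[1]] = trim($m[2], '"\'');
        $rest = (string) substr($rest, strlen($m[0]));
    }
    return $found;
}

// Constructed inputs: the ticket's markup in both quote styles, with the
// quotes backslash-escaped (assumed state of the data before filtering).
$single = addslashes("<script type='text/javascript' src='foo.js'></script>");
$double = addslashes('<script type="text/javascript" src="foo.js"></script>');

$cases = array(
    'double quotes, double-only strip' => strip_double_only($double),
    'single quotes, double-only strip' => strip_double_only($single),
    'single quotes, both-quote strip'  => strip_both($single),
);
foreach ($cases as $label => $markup) {
    echo $label, ': ';
    echo json_encode(parse_attributes($markup), JSON_UNESCAPED_SLASHES), "\n";
}
```

Only the middle case yields no attributes: the value still begins with a backslash, so it matches none of the accepted forms and parsing stops at the first attribute.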