[wp-trac] [WordPress Trac] #18056: dc:creator needs to be escaped in RSS feed

WordPress Trac noreply at wordpress.org
Sun Jul 7 02:48:44 UTC 2013


#18056: dc:creator needs to be escaped in RSS feed
--------------------------+------------------------------
 Reporter:  Nettsentrisk  |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Feeds         |     Version:  3.2
 Severity:  major         |  Resolution:
 Keywords:  has-patch     |
--------------------------+------------------------------

Old description:

> If the author name contains any special characters, they might end up in
> the RSS feed unescaped, causing failed feed validation and thus causing
> problems for many readers.
>
> The code now is:
>
> <dc:creator><?php the_author() ?></dc:creator>
>
> Shouldn't this be:
>
> <dc:creator><![CDATA[<?php the_author() ?>]]></dc:creator>
>
> Or:
>
> <dc:creator><?php echo htmlspecialchars( get_the_author() ) ?></dc:creator>
>
> This might be a result of a custom author plugin not escaping these
> characters on the way into the database, but WordPress should handle this
> more robustly to prevent plugin authors from messing things up like this.

New description:

 If the author name contains any special characters, they might end up in
 the RSS feed unescaped, causing failed feed validation and thus causing
 problems for many readers.

 The code now is:
 {{{
 <dc:creator><?php the_author() ?></dc:creator>
 }}}
 Shouldn't this be:
 {{{
 <dc:creator><![CDATA[<?php the_author() ?>]]></dc:creator>
 }}}
 Or:
 {{{
 <dc:creator><?php echo htmlspecialchars( get_the_author() ) ?></dc:creator>
 }}}
 This might be a result of a custom author plugin not escaping these
 characters on the way into the database, but WordPress should handle this
 more robustly to prevent plugin authors from messing things up like this.

--

Comment (by SergeyBiryukov):

 Related: #17767

--
Ticket URL: <http://core.trac.wordpress.org/ticket/18056#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
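
The three forms of the `dc:creator` element discussed in the ticket, compared in a stand-alone script. This is an added example, not WordPress code and not part of the original message: the function names and author names are constructed, WordPress is not loaded, and PHP's DOM extension is assumed. It goes slightly beyond the ticket by also covering an author name that contains the CDATA terminator `]]>`.

```php
<?php
// Added example: runs without WordPress. All function names are hypothetical.

// Constructed author names, including the CDATA terminator edge case.
$authors = ['Jane Doe', 'Smith & Sons', 'A <b>bold</b> name', 'Tricky ]]> name'];

// Raw output, equivalent to printing the author name straight into the element.
function creator_raw(string $name): string {
    return '<dc:creator>' . $name . '</dc:creator>';
}

// CDATA wrapping. A literal "]]>" in the name would end the section early,
// so it is split across two adjacent CDATA sections.
function creator_cdata(string $name): string {
    $safe = str_replace(']]>', ']]]]><![CDATA[>', $name);
    return '<dc:creator><![CDATA[' . $safe . ']]></dc:creator>';
}

// Entity escaping for XML text content.
function creator_escaped(string $name): string {
    return '<dc:creator>' . htmlspecialchars($name, ENT_QUOTES | ENT_XML1, 'UTF-8') . '</dc:creator>';
}

// Wrap the element in a minimal <item>, parse it with libxml, and report whether
// it is well-formed and whether the parsed text equals the original name.
function check(string $element, string $name): string {
    $xml = '<item xmlns:dc="http://purl.org/dc/elements/1.1/">' . $element . '</item>';
    $prev = libxml_use_internal_errors(true);   // collect parse errors silently
    $doc = new DOMDocument();
    $ok = $doc->loadXML($xml);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return 'not well-formed';
    }
    return $doc->documentElement->textContent === $name ? 'ok' : 'parsed, text differs';
}

foreach ($authors as $name) {
    printf("%-20s raw: %-22s cdata: %-22s escaped: %s\n", $name,
        check(creator_raw($name), $name),
        check(creator_cdata($name), $name),
        check(creator_escaped($name), $name));
}
```

A name containing markup can still parse in the raw form while changing the element's structure, which is why the check compares the parsed text with the original name instead of testing well-formedness alone.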

