[wp-trac] [WordPress Trac] #24580: wp-admin/includes/media.php: edit_form_image_editor() missing esc_attr() on Caption textarea.
WordPress Trac
noreply at wordpress.org
Fri Jun 14 20:54:58 UTC 2013
#24580: wp-admin/includes/media.php: edit_form_image_editor() missing esc_attr() on Caption textarea.
----------------------------+-----------------------------
Reporter: AlexanderOMara | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: trunk
Severity: minor | Keywords: has-patch
----------------------------+-----------------------------
In wp-admin/includes/media.php, the function edit_form_image_editor()
directly prints the raw post_excerpt into the description textarea. This
means that if the user inputs HTML tags, the HTML when returning to edit
it is invalid or potentially broken.
This:
<textarea class="widefat" name="excerpt" id="attachment_caption"><?php echo $post->post_excerpt; ?></textarea>
Should be:
<textarea class="widefat" name="excerpt" id="attachment_caption"><?php echo esc_attr( $post->post_excerpt ); ?></textarea>
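Added example, not code from the ticket or from WordPress core: a standalone PHP script showing why the raw echo corrupts a caption on its way back into the editor and why the escaped form preserves it. It assumes htmlspecialchars() with ENT_QUOTES as a stand-in for esc_attr(), and models the browser's handling of textarea content with a small helper.

```php
<?php
// Stand-alone demonstration of the ticket's point (not WordPress code).
// esc_attr() is stood in for by htmlspecialchars() with ENT_QUOTES, which is
// the core of what it does; this is an assumption for running offline.

function render_caption_raw(string $caption): string {
    // The form as reported: post_excerpt printed into the textarea unescaped.
    return '<textarea class="widefat" name="excerpt" id="attachment_caption">'
        . $caption . '</textarea>';
}

function render_caption_escaped(string $caption): string {
    // The proposed fix: escape before printing into the textarea.
    $safe = htmlspecialchars($caption, ENT_QUOTES, 'UTF-8');
    return '<textarea class="widefat" name="excerpt" id="attachment_caption">'
        . $safe . '</textarea>';
}

// A browser treats textarea content as RCDATA: the field ends at the first
// "</textarea" and character references inside are decoded. This helper
// models that to show what the edit form would actually present to the user.
function textarea_value_as_browser_sees(string $html): ?string {
    if (!preg_match('#<textarea[^>]*>(.*?)</textarea#is', $html, $m)) {
        return null;
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

// Constructed sample caption: contains an entity and a closing tag, the two
// things a user can type that break the unescaped form.
$caption = 'Tom &amp; Jerry, see </textarea> notes';

$raw_value     = textarea_value_as_browser_sees(render_caption_raw($caption));
$escaped_value = textarea_value_as_browser_sees(render_caption_escaped($caption));

// Raw: the field is cut off at the user's "</textarea>" and "&amp;" collapses
// to "&", so saving the form again silently changes the caption.
// Escaped: the caption comes back to the editor exactly as stored.
printf("raw round-trips:     %s (%s)\n", var_export($raw_value === $caption, true), $raw_value);
printf("escaped round-trips: %s (%s)\n", var_export($escaped_value === $caption, true), $escaped_value);
```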
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24580>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software