[wp-trac] [WordPress Trac] #24248: 'guid' not properly escaped
WordPress Trac
noreply at wordpress.org
Fri Nov 14 14:36:18 UTC 2014
#24248: 'guid' not properly escaped
-------------------------------------------------+-------------------------
Reporter: meloniq | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Future Release
Component: Posts, Post Types | Version: 2.5
Severity: normal | Resolution:
Keywords: has-patch needs-unit-tests 3.7-early | Focuses:
-------------------------------------------------+-------------------------
Comment (by meloniq):
> The reason for this is that the conversion of "&" to "&amp;" is
> happening on the database insert, not on the retrieval from the database.
The conversion happens during post sanitization at the beginning of this function:
```$postarr = sanitize_post($postarr, 'db');```
The 'url fields' are filtered with ```wp_strip_all_tags()```,
```esc_url_raw()```, and ```wp_filter_kses()``` - the last one converts
```&``` to ```&amp;```.
Filters added here: https://github.com/WordPress/WordPress/blob/master/wp-includes/default-filters.php#L59-L65
--
Ticket URL: <https://core.trac.wordpress.org/ticket/24248#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>