[wp-trac] [WordPress Trac] #17780: Use PHP native double encoding prevention in htmlspecialchars()
WordPress Trac
noreply at wordpress.org
Tue Jul 14 01:37:24 UTC 2015
#17780: Use PHP native double encoding prevention in htmlspecialchars()
----------------------------------------+--------------------------
Reporter: nbachiyski | Owner: miqrogroove
Type: defect (bug) | Status: reopened
Priority: high | Milestone: 4.3
Component: Formatting | Version:
Severity: major | Resolution:
Keywords: needs-unit-tests has-patch | Focuses:
----------------------------------------+--------------------------
Comment (by azaozz):
Looking back at the changes to the post_title field: it seems this is a
long-existing bug that was masked by the "unusual" behaviour of
`_wp_specialchars()`. The post_title is escaped first with
`sanitize_post_field()`, then with `htmlspecialchars()` and finally with
`esc_attr()`.
As far as I can see this is the only place where `esc_attr()` and
`htmlspecialchars()` are nested. Not sure if fixing this at the beginning
of a cycle will be any different from fixing it now. In both cases plugins
that have copied that particular code from core (and don't follow
WordPress development) will break. Chances are that most plugin authors
will test their plugins in RC, or perhaps when they receive the "What's new
in 4.3" email :)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/17780#comment:40>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
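The nesting azaozz describes (a title escaped by `htmlspecialchars()` and then again by `esc_attr()`) is what PHP's `double_encode` parameter of `htmlspecialchars()` controls. The script below is an added example, not code from the ticket or from WordPress core: it models the two passes with plain PHP calls (the `first_pass()`, `second_pass()` and `find_double_encoding()` helpers and the sample title are constructed for this illustration), shows how a second pass with the default `double_encode = true` turns `&amp;` into `&amp;amp;`, and ends with a simple check a reviewer can run over rendered output to spot double-encoded entities.

```php
<?php
// Added example (not from the ticket or WordPress core): how nested escaping
// behaves with and without PHP's native double-encoding prevention.

// First escaping pass. With PHP's default double_encode = true every '&'
// is converted, including one that already starts an entity.
function first_pass(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
}

// Second pass, standing in for the outer esc_attr() call in the ticket.
// $double_encode = false is the behaviour that leaves existing entities
// such as "&amp;" or "&#039;" untouched instead of re-encoding their '&'.
function second_pass(string $already_escaped, bool $double_encode): string
{
    return htmlspecialchars($already_escaped, ENT_QUOTES, 'UTF-8', $double_encode);
}

// Reviewer check: an entity whose ampersand was escaped a second time shows
// up as "&amp;" immediately followed by an entity body and ';'. Returns the
// matches so a test or log line can report them.
function find_double_encoding(string $html): array
{
    preg_match_all('/&amp;(#[0-9]+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);/', $html, $m);
    return $m[0];
}

// Constructed sample title with every character htmlspecialchars() touches.
$title = 'Tom & Jerry\'s "show" <live>';

$once = first_pass($title);
echo "after one pass:               ", $once, PHP_EOL;

$nested_default = second_pass($once, true);
echo "nested, double_encode = true: ", $nested_default, PHP_EOL;
echo "double-encoded entities:      ", implode(' ', find_double_encoding($nested_default)), PHP_EOL;

$nested_guarded = second_pass($once, false);
echo "nested, double_encode = false:", ' ', $nested_guarded, PHP_EOL;
echo "double-encoded entities:      ", implode(' ', find_double_encoding($nested_guarded)), PHP_EOL;
```

Run it with `php` from the command line. With `double_encode = true` the second pass re-escapes the `&` of every entity produced by the first pass, so the browser shows literal `&amp;`, `&quot;` and similar text in the title; with `double_encode = false` the second pass is a no-op on text that is already escaped, which is why the triple escaping in core went unnoticed. One caveat for anyone relying on `double_encode = false`: it also leaves entities that were present in the raw input alone, so an input of `&lt;b&gt;` is rendered as the literal text `<b>` rather than `&amp;lt;b&amp;gt;`. That is still inert HTML, but it means the output no longer reproduces the input character for character, and it is not a substitute for escaping each field exactly once at the point of output.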