[wp-trac] [WordPress Trac] #33732: Exporter fails to escape many XML elements text content
WordPress Trac
noreply at wordpress.org
Fri Sep 4 18:40:11 UTC 2015
#33732: Exporter fails to escape many XML elements text content
--------------------------+-----------------------------
Reporter: westonruter | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Export | Version: 3.0
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
We have a plugin with a custom post type that stores a query string (e.g.
`year=2015&month=5`) in the `post_name`. It is stored here for the sake of
the field being indexed in MySQL. When exporting such posts via the
WordPress exporter, it results in a post that contains an `item` with:
{{{#!xml
<wp:post_name>year=2015&month=5</wp:post_name>
}}}
This results in an XML parse error because the `&` is not escaped/encoded
as `&amp;`. Alternatively it could also be safely represented as:
{{{#!xml
<wp:post_name><![CDATA[year=2015&month=5]]></wp:post_name>
}}}
The function that does the CDATA-ification for the exporter is
`wxr_cdata()` and it is used elsewhere in the exporter where WordPress
expects to see XML meta characters in user data. But it is not using it
elsewhere in places where plugins could also introduce XML meta characters
in the data being output.
I suggest that we ensure that all the data in the feed be late-escaped
without assuming that it is going to be safe.
See also: #15203, #19998
--
Ticket URL: <https://core.trac.wordpress.org/ticket/33732>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
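
Added example, not part of the original ticket and not WordPress core code: a standalone PHP script that reproduces the parse failure described above for a `post_name` containing `&`, then shows that late-escaping the value (as an entity-escaped string or as a CDATA section) yields well-formed XML that round-trips to the original text. The `example_*` function names, the `urn:example:wxr` namespace and the sample values are assumptions made for this illustration; the CDATA helper follows the same idea as the `wxr_cdata()` mentioned in the ticket but is written independently here.

```php
<?php
// Added illustration; every example_* function is hypothetical, not a core API.

// Wrap text in a CDATA section. A literal "]]>" inside the data would end the
// section early, so it is split across two adjacent CDATA sections.
function example_cdata( string $text ): string {
    return '<![CDATA[' . str_replace( ']]>', ']]]]><![CDATA[>', $text ) . ']]>';
}

// Entity-escape text for use as XML element content.
function example_escape( string $text ): string {
    return htmlspecialchars( $text, ENT_XML1 | ENT_QUOTES, 'UTF-8' );
}

// Put $content inside <wp:post_name> and parse the result.
// Returns the decoded element text, or null when the XML is not well-formed.
function example_round_trip( string $content ): ?string {
    $xml = '<item xmlns:wp="urn:example:wxr"><wp:post_name>'
         . $content . '</wp:post_name></item>';

    $previous = libxml_use_internal_errors( true ); // collect errors quietly
    $doc      = new DOMDocument();
    $ok       = $doc->loadXML( $xml );
    libxml_clear_errors();
    libxml_use_internal_errors( $previous );

    return $ok ? $doc->documentElement->firstChild->textContent : null;
}

function example_status( string $original, ?string $parsed ): string {
    if ( null === $parsed ) {
        return 'parse error';
    }
    return $parsed === $original ? 'round-trips' : 'parsed but altered';
}

// Constructed sample values: the ticket's query string plus two other
// inputs a plugin could store in the field.
$samples = array( 'year=2015&month=5', 'a<b', 'x]]>y' );

foreach ( $samples as $value ) {
    printf(
        "%-20s raw: %-18s escaped: %-18s cdata: %s\n",
        $value,
        example_status( $value, example_round_trip( $value ) ),
        example_status( $value, example_round_trip( example_escape( $value ) ) ),
        example_status( $value, example_round_trip( example_cdata( $value ) ) )
    );
}
```

Run it with the PHP CLI (the `dom` extension is required); the status is computed by actually parsing each variant rather than being asserted in advance.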