[wp-trac] [WordPress Trac] #32257: Patch: add support for multi-line textarea sanitization
WordPress Trac
noreply at wordpress.org
Tue Oct 25 10:32:49 UTC 2016
#32257: Patch: add support for multi-line textarea sanitization
--------------------------------------+------------------------
Reporter: ottok | Owner: chriscct7
Type: enhancement | Status: accepted
Priority: normal | Milestone: 4.7
Component: Formatting | Version:
Severity: normal | Resolution:
Keywords: has-patch has-unit-tests | Focuses:
--------------------------------------+------------------------
Changes (by pento):
* keywords: has-patch has-unit-tests commit => has-patch has-unit-tests
Comment:
The failing unit test I included is still failing.
`sanitize_textarea_field( "foo <\ndiv\n> bar" )` produces `"foo <\ndiv\n> bar"`, when it should produce `"foo <\ndiv\n> bar"`. The more I think
about it, the more I'm concerned that this could be a vector for an XSS
attack - if the textarea is sanitised using `sanitize_textarea_field()`,
but then the `\n` is stripped sometime later when displaying the content,
it will start parsing as HTML, bypassing earlier KSES checking.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/32257#comment:22>
WordPress Trac <https://core.trac.wordpress.org/>
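The two-stage hazard described in the comment, as an added example that is not WordPress code and not part of the ticket: a sanitizer that only recognises tags opening and closing on a single line, followed by a display step that drops newlines, lets the input from the failing test reassemble into a real `<div>` tag. The functions `strip_tags_per_line`, `strip_tags_multiline`, `drop_newlines`, `render_pipeline` and `html_tags_in` are constructed stand-ins; the real `sanitize_textarea_field()` behaves differently, and the display step is assumed.

```python
import re

# Input from the ticket's failing unit test.
TICKET_INPUT = "foo <\ndiv\n> bar"


def strip_tags_per_line(text: str) -> str:
    """Constructed naive sanitizer: a tag must open and close on one line.

    '<\\ndiv\\n>' is NOT matched because the character class excludes '\\n',
    so the fragment survives sanitization untouched.
    """
    return re.sub(r"<[^>\n]*>", "", text)


def strip_tags_multiline(text: str) -> str:
    """Constructed hardened sanitizer: newlines inside a tag are allowed,
    so '<\\ndiv\\n>' is treated the same as '<div>' and removed."""
    return re.sub(r"<[^>]*>", "", text, flags=re.DOTALL)


def drop_newlines(text: str) -> str:
    """Assumed later display step that strips '\\n' from the stored content.

    This is the step the comment worries about: it is what turns the
    harmless-looking multi-line fragment back into a parseable tag.
    """
    return text.replace("\n", "")


def render_pipeline(sanitizer, raw: str) -> str:
    """Sanitize on input, then apply the newline-stripping display step."""
    return drop_newlines(sanitizer(raw))


def html_tags_in(text: str) -> list:
    """Detection helper: list anything that would parse as a tag."""
    return re.findall(r"<[^>]+>", text)


if __name__ == "__main__":
    for name, sanitizer in (("per-line", strip_tags_per_line),
                            ("multiline", strip_tags_multiline)):
        out = render_pipeline(sanitizer, TICKET_INPUT)
        print(f"{name:9s} -> {out!r}  tags: {html_tags_in(out)}")
```

Running the per-line variant yields `'foo <div> bar'` with one tag detected after display, while the multiline variant yields `'foo  bar'` with none; a regression test like the one pento added should assert the latter on the sanitizer's output directly, before any display-time transformation gets a chance to run.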