[wp-trac] [WordPress Trac] #32257: Patch: add support for multi-line textarea sanitization

WordPress Trac noreply at wordpress.org
Tue Oct 25 10:32:49 UTC 2016

#32257: Patch: add support for multi-line textarea sanitization
 Reporter:  ottok                     |       Owner:  chriscct7
     Type:  enhancement               |      Status:  accepted
 Priority:  normal                    |   Milestone:  4.7
Component:  Formatting                |     Version:
 Severity:  normal                    |  Resolution:
 Keywords:  has-patch has-unit-tests  |     Focuses:
Changes (by pento):

 * keywords:  has-patch has-unit-tests commit => has-patch has-unit-tests


 The failing unit test I included is still failing.

 `sanitize_textarea_field( "foo <\ndiv\n> bar" )` produces `"foo <\ndiv\n>
 bar"`, when it should produce `"foo <\ndiv\n> bar"`. The more I think
 about it, the more I'm concerned that this could be a vector for an XSS
 attack - if the textarea is sanitised using `sanitize_textarea_field()`,
 but then the `\n` is stripped sometime later when displaying the content,
 it will start parsing as HTML, bypassing earlier KSES checking.

Ticket URL: <https://core.trac.wordpress.org/ticket/32257#comment:22>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list