Opened 3 years ago

Closed 20 months ago

#14996 closed defect (bug) (fixed)

Inserting an video/audio/media with an apostrophe in the title results in \' in the HTML

Reported by: layotte
Owned by: nacin
Priority: normal
Milestone: 3.3
Component: Administration
Version: 3.0.1
Severity: normal
Keywords: has-patch commit
Cc: layotte, mike.schroder@…

Description

If you insert a link using the Video, Audio, or Media buttons (note the Image button) and the Title has an apostrophe, the apostrophe is escaped with a slash.

e.g.

Video URL: http://my.awesomevideo.com/video

Title: Lew's Awesome Video

<a href="http://my.awesomevideo.com/video">Lew\'s Awesome Video</a>

Seems related to an old (already fixed) bug #6414

Attachments (3)

media.patch (1.3 KB) - added by layotte 3 years ago.
stripslashes from $_POST[insertonly][title]
14996.diff (1.3 KB) - added by DH-Shredder 22 months ago.
refreshed to current version & used svn diff to make this a bit easier to apply.
14996.2.diff (1.3 KB) - added by DH-Shredder 22 months ago.
Got rid of the coding standards tabbing fix, since there are a lot more instances. That'll be for a different patch.

Change History (13)

layotte 3 years ago

stripslashes from $_POST[insertonly][title]

comment:1 azaozz 3 years ago

The proper fix here would probably be to entity-encode the html special chars. This will also produce valid HTML when > and < are entered.

comment:2 layotte 3 years ago

The > < chars are already fine...

Only the quotes are being escaped and it looks like it is part of $_POST[insertonly][title]...

esc_attr is already being applied, but I think because the quotes are already escaped it isn't trying to convert them. I tried switching to esc_html and htmlspecialchars with no difference.

So this:

Lew's >, <, & "quote"

becomes:

Lew\'s >, <, & \"quote\"

If I don't stripslashes.

comment:3 nacin 2 years ago

  • Keywords commit 3.2-early added; needs-testing removed
  • Milestone changed from Awaiting Review to Future Release

comment:4 DH-Shredder 22 months ago

  • Cc mike.schroder@… added
  • Keywords reporter-feedback added

Can you double-check to see if this is still a problem for you?
I'm not able to reproduce the issue on 3.2.1 or trunk -- perhaps it has been since fixed?

comment:5 SergeyBiryukov 22 months ago

I can reproduce on trunk by clicking Add Video > From URL and putting the values mentioned in the ticket into the fields.

DH-Shredder 22 months ago

refreshed to current version & used svn diff to make this a bit easier to apply.

DH-Shredder 22 months ago

Got rid of the coding standards tabbing fix, since there are a lot more instances. That'll be for a different patch.

comment:6 DH-Shredder 22 months ago

  • Keywords reporter-feedback removed

You're correct! Apparently I tried every method of inserting but that one.
Patch works as advertised -- refreshed the patch to current code, and to get rid of the extra tabs added by the newlines in the patch.

comment:8 SergeyBiryukov 22 months ago

  • Keywords 3.2-early removed
  • Milestone changed from Future Release to 3.3

comment:9 ryan 20 months ago

Patch needs refresh. 3.3 seems to have additional problems:

PHP Notice:  Undefined index: insertonly in /trunk/wp-admin/includes/media.php on line 515, referer: http://localhost/trunk/wp-admin/media-upload.php?post_id=2507&tab=type_url
PHP Notice:  Undefined index: insertonly in /trunk/wp-admin/includes/media.php on line 520, referer: http://localhost/trunk/wp-admin/media-upload.php?post_id=2507&tab=type_url
PHP Notice:  Undefined variable: html in /trunk/wp-admin/includes/media.php on line 532, referer: http://localhost/trunk/wp-admin/media-upload.php?post_id=2507&tab=type_url

comment:10 nacin 20 months ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In [18992]:

Fix media/audio/file URL insertion. Strip slashes off title text. Leave red X to images only. fixes #14996. fixes #17578.
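
The behaviour discussed in comment:2 and addressed by "Strip slashes off title text", as an added example that is not code from this ticket, its patches, or WordPress core. It assumes addslashes() as a stand-in for the slashing WordPress applies to $_POST during load and htmlspecialchars() with ENT_QUOTES as a stand-in for esc_html()/esc_attr(); the function names are hypothetical.

```php
<?php
// Added illustration; not WordPress core code.
// Assumptions: addslashes() stands in for the slashing WordPress applies to
// $_POST during load, and htmlspecialchars(ENT_QUOTES) stands in for
// esc_html()/esc_attr(). All function names here are hypothetical.

// Simulate what the handler receives: every submitted string arrives slashed.
function simulate_slashed_post(array $typed): array {
    return ['insertonly' => array_map('addslashes', $typed)];
}

// Before: the title is HTML-escaped but never unslashed, so the backslash
// added on input survives into the generated markup.
function link_without_unslash(array $post): string {
    $href  = htmlspecialchars($post['insertonly']['href'], ENT_QUOTES, 'UTF-8');
    $title = htmlspecialchars($post['insertonly']['title'], ENT_QUOTES, 'UTF-8');
    return '<a href="' . $href . '">' . $title . '</a>';
}

// After: strip the slashes off the title once, then escape for HTML output.
function link_with_unslash(array $post): string {
    $href  = htmlspecialchars($post['insertonly']['href'], ENT_QUOTES, 'UTF-8');
    $title = htmlspecialchars(stripslashes($post['insertonly']['title']), ENT_QUOTES, 'UTF-8');
    return '<a href="' . $href . '">' . $title . '</a>';
}

// Constructed sample input, using the values quoted in the ticket.
$post = simulate_slashed_post([
    'href'  => 'http://my.awesomevideo.com/video',
    'title' => 'Lew\'s >, <, & "quote"',
]);

$before = link_without_unslash($post);
$after  = link_with_unslash($post);
echo $before, "\n", $after, "\n";

// Unslashing removes the backslashes; the HTML escaping stays in place.
var_dump(strpos($before, '\\') !== false);
var_dump(strpos($after, '\\') === false);
var_dump(strpos($after, '&lt;') !== false);

// Unslash exactly once: a second pass eats a backslash the user really typed.
var_dump(stripslashes(stripslashes(addslashes('a\\b'))) === 'ab');
```

Unslashing and HTML escaping solve different problems: the first undoes the input-side slashing, the second makes the value safe to place in markup, so the fixed path needs both.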