Opened 2 years ago

Closed 19 months ago

#17408 closed defect (bug) (fixed)

feed_links_extra does not escape html entities, causing invalid (X)HTML

Reported by: solarissmoke
Owned by: ryan
Priority: normal
Milestone: 3.3
Component: Template
Version: 3.1
Severity: normal
Keywords: has-patch dev-feedback
Cc: peaceable_whale@…

Description

I was investigating this forum thread and found that the issue was with core.

When pretty permalinks are disabled, feed_links_extra() can generate URLs like this for a search result:

href="http://localhost/wp/?s=something&feed=rss2"

...which is invalid HTML because the ampersand should be escaped as an entity.

Patch attached.

Attachments (1)

17408.diff (2.3 KB) - added by solarissmoke 2 years ago.
Escape href before outputting. Also, there is no need to escape the title in each if{} block, just do it at the end.

Change History (8)

  • Component changed from General to Template

  • Cc peaceable_whale@… added

Can confirm against 3.2.1. Patch looks good IMHO.

Patch still applies cleanly, just tested.

  • Milestone changed from Awaiting Review to 3.3
  • Keywords dev-feedback added

Anything that prevents this from being committed?

  • Owner set to ryan
  • Resolution set to fixed
  • Status changed from new to closed

In [19096]:

Escape href in feed_links_extra(). Props solarissmoke. fixes #17408
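
The behaviour this ticket describes, as an added example (not WordPress core code and not the attached patch): the same feed link tag is built with a raw href and with an escaped href, then checked with an XML parser. The function names and the title are hypothetical, and htmlspecialchars() is assumed as a stand-in for WordPress's escaping helpers so the script runs on its own.

```php
<?php
// Added illustration, not WordPress core code; the function names are hypothetical.
// htmlspecialchars() stands in for WordPress's esc_attr()/esc_url() so the file
// runs without WordPress. Requires PHP's DOM extension.

const LINK_FMT = '<link rel="alternate" type="application/rss+xml" title="%s" href="%s" />';

// Before: the title is escaped, the href is printed as-is.
function feed_link_before(string $title, string $href): string {
    return sprintf(LINK_FMT, htmlspecialchars($title, ENT_QUOTES, 'UTF-8'), $href);
}

// After: both attribute values are escaped once, at output time.
function feed_link_after(string $title, string $href): string {
    return sprintf(
        LINK_FMT,
        htmlspecialchars($title, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($href, ENT_QUOTES, 'UTF-8')
    );
}

// Parses the tag as XML (the rule XHTML follows). Returns the href value a
// parser recovers, or null when the markup is not well-formed.
function parsed_href(string $tag): ?string {
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML('<head>' . $tag . '</head>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok) {
        return null;
    }
    return $doc->getElementsByTagName('link')->item(0)->getAttribute('href');
}

$href  = 'http://localhost/wp/?s=something&feed=rss2';   // URL from the ticket
$title = 'Example Site - Search Results for "something"'; // constructed title

foreach (['before' => feed_link_before($title, $href),
          'after'  => feed_link_after($title, $href)] as $label => $tag) {
    $seen = parsed_href($tag);
    echo $label, ': ', $tag, PHP_EOL;
    echo '  well-formed: ', $seen === null ? 'no' : 'yes', PHP_EOL;
    echo '  href matches original URL: ', $seen === $href ? 'yes' : 'no', PHP_EOL;
}
```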
