﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
18445	Unfiltered text can be inserted via Link Image To field when side-loading media	DrewAPicture	azaozz	"It looks like the replace methods were left out for {{{f.url.value}}} in ''wp-admin/includes/media.php''. Thus, unfiltered text, including complete JavaScript strings, can be passed through the 'Link Image To' field when side-loading media via the 'From URL' tab. The unfiltered text is dropped untouched into the media's link tag and has the potential to wreak havoc.

Reproduce:

In posting page > Add media > Go to 'From URL' tab > Input a URL to a valid remote image > Input special characters into the 'Link Image To' field > Insert into post."	defect (bug)	closed	normal	3.3	Formatting	3.2.1	normal	fixed	has-patch dev-feedback	
