Ticket #3873 (closed defect (bug): fixed)

Opened 5 years ago

Last modified 5 years ago

wp_import_upload_form() needs to escape ampersands

Reported by: JeremyVisser
Owned by: anonymous
Priority: normal
Milestone: 2.1.3
Component: Administration
Version: 2.1.1
Severity: normal
Keywords: has-patch
Cc:

Description

If you navigate to the Movable Type importer at /wp-admin/admin.php?import=mt, you'll find that there is an ampersand (&) all by its lonesome in the action attribute of a form element. This completely breaks the page for people using application/xhtml+xml as their html_type option value.

Patch coming soon, unless someone else gets there first.

Attachments

admin-functions.php.diff (730 bytes) - added by JeremyVisser 5 years ago.
Fixes the XHTML invalidity.

Change History

This appears to be originating in the add_query_arg() function. I don't know how to fix it, as remove_query_arg() would need to be modified as well.

Perhaps a milestone of 2.2 would be better?

Fixes the XHTML invalidity.

  • Summary changed from Movable Type importer needs to escape ampersands to wp_import_upload_form() needs to escape ampersands

OK, the problem was in /wp-admin/admin-functions.php, where wp_import_upload_form didn't encode the $action being passed to it.

  • Keywords has-patch added

comment:4   ryan, 5 years ago

I think we should use attribute_escape here, yes?

comment:5   ryan, 5 years ago

  • Status changed from new to closed
  • Resolution set to fixed

Fixed for #3937.
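
The breakage described in this ticket, reproduced as an added example (not WordPress code and not the attached patch). render_upload_form() is a hypothetical stand-in for wp_import_upload_form(), htmlspecialchars() stands in for attribute_escape(), and the step=1 query argument is constructed.

```php
<?php
// Added example, not WordPress code. render_upload_form() is a hypothetical
// stand-in for wp_import_upload_form(); htmlspecialchars() stands in for
// WordPress's attribute_escape().

function render_upload_form(string $action, bool $escape): string
{
    if ($escape) {
        // Encodes &, <, > and both quote characters for use inside an attribute.
        $action = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
    }
    return '<form enctype="multipart/form-data" method="post" action="' . $action . '">'
         . '<input type="file" name="import" />'
         . '</form>';
}

// True when the markup parses as XML, which is what a browser requires
// of a page served as application/xhtml+xml.
function is_well_formed(string $markup): bool
{
    $previous = libxml_use_internal_errors(true); // collect errors instead of emitting warnings
    $doc = new DOMDocument();
    $ok = $doc->loadXML($markup);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $ok;
}

// Constructed sample: an importer URL with a second query argument appended,
// joined by a bare ampersand.
$action = 'admin.php?import=mt&step=1';

foreach ([false, true] as $escape) {
    $html = render_upload_form($action, $escape);
    printf(
        "%-8s well-formed=%s\n  %s\n",
        $escape ? 'escaped' : 'raw',
        var_export(is_well_formed($html), true),
        $html
    );
}
```

The raw form fails to parse because the XML parser reads `&step` as the start of an entity reference with no closing `;`; the escaped form emits `&amp;` and parses cleanly.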
