Opened 6 years ago

Closed 6 years ago

#3873 closed defect (bug) (fixed)

wp_import_upload_form() needs to escape ampersands

Reported by: JeremyVisser Owned by: anonymous
Priority: normal Milestone: 2.1.3
Component: Administration Version: 2.1.1
Severity: normal Keywords: has-patch
Cc:

Description

If you navigate to the Movable Type importer at /wp-admin/admin.php?import=mt, you'll find that there is an ampersand (&) all by its lonesome in the action attribute of a form element. This completely breaks the page for people using application/xhtml+xml as their html_type option value.

Patch coming soon, unless someone else gets there first.

Attachments (1)

admin-functions.php.diff (730 bytes) - added by JeremyVisser 6 years ago.
Fixes the XHTML invalidity.

Download all attachments as: .zip

Change History (6)

comment:1   JeremyVisser6 years ago

This appears to be originating in the add_query_arg() function. I don't know how to fix it, as remove_query_arg() would need to be modified as well.

Perhaps a milestone of 2.2 would be better?

JeremyVisser6 years ago

Fixes the XHTML invalidity.

comment:2   JeremyVisser6 years ago

  • Summary changed from Movable Type importer needs to escape ampersands to wp_import_upload_form() needs to escape ampersands

OK, the problem was in /wp-admin/admin-functions.php, where wp_import_upload_form didn't encode the $action being passed to it.

comment:3   JeremyVisser6 years ago

  • Keywords has-patch added

comment:4   ryan6 years ago

I think we should use attribute_escape here, yes?

comment:5   ryan6 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Fixed for #3937.

Note: See TracTickets for help on using tickets.