Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#6898 closed defect (bug) (fixed)

Bad quote escaping in media uploader?

Reported by: Otto42 Owned by: anonymous
Priority: normal Milestone: 2.6
Component: General Version: 2.5.1
Severity: normal Keywords:
Cc:

Description

Report and fix here:
http://wordpress.org/support/topic/164563/page/2?replies=50#post-737670

Other people report the same issue and that the fix works too.

Short version:
wp-admin/includes/media.php, line 57

$html = "<a href='".attribute_escape($url)."'$rel>$html</a>";

Should be this:

$html = "<a href=\"".attribute_escape($url)."\"$rel>$html</a>";

Because the single quote there can hork up some javascript code that it gets inserted into.

Change History (5)

comment:1   ryan5 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [7874]) Fix send_to_editor escaping. Props Glotzfisch. fixes #6898 for trunk

comment:2   ryan5 years ago

(In [7875]) Fix send_to_editor escaping. Props Glotzfisch. fixes #6898 for 2.5

comment:3   ryan5 years ago

  • Milestone changed from 2.6 to 2.5.2

comment:4   ryan5 years ago

  • Milestone changed from 2.5.2 to 2.9

Milestone 2.5.2 deleted

comment:5   westi5 years ago

  • Milestone changed from 2.9 to 2.6
Note: See TracTickets for help on using tickets.