Opened 4 years ago
Closed 3 years ago
#9524 closed defect (bug) (fixed)
Exporter does not escape url
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | 2.9 |
| Component: | Export | Version: | 2.8 |
| Severity: | normal | Keywords: | has-patch tested reporter-feedback |
| Cc: | | | |
Description
In wp-admin/includes/export.php, the URL is not escaped correctly:
<wp:comment_author_url><?php echo $c->comment_author_url; ?></wp:comment_author_url>
htmlspecialchars() will escape only 4 chars when no options are given (lt, gt, amp, quot), and these 4 chars are compatible with XML, so we can use htmlspecialchars() to fix the bug:
<wp:comment_author_url><?php echo htmlspecialchars($c->comment_author_url); ?></wp:comment_author_url>
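Added example (not WordPress code and not part of the ticket): it emits the same wp:comment_author_url element with and without the escaping, wraps it in a minimal WXR-style document, and feeds it to PHP's own XML parser to show that the raw echo yields a document the importer cannot parse, while the four entities htmlspecialchars() emits are valid XML and decode back to the original URL. The sample URL and the wrapper document are constructed for the demonstration.

```php
<?php
// Constructed demonstration; the helper names below are not WordPress functions.

function export_url_element(string $url, bool $escape): string {
    // Mirrors the exporter template line; $escape toggles the proposed fix.
    $value = $escape ? htmlspecialchars($url) : $url;
    return "<wp:comment_author_url>{$value}</wp:comment_author_url>";
}

function wrap_in_export_document(string $element): string {
    // Minimal RSS/WXR-style wrapper so the wp: prefix is declared.
    return '<?xml version="1.0" encoding="UTF-8"?>'
         . '<rss xmlns:wp="http://wordpress.org/export/1.0/"><channel><item>'
         . $element
         . '</item></channel></rss>';
}

function parsed_url_or_null(string $element): ?string {
    // Returns the decoded URL a parser-based importer would see, or null when
    // the document is not well-formed XML (simplexml_load_string() returns false).
    $prev = libxml_use_internal_errors(true);
    $doc  = simplexml_load_string(wrap_in_export_document($element));
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($doc === false) {
        return null;
    }
    $wp = $doc->channel->item->children('wp', true);
    return (string) $wp->comment_author_url;
}

// Constructed sample URL; any value containing & < > or " triggers the defect.
$url = 'http://example.com/?a=1&b=2';

// Unescaped: '&b' is read as a broken entity reference, the document is rejected.
var_dump(parsed_url_or_null(export_url_element($url, false))); // NULL

// Escaped: '&' becomes '&amp;', and the parser hands back the original URL.
var_dump(parsed_url_or_null(export_url_element($url, true)));  // string "http://example.com/?a=1&b=2"
```

Any of the four characters htmlspecialchars() handles breaks or alters the unescaped element the same way, so checking the output with a strict XML parser like this is a quick way to confirm an export is importable.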
Attachments (2)
Change History (13)
- Keywords needs-patch added
- Milestone changed from Unassigned to 2.8
- Version set to 2.8
- Keywords tested added
- Keywords commit added
- Keywords reporter-feedback added; commit removed
- Owner set to westi
- Status changed from new to accepted
clean_url looks like a better solution here.
However, it would be good to have an example of the actual url that was causing an issue to make sure that we have fixed the problem.
Removing commit for now while we get reporter feedback.
I can only imagine it's a url from an old blog, that didn't go through the sanitizer when it was inserted. The clean_url() won't hurt either way.
clean_url() will escape ampersands by default. I don't think the importer handles that.
- Milestone changed from 2.8 to 2.9
Punting per IRC discussion.
comment:10
markjaquith — 3 years ago
esc_url_raw() is what you want — sanitizes without ampersand-entity-encoding.
comment:11
markjaquith — 3 years ago
- Resolution set to fixed
- Status changed from accepted to closed
(In [12359]) Use esc_url_raw() on wp:comment_author_url in exports. fixes #9524

Made patch implementing gslin's suggestion.