Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#10056 closed defect (bug) (fixed)

href not sanitized in media uploader

Reported by: Denis-de-Bernardy
Owned by:
Milestone: 2.9
Priority: high
Severity: normal
Version: 2.8
Component: Media
Keywords: has-patch
Focuses:
Cc:

Description

There are lines such as:

if ( !empty($_POST['insertonlybutton']) ) {
	$href = $_POST['insertonly']['href'];
	if ( !empty($href) && !strpos($href, '://') )
		$href = "http://$href";

They should get an additional:

$href = esc_url_raw($href); for the filter

and the link should use esc_url($href)

Attachments (1)

10056.diff (2.1 KB) - added by ryan 5 years ago.


Change History (5)

comment:1 Denis-de-Bernardy 5 years ago

  • Priority changed from normal to high

Adding to this ticket, this line is problematic:

$title = esc_attr($_POST['insertonly']['title']);

If the stuff is then inserted in a shortcode, it's more convenient (and relevant) to have the raw value in the shortcode, since the user might as well enter a shortcode manually. The escaped value should be used in the default $html, but the raw value should be passed to the filter.

Additionally, there is no stripslashes call anywhere.
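The handling that the description and comment:1 ask for, written out as an added example; it is not WordPress core code and not the attached patch. The function name `example_insert_only_link` and the filter name `example_insert_only_html` are hypothetical, and the code assumes it runs inside WordPress so that the `esc_*` functions, `wp_unslash()` and `apply_filters()` exist.

```php
<?php
// Added example, not WordPress core code. Assumes it is loaded inside WordPress
// (for instance from a plugin), so esc_url(), esc_url_raw(), esc_attr(),
// esc_html(), wp_unslash() and apply_filters() are available.

// Hypothetical helper: takes the raw (still slashed) $_POST array and returns
// the link HTML to send to the editor, or '' when there is nothing to insert.
function example_insert_only_link( array $post ) {
	if ( empty( $post['insertonlybutton'] ) || empty( $post['insertonly'] ) ) {
		return '';
	}

	// WordPress adds slashes to $_POST; remove them once, at the boundary.
	$fields = wp_unslash( (array) $post['insertonly'] );
	$href   = ( isset( $fields['href'] ) && is_string( $fields['href'] ) ) ? trim( $fields['href'] ) : '';
	$title  = ( isset( $fields['title'] ) && is_string( $fields['title'] ) ) ? $fields['title'] : '';

	if ( '' === $href ) {
		return '';
	}
	// Strict comparison: strpos() returns 0 (falsy) for a match at offset 0.
	if ( false === strpos( $href, '://' ) ) {
		$href = "http://$href";
	}

	// Sanitized but not HTML-encoded URL, for storage and for filter callbacks.
	// esc_url_raw() returns '' when the protocol is not on the allowed list.
	$href = esc_url_raw( $href );
	if ( '' === $href ) {
		return '';
	}

	// Escape at the point of output: esc_url() for the href attribute,
	// esc_attr() for the title attribute, esc_html() for the link text.
	$html = sprintf(
		'<a href="%s" title="%s">%s</a>',
		esc_url( $href ),
		esc_attr( $title ),
		esc_html( $title )
	);

	// Hypothetical filter name. Callbacks receive the raw title and the
	// esc_url_raw() value, while the default $html carries the escaped ones.
	return apply_filters( 'example_insert_only_html', $html, $href, $title );
}
```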

ryan 5 years ago

comment:2 Denis-de-Bernardy 5 years ago

  • Keywords has-patch added

Seems right, yeah. I noted another one, but the $src was extracted from media_handle_sideload(), so it probably isn't worth adding another esc_url_raw().

One day, we should really settle on a version, and ensure that the WP internals require and return data in a consistently sanitized manner (i.e. with/without slashes and/or HTML encoding).

comment:3 ryan 5 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [12295]) escape hrefs. Props Denis-de-Bernardy. fixes #10056

comment:4 ryan 5 years ago

(In [12296]) escape hrefs. Props Denis-de-Bernardy. fixes #10056 for 2.8
