#10056 closed defect (bug) (fixed)
href not sanitized in media uploader
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 2.9 | Priority: | high |
| Severity: | normal | Version: | 2.8 |
| Component: | Media | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
There are lines such as:

```php
if ( !empty($_POST['insertonlybutton']) ) {
    $href = $_POST['insertonly']['href'];
    if ( !empty($href) && !strpos($href, '://') )
        $href = "http://$href";
```

They should get an additional:

`$href = esc_url_raw($href);` for the filter

and the link should use `esc_url($href)`.
Attachments (1)
Change History (5)
#2
@
16 years ago
- Keywords has-patch added
Seems right, yeah. I noted another one, but the $src was extracted from media_handle_sideload(), so it probably isn't worth adding another esc_url_raw().
One day, we should really settle on a version, and ensure that the WP internals require and return data in a consistently sanitized manner (i.e. with/without slashes and/or HTML encoding).
Adding to this ticket, this line is problematic:
If the stuff is then inserted in a shortcode, it's more convenient (and relevant) to have the raw value in the shortcode, since the user might as well enter a shortcode manually. The escaped value should be used in the default $html, but the raw value should be passed to the filter.
Additionally, there is no stripslashes call anywhere.
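
The handling the ticket and the comment above ask for (strip slashes, pass the `esc_url_raw()` value to the filter, use `esc_url()` only in the default markup), as an added example that is not part of the ticket or its attached patch. It assumes WordPress is loaded; the function name `example_insertonly_link()` and the filter name `example_insertonly_link_html` are hypothetical.

```php
<?php
// Added example, not WordPress core code. Assumes WordPress is loaded, so
// esc_url_raw(), esc_url(), esc_html() and apply_filters() are available.
// example_insertonly_link() and the 'example_insertonly_link_html' filter
// are hypothetical names.
function example_insertonly_link( array $post ) {
    $field = isset( $post['insertonly'] ) && is_array( $post['insertonly'] )
        ? $post['insertonly'] : array();
    if ( empty( $post['insertonlybutton'] ) || empty( $field['href'] )
        || ! is_string( $field['href'] ) ) {
        return '';
    }

    // WordPress adds slashes to request data; remove them before sanitizing.
    $href = trim( stripslashes( $field['href'] ) );

    // Add a scheme only when none is present. strpos() returns 0 for a match
    // at offset 0, so compare with false instead of negating the result.
    if ( '' !== $href && false === strpos( $href, '://' ) ) {
        $href = "http://$href";
    }

    // Raw form: scheme checked against the allowed protocols, no HTML entity
    // encoding. This is the value for the filter, a shortcode or storage.
    $raw = esc_url_raw( $href );
    if ( '' === $raw ) {
        return ''; // empty input, or rejected by esc_url_raw()
    }

    $title = isset( $field['title'] ) && is_string( $field['title'] )
        ? trim( stripslashes( $field['title'] ) ) : '';
    if ( '' === $title ) {
        $title = basename( $raw );
    }

    // Display form: esc_url() entity-encodes for the attribute, esc_html()
    // covers the link text. Both are applied only where markup is built.
    $html = '<a href="' . esc_url( $raw ) . '">' . esc_html( $title ) . '</a>';

    // Filter callbacks receive the display markup plus the raw URL and title.
    return apply_filters( 'example_insertonly_link_html', $html, $raw, $title );
}
```

A callback on the filter that builds a shortcode would use the second argument as received and escape it only at the point where it renders HTML.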