WordPress.org

Make WordPress Core

Opened 10 years ago

Closed 9 years ago

#14996 closed defect (bug) (fixed)

Inserting an video/audio/media with an apostrophe in the title results in \' in the HTML

Reported by: layotte Owned by: nacin
Milestone: 3.3 Priority: normal
Severity: normal Version: 3.0.1
Component: Administration Keywords: has-patch commit
Focuses: Cc:

Description

If you insert a link using the Video, Audio, or Media buttons (note the Image button) and the Title has an apostrophe, the apostrophe is escaped with a slash.

e.g.

Video URL: http://my.awesomevideo.com/video

Title: Lew's Awesome Video

<a href="http://my.awesomevideo.com/video">Lew\'s Awesome Video</a>

Seems related to an old (already fixed) bug #6414

Attachments (3)

media.patch (1.3 KB) - added by layotte 10 years ago.
stripslashes from $_POSTinstertonly?title?
14996.diff (1.3 KB) - added by mikeschroder 9 years ago.
refreshed to current version & used svn diff to make this a bit easier to apply.
14996.2.diff (1.3 KB) - added by mikeschroder 9 years ago.
Got rid of the coding standards tabbing fix, since there are a lot more instances. That'll be for a different patch.

Download all attachments as: .zip

Change History (13)

@layotte
10 years ago

stripslashes from $_POSTinstertonly?title?

#1 @azaozz
10 years ago

The proper fix here would probably be to entity-encode the html special chars. This will also produce valid HTML when > and < are entered.

#2 @layotte
10 years ago

The > < chars are already fine already...

Only the quotes are being escaped and it looks like it is part of $_POST[insertonly][title]...

esc_attr is already being applied, but I think because the quotes are already escaped it isn't trying to convert them. I tried switching to esc_html and htmlspecialchars with no difference.

So this:

Lew's >, <, & "quote"

becomes:

Lew\'s >, <, & \"quote\"

If I don't stripslashes.

#3 @nacin
10 years ago

  • Keywords commit 3.2-early added; needs-testing removed
  • Milestone changed from Awaiting Review to Future Release

#4 @mikeschroder
9 years ago

  • Cc mike.schroder@… added
  • Keywords reporter-feedback added

Can you double-check to see if this is still a problem for you?
I'm not able to reproduce the issue on 3.2.1 or trunk -- perhaps it has been since fixed?

#5 @SergeyBiryukov
9 years ago

I can reproduce on trunk by clicking Add Video > From URL and putting the values mentioned in the ticket into the fields.

@mikeschroder
9 years ago

refreshed to current version & used svn diff to make this a bit easier to apply.

@mikeschroder
9 years ago

Got rid of the coding standards tabbing fix, since there are a lot more instances. That'll be for a different patch.

#6 @mikeschroder
9 years ago

  • Keywords reporter-feedback removed

You're correct! Apparently I tried every method of inserting but that one.
Patch works as advertised -- refreshed the patch to current code, and to get rid of the extra tabs added by the newlines in the patch.

#8 @SergeyBiryukov
9 years ago

  • Keywords 3.2-early removed
  • Milestone changed from Future Release to 3.3

#9 @ryan
9 years ago

Patch need refresh. 3.3 seems to have additional problems:

PHP Notice:  Undefined index: insertonly in /trunk/wp-admin/includes/media.php on line 515, referer: http://localhost/trunk/wp-admin/media-upload.php?post_id=2507&tab=type_url
PHP Notice:  Undefined index: insertonly in /trunk/wp-admin/includes/media.php on line 520, referer: http://localhost/trunk/wp-admin/media-upload.php?post_id=2507&tab=type_url
PHP Notice:  Undefined variable: html in /trunk/wp-admin/includes/media.php on line 532, referer: http://localhost/trunk/wp-admin/media-upload.php?post_id=2507&tab=type_url

#10 @nacin
9 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In [18992]:

Fix media/audio/file URL insertion. Strip slashes off title text. Leave red X to images only. fixes #14996. fixes #17578.

Note: See TracTickets for help on using tickets.