#15454 closed defect (bug) (fixed)
esc_textarea() for obvious textarea escaping function.
Reported by: | markjaquith | Owned by: | |
---|---|---|---|
Milestone: | 3.1 | Priority: | high |
Severity: | major | Version: | 3.1 |
Component: | General | Keywords: | has-patch commit |
Focuses: | Cc: |
Description
Alex King brought this up privately (in case it had security implications).
We escape data in textareas a bunch of different ways. Let's introduce esc_textarea()
and standardize around that.
Attachments (4)
Change History (27)
#6
@
14 years ago
- Resolution fixed deleted
- Severity changed from normal to major
- Status changed from closed to reopened
I found another instance of us double-escaping something that somehow hasn't been noticed yet. I think we should audit each of these situations by hand to ensure we're not accidentally double-escaping.
#11
@
14 years ago
- Keywords has-patch needs-testing added; needs-patch removed
There's this weird thing with sanitize_bookmark_field() and sanitize_term_field().
Originally, when $context = 'edit', they will run 'link_notes' and 'term_description' through format_to_edit($value). The 2nd parameter of format_to_edit() is left to default (which is false), which means format_to_edit($value) will escape the $value.
However, 'link_notes' and 'term_description' are already escaped before being inserted into the database (when $context = 'db'), because they're processed by "pre_link_notes" and "pre_term_description" filters, to which wp_filter_kses() is attached.
As a result, compounded with the effect of esc_textarea, these values are "triple-escaped".
I removed "format_to_edit()" from sanitize_bookmark_field() and sanitize_term_field(). However, this needs a sanity check.
#12
@
14 years ago
In current trunk, try entering this in Link Notes (Links -> Add Link), or Category Description (Post -> Categories -> Edit a category), or Biography Info (profile.php):
Test String < Hello
It will become this inside the textarea:
Test String < Hello
In the source code:
Test String &lt; Hello
This is probably the rationale behind esc_html() in sanitize_user_field() in the first place.
#14
@
14 years ago
Partial commit of rev3. I'll look at the remainder a little later. I think the htmlspecialchars() on selection in press-this.php was added for XSS reasons.
#15
@
14 years ago
For 3.1, let's limit this to fixing areas broken by the esc_textarea() commit. Let's leave the calls to format_to_edit() alone until 3.2.
#18
@
14 years ago
Alright. Just went through and audited the three dozen or so esc_textarea calls.
There are three textareas we're still escaping farther up the stack. In wp-admin/includes/nav-menu.php, there is a menu item description. Reverting to esc_html() handles everything except &
, so that's exactly what I'm doing.
Indeed there is a problem with both link_notes and term_description, but this is not a regression from 3.0. No one has noticed, so I'm inclined to punt and do a better audit of what's going on there (both into the DB and out again) in 3.2.
@
14 years ago
Hack to handle link_notes and term_description, from garyc40's 3rd patch. NOT a regression.
#20
@
14 years ago
- Keywords commit added; needs-testing removed
I'm satisfied that there are no more regressions caused by [16431].
Everything in garyc40-15454-rev3.patch is either handled by a recent commit or 15454.diff. Or, it's in press-this.php, which there's no need to touch. (We've broken press-this enough this cycle.)
Leaving open for final review by ryan. Suggesting commit 15454.diff and close as fixed for 3.1, and we can revisit textarea_escaped instances in a new ticket. Alternatively, punt to 3.2-early, but a note on the attachment, esc_html() handles everything that esc_textarea() does except that it does not re-escape, and it does not handle &
. So it should be considered safe. (And is far less destructive.)
#22
@
10 years ago
@nacin or @ryan or @markjaquith: Any odds you could chime in when you've a moment, to explain when and why esc_textarea()
is supposed to be used rather than esc_html()
? The codex is rather unclear on when to use it, and this ticket and others related to it give the impression that the only thing we introduced with esc_textarea()
were bugs and regressions.
The main difference I'm seeing between the two are:
esc_textarea()
will blissfully spit out invalid utf8 chars, whereasesc_html()
will strip themesc_textarea()
will double-encode html entities, whereasesc_html()
will not
I'm +1 for the idea.