WordPress.org

Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#15505 closed defect (bug) (fixed)

Excerpt is being double-escaped

Reported by: Viper007Bond
Owned by:
Milestone: 3.1
Priority: normal
Severity: normal
Version: 3.1
Component: Administration
Keywords: has-patch
Focuses:
Cc:

Description

If you use HTML inside of the excerpt box in the admin area and then save the post, it will show up in the textarea being double-escaped. This is because $post->post_excerpt is already being escaped elsewhere (sanitize_post() or whatever, I don't have time at the moment to track it down).

The solution is to not use esc_textarea() in this particular case.

Attachments (1)

15505.patch (921 bytes) - added by Viper007Bond 3 years ago.


Change History (5)

Viper007Bond 3 years ago

comment:1 nacin 3 years ago

I'd like to make a comment there then, that says "already escaped". I would really like to track down where it is being escaped, to ensure it is being consistently escaped, and possibly comment there too that it's being used in a textarea.

Are we sure it's being escaped completely? We need to double-encode entities.

comment:2 ryan 3 years ago

The edit action in wp-admin/post.php fetches the post with get_post_to_edit(). This goes through the post sanitation and eventually calls format_to_edit() on the excerpt. This escaped post object is passed to all of the meta boxes. post_content, post_title, post_excerpt, and post_password all get the format_to_edit() treatment.

Aside: Perhaps format_to_edit() should use esc_textarea().

comment:3 ryan 3 years ago

(In [16502]) Don't esc_textarea() in meta boxes since the post object is already escaped. Props Viper007Bond. see #15505

comment:4 ryan 3 years ago

  • Resolution set to fixed
  • Status changed from new to closed
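
The double-escaping described in this ticket, and the entity question raised in comment:1, reproduced in plain PHP as an added example (not WordPress core code and not the attached patch). `escape_for_textarea()` and `browser_renders()` are hypothetical helpers built on PHP's `htmlspecialchars()`, and the sample excerpts are constructed.

```php
<?php
// Added illustration; plain PHP, no WordPress loaded.
// escape_for_textarea() is a hypothetical stand-in for a textarea escaping
// helper; it is not the WordPress implementation.
function escape_for_textarea(string $text, bool $double_encode = true): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', $double_encode);
}

// Approximates what a browser displays inside <textarea>: the markup's
// entities are decoded exactly once.
function browser_renders(string $markup): string {
    return htmlspecialchars_decode($markup, ENT_QUOTES);
}

// Constructed sample excerpts (not taken from the ticket).
$samples = [
    'html tag'       => 'An <em>excerpt</em> with "quotes"',
    'literal entity' => 'Type &lt;b&gt; to start bold text',
];

foreach ($samples as $label => $raw) {
    // Escaped once at a single boundary: the editor shows what was stored.
    $once = escape_for_textarea($raw);
    // Escaped upstream and again in the meta box: the bug in this ticket.
    $twice = escape_for_textarea($once);
    // Escaped once but without re-encoding existing entities: a literal
    // "&lt;" typed by the author is silently turned into "<" in the editor.
    $lossy = escape_for_textarea($raw, false);

    printf("[%s]\n", $label);
    printf("  stored:              %s\n", $raw);
    foreach (['once' => $once, 'twice' => $twice, 'no double_encode' => $lossy] as $how => $markup) {
        $shown = browser_renders($markup);
        printf("  %-17s shown: %s  (round trip %s)\n",
            $how, $shown, $shown === $raw ? 'ok' : 'BROKEN');
    }
}
```

Only the "once" variant round-trips both samples, which is why the value needs exactly one escaping step with entities double-encoded. Removing the second call is safe only while the upstream step is guaranteed to have escaped the value.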