Opened 14 years ago
Closed 14 years ago
#15505 closed defect (bug) (fixed)
Excerpt is being double-escaped
Reported by: | Viper007Bond | Owned by: | |
---|---|---|---|
Milestone: | 3.1 | Priority: | normal |
Severity: | normal | Version: | 3.1 |
Component: | Administration | Keywords: | has-patch |
Focuses: | | Cc: | |
Description
If you use HTML inside of the excerpt box in the admin area and then save the post, it will show up in the textarea being double-escaped. This is because $post->post_excerpt is already being escaped elsewhere (sanitize_post() or whatever, I don't have time at the moment to track it down).
The solution is to not use esc_textarea() in this particular case.
Attachments (1)
Change History (5)
#2
@
14 years ago
The edit action in wp-admin/post.php fetches the post with get_post_to_edit(). This goes through the post sanitation and eventually calls format_to_edit() on the excerpt. This escaped post object is passed to all of the meta boxes. post_content, post_title, post_excerpt, and post_password all get the format_to_edit() treatment.
Aside: Perhaps format_to_edit() should use esc_textarea().
I'd like to make a comment there then, that says "already escaped". I would really like to track down where it is being escaped, to ensure it is being consistently escaped, and possibly comment there too that it's being used in a textarea.
Are we sure it's being escaped completely? We need to double-encode entities.
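
Added example, not part of the ticket thread and not WordPress code: a stand-alone PHP model of the double escape discussed above, and of why the single remaining escape pass still has to encode entities that are already in the stored text. The `model_*` and `browser_textarea_value()` functions are hypothetical stand-ins built on plain `htmlspecialchars()`, and the sample excerpt is constructed.

```php
<?php
// Added illustration; not WordPress code. The model_* functions are hypothetical
// stand-ins for the two escaping steps described in the ticket.

// Stand-in for the escaping applied when the post is fetched for editing.
function model_format_to_edit(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'); // double_encode defaults to true
}

// Stand-in for a second escape applied inside the meta box template.
function model_escape_in_metabox(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// What the user sees: a browser decodes entities inside <textarea> exactly once.
function browser_textarea_value(string $markup): string {
    return html_entity_decode($markup, ENT_QUOTES, 'UTF-8');
}

// Constructed sample excerpt: HTML tags, a bare ampersand and a literal entity.
$stored = '<em>Tom & Jerry</em> &copy; "2010"';

$once  = model_format_to_edit($stored);
$twice = model_escape_in_metabox($once);
// Same single pass, but leaving existing entities alone (double_encode = false).
$lazy  = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8', false);

$cases = [
    'escaped once'            => $once,
    'escaped twice (the bug)' => $twice,
    'once, double_encode off' => $lazy,
];

foreach ($cases as $label => $markup) {
    $shown = browser_textarea_value($markup);
    printf("%-26s markup: %s\n", $label, $markup);
    printf("%-26s shown:  %s\n", '', $shown);
    printf("%-26s round-trips: %s\n\n", '', $shown === $stored ? 'yes' : 'NO');
}
```

Only the first case shows the stored text unchanged in the textarea: the second displays `&lt;em&gt;` to the user, and the third silently turns the literal `&copy;` into `©`, which would be written back on save.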