Opened 15 years ago
Closed 14 years ago
#17401 closed defect (bug) (fixed)
Problems sanitizing image titles
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 3.3 | Priority: | low |
| Severity: | minor | Version: | 3.2 |
| Component: | Formatting | Keywords: | needs-patch |
| Focuses: | | Cc: | |
Description
Hello there.
If you upload an image in any article, you can put a title to it. If this title has a >, it breaks the img tag and shows incorrectly (broken) when publishing.
In the editor, when editing an article, all images are shown, even if they are broken when published.
I have tried to exploit it, but " is sanitized to ", so this is not a serious problem.
Change History (8)
#3 (in reply to #2), 15 years ago
- Milestone changed from Awaiting Review to 3.2
Replying to mfields:
This bug does not seem to be present in WordPress 3.1.3.
#4, 15 years ago
- Component changed from TinyMCE to Formatting
Yes, this is a TinyMCE change or fix (that we don't have control over). It seems < and > are allowed inside a title="..." attribute.
Actually the image breaks only if /> is used in the title and the breakage is caused by wp_texturize() that turns the remaining double quotes into curly quotes on display.
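The breakage described in this comment, as an added example that is not code from the ticket, WordPress or TinyMCE: escAttrFull mirrors the characters esc_attr() encodes, escAttrQuotesOnly is a hypothetical serializer that leaves < and > raw inside title="...", and texturize() is a deliberately simplified model of wp_texturize()'s tag skipping and curly-quote substitution.

```javascript
// Added example (not from the ticket, WordPress or TinyMCE). Shows why a title
// containing "/>" only survives display when < and > were entity-encoded on insert.

// Encodes the five HTML-significant characters, as esc_attr() does.
function escAttrFull(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#039;');
}

// Hypothetical serializer: encodes quotes only, leaving < and > raw in the attribute.
function escAttrQuotesOnly(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

function imgTag(src, title, esc) {
  return '<img src="' + esc(src) + '" title="' + esc(title) + '" />';
}

// Simplified wp_texturize(): split on anything that looks like a tag (ungreedy, so the
// first raw '>' ends it), leave tags untouched and curly-quote the text between them.
function texturize(html) {
  let open = true;
  return html.split(/(<[^>]*>)/).map(part => {
    if (part.startsWith('<')) return part;
    return part.replace(/"/g, () => { const q = open ? '\u201c' : '\u201d'; open = !open; return q; });
  }).join('');
}

// Does the displayed markup still read as one well-formed <img ... /> whose attribute
// values are all closed by a straight double quote?
function parsesAsOneImg(html) {
  return /^<img(?:\s+[a-z]+="[^"]*")*\s*\/>$/.test(html);
}

// Full pipeline: escape on insert, texturize on display, check the result.
function survivesDisplay(title, esc) {
  return parsesAsOneImg(texturize(imgTag('photo.png', title, esc)));
}

const TITLE = 'Sunset /> at the beach';                  // constructed sample title
console.log(survivesDisplay(TITLE, escAttrFull));        // true: "/&gt;" never ends the tag
console.log(survivesDisplay(TITLE, escAttrQuotesOnly));  // false: tag ends at "/>", next quote goes curly
```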
#6 (follow-up: #7), 15 years ago
- Milestone changed from 3.2 to Future Release
- Priority changed from normal to low
- Severity changed from normal to minor
In any case this will probably be fixed in an updated version of TinyMCE.
I was able to reproduce this bug in the latest nightly. Note: this applies only to the visual editor. Here is what I did:
The image should be sent to the editor and display correctly, however when you switch to the HTML tab, you will notice that the html looks something like this:
instead of this:
I inspected many of the php functions used during an "Insert into Post" request and they all appear to be escaping the title through esc_attr(). I believe that this bug is being caused by the html being processed by one of the TinyMCE libraries.