Opened 9 years ago

Closed 8 years ago

#17401 closed defect (bug) (fixed)

Problems sanitizing image titles

Reported by: bi0xid
Owned by:
Milestone: 3.3
Priority: low
Severity: minor
Version: 3.2
Component: Formatting
Keywords: needs-patch
Focuses:
Cc:
PR Number:

Description

Hello there.

If you upload an image in any article, you can put a title to it. If this title has a >, it breaks the img tag and shows incorrectly (broken) when publishing.

In the editor, when editing an article, all images are shown, even if they are broken when published.

I have tried to exploit it, but " is sanitized to ", so this is not a serious problem.

Change History (8)

#1 @mfields
8 years ago

  • Cc michael@… added
  • Component changed from Media to TinyMCE

I was able to reproduce this bug in the latest nightly. Note: this applies only to the visual editor. Here is what I did:

  1. Edit a published post.
  2. Ensure the Visual tab is active in the editor.
  3. Click on a media icon and upload a new image.
  4. Set the title to: ">title< <title>" or similar.
  5. Click the "Insert into Post" button.

The image should be sent to the editor and display correctly, however when you switch to the HTML tab, you will notice that the html looks something like this:

title=">title< <title>"

instead of this:

title="&gt; title &lt; &lt;title&gt;"

I inspected many of the PHP functions used during an "Insert into Post" request and they all appear to be escaping the title through esc_attr(). I believe that this bug is being caused by the HTML being processed by one of the TinyMCE libraries.

#2 follow-ups: @mfields
8 years ago

This bug does not seem to be present in WordPress 3.1.3.

#3 in reply to: ↑ 2 @nacin
8 years ago

  • Milestone changed from Awaiting Review to 3.2

Replying to mfields:

This bug does not seem to be present in WordPress 3.1.3.

#4 @azaozz
8 years ago

  • Component changed from TinyMCE to Formatting

Yes, this is a TinyMCE change or fix (that we don't have control over). It seems < and > are allowed inside a title="..." attribute.

Actually the image breaks only if /> is used in the title and the breakage is caused by wp_texturize() that turns the remaining double quotes into curly quotes on display.
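
The breakage described in the comment above, as an added example that is not part of the ticket and is not WordPress or TinyMCE code. It is a reduced model that assumes a display filter which finds tags by stopping at the first `>` and curls double quotes everywhere else; `escapeAttr`, `curlQuotesOutsideTags`, `imgTag` and the sample title are hypothetical.

```javascript
// Added illustration: a simplified model, not WordPress or TinyMCE source code.

// Hypothetical helper doing what an attribute escaper such as esc_attr() is for:
// encode the characters that can terminate an attribute value or a tag.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Two ways to find tags. NAIVE_TAG ends a tag at the first ">", even inside a
// quoted attribute value. QUOTE_AWARE_TAG skips over quoted values first.
const NAIVE_TAG = /(<[^>]*>)/;
const QUOTE_AWARE_TAG = /(<(?:"[^"]*"|'[^']*'|[^'">])*>)/;

// Hypothetical display filter: leaves tags alone and curls straight double
// quotes in the text between them (assumed, much-reduced formatter behaviour).
function curlQuotesOutsideTags(html, tagPattern) {
  return html
    .split(tagPattern)
    // split() with a capture group puts the matched tags at odd indexes
    .map((part, i) => (i % 2 === 1 ? part : part.replace(/"/g, '\u201d')))
    .join('');
}

function imgTag(titleAttr) {
  return '<img src="photo.jpg" title="' + titleAttr + '" alt="" />';
}

// Constructed sample title containing "/>", as in the ticket.
const title = 'before /> after';
const rawTag = imgTag(title);
const escapedTag = imgTag(escapeAttr(title));

console.log(curlQuotesOutsideTags(rawTag, NAIVE_TAG));       // tag cut short, later quotes curled
console.log(curlQuotesOutsideTags(escapedTag, NAIVE_TAG));   // tag passes through unchanged
console.log(curlQuotesOutsideTags(rawTag, QUOTE_AWARE_TAG)); // tag passes through unchanged
```

Either escaping the attribute value before it reaches the markup or making the tag matcher quote-aware keeps the `img` tag intact; relying on only one of them leaves the other path open to the same breakage.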

#5 in reply to: ↑ 2 @bi0xid
8 years ago

Replying to mfields:

This bug does not seem to be present in WordPress 3.1.3.

It was reported as 3.2, and really I didn't test it in 3.1.3. With my 3.1.3 tests, as in mfields', the bug is not present.

#6 follow-up: @azaozz
8 years ago

  • Milestone changed from 3.2 to Future Release
  • Priority changed from normal to low
  • Severity changed from normal to minor

In any case this will probably be fixed in an updated version of TinyMCE.

#7 in reply to: ↑ 6 @bi0xid
8 years ago

Replying to azaozz:

In any case this will probably be fixed in an updated version of TinyMCE.

In any case, it is not exploitable, so we can wait for sure.

#8 @SergeyBiryukov
8 years ago

  • Milestone changed from Future Release to 3.3
  • Resolution set to fixed
  • Status changed from new to closed

Can't reproduce in trunk using the steps described by @mfields. Seems to be fixed in [18660].
