WordPress.org

Make WordPress Core

Opened 8 years ago

Closed 6 years ago

Last modified 6 years ago

#18056 closed defect (bug) (fixed)

dc:creator needs to be escaped in RSS feed

Reported by: Nettsentrisk
Owned by: wonderboymusic
Milestone: 3.7
Priority: normal
Severity: major
Version: 3.2
Component: Feeds
Keywords: has-patch needs-testing

Description (last modified by SergeyBiryukov)

If the author name contains any special characters, they might end up in the RSS feed unescaped, causing failed feed validation and thus causing problems for many readers.

The code now is:

<dc:creator><?php the_author() ?></dc:creator>

Shouldn't this be:

<dc:creator><![CDATA[<?php the_author() ?>]]></dc:creator>

Or:

<dc:creator><?php echo htmlspecialchars( get_the_author() ) ?></dc:creator>

This might be a result of a custom author plugin not escaping these characters on the way into the database, but WordPress should handle this more robustly to prevent plugin authors from messing things up like this.

Attachments (2)

18056.diff (2.2 KB) - added by pathawks 6 years ago.
18056.2.diff (2.6 KB) - added by wonderboymusic 6 years ago.


Change History (9)

#1 @SergeyBiryukov
6 years ago

  • Description modified (diff)

Related: #17767

#2 @westi
6 years ago

  • Keywords needs-patch added; has-patch removed
  • Milestone changed from Awaiting Review to 3.7

@pathawks
6 years ago

#3 @pathawks
6 years ago

  • Keywords has-patch needs-testing added; needs-patch removed

#4 @wonderboymusic
6 years ago

The default filters send the_author() through ent2ncr(), which is consistent with other fields. The CDATA-wrapping was not consistent, though; my new patch reflects that.

#5 @wonderboymusic
6 years ago

  • Owner set to wonderboymusic
  • Resolution set to fixed
  • Status changed from new to closed

In 25315:

Consistently wrap author and excerpt nodes with CDATA in feeds.

Fixes #18056.
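
The options raised in this ticket, as an added example that is not code from WordPress or from the attached patches: it compares raw output, entity escaping, and CDATA wrapping of an author name, and goes one step further by handling a name that contains `]]>`, which would otherwise close a CDATA section early. The helper names (`feed_escape_entities`, `feed_wrap_cdata`, `parse_creator`) and the sample author names are hypothetical; the PHP `dom` extension is assumed to be available.

```php
<?php
// Added illustration; helper names are hypothetical, not WordPress functions.

// Entity-escape text for use as XML element content.
function feed_escape_entities( string $text ): string {
    return htmlspecialchars( $text, ENT_XML1 | ENT_QUOTES, 'UTF-8' );
}

// Wrap text in CDATA. A literal "]]>" would end the section early, so it is
// split across two adjacent CDATA sections.
function feed_wrap_cdata( string $text ): string {
    return '<![CDATA[' . str_replace( ']]>', ']]]]><![CDATA[>', $text ) . ']]>';
}

// Return the text a parser sees in dc:creator, or null if not well-formed.
function parse_creator( string $inner ): ?string {
    $xml = '<item xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>'
         . $inner . '</dc:creator></item>';
    $prev = libxml_use_internal_errors( true ); // collect errors, no warnings
    $doc  = new DOMDocument();
    $ok   = $doc->loadXML( $xml );
    libxml_clear_errors();
    libxml_use_internal_errors( $prev );
    return $ok ? $doc->documentElement->textContent : null;
}

// Constructed sample author names.
$names = array( 'Smith & Sons', 'A <b>bold</b> author', 'odd ]]> name' );

foreach ( $names as $name ) {
    $variants = array(
        'raw'         => $name,                          // unescaped output
        'entities'    => feed_escape_entities( $name ),
        'naive cdata' => '<![CDATA[' . $name . ']]>',    // no "]]>" handling
        'split cdata' => feed_wrap_cdata( $name ),
    );
    foreach ( $variants as $label => $inner ) {
        $parsed = parse_creator( $inner );
        printf( "%-22s %-12s %s\n", $name, $label,
            null === $parsed ? 'NOT well-formed' : 'parsed as: ' . $parsed );
    }
}
```

A variant is safe for a given name only when the parser returns exactly the original string; a result that parses but differs from the input means the name was interpreted as markup.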

#6 @Latz
6 years ago

#20888 was marked as a duplicate.

This ticket was mentioned in IRC in #wordpress-dev by ocean90.


6 years ago
