Make WordPress Core

Opened 4 years ago

Closed 3 years ago

#18445 closed defect (bug) (fixed)

Unifiltered text can be inserted via Link Image To field when side-loading media

Reported by: DrewAPicture Owned by: azaozz
Milestone: 3.3 Priority: normal
Severity: normal Version: 3.2.1
Component: Formatting Keywords: has-patch dev-feedback
Focuses: Cc:


It looks like the replace methods were left out for f.url.value in wp-admin/includes/media.php. Thus, unfiltered text including complete javascript strings can be passed through the 'Link Image To' field when side-loading media via the 'From URL' tab. The unfiltered text is dropped untouched into the media's link tag and has potential to wreak havoc.


In posting page-> Add media > Goto 'From URL' tab > Input a url to a valid remote image > Input special characters into the 'Link Image To' field > Insert into post.

Attachments (1)

18445.diff (737 bytes) - added by DrewAPicture 4 years ago.
Remade patch root-relative at 18759

Download all attachments as: .zip

Change History (7)

comment:1 @DrewAPicture4 years ago

  • Keywords has-patch added; needs-patch removed

comment:2 @SergeyBiryukov4 years ago

  • Milestone changed from Awaiting Review to 3.3

comment:3 @DrewAPicture4 years ago

  • Component changed from Validation to Formatting

Tested on trunk and inserted media URLs are now filtered as expected.

Version 0, edited 4 years ago by DrewAPicture (next)

comment:4 @DrewAPicture4 years ago

  • Keywords dev-feedback added

@DrewAPicture4 years ago

Remade patch root-relative at 18759

comment:5 @nacin3 years ago

  • Owner set to azaozz
  • Status changed from new to assigned

comment:6 @azaozz3 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In [19275]:

Filter the link href when inserting external image in the editor, props DrewAPicture, fixes #18445

Note: See TracTickets for help on using tickets.