Make WordPress Core

Opened 11 years ago

Closed 8 years ago

#22135 closed defect (bug) (fixed)

Special characters in caption lead to failure of inserting images

Reported by: tobiasbg's profile TobiasBg Owned by: chriscct7's profile chriscct7
Milestone: 4.4 Priority: normal
Severity: normal Version: 3.4.2
Component: Media Keywords: has-patch
Focuses: javascript, administration Cc:

Description

Found this when double-checking #22132:

  1. Go to add a new post.
  2. Click "Upload/Insert" (the "old" media upload).
  3. Upload an image, or go to choose one from the media library.
  4. Insert Title"<script>alert('Title');</script> in the "Caption" field.
  5. Click "Insert into Post".

Instead of the image (or Shortcode) being added to the editor (with a somehow escaped caption field), the media upload iframe just gets a new content:

[/caption]'); /* ]]> */

Reproduced in 3.4.2 and trunk.

Attachments (3)

caption-error.png (19.5 KB) - added by MikeHansenMe 11 years ago.
screenshot of the error
22135.patch (487 bytes) - added by TobiasBg 10 years ago.
Use json_encode instead of addslashes
22135.2.diff (481 bytes) - added by TobiasBg 8 years ago.

Download all attachments as: .zip

Change History (14)

@MikeHansenMe
11 years ago

screenshot of the error

#1 @MikeHansenMe
11 years ago

I was able to reproduce the error. It also allowed the alert on the front end. I am not sure if this will need to be addressed once the new media update is fully implemented.

#2 @MikeHansenMe
11 years ago

  • Cc mdhansen@… added

#3 @MikeHansenMe
11 years ago

  • Keywords 2nd-opinion added

@TobiasBg
10 years ago

Use json_encode instead of addslashes

#4 @TobiasBg
10 years ago

  • Keywords has-patch added

I investigated this some more, and the problem is the argument that is passed to the JS send_to_editor function via PHP, in this line of wp-admin/includes/media.php.
Basically, addslashes() is not enough to protect against an input of

foo</script>bar

(in the Caption field in the old media uploader) prematurely ending the JS. This results in a script error, so that the remaining output is printed in the frame (as in the screenshot above).
Compare this generated HTML/JS (some attributes from the <img> and [caption] stripped):

/* <![CDATA[ */
var win = window.dialogArguments || opener || parent || top;
win.send_to_editor('[caption]<img src=\"http://example.com/img.jpg\" /> foo</script>bar[/caption]');
/* ]]> */

addslashes() only escaped the ' and " but leaves / untouched. This is then a problem for any input that contains </script>, as that ends the <script> block early. For other closing HTML tags (like </em>) this is no problem however.

Now, the old media uploader is no longer used by Core, but it's still being used in several plugins. And although this an edge case that can only be triggered with </script>, the fix is very easy: Let's use json_encode() instead of addslashes(), as that also escapes all /.
The attached patch 22135.patch does that.

#5 @TobiasBg
10 years ago

  • Focuses javascript administration added
  • Milestone changed from Awaiting Review to 3.9

#6 @nacin
10 years ago

  • Keywords needs-testing added
  • Milestone changed from 3.9 to Future Release
  • Priority changed from normal to lowest

Talked to gcorne about this; we both have a hunch there are some edge cases here. Since this is very low priority (it's the old modal) and not easy to trigger, I'm going to punt on this.

#7 @chriscct7
8 years ago

  • Keywords 2nd-opinion needs-testing removed
  • Milestone changed from Future Release to 4.4
  • Owner set to chriscct7
  • Priority changed from lowest to normal
  • Status changed from new to accepted

The alert isn't an issue when the image is inserted by an admin level users, since unfiltered_html will allow for that. Verified it does not alert when done by an author level account.

While it's an edgecase, it's a relatively easy bug to simply fix given its one line.

This ticket was mentioned in Slack in #core by chriscct7. View the logs.


8 years ago

#9 @wonderboymusic
8 years ago

  • Keywords needs-refresh added

patch is exploding

@TobiasBg
8 years ago

#10 @TobiasBg
8 years ago

  • Keywords needs-refresh removed

22135.2.diff is a refreshed patch that also uses wp_json_encode() for some extra sanity checks instead of the basic json_encode().

#11 @wonderboymusic
8 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 35677:

Media: in media_send_to_editor(), use wp_json_encode() instead of addslashes().

Props TobiasBg.
Fixes #22135.

Note: See TracTickets for help on using tickets.