Opened 12 years ago
Closed 9 years ago
#22135 closed defect (bug) (fixed)
Special characters in caption lead to failure of inserting images
Reported by: | TobiasBg | Owned by: | chriscct7 |
---|---|---|---|
Milestone: | 4.4 | Priority: | normal |
Severity: | normal | Version: | 3.4.2 |
Component: | Media | Keywords: | has-patch |
Focuses: | javascript, administration | Cc: |
Description
Found this when double-checking #22132:
- Go to add a new post.
- Click "Upload/Insert" (the "old" media upload).
- Upload an image, or go to choose one from the media library.
- Insert
Title"<script>alert('Title');</script>
in the "Caption" field. - Click "Insert into Post".
Instead of the image (or Shortcode) being added to the editor (with a somehow escaped caption field), the media upload iframe just gets a new content:
[/caption]'); /* ]]> */
Reproduced in 3.4.2 and trunk.
Attachments (3)
Change History (14)
#1
@
12 years ago
I was able to reproduce the error. It also allowed the alert on the front end. I am not sure if this will need to be addressed once the new media update is fully implemented.
#4
@
11 years ago
- Keywords has-patch added
I investigated this some more, and the problem is the argument that is passed to the JS send_to_editor
function via PHP, in this line of wp-admin/includes/media.php
.
Basically, addslashes()
is not enough to protect against an input of
foo</script>bar
(in the Caption field in the old media uploader) prematurely ending the JS. This results in a script error, so that the remaining output is printed in the frame (as in the screenshot above).
Compare this generated HTML/JS (some attributes from the <img>
and [caption]
stripped):
/* <![CDATA[ */ var win = window.dialogArguments || opener || parent || top; win.send_to_editor('[caption]<img src=\"http://example.com/img.jpg\" /> foo</script>bar[/caption]'); /* ]]> */
addslashes()
only escaped the '
and "
but leaves /
untouched. This is then a problem for any input that contains </script>
, as that ends the <script>
block early. For other closing HTML tags (like </em>
) this is no problem however.
Now, the old media uploader is no longer used by Core, but it's still being used in several plugins. And although this an edge case that can only be triggered with </script>
, the fix is very easy: Let's use json_encode()
instead of addslashes()
, as that also escapes all /
.
The attached patch 22135.patch does that.
#5
@
11 years ago
- Focuses javascript administration added
- Milestone changed from Awaiting Review to 3.9
#6
@
11 years ago
- Keywords needs-testing added
- Milestone changed from 3.9 to Future Release
- Priority changed from normal to lowest
Talked to gcorne about this; we both have a hunch there are some edge cases here. Since this is very low priority (it's the old modal) and not easy to trigger, I'm going to punt on this.
#7
@
9 years ago
- Keywords 2nd-opinion needs-testing removed
- Milestone changed from Future Release to 4.4
- Owner set to chriscct7
- Priority changed from lowest to normal
- Status changed from new to accepted
The alert isn't an issue when the image is inserted by an admin level users, since unfiltered_html will allow for that. Verified it does not alert when done by an author level account.
While it's an edgecase, it's a relatively easy bug to simply fix given its one line.
This ticket was mentioned in Slack in #core by chriscct7. View the logs.
9 years ago
#10
@
9 years ago
- Keywords needs-refresh removed
22135.2.diff is a refreshed patch that also uses wp_json_encode()
for some extra sanity checks instead of the basic json_encode()
.
screenshot of the error