Opened 14 months ago

Closed 14 months ago

Last modified 14 months ago

#24300 closed defect (bug) (fixed)

Escaping of "_format_image" textarea

Reported by: tollmanz
Owned by: SergeyBiryukov
Milestone: 3.6
Priority: normal
Severity: normal
Version: 3.6
Component: Post Formats
Keywords: has-patch
Focuses:
Cc:

Description

I am seeing an issue with the escaping of the "_format_image" textarea in wp-admin/includes/post-formats.php on line 56 as of r24227. esc_html should be used instead of esc_html_e, which is meant for translatable strings.

Attachments (2)

24300.diff (919 bytes) - added by tollmanz 14 months ago.
24300.2.diff (2.0 KB) - added by SergeyBiryukov 14 months ago.

Change History (8)

tollmanz 14 months ago

SergeyBiryukov 14 months ago

comment:1 SergeyBiryukov 14 months ago

  • Keywords has-patch added
  • Milestone changed from Awaiting Review to 3.6
  • Version set to trunk

Introduced in [23843] for audio and video, in [24006] for image.

comment:2 SergeyBiryukov 14 months ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 24228:

Use correct escaping function. props tollmanz. fixes #24300.

comment:3 follow-up: johnbillion 14 months ago

Shouldn't this be esc_textarea()?

comment:4 in reply to: ↑ 3 SergeyBiryukov 14 months ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Replying to johnbillion:

Shouldn't this be esc_textarea()?

Good call, thanks.

comment:5 SergeyBiryukov 14 months ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 24230:

Use esc_textarea(), not esc_html(), for escaping textarea content. props johnbillion. fixes #24300.

comment:6 tollmanz 14 months ago

Nice catch @johnbillion! I was so focused on the e that I missed the bigger picture.
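
The difference behind the switch from esc_html() to esc_textarea() in [24230], as an added example that is not part of the ticket or of WordPress core. The `model_*` functions and `browser_textarea_value()` are hypothetical stand-ins built on plain PHP, assuming esc_html() skips entities that are already encoded while esc_textarea() encodes every `&`; the stored value is constructed.

```php
<?php
// Stand-in for esc_html(): existing entities are left alone
// (double_encode = false). Assumption: filters and charset options omitted.
function model_esc_html( string $text ): string {
    return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8', false );
}

// Stand-in for esc_textarea(): every "&" is encoded, including the one
// that starts an entity the author typed literally.
function model_esc_textarea( string $text ): string {
    return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8', true );
}

// Models what the browser places in the editable field: character
// references inside <textarea> are decoded exactly once.
function browser_textarea_value( string $markup ): string {
    return html_entity_decode( $markup, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

// Constructed stored value: literal entities typed by the author, plus
// markup that would close the field early if it were printed unescaped.
$stored = 'Docs say &lt;b&gt; is bold </textarea> &amp; more';

foreach ( array( 'model_esc_html', 'model_esc_textarea' ) as $escaper ) {
    $markup   = $escaper( $stored );
    $editable = browser_textarea_value( $markup );

    // Both escapers must neutralise the closing tag.
    $contained = ( false === strpos( $markup, '</textarea>' ) );

    printf(
        "%s\n  markup:     %s\n  contained:  %s\n  round-trip: %s\n\n",
        $escaper,
        $markup,
        $contained ? 'yes' : 'NO',
        $editable === $stored ? 'unchanged' : 'ALTERED -> ' . $editable
    );
}
```

Both variants keep `</textarea>` from closing the field, but only the esc_textarea() model hands the stored text back unchanged; with the esc_html() model the literal `&lt;b&gt;` reaches the editor as `<b>` and would be saved that way on the next update.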