Make WordPress Core

Opened 12 years ago

Closed 12 years ago

Last modified 4 years ago

#24300 closed defect (bug) (fixed)

Escaping of "_format_image" textarea

Reported by: tollmanz Owned by: SergeyBiryukov
Milestone: 3.6 Priority: normal
Severity: normal Version: 3.6
Component: Post Formats Keywords: has-patch
Focuses: Cc:

Description

I am seeing an issue with the escaping of the "_format_image" textarea in wp-admin/includes/post-formats.php on line 56 as of r24227. esc_html should be used instead of esc_html_e, which is meant for translatable strings.

Attachments (2)

24300.diff (919 bytes) - added by tollmanz 12 years ago.
24300.2.diff (2.0 KB) - added by SergeyBiryukov 12 years ago.


Change History (9)

@tollmanz
12 years ago

#1 @SergeyBiryukov
12 years ago

  • Keywords has-patch added
  • Milestone changed from Awaiting Review to 3.6
  • Version set to trunk

Introduced in [23843] for audio and video, in [24006] for image.

#2 @SergeyBiryukov
12 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 24228:

Use correct escaping function. props tollmanz. fixes #24300.

#3 follow-up: @johnbillion
12 years ago

Shouldn't this be esc_textarea()?

#4 in reply to: ↑ 3 @SergeyBiryukov
12 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Replying to johnbillion:

Shouldn't this be esc_textarea()?

Good call, thanks.

#5 @SergeyBiryukov
12 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 24230:

Use esc_textarea(), not esc_html(), for escaping textarea content. props johnbillion. fixes #24300.

#6 @tollmanz
12 years ago

Nice catch @johnbillion! I was so focused on the e that I missed the bigger picture.

This ticket was mentioned in Slack in #core-editor by mcsf.


4 years ago
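
The difference between the three functions discussed in this ticket, as an added example that is not part of the ticket or of WordPress core. The `model_*` functions are simplified stand-ins (assumptions) for `esc_html()`, `esc_html_e()` and `esc_textarea()`, and the sample strings and translation table are constructed.

```php
<?php
// Added example: simplified stand-ins for the WordPress helpers named in this
// ticket, so the script runs without WordPress. Names and data are hypothetical.

// Model of esc_html(): encodes < > & " ' but does not re-encode existing entities.
function model_esc_html( string $text ): string {
    return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8', false );
}

// Model of esc_html_e(): looks the text up as a translation key, then echoes it.
function model_esc_html_e( string $text, array $translations ): void {
    echo model_esc_html( $translations[ $text ] ?? $text );
}

// Model of esc_textarea(): encodes every "&", including ones that start an entity.
function model_esc_textarea( string $text ): string {
    return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8', true );
}

// What the browser holds in the textarea (and posts back on save) after it
// decodes the markup once.
function browser_value( string $markup ): string {
    return html_entity_decode( $markup, ENT_QUOTES, 'UTF-8' );
}

// Constructed sample: field content that mentions an entity and a closing tag.
$stored = 'Use &lt;br&gt; for a break </textarea><b>x</b>';

foreach ( array( 'model_esc_html', 'model_esc_textarea' ) as $escape ) {
    $markup = $escape( $stored );
    printf(
        "%-19s breaks out of textarea: %s, survives save: %s\n",
        $escape,
        strpos( $markup, '</textarea>' ) !== false ? 'yes' : 'no',
        browser_value( $markup ) === $stored ? 'yes' : 'no'
    );
}

// Constructed translation table: stored content that matches a key is replaced.
$translations = array( 'Image' => 'Bild' );
echo 'model_esc_html_e    outputs: ';
model_esc_html_e( 'Image', $translations );
echo "\n";
```

Both escaping models keep the content from closing the textarea, but only the `esc_textarea()` model hands the browser a value that decodes back to exactly what was stored. The last lines show the translation lookup that makes the `_e` variant unsuitable for stored field content.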
