Opened 11 years ago
Closed 10 years ago
#24328 closed defect (bug) (duplicate)
blogname and blogdescription strip content between angle brackets
| Reported by: | aniketpant | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Administration | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
I was trying to set my Site Title to <?= test ?>. On saving the settings, the field returned empty. The same problem occurred with the Tagline.
After looking into wp-admin/options.php, I noticed that there was no provision made for escaping the fields.
Attachments (1)
Change History (8)
#2 @johnbillion, 11 years ago (follow-up: ↓ 5)
Input should be sanitised, output should be escaped. We should escape this coming out, not going in.
#3 @nacin, 11 years ago (follow-up: ↓ 4)
Check out sanitize_option(). The input is being sanitized, which is why it is coming back empty. The issue is likely < and > causing strip_tags() to be overzealous.
#4 in reply to: ↑ 3, 11 years ago
Replying to nacin:
Check out sanitize_option(). The input is being sanitized, which is why it is coming back empty. The issue is likely < and > causing strip_tags() to be overzealous.
Yes. sanitize_option() is definitely making that happen. But what if I really want my website name to have < and >. I do not wish to enter them as < and >. If we think from an average user's point of view, and that person might want to include a symbol or tag of this sort, his value will not be accepted (which was the case for me). Further, after sanitization it sets it to null and stores it. The original value is lost without any error message or notification.
If WordPress will not allow for storing of these strings, then it should be explicitly mentioned as help text and also, the old value should not be lost.
#5 in reply to: ↑ 2, 11 years ago
Replying to johnbillion:
Input should be sanitised, output should be escaped. We should escape this coming out, not going in.
Yes. It should be sanitized, but there is no help text that says that a value of this sort will not be accepted. Furthermore, the new value is saved as null and no error message or warning is displayed.
I think we should think more on these lines.
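The three points raised in this thread (nacin's explanation in #3 of why a strip_tags()-based sanitizer empties the field, johnbillion's "sanitize input, escape output" principle in #2, and the reporter's complaint in #4 and #5 that the old value is silently replaced with nothing) are illustrated below in a small stand-alone PHP script. It is an added example, not WordPress code: `sanitize_like_strip_tags()`, `escape_for_html()` and `update_title_with_feedback()` are hypothetical names, and the assumption that sanitize_option() behaves like a plain strip_tags() call follows nacin's "likely" in #3 rather than the real implementation.

```php
<?php
// Added example (not WordPress code). Assumes, per comment #3, that the
// option sanitizer behaves like strip_tags(), which removes anything that
// looks like an HTML or PHP tag, including the reporter's "<?= test ?>".
function sanitize_like_strip_tags(string $value): string {
    return trim(strip_tags($value));
}

// Output-side escaping (comment #2): the stored value is left intact and is
// neutralised only at the point where it is rendered into HTML.
function escape_for_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Comments #4/#5: if sanitization would wipe out a non-empty submission,
// keep the current value and return an explanation instead of storing null.
// Hypothetical helper; the message text is constructed for this example.
function update_title_with_feedback(string $current, string $submitted): array {
    $clean = sanitize_like_strip_tags($submitted);
    if ($submitted !== '' && $clean === '') {
        return [
            'value' => $current,
            'error' => 'The title was not changed: it consisted only of tag-like text '
                     . '(< ... >) which this field does not accept.',
        ];
    }
    if ($clean !== $submitted) {
        // Partially stripped: store what survives, but say so.
        return [
            'value' => $clean,
            'error' => 'Tag-like text between < and > was removed from the title.',
        ];
    }
    return ['value' => $clean, 'error' => null];
}

// Constructed sample titles.
$samples = [
    '<?= test ?>',       // the reporter's title: a PHP short echo tag
    'Tom & <Jerry>',     // brackets around a word, not intended as markup
    '<b>Acme</b> Corp',  // genuine HTML in a title
    'Plain Title',       // nothing to strip
];

$stored = 'Old Title';
foreach ($samples as $title) {
    printf("submitted                     : %s\n", $title);
    printf("strip_tags sanitizer would keep: %s\n",
        var_export(sanitize_like_strip_tags($title), true));
    printf("stored raw, escaped on output  : %s\n", escape_for_html($title));
    $result = update_title_with_feedback($stored, $title);
    printf("with feedback -> value %s, error %s\n\n",
        var_export($result['value'], true),
        var_export($result['error'], true));
}
```

Running it shows that `strip_tags('<?= test ?>')` returns an empty string, which is exactly the symptom in the ticket description, while `htmlspecialchars()` keeps the same title as `&lt;?= test ?&gt;`, safe to print. The feedback variant keeps `'Old Title'` for that input and reports why, rather than overwriting it with nothing.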
Escapes blogname and blogdescription on update