Make WordPress Core

Opened 14 months ago

Last modified 14 months ago

#24328 new defect (bug)

blogname and blogdescription strip content between angle brackets

Reported by: aniketpant
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Administration
Keywords: has-patch
Focuses:
Cc:

Description

I was trying to set my Site Title to <?= test ?>. On saving the settings, the field returned empty. The same problem occurred with the Tagline.

After looking into wp-admin/options.php, I noticed that there was no provision made for escaping the fields.

Attachments (1)

24328.patch (610 bytes) - added by aniketpant 14 months ago.
Escapes blogname and blogdescription on update


Change History (7)

aniketpant 14 months ago

Escapes blogname and blogdescription on update

comment:1 aniketpant 14 months ago

  • Keywords has-patch added

comment:2 follow-up: johnbillion 14 months ago

Input should be sanitised, output should be escaped. We should escape this coming out, not going in.

comment:3 follow-up: nacin 14 months ago

Check out sanitize_option(). The input is being sanitized, which is why it is coming back empty. The issue is likely < and > causing strip_tags() to be overzealous.

comment:4 in reply to: ↑ 3 aniketpant 14 months ago

Replying to nacin:

Check out sanitize_option(). The input is being sanitized, which is why it is coming back empty. The issue is likely < and > causing strip_tags() to be overzealous.

Yes. sanitize_option() is definitely making that happen. But what if I really want my website name to have < and >. I do not wish to enter them as &lt; and &gt;. If we think from an average user's point of view, and that person might want to include a symbol or tag of this sort, his value will not be accepted (which was the case for me). Further, after sanitization it sets it to null and stores it. The original value is lost without any error message or notification.

If WordPress will not allow for storing of these strings, then it should be explicitly mentioned as help text and also, the old value should not be lost.

comment:5 in reply to: ↑ 2 aniketpant 14 months ago

Replying to johnbillion:

Input should be sanitised, output should be escaped. We should escape this coming out, not going in.

Yes. It should be sanitized, but there is no help text that says that a value of this sort will not be accepted. Furthermore, the new value is saved as null and no error message or warning is displayed.

I think we should think more on these lines.
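The following is an added example, not code from WordPress core or from anyone in this thread. It models in plain PHP the three points raised in comment:2 through comment:5: why strip_tags() turns the reporter's "<?= test ?>" into an empty string (comment:3), what "sanitize on input, escape on output" looks like in practice (comment:2), and the check the reporter asks for in comment:4 and comment:5, namely refusing to replace a stored value with an empty one without telling the user. The demo_* helpers are hypothetical names invented for this example; the real sanitize_option() does more than the single strip_tags() call modelled here.

```php
<?php
// Added example, not WordPress core code. The demo_* helpers are hypothetical
// stand-ins for the behaviour discussed in comment:2 to comment:5, not WordPress APIs.

// Stand-in for the strip_tags() step that sanitize_option() applies to blogname and
// blogdescription (assumption: only that strip_tags() step is modelled here).
function demo_sanitize_title(string $value): string {
    return trim(strip_tags($value));
}

// Escape on output (comment:2): keep the raw characters in storage and convert them
// to entities only at the point where the value is rendered into HTML.
function demo_escape_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The check asked for in comment:4 and comment:5: if sanitizing a non-empty input
// yields an empty string, keep the previously stored value and report the problem
// instead of silently storing an empty value.
function demo_update_title(string $stored, string $input): array {
    $clean = demo_sanitize_title($input);
    if ($clean === '' && trim($input) !== '') {
        return [
            'value' => $stored,
            'error' => 'Text between < and > was removed and nothing was left; the previous value was kept.',
        ];
    }
    return ['value' => $clean, 'error' => null];
}

$stored = 'My Blog';            // constructed: the value already saved in the database
$inputs = [                     // constructed sample inputs
    '<?= test ?>',      // the reporter's value: strip_tags() drops the whole "<?= ... ?>" sequence
    'Foo <b>Bar</b>',   // real markup is stripped, the surrounding text survives
    '1 < 2',            // "<" followed by whitespace is not treated as the start of a tag
    'I <3 PHP',         // "<" followed by a non-space opens a "tag"; with no ">" the rest is dropped
];

foreach ($inputs as $in) {
    $result = demo_update_title($stored, $in);
    printf("%-18s sanitized: %-16s stored: %-10s rendered: %s%s\n",
        var_export($in, true),
        var_export(demo_sanitize_title($in), true),
        var_export($result['value'], true),
        demo_escape_html($result['value']),
        $result['error'] ? '  [' . $result['error'] . ']' : '');
}
```

Run it with the PHP CLI (php demo.php). The first input is the ticket's case: the sanitized form is an empty string, so demo_update_title() keeps "My Blog" and returns an error message rather than an empty title. The last two inputs show that strip_tags() is sensitive to what follows "<", which is why a user typing a lone angle bracket gets inconsistent results and why the ticket suggests help text explaining the restriction.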

comment:6 SergeyBiryukov 14 months ago

  • Summary changed from blogname and blogdescription are not escaped to blogname and blogdescription strip content between angle brackets

Related: #7559
