Make WordPress Core

Opened 11 years ago

Closed 10 years ago

#24328 closed defect (bug) (duplicate)

blogname and blogdescription strip content between angle brackets

Reported by: aniketpant
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Administration
Keywords: has-patch
Focuses:
Cc:

Description

I was trying to set my Site Title to <?= test ?>. On saving the settings, the field returned empty. The same problem occurred with the Tagline.

After looking into wp-admin/options.php, I noticed that there was no provision made for escaping the fields.

Attachments (1)

24328.patch (610 bytes) - added by aniketpant 11 years ago.
Escapes blogname and blogdescription on update


Change History (8)

@aniketpant
11 years ago

Escapes blogname and blogdescription on update

#1 @aniketpant
11 years ago

  • Keywords has-patch added

#2 follow-up: @johnbillion
11 years ago

Input should be sanitised, output should be escaped. We should escape this coming out, not going in.

#3 follow-up: @nacin
11 years ago

Check out sanitize_option(). The input is being sanitized, which is why it is coming back empty. The issue is likely < and > causing strip_tags() to be overzealous.

#4 in reply to: ↑ 3 @aniketpant
11 years ago

Replying to nacin:

Check out sanitize_option(). The input is being sanitized, which is why it is coming back empty. The issue is likely < and > causing strip_tags() to be overzealous.

Yes. sanitize_option() is definitely making that happen. But what if I really want my website name to have < and >? I do not wish to enter them as &lt; and &gt;. If we think from an average user's point of view, and that person might want to include a symbol or tag of this sort, his value will not be accepted (which was the case for me). Further, after sanitization it sets it to null and stores it. The original value is lost without any error message or notification.

If WordPress will not allow for storing of these strings, then it should be explicitly mentioned as help text and also, the old value should not be lost.

#5 in reply to: ↑ 2 @aniketpant
11 years ago

Replying to johnbillion:

Input should be sanitised, output should be escaped. We should escape this coming out, not going in.

Yes. It should be sanitized, but there is no help text that says that a value of this sort will not be accepted. Furthermore, the new value is saved as null and no error message or warning is displayed.

I think we should think more on these lines.
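The following is an added example for this ticket; it is not code from WordPress core, from the attached patch, or from any commenter. It illustrates the three points made in comments #2 to #5 with plain PHP: why a strip_tags()-style sanitizer on input makes the reporter's title vanish, what "escape on output" (johnbillion's point) looks like instead, and how an update routine can keep the previous value and report an error rather than silently storing an empty string. The function names and the "previous value kept" policy are hypothetical, not WordPress API; the sample titles are constructed.

```php
<?php
// Added example, not WordPress core code. Function names are hypothetical.

function sanitize_title_by_stripping( string $value ): string {
    // Anything that parses as an HTML or PHP tag is discarded. "<?= test ?>"
    // is a PHP short-echo tag, so strip_tags() removes the whole title, which
    // is the behaviour nacin describes in comment #3.
    return trim( strip_tags( $value ) );
}

function escape_title_for_html( string $value ): string {
    // Output escaping: the stored string is left intact and the browser
    // renders "<", ">", "&" and quotes literally instead of parsing them.
    return htmlspecialchars( $value, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
}

/**
 * Apply a sanitizer to a submitted title, but refuse to overwrite the
 * current value with an empty result. Returns [ stored_value, error_or_null ].
 * Hypothetical policy, added here to show the "do not lose the old value"
 * behaviour the reporter asks for in comments #4 and #5.
 */
function update_title_safely( string $current, string $submitted, callable $sanitize ): array {
    $clean = $sanitize( $submitted );
    if ( $clean === '' && trim( $submitted ) !== '' ) {
        // The sanitizer removed everything: keep the old value and explain why.
        return [ $current, 'Angle-bracket content is not allowed in the title; previous value kept.' ];
    }
    return [ $clean, null ];
}

// Constructed sample inputs: the reporter's title, a tag-like title,
// an ampersand, and a plain title.
$samples = [ '<?= test ?>', 'Acme <Widgets>', 'Tom & Jerry', 'Plain Title' ];

foreach ( $samples as $title ) {
    printf( "submitted:  %s\n", $title );
    printf( "strip_tags: '%s'\n", sanitize_title_by_stripping( $title ) );
    printf( "escaped:    %s\n", escape_title_for_html( $title ) );
    [ $stored, $error ] = update_title_safely( 'Old Title', $title, 'sanitize_title_by_stripping' );
    printf( "stored:     %s%s\n\n", $stored, $error !== null ? " (error: $error)" : '' );
}
```

Run it with `php example.php`. The "escaped" line shows that keeping the raw title in storage costs nothing on the output side, since htmlspecialchars() neutralises the brackets when the title is rendered; the "stored" line shows that, if the project does decide to strip on input, the user-visible failure should be an error message next to the unchanged old value, not a silently emptied field.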

#6 @SergeyBiryukov
11 years ago

  • Summary changed from "blogname and blogdescription are not escaped" to "blogname and blogdescription strip content between angle brackets"

Related: #7559

#7 @SergeyBiryukov
10 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

#27942 has a patch for sanitize_option().
