Make WordPress Core

Opened 3 years ago

Closed 2 years ago

#24418 closed defect (bug) (invalid)

$meta['quote_source_name'] in get_the_post_format_quote() needs to be escaped

Reported by: tollmanz Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.6
Component: Post Formats Keywords: has-patch
Focuses: Cc:


HTML in $meta['quote_source_name'] should be escaped when accessed via get_the_post_format_quote(). Adding certain HTML to the source name can break the layout.

For instance:


This can be recreated by doing the following:

  1. Add a new quote post
  2. Give it a title and some text
  3. In the "Quote Source" field, add </div>

Attachments (1)

24418.patch (921 bytes) - added by tollmanz 3 years ago.

Download all attachments as: .zip

Change History (4)

3 years ago

#1 @tollmanz
3 years ago

24418.patch escapes the data with esc_html().

#2 @SergeyBiryukov
3 years ago

  • Keywords has-patch commit added
  • Milestone changed from Awaiting Review to 3.6

#3 @ocean90
2 years ago

  • Keywords commit removed
  • Milestone 3.6 deleted
  • Resolution set to invalid
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.