Context Navigation

← Previous Ticket
Next Ticket →

#24418 closed defect (bug) (invalid)

$meta['quote_source_name'] in get_the_post_format_quote() needs to be escaped

Reported by:	tollmanz	Owned by:
Milestone:		Priority:	normal
Severity:	normal	Version:	3.6
Component:	Post Formats	Keywords:	has-patch
Focuses:		Cc:

Description

HTML in $meta['quote_source_name'] should be escaped when accessed via get_the_post_format_quote(). Adding certain HTML to the source name can break the layout.

For instance:

This can be recreated by doing the following:

Add a new quote post
Give it a title and some text
In the "Quote Source" field, add </div>

Attachments (1)

24418.patch (921 bytes) - added by tollmanz 13 years ago.

Download all attachments as: .zip

Change History (4)

@tollmanz
13 years ago

Attachment 24418.patch added

#1 @tollmanz
13 years ago

24418.patch escapes the data with esc_html().

#2 @SergeyBiryukov
13 years ago

Keywords has-patch commit added
Milestone changed from Awaiting Review to 3.6

#3 @ocean90
13 years ago

Keywords commit removed
Milestone 3.6 deleted
Resolution set to invalid
Status changed from new to closed

[24399] / #24452

Note: See TracTickets for help on using tickets.

Trac UI Preferences

Download in other formats:

Make WordPress Core