WordPress.org

Make WordPress Core

#24418 closed defect (bug) (invalid)

$meta['quote_source_name'] in get_the_post_format_quote() needs to be escaped

Reported by: tollmanz
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.6
Component: Post Formats
Keywords: has-patch
Focuses:
Cc:

Description

HTML in $meta['quote_source_name'] should be escaped when accessed via get_the_post_format_quote(). Adding certain HTML to the source name can break the layout.

For instance:

http://f.cl.ly/items/401H1G3m1a0T2h3t1S0g/Screen%20Shot%202013-05-24%20at%209.31.23%20PM.png

This can be recreated by doing the following:

  1. Add a new quote post
  2. Give it a title and some text
  3. In the "Quote Source" field, add </div>

Attachments (1)

24418.patch (921 bytes) - added by tollmanz 11 months ago.

Change History (4)

tollmanz 11 months ago

comment:1 tollmanz 11 months ago

24418.patch escapes the data with esc_html().
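
An added illustration of the behaviour reported in this ticket and of the escaping approach named in comment:1; it is not the contents of 24418.patch or WordPress core code. example_esc_html() is a stand-in for esc_html() built on htmlspecialchars(), and example_render_quote() with its markup is hypothetical.

```php
<?php
// Stand-in for WordPress's esc_html() so this runs outside WordPress.
// Assumption: only the entity encoding is modelled here.
function example_esc_html( $text ) {
	return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
}

// Hypothetical renderer: wraps the quote and its source in a single <div>.
// This is not the markup produced by get_the_post_format_quote().
function example_render_quote( array $meta, $escape ) {
	$source = $meta['quote_source_name'];
	if ( $escape ) {
		$source = example_esc_html( $source );
	}
	return '<div class="quote"><blockquote>' . example_esc_html( $meta['quote'] )
		. '</blockquote><cite>' . $source . '</cite></div>';
}

// Opening <div> tags minus closing </div> tags; 0 means the wrapper is balanced.
function example_div_balance( $html ) {
	return substr_count( $html, '<div' ) - substr_count( $html, '</div>' );
}

// Constructed sample input following the ticket's reproduction steps.
$meta = array(
	'quote'             => 'Some text',
	'quote_source_name' => '</div>',
);

$raw     = example_render_quote( $meta, false );
$escaped = example_render_quote( $meta, true );

// Unescaped: the stored </div> closes the wrapper early, so the balance is non-zero.
echo $raw, "\n";
echo 'div balance (raw): ', example_div_balance( $raw ), "\n";

// Escaped: the value is emitted as &lt;/div&gt; and the wrapper stays balanced.
echo $escaped, "\n";
echo 'div balance (escaped): ', example_div_balance( $escaped ), "\n";
```

With escaping applied, any markup stored in the field is displayed as literal text rather than interpreted.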

comment:2 SergeyBiryukov 11 months ago

  • Keywords has-patch commit added
  • Milestone changed from Awaiting Review to 3.6

comment:3 ocean90 11 months ago

  • Keywords commit removed
  • Milestone 3.6 deleted
  • Resolution set to invalid
  • Status changed from new to closed