WordPress.org

Make WordPress Core

Opened 2 years ago

Closed 23 months ago

#24418 closed defect (bug) (invalid)

$meta['quote_source_name'] in get_the_post_format_quote() needs to be escaped

Reported by: tollmanz Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.6
Component: Post Formats Keywords: has-patch
Focuses: Cc:

Description

HTML in $meta['quote_source_name'] should be escaped when accessed via get_the_post_format_quote(). Adding certain HTML to the source name can break the layout.

For instance:

http://f.cl.ly/items/401H1G3m1a0T2h3t1S0g/Screen%20Shot%202013-05-24%20at%209.31.23%20PM.png

This can be recreated by doing the following:

  1. Add a new quote post
  2. Give it a title and some text
  3. In the "Quote Source" field, add </div>

Attachments (1)

24418.patch (921 bytes) - added by tollmanz 2 years ago.

Download all attachments as: .zip

Change History (4)

@tollmanz2 years ago

comment:1 @tollmanz2 years ago

24418.patch escapes the data with esc_html().

comment:2 @SergeyBiryukov2 years ago

  • Keywords has-patch commit added
  • Milestone changed from Awaiting Review to 3.6

comment:3 @ocean9023 months ago

  • Keywords commit removed
  • Milestone 3.6 deleted
  • Resolution set to invalid
  • Status changed from new to closed
Note: See TracTickets for help on using tickets.