Make WordPress Core

#24420 closed defect (bug) (invalid)

Message in the_post_format_chat() should be escaped

Reported by: tollmanz
Owned by: (none)
Milestone: (none)
Priority: normal
Severity: normal
Version: 3.6
Component: Post Formats
Keywords: (none)
Focuses: (none)
Cc: (none)

Description

Looks like this was mentioned by lancewillet in #23625, but never addressed.

When the chat message is printed, it needs to be run through esc_html(). As lancewillet indicated, it was removed in r23876 because the links in the content were made to be clickable and escaping the data would nullify these efforts. While clickable links are great, I think escaping the data is much more important. I think that this issue should not be overlooked and this data should be properly escaped.

I think that one way of handling the issue would be to remove make_clickable() from get_content_chat(). There probably are a number of worthy use cases for getting that data in its rawest form anyway (e.g., some chat apps won't make links clickable). If we remove the make_clickable() call, we can easily call esc_html() on the content without concern. Functions calling the_post_format_chat() can then decide whether or not to make the links clickable (or we could even add an optional parameter to the function).
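The ordering the ticket proposes (escape the raw message first, then optionally make links clickable on the already-escaped text) as an added, self-contained example. This is not WordPress core code: htmlspecialchars() stands in for esc_html(), the small linkify_plain() helper stands in for make_clickable(), and render_chat_message() with its $clickable parameter is a hypothetical stand-in for the optional parameter the ticket suggests adding to the_post_format_chat().

```php
<?php
// Added example, not WordPress core code. Shows why output escaping must
// happen before any link-making pass, not after it.

function escape_message(string $raw): string {
    // Same contract as esc_html(): encode <, >, &, " and ' so any markup
    // inside a chat line is rendered as text, never interpreted as HTML.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function linkify_plain(string $escaped): string {
    // Stand-in for make_clickable(): wrap bare http(s) URLs in <a>. It is
    // meant to run on already-escaped text, so the only tags in the result
    // are the anchors this function itself emits. A "&" in a query string
    // has already become "&amp;" by this point, which is the correct form
    // inside an href attribute, so it is allowed to stay part of the URL.
    return preg_replace(
        '~https?://[^\s<"\']+~i',
        '<a href="$0" rel="nofollow">$0</a>',
        $escaped
    );
}

function render_chat_message(string $raw, bool $clickable = false): string {
    // Escape unconditionally; linking is an optional second pass over safe
    // text, so callers that want the plain form simply skip it.
    $safe = escape_message($raw);
    return $clickable ? linkify_plain($safe) : $safe;
}

// Constructed sample line carrying both a URL and stray markup.
$sample = 'see https://example.com/?a=1&b=2 <b>bold?</b> & done';

// Plain (escaped) form, as a chat app that does not want links would use it.
echo render_chat_message($sample), "\n";

// Escaped and then linkified: markup is inert, the URL is a working anchor.
echo render_chat_message($sample, true), "\n";

// For contrast, the reverse order (linkify first, escape afterwards) turns
// the generated anchor into literal "&lt;a href=..." text, which is the
// conflict r23876 ran into when the two calls were stacked that way.
echo escape_message(linkify_plain($sample)), "\n";
```

The point of the split is that escape_message() is the only step that touches untrusted input directly; linkify_plain() only ever sees text that is already safe to print, so it cannot reintroduce markup the author did not write.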

Change History (1)

comment:1 @SergeyBiryukov 21 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed