Opened 11 years ago
Closed 11 years ago
#24580 closed defect (bug) (duplicate)
wp-admin/includes/media.php: edit_form_image_editor() missing esc_textarea() on Caption textarea.
| Reported by: | AlexanderOMara | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | minor | Version: | 3.6 |
| Component: | General | Keywords: | has-patch |
| Focuses: | | Cc: | |
Description
In wp-admin/includes/media.php, the function edit_form_image_editor() directly prints the raw post_excerpt into the description textarea. This means that if the user inputs HTML tags, the HTML when returning to edit it is invalid or potentially broken.
This:
<textarea class="widefat" name="excerpt" id="attachment_caption"><?php echo $post->post_excerpt; ?></textarea>
Should be:
<textarea class="widefat" name="excerpt" id="attachment_caption"><?php echo esc_attr( $post->post_excerpt ); ?></textarea>
Attachments (1)
Change History (7)
#2 @ 11 years ago
I believe $post->post_excerpt is returned already escaped. It's not further escaped in the post_excerpt_meta_box() function, either.
#3 @ 11 years ago
- Summary changed from wp-admin/includes/media.php: edit_form_image_editor() missing esc_attr() on Caption textarea. to wp-admin/includes/media.php: edit_form_image_editor() missing esc_textare() on Caption textarea.
#4 @ 11 years ago
- Summary changed from wp-admin/includes/media.php: edit_form_image_editor() missing esc_textare() on Caption textarea. to wp-admin/includes/media.php: edit_form_image_editor() missing esc_textarea() on Caption textarea.
#5 @ 11 years ago
Thanks toscho! This is the function I had intended to use, but somehow managed to type the wrong thing. I have replaced the diff file with the correct version and corrected the title, though a feature to correct the description eludes me.
helem, $post->post_excerpt isn't escaped for me on a clean install of the latest trunk version. Entering </textarea><textarea> in the description field for an attachment results in a second textarea appearing.
That should be esc_textarea( $post->post_excerpt ).
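As an added example, not code from this ticket or from WordPress core, the following standalone PHP script reproduces what the description and comment #5 describe: the unescaped excerpt line from edit_form_image_editor() beside its escaped form, checked against the caption `</textarea><textarea>` that comment #5 reports. The helper `demo_esc_textarea()` is an assumed stand-in for WordPress's esc_textarea(), which applies htmlspecialchars() with ENT_QUOTES; the two `render_caption_*()` functions, `count_textareas()` and `round_trips()` are names chosen here for the example.

```php
<?php
// Added example (not WordPress core code): standalone illustration of the
// caption textarea problem in this ticket. demo_esc_textarea() stands in for
// WordPress's esc_textarea(), which wraps htmlspecialchars() with ENT_QUOTES
// and the blog charset; the render functions mirror the single textarea line
// quoted in the ticket description.

function demo_esc_textarea( $text ) {
    return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
}

// Before: the excerpt is echoed verbatim, so a '</textarea>' inside it closes
// the element early and whatever follows becomes markup of its own.
function render_caption_raw( $excerpt ) {
    return '<textarea class="widefat" name="excerpt" id="attachment_caption">'
        . $excerpt . '</textarea>';
}

// After: '<', '>', '&' and quotes become entities, so the browser shows the
// literal caption text inside the one intended textarea.
function render_caption_escaped( $excerpt ) {
    return '<textarea class="widefat" name="excerpt" id="attachment_caption">'
        . demo_esc_textarea( $excerpt ) . '</textarea>';
}

// Count the <textarea> start tags the rendered markup actually contains; more
// than one means the excerpt broke out of the element.
function count_textareas( $html ) {
    return preg_match_all( '/<textarea\b/i', $html );
}

// The caption has to survive the round trip: what the browser decodes from the
// escaped textarea body must equal what the user originally typed.
function round_trips( $excerpt ) {
    $decoded = html_entity_decode( demo_esc_textarea( $excerpt ), ENT_QUOTES, 'UTF-8' );
    return $decoded === $excerpt;
}

// Constructed input: the same caption used in comment #5 of the ticket.
$caption = '</textarea><textarea>';

printf( "raw:        %d textarea start tag(s)\n", count_textareas( render_caption_raw( $caption ) ) );
printf( "escaped:    %d textarea start tag(s)\n", count_textareas( render_caption_escaped( $caption ) ) );
printf( "round trip: %s\n", round_trips( $caption ) ? 'ok' : 'FAILED' );
```

Run with `php` on the command line: the raw rendering reports two textarea start tags (the second one is the injected element comment #5 saw), the escaped rendering reports one, and the round trip succeeds, which is why the escaping is safe to apply on the edit form even though the stored excerpt is unchanged. In WordPress itself esc_textarea() is the function meant for textarea contents; esc_attr() targets attribute values, which is the distinction the ticket title corrections in #3 and #4 are about.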