Make WordPress Core

Opened 11 years ago

Closed 11 years ago

#24580 closed defect (bug) (duplicate)

wp-admin/includes/media.php: edit_form_image_editor() missing esc_textarea() on Caption textarea.

Reported by: AlexanderOMara
Owned by:
Milestone:
Priority: normal
Severity: minor
Version: 3.6
Component: General
Keywords: has-patch
Focuses:
Cc:

Description

In wp-admin/includes/media.php, the function edit_form_image_editor() directly prints the raw post_excerpt into the description textarea. This means that if the user inputs HTML tags, the HTML when returning to edit it is invalid or potentially broken.

This:
<textarea class="widefat" name="excerpt" id="attachment_caption"><?php echo $post->post_excerpt; ?></textarea>

Should be:
<textarea class="widefat" name="excerpt" id="attachment_caption"><?php echo esc_attr( $post->post_excerpt ); ?></textarea>

Attachments (1)

media_patch.diff (649 bytes) - added by AlexanderOMara 11 years ago.
media.php diff


Change History (7)

#1 @toscho
11 years ago

  • Cc info@… added

That should be esc_textarea( $post->post_excerpt ).

#2 @helen
11 years ago

I believe $post->post_excerpt is returned already escaped. It's not further escaped in the post_excerpt_meta_box() function, either.

@AlexanderOMara
11 years ago

media.php diff

#3 @AlexanderOMara
11 years ago

  • Summary changed from wp-admin/includes/media.php: edit_form_image_editor() missing esc_attr() on Caption textarea. to wp-admin/includes/media.php: edit_form_image_editor() missing esc_textare() on Caption textarea.

#4 @AlexanderOMara
11 years ago

  • Summary changed from wp-admin/includes/media.php: edit_form_image_editor() missing esc_textare() on Caption textarea. to wp-admin/includes/media.php: edit_form_image_editor() missing esc_textarea() on Caption textarea.

#5 @AlexanderOMara
11 years ago

Thanks toscho! This is the function I had intended to use, but somehow managed to type the wrong thing. I have replaced the diff file with the correct version and corrected the title, though a feature to correct the description eludes me.

helen, $post->post_excerpt isn't escaped for me on a clean install of the latest trunk version. Entering </textarea><textarea> in the description field for an attachment results in a second textarea appearing.

Last edited 11 years ago by AlexanderOMara
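Added example (editor's note, not part of the ticket, not WordPress core code and not the attached media_patch.diff): a stand-alone PHP reproduction of the issue in the description and of the `</textarea><textarea>` probe from comment #5, plus the round-trip point behind toscho's suggestion in comment #1. It assumes two local stand-in helpers, example_esc_textarea() and example_esc_attr(), which model only one property of the real esc_textarea() and esc_attr(): whether entities already present in the stored text are encoded again (esc_textarea() uses htmlspecialchars() with double encoding; esc_attr() leaves existing entities alone). The render_caption_field() and breaks_out() helpers and the sample captions are constructed for this example.

```php
<?php
// Added example (not WordPress code, not the ticket's patch): reproduces the
// caption-textarea issue from #24580 and shows why esc_textarea() is the right
// helper for a textarea body.
//
// Assumption: the two stand-ins below mirror only the double-encoding
// behaviour of the real esc_textarea() / esc_attr(); they are not those
// functions.

// Stand-in for esc_textarea(): entities already in the text are encoded again.
function example_esc_textarea( string $text ): string {
    return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8', true );
}

// Stand-in for esc_attr(): entities already in the text are left as they are.
function example_esc_attr( string $text ): string {
    return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8', false );
}

// Renders the caption field from edit_form_image_editor() three ways:
// the raw echo from the ticket, esc_attr() (the description's proposal) and
// esc_textarea() (comment #1's correction).
function render_caption_field( string $excerpt ): array {
    $open  = '<textarea class="widefat" name="excerpt" id="attachment_caption">';
    $close = '</textarea>';
    return [
        'raw'          => $open . $excerpt . $close,
        'esc_attr'     => $open . example_esc_attr( $excerpt ) . $close,
        'esc_textarea' => $open . example_esc_textarea( $excerpt ) . $close,
    ];
}

// True when the rendered markup contains more than one closing tag, i.e. the
// excerpt broke out of the textarea and the browser will see a second element.
function breaks_out( string $html ): bool {
    return substr_count( strtolower( $html ), '</textarea>' ) > 1;
}

// What the user sees in the field: browsers decode entities inside a textarea
// body, so the visible value is the HTML-decoded body.
function visible_value( string $html ): string {
    preg_match( '#<textarea[^>]*>(.*)</textarea>#s', $html, $m );
    return html_entity_decode( $m[1], ENT_QUOTES, 'UTF-8' );
}

// Constructed inputs: the probe from comment #5, and a caption that already
// holds an entity, which the raw and esc_attr() variants do not round-trip.
$probe  = '</textarea><textarea>';
$entity = 'Fish &amp; chips';

foreach ( render_caption_field( $probe ) as $mode => $html ) {
    printf( "%-13s breaks out of textarea: %s\n", $mode, breaks_out( $html ) ? 'yes' : 'no' );
}

foreach ( render_caption_field( $entity ) as $mode => $html ) {
    printf( "%-13s user sees: %s\n", $mode, visible_value( $html ) );
}
```

Both escaping helpers stop the breakout in the first loop; the second loop is where they differ. Because the browser decodes the textarea body once, a stored caption containing `&amp;` has to be encoded a second time to display as `&amp;` and save back unchanged; a helper that skips existing entities shows `&` instead, and the next save silently rewrites the stored caption.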

#6 @nacin
11 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Fixed via #24611.
