WordPress.org

Make WordPress Core

#24580 closed defect (bug) (duplicate)

wp-admin/includes/media.php: edit_form_image_editor() missing esc_textarea() on Caption textarea.

Reported by: AlexanderOMara
Owned by:
Milestone:
Priority: normal
Severity: minor
Version: 3.6
Component: General
Keywords: has-patch
Focuses:
Cc:

Description

In wp-admin/includes/media.php, the function edit_form_image_editor() directly prints the raw post_excerpt into the description textarea. This means that if the user inputs HTML tags, the HTML when returning to edit it is invalid or potentially broken.

This:
<textarea class="widefat" name="excerpt" id="attachment_caption"><?php echo $post->post_excerpt; ?></textarea>

Should be:
<textarea class="widefat" name="excerpt" id="attachment_caption"><?php echo esc_attr( $post->post_excerpt ); ?></textarea>

Attachments (1)

media_patch.diff (649 bytes) - added by AlexanderOMara 22 months ago.
media.php diff


Change History (7)

comment:1 @toscho 22 months ago

  • Cc info@… added

That should be esc_textarea( $post->post_excerpt ).

comment:2 @helen 22 months ago

I believe $post->post_excerpt is returned already escaped. It's not further escaped in the post_excerpt_meta_box() function, either.

@AlexanderOMara 22 months ago

media.php diff

comment:3 @AlexanderOMara 22 months ago

  • Summary changed from wp-admin/includes/media.php: edit_form_image_editor() missing esc_attr() on Caption textarea. to wp-admin/includes/media.php: edit_form_image_editor() missing esc_textare() on Caption textarea.

comment:4 @AlexanderOMara 22 months ago

  • Summary changed from wp-admin/includes/media.php: edit_form_image_editor() missing esc_textare() on Caption textarea. to wp-admin/includes/media.php: edit_form_image_editor() missing esc_textarea() on Caption textarea.

comment:5 @AlexanderOMara 22 months ago

Thanks toscho! This is the function I had intended to use, but somehow managed to type the wrong thing. I have replaced the diff file with the correct version and corrected the title, though a feature to correct the description eludes me.

helen,

$post->post_excerpt

isn't escaped for me on a clean install of the latest trunk version. Entering
{{{
</textarea><textarea>
}}}
in the description field for an attachment results in a second textarea appearing.

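The breakout described in the ticket and reproduced in comment:5, as an added stand-alone example (not WordPress core code and not the attached patch): the raw echo from edit_form_image_editor() next to the esc_textarea() version, fed the comment:5 payload and a caption that already holds an entity. esc_textarea_standalone() is an assumed stand-in for core's esc_textarea(), fixed to UTF-8 and without the 'esc_textarea' filter; caption_field_raw(), caption_field_escaped() and textarea_count() are illustrative names, and the two captions are constructed inputs.

```php
<?php
// Added example, not code from WordPress core or from the ticket's patch.
// Reproduces the ticket's behaviour without loading WordPress: the raw echo
// from edit_form_image_editor() next to the esc_textarea() version, fed the
// payload from comment:5.

// Stand-in for core's esc_textarea(): htmlspecialchars() with ENT_QUOTES.
// Assumptions: charset fixed to UTF-8 (core reads get_option( 'blog_charset' ))
// and the 'esc_textarea' filter is not applied.
function esc_textarea_standalone( string $text ): string {
    return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
}

// Before: the markup quoted in the ticket, post_excerpt echoed unescaped.
function caption_field_raw( string $post_excerpt ): string {
    return '<textarea class="widefat" name="excerpt" id="attachment_caption">'
        . $post_excerpt . '</textarea>';
}

// After: the same markup with the textarea body escaped.
function caption_field_escaped( string $post_excerpt ): string {
    return '<textarea class="widefat" name="excerpt" id="attachment_caption">'
        . esc_textarea_standalone( $post_excerpt ) . '</textarea>';
}

// Crude check for the symptom in comment:5: a caption that closes the
// textarea early shows up as more than one <textarea> start tag.
function textarea_count( string $html ): int {
    return substr_count( strtolower( $html ), '<textarea' );
}

// Constructed captions: the ticket's payload, and one already containing an entity.
$captions = [
    'breakout' => '</textarea><textarea>',
    'entity'   => 'Tom &amp; Jerry',
];

foreach ( $captions as $label => $caption ) {
    $raw     = caption_field_raw( $caption );
    $escaped = caption_field_escaped( $caption );
    printf(
        "[%s]\n  raw     (%d textarea): %s\n  escaped (%d textarea): %s\n\n",
        $label,
        textarea_count( $raw ), $raw,
        textarea_count( $escaped ), $escaped
    );
}
```

Run it with `php example.php`. For the breakout caption the raw form contains two `<textarea` start tags and the escaped form one, which is the "second textarea" comment:5 reports. The entity caption shows why toscho's correction from esc_attr() to esc_textarea() matters: both functions neutralise `</textarea>`, but esc_attr() does not double-encode existing entities, so a stored `Tom &amp; Jerry` would be emitted unchanged, decoded by the browser to `Tom & Jerry`, and silently altered on the next save. esc_textarea() double-encodes it to `Tom &amp;amp; Jerry`, which the browser decodes back to exactly the stored text.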

comment:6 @nacin 20 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

Fixed via #24611.
