Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#26100 closed defect (bug) (fixed)

Escape HTML in theme author name to allow for ampersands

Reported by: morganestes Owned by: dd32
Milestone: 3.8 Priority: normal
Severity: normal Version: 3.8
Component: Customize Keywords: has-patch
Focuses: Cc:

Description (last modified by SergeyBiryukov)

In wp-admin/themes.php, the template prints &amp; to the screen if there's an ampersand in the author name (multiple theme authors using "&" instead of "and").

Tested in trunk after THX38, not sure if it was in there before. #24775 references a similar issue.

Changing from {{ data.author }} to {{{ data.author }}} fixes the issue when displaying the theme details overlay.

Attachments (6)

before.png (5.8 KB) - added by morganestes 8 years ago.
after.png (5.6 KB) - added by morganestes 8 years ago.
themes.2.diff (731 bytes) - added by morganestes 8 years ago.
themes-26100.diff (890 bytes) - added by morganestes 8 years ago.
If #26098 is applied, this is the combined patch.
26100.diff (1.1 KB) - added by morganestes 8 years ago.
26100.1.diff (1.3 KB) - added by morganestes 8 years ago.

Change History (10)

#1 @SergeyBiryukov
8 years ago

  • Description modified (diff)
  • Milestone changed from Awaiting Review to 3.8

#2 @morganestes
8 years ago

Two new diffs added since data.author is actually located in two places.

26100.diff is the fix just for this ticket.
26100.1.diff is the fix if #26098 is already applied, since it has some overlap that causes changes that affect where this code is.

#3 @dd32
8 years ago

  • Owner set to dd32
  • Resolution set to fixed
  • Status changed from new to closed

In 26316:

Themes: Move the escaping of content from JS back to PHP. This allows us to take advantage of the display() WP_Theme method to translate the text properly, and to strip out any HTML tags we don't wish to display. Fixes #26100. See #25948
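
The escaping trade-off discussed in this ticket, as an added example that is not part of the ticket or of WordPress code: a simplified stand-in renderer shows how `{{ }}` applied to an already entity-encoded value displays a literal `&amp;`, and why `{{{ }}}` is only safe once the server has escaped the value. The names `render`, `escapeHtml` and `serverEscaped` are hypothetical, the author strings are constructed, and it is an assumption that the value reaching the template was already encoded.

```javascript
// Simplified stand-in for the two interpolation styles named in the ticket:
// {{ data.x }} HTML-escapes the value, {{{ data.x }}} inserts it unchanged.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

function render(template, data) {
  // Single pass; the triple-brace alternative is tried first so that
  // {{{ data.x }}} is never read as {{ data.x }} wrapped in stray braces.
  return template.replace(
    /\{\{\{\s*data\.(\w+)\s*\}\}\}|\{\{\s*data\.(\w+)\s*\}\}/g,
    (match, rawKey, escKey) =>
      rawKey !== undefined ? String(data[rawKey] ?? '') : escapeHtml(data[escKey] ?? '')
  );
}

// Hypothetical server-side step: the value is encoded before it is sent.
function serverEscaped(author) {
  return escapeHtml(author);
}

// Constructed sample values.
const PLAIN_AUTHOR = 'Alice & Bob';
const MARKUP_AUTHOR = 'Mallory <script>alert(1)</script>';

const ESCAPED_TPL = 'By {{ data.author }}';
const RAW_TPL = 'By {{{ data.author }}}';

function demo() {
  return {
    // Encoded on the server, encoded again in the template: "&amp;" is shown.
    doubleEscaped: render(ESCAPED_TPL, { author: serverEscaped(PLAIN_AUTHOR) }),
    // Encoded once on the server, inserted raw: the browser shows "&".
    serverThenRaw: render(RAW_TPL, { author: serverEscaped(PLAIN_AUTHOR) }),
    // Raw insertion without server-side escaping: markup reaches the page.
    rawUnescaped: render(RAW_TPL, { author: MARKUP_AUTHOR }),
    // Raw insertion after server-side escaping: markup is neutralised.
    rawAfterServer: render(RAW_TPL, { author: serverEscaped(MARKUP_AUTHOR) }),
  };
}

console.log(demo());
```

Whichever side escapes, the value must be encoded exactly once before it becomes HTML; switching a template to `{{{ }}}` moves that responsibility entirely to the code that produces the data.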

#4 @lancewillett
8 years ago

  • Component changed from Themes to Appearance