Opened 9 years ago
Closed 9 years ago
#33732 closed defect (bug) (fixed)
Exporter fails to escape many XML elements text content
Reported by: | westonruter | Owned by: | wonderboymusic |
---|---|---|---|
Milestone: | 4.4 | Priority: | normal |
Severity: | normal | Version: | 3.0 |
Component: | Export | Keywords: | has-patch |
Focuses: | Cc: |
Description
We have a plugin with a custom post type that stores a query string (e.g. year=2015&month=5) in the post_name. It is stored here for the sake of the field being indexed in MySQL. When exporting such posts via the WordPress exporter, it results in a post that contains an item with:
<wp:post_name>year=2015&month=5</wp:post_name>
This results in an XML parse error because the & is not escaped/encoded as &amp;. Alternatively it could also be safely represented as:
<wp:post_name><![CDATA[year=2015&month=5]]></wp:post_name>
The function that does the CDATA-ification for the exporter is wxr_cdata() and it is used elsewhere in the exporter where WordPress expects to see XML meta characters in user data. But it is not used in other places where plugins could also introduce XML meta characters in the data being output.
I suggest that we ensure that all the data in the feed be late-escaped without assuming that it is going to be safe.
Add late-escaping for data via wxr_cdata() and intval()
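The failure and the fix described in this ticket, as an added example that is not part of the ticket or of WordPress's own code. The helpers cdata_wrap(), build_item() and parse_post_name() and the namespace URI are hypothetical, the sample values are constructed, and PHP's dom extension is assumed.

```php
<?php
// Added example: all helper names below are hypothetical, not WordPress functions.

// Wrap arbitrary text in CDATA. A literal "]]>" in the data would end the
// section early, so it is split across two adjacent CDATA sections.
function cdata_wrap( string $text ): string {
    return '<![CDATA[' . str_replace( ']]>', ']]]]><![CDATA[>', $text ) . ']]>';
}

// Build a minimal export item; $escape toggles late-escaping of the values.
function build_item( string $post_id, string $post_name, bool $escape ): string {
    $id   = $escape ? (string) intval( $post_id ) : $post_id;
    $name = $escape ? cdata_wrap( $post_name ) : $post_name;
    return '<item xmlns:wp="urn:example:wxr">' // constructed namespace URI
        . "<wp:post_id>$id</wp:post_id>"
        . "<wp:post_name>$name</wp:post_name>"
        . '</item>';
}

// Parse the item and return the post_name text, or null if the XML is not well-formed.
function parse_post_name( string $xml ): ?string {
    $prev = libxml_use_internal_errors( true ); // collect errors instead of emitting warnings
    $doc  = new DOMDocument();
    $ok   = $doc->loadXML( $xml );
    libxml_clear_errors();
    libxml_use_internal_errors( $prev );
    if ( ! $ok ) {
        return null;
    }
    return $doc->getElementsByTagNameNS( 'urn:example:wxr', 'post_name' )->item( 0 )->textContent;
}

// Constructed samples: the ticket's query string, and a value containing a CDATA terminator.
$samples = array( 'year=2015&month=5', 'a]]>b<c&d' );
foreach ( $samples as $value ) {
    $raw  = parse_post_name( build_item( '42', $value, false ) );
    $safe = parse_post_name( build_item( '42', $value, true ) );
    printf(
        "%-20s unescaped: %-12s escaped round-trip: %s\n",
        $value,
        null === $raw ? 'parse error' : 'parsed',
        $safe === $value ? 'ok' : 'MISMATCH'
    );
}
```

The second sample shows why wrapping alone is not enough: data that already contains the CDATA terminator has to be split, otherwise plugin-supplied text could close the section and be parsed as markup.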