Make WordPress Core

Opened 9 years ago

Closed 9 years ago

#33732 closed defect (bug) (fixed)

Exporter fails to escape many XML elements text content

Reported by: westonruter
Owned by: wonderboymusic
Milestone: 4.4
Priority: normal
Severity: normal
Version: 3.0
Component: Export
Keywords: has-patch
Focuses:
Cc:

Description (last modified by westonruter)

We have a plugin with a custom post type that stores a query string (e.g. year=2015&month=5) in the post_name. It is stored here for the sake of the field being indexed in MySQL. When exporting such posts via the WordPress exporter, it results in a post that contains an item with:

<wp:post_name>year=2015&month=5</wp:post_name>

This results in an XML parse error because the & is not escaped/encoded as &amp;. Alternatively it could also be safely represented as:

<wp:post_name><![CDATA[year=2015&month=5]]></wp:post_name>

The function that does the CDATA-ification for the exporter is wxr_cdata() and it is used elsewhere in the exporter where WordPress expects to see XML meta characters in user data. But it is not using it elsewhere in places where plugins could also introduce XML meta characters in the data being output.

I suggest that we ensure that all the data in the feed be late-escaped without assuming that it is going to be safe.

See also: #31080, #15203, #19998
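
The parse failure described above and the CDATA form of the fix, as an added example that is not part of the ticket or of WordPress core: example_cdata() is a hypothetical stand-in for wxr_cdata(), and the namespace URI and sample values are constructed. It also covers a value containing ]]>, which has to be split so that it cannot close the CDATA section early.

```php
<?php
// Added example, not WordPress code. example_cdata() is a hypothetical
// stand-in for the exporter's wxr_cdata() helper.
function example_cdata( string $value ): string {
	// A literal "]]>" would terminate the section, so split it across two sections.
	return '<![CDATA[' . str_replace( ']]>', ']]]]><![CDATA[>', $value ) . ']]>';
}

// Wrap the given markup in a minimal <item> that declares the wp: prefix.
// The namespace URI is a constructed placeholder.
function example_item( string $post_name_markup ): string {
	return '<item xmlns:wp="http://example.com/wp-export">'
		. '<wp:post_name>' . $post_name_markup . '</wp:post_name>'
		. '</item>';
}

// Return the text content of the parsed document, or null when the
// input is not well-formed XML.
function example_parse( string $xml ): ?string {
	$previous = libxml_use_internal_errors( true ); // collect errors instead of emitting warnings
	$doc      = new DOMDocument();
	$ok       = $doc->loadXML( $xml );
	libxml_clear_errors();
	libxml_use_internal_errors( $previous );

	return $ok ? $doc->documentElement->textContent : null;
}

// Constructed sample values: the query string from the ticket, and a value
// that contains the CDATA terminator plus other XML meta characters.
$samples = array( 'year=2015&month=5', 'a]]>b & <c>' );

foreach ( $samples as $value ) {
	// Early-trusting output: the stored value is written into the element as-is.
	$raw = example_parse( example_item( $value ) );

	// Late-escaped output: the value is wrapped at the point of output.
	$escaped = example_parse( example_item( example_cdata( $value ) ) );

	printf(
		"%-20s raw: %-12s cdata round-trip: %s\n",
		$value,
		null === $raw ? 'parse error' : 'parsed',
		$escaped === $value ? 'ok' : 'MISMATCH'
	);
}
```

Any importer or auditing tool that consumes the export can apply the same well-formedness check before trusting the file.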

Attachments (1)

33732.diff (8.7 KB) - added by westonruter 9 years ago.
Add late-escaping for data via wxr_cdata() and intval()


Change History (5)

#1 @westonruter
9 years ago

  • Description modified (diff)

@westonruter
9 years ago

Add late-escaping for data via wxr_cdata() and intval()

#2 @westonruter
9 years ago

  • Keywords has-patch added

#3 @wonderboymusic
9 years ago

  • Milestone changed from Awaiting Review to 4.4

#4 @wonderboymusic
9 years ago

  • Owner set to wonderboymusic
  • Resolution set to fixed
  • Status changed from new to closed

In 34333:

Export: Add late-escaping to the contents of several nodes to avoid creating invalid XML and XML parse errors.

Props westonruter.
Fixes #33732.
