Make WordPress Core

Opened 17 years ago

Closed 17 years ago

Last modified 16 years ago

#6898 closed defect (bug) (fixed)

Bad quote escaping in media uploader?

Reported by: Otto42
Owned by:
Milestone: 2.6
Priority: normal
Severity: normal
Version: 2.5.1
Component: General
Keywords:
Focuses:
Cc:

Description

Report and fix here:
http://wordpress.org/support/topic/164563/page/2?replies=50#post-737670

Other people report the same issue and that the fix works too.

Short version:
wp-admin/includes/media.php, line 57

$html = "<a href='".attribute_escape($url)."'$rel>$html</a>";

Should be this:

$html = "<a href=\"".attribute_escape($url)."\"$rel>$html</a>";

Because the single quote there can hork up some javascript code that it gets inserted into.
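
An added example, not part of the ticket and not WordPress's own code, of the failure described above: markup pasted into a single-quoted JavaScript string literal stops parsing as soon as it contains a single quote. It goes beyond the ticket's one-line change by also showing the value serialised for the JavaScript context, which holds for either quote style. The template shape, helper names and sample values are assumptions; only send_to_editor (from the changeset message) and attribute_escape come from the page.

```javascript
// Added example; constructed stand-in, not WordPress code.
// escAttr() stands in for attribute_escape(); the template shape is assumed.
function escAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#039;');
}

// Link markup as in the ticket: quote is "'" (line 57 before) or '"' (after).
function buildLink(url, inner, quote) {
  return '<a href=' + quote + escAttr(url) + quote + '>' + inner + '</a>';
}

// Naive template: the HTML is pasted raw between single quotes.
function naiveScript(html) {
  return "send_to_editor('" + html + "');";
}

// Context-aware template: emit the value as a JavaScript string literal.
// JSON.stringify escapes quotes, backslashes and newlines; "<" is escaped too
// so the value cannot close an enclosing inline script block.
function safeScript(html) {
  return 'send_to_editor(' + JSON.stringify(html).replace(/</g, '\\u003c') + ');';
}

// Parse and run a generated statement against a stub send_to_editor.
// Returns the string the editor received, or null if the script does not parse.
function run(script) {
  let received = null;
  try {
    new Function('send_to_editor', script)((h) => { received = h; });
  } catch (e) {
    if (!(e instanceof SyntaxError)) throw e;
  }
  return received;
}

// Constructed sample values.
const URL_SAMPLE = 'http://example.test/uploads/a.jpg';
const IMG = '<img src="a.jpg" alt="photo" />';
const IMG_APOS = '<img src="a.jpg" alt="it\'s a photo" />';

function demo() {
  return {
    singleNaive: run(naiveScript(buildLink(URL_SAMPLE, IMG, "'"))),    // null
    doubleNaive: run(naiveScript(buildLink(URL_SAMPLE, IMG, '"'))),    // the markup
    aposNaive: run(naiveScript(buildLink(URL_SAMPLE, IMG_APOS, '"'))), // null
    aposSafe: run(safeScript(buildLink(URL_SAMPLE, IMG_APOS, "'"))),   // the markup
  };
}
console.log(demo());
```

The third case shows the limit of changing only the attribute quotes: any apostrophe elsewhere in the markup breaks the naive template again, while the serialised form is unaffected.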

Change History (5)

#1 @ryan
17 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [7874]) Fix send_to_editor escaping. Props Glotzfisch. fixes #6898 for trunk

#2 @ryan
17 years ago

(In [7875]) Fix send_to_editor escaping. Props Glotzfisch. fixes #6898 for 2.5

#3 @ryan
17 years ago

  • Milestone changed from 2.6 to 2.5.2

#4 @ryan
16 years ago

  • Milestone changed from 2.5.2 to 2.9

Milestone 2.5.2 deleted

#5 @westi
16 years ago

  • Milestone changed from 2.9 to 2.6