WordPress.org

Make WordPress Core

Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#6898 closed defect (bug) (fixed)

Bad quote escaping in media uploader?

Reported by: Otto42 Owned by:
Milestone: 2.6 Priority: normal
Severity: normal Version: 2.5.1
Component: General Keywords:
Focuses: Cc:

Description

Report and fix here:
http://wordpress.org/support/topic/164563/page/2?replies=50#post-737670

Other people report the same issue and that the fix works too.

Short version:
wp-admin/includes/media.php, line 57

$html = "<a href='".attribute_escape($url)."'$rel>$html</a>";

Should be this:

$html = "<a href=\"".attribute_escape($url)."\"$rel>$html</a>";

Because the single quote there can hork up some javascript code that it gets inserted into.

Change History (5)

comment:1 ryan6 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [7874]) Fix send_to_editor escaping. Props Glotzfisch. fixes #6898 for trunk

comment:2 ryan6 years ago

(In [7875]) Fix send_to_editor escaping. Props Glotzfisch. fixes #6898 for 2.5

comment:3 ryan6 years ago

  • Milestone changed from 2.6 to 2.5.2

comment:4 ryan6 years ago

  • Milestone changed from 2.5.2 to 2.9

Milestone 2.5.2 deleted

comment:5 westi6 years ago

  • Milestone changed from 2.9 to 2.6
Note: See TracTickets for help on using tickets.