WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 4 years ago

#9524 closed defect (bug) (fixed)

Exporter does not escape url

Reported by: gslin Owned by: westi
Milestone: 2.9 Priority: normal
Severity: normal Version: 2.8
Component: Export Keywords: has-patch tested reporter-feedback
Focuses: Cc:

Description

In wp-admin/includes/export.php, url does not escape correctly:

<wp:comment_author_url><?php echo $c->comment_author_url; ?></wp:comment_author_url>

htmlspecialchars() will escape only 4 chars when no options given (lt, gt, amp, quot), and these 4 chars are compatible to XML, so we can use htmlspecialchars() to fix the bug:

<wp:comment_author_url><?php echo htmlspecialchars($c->comment_author_url); ?></wp:comment_author_url>

Attachments (2)

#9524_export.php.diff (833 bytes) - added by mtekk 5 years ago.
9524.diff (875 bytes) - added by Denis-de-Bernardy 5 years ago.
use clean_url() instead

Download all attachments as: .zip

Change History (13)

comment:1 Denis-de-Bernardy5 years ago

  • Keywords needs-patch added
  • Milestone changed from Unassigned to 2.8
  • Version set to 2.8

mtekk5 years ago

comment:2 mtekk5 years ago

  • Keywords has-patch added; needs-patch removed

Made patch implementing gslin's suggestion.

comment:3 Denis-de-Bernardy5 years ago

  • Keywords tested added

comment:4 Denis-de-Bernardy5 years ago

  • Keywords commit added

Denis-de-Bernardy5 years ago

use clean_url() instead

comment:5 westi5 years ago

  • Keywords reporter-feedback added; commit removed
  • Owner set to westi
  • Status changed from new to accepted

clean_url looks like a better solution here.

However, it would be good to have an example of the actual url that was causing an issue to make sure that we have fixed the problem.

Removing commit for now while we get reporter feedback

comment:6 Denis-de-Bernardy5 years ago

I can only imagine it's a url from an old blog, that didn't go through the sanitizer when it was inserted. The clean_url() won't hurt either way.

comment:7 ryan5 years ago

clean_url() will escape ampersands by default. I don't think the importer handles that.

comment:8 Denis-de-Bernardy5 years ago

  • Milestone changed from 2.8 to 2.9

Punting per IRC discussion.

comment:10 markjaquith4 years ago

esc_url_raw() is what you want — sanitizes without ampersand-entity-encoding.

comment:11 markjaquith4 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

(In [12359]) Use esc_url_raw() on wp:comment_author_url in exports. fixes #9524

Note: See TracTickets for help on using tickets.