Opened 15 years ago
Closed 15 years ago
#9524 closed defect (bug) (fixed)
Exporter does not escape url
Reported by: | gslin | Owned by: | westi |
---|---|---|---|
Milestone: | 2.9 | Priority: | normal |
Severity: | normal | Version: | 2.8 |
Component: | Export | Keywords: | has-patch tested reporter-feedback |
Focuses: | | Cc: | |
Description
In wp-admin/includes/export.php, the URL is not escaped correctly:
<wp:comment_author_url><?php echo $c->comment_author_url; ?></wp:comment_author_url>
htmlspecialchars() will escape only 4 chars when no options are given (lt, gt, amp, quot), and these 4 chars are compatible with XML, so we can use htmlspecialchars() to fix the bug:
<wp:comment_author_url><?php echo htmlspecialchars($c->comment_author_url); ?></wp:comment_author_url>
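An added example, not WordPress's export.php, that reproduces the defect described above: a constructed author URL containing `&` is emitted raw and then through htmlspecialchars(), and each fragment is parsed to check XML well-formedness. The wp namespace URI is assumed for the wrapper; clean_url() needs WordPress loaded, so it is not called here.

```php
<?php
// Added example (not WordPress code). Constructed URL: the '&' in the query
// string is what breaks the exported XML when echoed unescaped.
$author_url = 'http://example.com/?a=1&b=2';

function wxr_comment_author_url_raw($url) {
    // Mirrors the original export.php line: value echoed with no escaping.
    return '<wp:comment_author_url>' . $url . '</wp:comment_author_url>';
}

function wxr_comment_author_url_escaped($url) {
    // Default htmlspecialchars() flags escape &, <, > and " only; all four
    // map to XML's predefined entities, so the output stays valid XML.
    return '<wp:comment_author_url>' . htmlspecialchars($url) . '</wp:comment_author_url>';
}

function is_well_formed_xml($fragment) {
    // Wrap the fragment in a root that declares the wp: prefix, as the WXR
    // export does. The namespace URI here is an assumption for the demo.
    $doc = '<?xml version="1.0" encoding="UTF-8"?>'
         . '<rss xmlns:wp="http://wordpress.org/export/1.0/">' . $fragment . '</rss>';
    $prev = libxml_use_internal_errors(true);
    $ok = simplexml_load_string($doc) !== false;
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return $ok;
}

foreach (array('raw' => wxr_comment_author_url_raw($author_url),
               'escaped' => wxr_comment_author_url_escaped($author_url)) as $label => $fragment) {
    echo $label, ': ', $fragment, PHP_EOL;
    echo '  well-formed: ', is_well_formed_xml($fragment) ? 'yes' : 'no', PHP_EOL;
}
```

Running it shows the raw fragment rejected by the XML parser and the escaped one accepted, which is the check a reviewer would want before closing the ticket.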
Attachments (2)
Change History (13)
#1 @ 15 years ago
- Keywords needs-patch added
- Milestone changed from Unassigned to 2.8
- Version set to 2.8
#5 @ 15 years ago
- Keywords reporter-feedback added; commit removed
- Owner set to westi
- Status changed from new to accepted
clean_url looks like a better solution here.
However, it would be good to have an example of the actual url that was causing an issue to make sure that we have fixed the problem.
Removing commit for now while we get reporter feedback.
#6 @ 15 years ago
I can only imagine it's a URL from an old blog that didn't go through the sanitizer when it was inserted. The clean_url() won't hurt either way.
Made patch implementing gslin's suggestion.