Make WordPress Core

Opened 11 years ago

Closed 11 years ago

#9524 closed defect (bug) (fixed)

Exporter does not escape url

Reported by: gslin
Owned by: westi
Milestone: 2.9
Priority: normal
Severity: normal
Version: 2.8
Component: Export
Keywords: has-patch tested reporter-feedback
Focuses: (none)
Cc: (none)

Description

In wp-admin/includes/export.php, the URL is not escaped correctly:

<wp:comment_author_url><?php echo $c->comment_author_url; ?></wp:comment_author_url>

htmlspecialchars() will escape only 4 chars when no options are given (lt, gt, amp, quot), and these 4 chars are compatible with XML, so we can use htmlspecialchars() to fix the bug:

<wp:comment_author_url><?php echo htmlspecialchars($c->comment_author_url); ?></wp:comment_author_url>

Attachments (2)

#9524_export.php.diff (833 bytes) - added by mtekk 11 years ago.
9524.diff (875 bytes) - added by Denis-de-Bernardy 11 years ago.
use clean_url() instead

Change History (13)

#1 @Denis-de-Bernardy
11 years ago

  • Keywords needs-patch added
  • Milestone changed from Unassigned to 2.8
  • Version set to 2.8

#2 @mtekk
11 years ago

  • Keywords has-patch added; needs-patch removed

Made patch implementing gslin's suggestion.

#3 @Denis-de-Bernardy
11 years ago

  • Keywords tested added

#4 @Denis-de-Bernardy
11 years ago

  • Keywords commit added

@Denis-de-Bernardy
11 years ago

use clean_url() instead

#5 @westi
11 years ago

  • Keywords reporter-feedback added; commit removed
  • Owner set to westi
  • Status changed from new to accepted

clean_url looks like a better solution here.

However, it would be good to have an example of the actual url that was causing an issue to make sure that we have fixed the problem.

Removing commit for now while we get reporter feedback

#6 @Denis-de-Bernardy
11 years ago

I can only imagine it's a url from an old blog, that didn't go through the sanitizer when it was inserted. The clean_url() won't hurt either way.

#7 @ryan
11 years ago

clean_url() will escape ampersands by default. I don't think the importer handles that.

#8 @Denis-de-Bernardy
11 years ago

  • Milestone changed from 2.8 to 2.9

Punting per IRC discussion.

#10 @markjaquith
11 years ago

esc_url_raw() is what you want — sanitizes without ampersand-entity-encoding.

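The following is an added example, not code from this ticket or from WordPress. It contrasts the three escaping strategies discussed above for the description's `<wp:comment_author_url>` element (raw echo, the reporter's htmlspecialchars(), clean_url() from 9524.diff, and esc_url_raw() from comment #10) and asks libxml whether each rendered fragment is well-formed XML. `esc_url_raw_min()` and `clean_url_min()` are simplified, hypothetical stand-ins for WordPress's esc_url_raw() and clean_url(): they model only the character allow-list and the ampersand handling, nothing else. The sample URL and the `http://example.invalid/wxr/` namespace are constructed.

```php
<?php
// Added example (not WordPress code): compare escaping strategies for
// <wp:comment_author_url> and check well-formedness of the result.
// esc_url_raw_min() / clean_url_min() are simplified, hypothetical stand-ins
// for esc_url_raw() / clean_url(); only the allow-list filter and the
// ampersand handling are modelled.

function esc_url_raw_min(string $url): string
{
    // Drop every character outside the allow-list ('<', '>', '"' and spaces
    // go away). '&' survives and, as in the raw/'db' context, stays unencoded.
    return preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url);
}

function clean_url_min(string $url): string
{
    // Display context: same filter, but '&' becomes the numeric reference &#038;.
    return str_replace('&', '&#038;', esc_url_raw_min($url));
}

function render_comment_author_url(string $value): string
{
    // The element exactly as the exporter emits it in this ticket.
    return '<wp:comment_author_url>' . $value . '</wp:comment_author_url>';
}

function is_well_formed_xml(string $fragment): bool
{
    // Wrap the fragment in a root that declares the wp: prefix (constructed
    // namespace URI) and let libxml decide whether it parses.
    $doc  = '<?xml version="1.0" encoding="UTF-8"?>'
          . '<root xmlns:wp="http://example.invalid/wxr/">' . $fragment . '</root>';
    $prev = libxml_use_internal_errors(true);
    $ok   = simplexml_load_string($doc) !== false;
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return $ok;
}

// Constructed sample: a stored author URL that never went through the sanitizer.
$dirty = 'http://example.com/?a=1&b=2"><b>x</b><';

$strategies = [
    'raw echo (the bug)'          => $dirty,
    'htmlspecialchars() (ticket)' => htmlspecialchars($dirty),
    'clean_url() (9524.diff)'     => clean_url_min($dirty),
    'esc_url_raw() ([12359])'     => esc_url_raw_min($dirty),
];

foreach ($strategies as $name => $value) {
    $fragment = render_comment_author_url($value);
    printf("%-28s %-16s %s\n",
        $name,
        is_well_formed_xml($fragment) ? 'well-formed' : 'NOT well-formed',
        $fragment);
}
```

Run it with `php example.php`. With this input only the htmlspecialchars() and clean_url() fragments parse. The esc_url_raw() stand-in strips the quote and angle brackets but, as comment #10 says of the real function, leaves the ampersand alone, and XML 1.0 allows a bare `&` in element content only as the start of an entity or character reference, so `?a=1&b=2` is rejected by the parser. Whether the committed fix produces well-formed WXR therefore depends on the importer tolerating that, on author URLs containing no `&`, or on the value being wrapped in CDATA; none of those is settled on this ticket, so check the actual export with an XML parser rather than by eye.
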
#11 @markjaquith
11 years ago

  • Resolution set to fixed
  • Status changed from accepted to closed

(In [12359]) Use esc_url_raw() on wp:comment_author_url in exports. fixes #9524