[wp-trac] [WordPress Trac] #17401: Problems sanitizing image titles

WordPress Trac wp-trac at lists.automattic.com
Tue Jun 21 14:08:47 UTC 2011


#17401: Problems sanitizing image titles
--------------------------+------------------------------
 Reporter:  bi0xid        |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  TinyMCE       |     Version:  3.2
 Severity:  normal        |  Resolution:
 Keywords:  needs-patch   |
--------------------------+------------------------------
Changes (by mfields):

 * cc: michael@… (added)
 * component:  Media => TinyMCE


Comment:

 I was able to reproduce this bug in the latest nightly. Note: this applies
 only to the visual editor. Here is what I did:

 1. Edit a published post.
 2. Ensure the Visual tab is active in the editor.
 3. Click on a media icon and upload a new image.
 4. Set the title to: ">title< <title>" or similar.
 5. Click the "Insert into Post" button.

 The image should be sent to the editor and display correctly; however, when
 you switch to the HTML tab, you will notice that the HTML looks something
 like this:

 {{{
 title=">title< <title>"
 }}}

 instead of this:

 {{{
 title="&gt; title &lt; &lt;title&gt;"
 }}}

 I inspected many of the PHP functions used during an "Insert into Post"
 request and they all appear to be escaping the title through esc_attr(). I
 believe that this bug is being caused by the HTML being processed by
 one of the TinyMCE libraries.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/17401#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
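
Added example, not part of the ticket and not WordPress or TinyMCE code: a check that can be run over post HTML saved from the visual editor to flag the symptom reported above, that is, quoted attribute values that still contain a raw "<" or ">". The img markup wrapped around the ticket's two title strings and the name findRawAngleBrackets are constructed for illustration.

```javascript
// A plain /<[^>]+>/ tag regex cannot be used here: the symptom itself places
// ">" inside a quoted value, so each tag's attribute list is walked instead.
const TAG_OPEN = /<([a-zA-Z][a-zA-Z0-9]*)/y;
const ATTR =
  /[\s/]*([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/y;

// Returns one { tag, attr, value } record per quoted attribute value that
// contains an unencoded angle bracket.
function findRawAngleBrackets(html) {
  const findings = [];
  let i = 0;
  while ((i = html.indexOf('<', i)) !== -1) {
    TAG_OPEN.lastIndex = i;
    const open = TAG_OPEN.exec(html);
    if (!open) { i += 1; continue; }          // text "<", end tag or comment
    i = TAG_OPEN.lastIndex;
    // Consume attributes until the ">" that really closes this start tag.
    while (i < html.length && html[i] !== '>') {
      ATTR.lastIndex = i;
      const m = ATTR.exec(html);
      if (!m) { i += 1; continue; }           // stray "/" or whitespace
      i = ATTR.lastIndex;
      const value = m[2] ?? m[3];             // double- or single-quoted value
      if (value !== undefined && /[<>]/.test(value)) {
        findings.push({
          tag: open[1].toLowerCase(),
          attr: m[1].toLowerCase(),
          value,
        });
      }
    }
  }
  return findings;
}

// Constructed samples: the title values are the two strings quoted in the
// ticket; the surrounding markup and file name are made up.
const SAMPLE_UNESCAPED =
  '<p><img src="photo.jpg" title=">title< <title>" alt="" /> caption</p>';
const SAMPLE_ESCAPED =
  '<p><img src="photo.jpg" title="&gt; title &lt; &lt;title&gt;" alt="" /> caption</p>';

console.log(findRawAngleBrackets(SAMPLE_UNESCAPED));
console.log(findRawAngleBrackets(SAMPLE_ESCAPED));
```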

