[wp-trac] [WordPress Trac] #62361: Set filter "activate_tinymce_for_media_description" to "true" is breaking meadia_descripton by running it through "htmlspecialchars()"
WordPress Trac
noreply at wordpress.org
Wed Nov 13 09:42:45 UTC 2024
#62361: Set filter "activate_tinymce_for_media_description" to "true" is breaking
meadia_descripton by running it through "htmlspecialchars()"
--------------------------+------------------------
Reporter: dagobert24 | Owner: joedolson
Type: defect (bug) | Status: accepted
Priority: normal | Milestone: 6.8
Component: Media | Version: 6.6.2
Severity: normal | Resolution:
Keywords: has-patch | Focuses: ui
--------------------------+------------------------
Comment (by yogeshbhutkar):
Hi @dagobert24, thank you for raising the ticket and the PR.
I was going through the PR and had a teeny-tiny query about the approach.
Here, if we pass the second parameter of the `format_to_edit()` function
`true` then it would consider the content as rich text and skip the usage
of `esc_textarea()`. I was wondering if this could cause security concerns
as the data might not be escaped.
How about using `wp_kses_post()` to sanitize the content and pass it to
`wp_editor()` directly? That way, the content will be sanitized and will serve
the purpose as well.
Would love to hear your thoughts on this.
Thank You.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62361#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
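The escaping trade-off discussed in this comment, shown as an added stand-alone example (not code from the ticket, the PR, or WordPress core). It runs without WordPress loaded, so it assumes two stand-ins: `htmlspecialchars()` in place of `esc_textarea()` (which core implements as `htmlspecialchars( $text, ENT_QUOTES, charset )`), and a hypothetical `kses_post_stub()` built on `strip_tags()` in place of `wp_kses_post()`. The sample media description is constructed.

```php
<?php
// Added illustration of the two code paths the comment contrasts.
// Constructed sample: a media description with harmless markup and a script tag.
$description = '<p>Sunset over the <strong>harbour</strong></p><script>alert(1)</script>';

// Path 1: format_to_edit( $content, false ) runs esc_textarea(). The result is
// correct inside a <textarea>, where the browser decodes the entities back into
// the original text for the user to edit. Handed to a rich-text editor instead,
// the entities are shown literally ("&lt;p&gt;..."), which is the breakage the
// ticket reports.
function textarea_path( string $content ): string {
    // Stand-in for esc_textarea(): same call core makes, with a fixed charset.
    return htmlspecialchars( $content, ENT_QUOTES, 'UTF-8' );
}

// Path 2: format_to_edit( $content, true ) skips escaping entirely, so the
// editor receives whatever is stored. Running an allowlist sanitizer first
// keeps permitted formatting and removes disallowed elements, which is what the
// comment proposes with wp_kses_post().
function kses_post_stub( string $content ): string {
    // Hypothetical, simplified stand-in. wp_kses_post() also filters attributes
    // (e.g. event handlers on allowed tags); strip_tags() does not, so this stub
    // is for illustrating the contrast only, not for production use.
    $allowed = '<p><strong><em><a><ul><ol><li><br>';
    return strip_tags( $content, $allowed );
}

echo "textarea path (entities, safe in <textarea>, wrong for a rich editor):\n";
echo textarea_path( $description ), "\n\n";

echo "allowlist path (markup kept, script element removed, editor-ready HTML):\n";
echo kses_post_stub( $description ), "\n";
```

Both sanitizers leave the text content of a removed `<script>` element behind as plain text; that is harmless once the tag is gone, and matches how kses behaves. The point the stub cannot show is attribute filtering, which is the main reason to prefer the real `wp_kses_post()` over `strip_tags()` when the output is rendered as HTML.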