[wp-trac] [WordPress Trac] #62361: Setting filter "activate_tinymce_for_media_description" to "true" is breaking media_description by running it through "htmlspecialchars()"

WordPress Trac noreply at wordpress.org
Wed Nov 13 13:28:01 UTC 2024


#62361: Setting filter "activate_tinymce_for_media_description" to "true" is breaking
media_description by running it through "htmlspecialchars()"
--------------------------+------------------------
 Reporter:  dagobert24    |       Owner:  joedolson
     Type:  defect (bug)  |      Status:  accepted
 Priority:  normal        |   Milestone:  6.8
Component:  Media         |     Version:  6.6.2
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |     Focuses:  ui
--------------------------+------------------------

Comment (by dagobert24):

 Replying to [comment:5 yogeshbhutkar]:
 > Hi @dagobert24, thank you for raising the ticket and the PR.
 >
 > I was going through the PR and had a teeny-tiny query about the
 > approach. Here, if we pass the second parameter of the `format_to_edit()`
 > function `true` then it would consider the content as rich text and skip
 > the usage of `esc_textarea()`. I was wondering if this could cause
 > security concerns as the data might not be escaped.
 >
 > How about using `wp_kses_post()` to sanitize the content and pass it to
 > `wp_editor()` directly? That way, the content will be sanitized and will
 > serve the purpose as well.

 I guess running wp_kses_post() makes sense. The question is how to
 implement this in a nice and clean way. Also I am afraid to break
 something unexpected.

 We should continue to use the format_to_edit() function. Within this
 function is a hook which we would otherwise break, or more precisely, we
 would skip this hook if we are not using this function.

 I think we should make use of this hook ourselves like this for example
 (L3280):

 {{{
 if ( true === $editor_args['tinymce'] ) {
         $editor_args['textarea_rows'] = 20;
         // The closure must capture $post explicitly: PHP closures do not
         // inherit the enclosing scope, so without `use` $post is undefined.
         add_filter( 'format_to_edit', function () use ( $post ) {
                 return wp_kses_post( $post->post_content );
         } );
 }
 }}}

 I am not that deep into WordPress that I could be sure of assigning the
 correct priority to the hook to make sure it will run at a very high
 priority but still has "room" for someone to supersede it.

 What do you think?

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/62361#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
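Added illustration (not code from the ticket, its PR or WordPress core) of the hook-based approach discussed in comment 6: the 'format_to_edit' callback receives the content as its argument, is attached at a high but not maximal priority, and is detached again right after the one format_to_edit() call it is meant for, so other callers in the same request are unaffected. The function name and the `attachment_content` editor id are assumptions; it assumes WordPress is loaded and `$post` / `$editor_args` are set as in the media description editor.

```php
<?php
/**
 * Render the media description editor with rich-text content sanitised by
 * wp_kses_post() through the 'format_to_edit' hook, scoped to this one call.
 *
 * @param WP_Post $post        Attachment post (assumed, as in media.php).
 * @param array   $editor_args Arguments for wp_editor() (assumed).
 */
function example_render_media_description_editor( $post, $editor_args ) {
	// Take the content the hook hands us instead of closing over $post:
	// the filter passes the (possibly already filtered) content as $content.
	$kses_filter = static function ( $content ) {
		return wp_kses_post( $content );
	};

	// Priority 999 runs after the default priority-10 callbacks while still
	// leaving room for a later callback (>= 1000) to supersede it.
	add_filter( 'format_to_edit', $kses_filter, 999 );

	// Second argument true: rich text, so esc_textarea() is skipped inside
	// format_to_edit() and the hook above is what sanitises the markup.
	$content = format_to_edit( $post->post_content, true );

	// Detach immediately so unrelated format_to_edit() calls (other fields,
	// other plugins) do not silently get wp_kses_post() applied as well.
	remove_filter( 'format_to_edit', $kses_filter, 999 );

	wp_editor( $content, 'attachment_content', $editor_args );
}
```

Keeping a reference to the closure is what makes remove_filter() possible; an anonymous closure passed inline cannot be removed later.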

