Attributes not escaped (notably title attribute)
The attributes for the markup that are inserted by the DOM/parser library are not escaped. This causes issues with other plugins like the wp-typography plugin.

Notably <code>$title</code> from <code>get_the_title()</code> can contain markup. The markup is used unescaped (and the DOM/parser libraries don’t seem to escape either), resulting in broken gallery markup.

https://plugins.trac.www.ads-software.com/browser/gallery-custom-links/trunk/mgcl_linker.php#L13
All values to be used for attributes must be escaped, e.g.

<pre><code>$potentialLinkNode->{'title'} = esc_attr( $title );
[...]
$potentialLinkNode->attr( 'title', esc_attr( $title ) );
[...]
[...] no-lightbox" title="' . esc_attr( $title ) . '" [...]
</code></pre>

And for ensuring that the title contains the pure text, use <code>wp_strip_all_tags</code> on the title, e.g.

<pre><code>$title = wp_strip_all_tags( get_the_title( $mediaId ) );
</code></pre>

Newlines in the title attribute value should be allowed and supported now, hence the second argument for <code>wp_strip_all_tags</code> (to also strip the newlines) stayed at the default (<code>false</code>).
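As an added illustration (not code from this post or from the gallery-custom-links plugin), the stand-alone PHP below builds the same <code>title</code> attribute both ways: first as the unescaped concatenation the post describes, then with <code>wp_strip_all_tags</code> plus <code>esc_attr</code>. The sample title is constructed, and when WordPress is not loaded the two functions are approximated with plain PHP stand-ins.

```php
<?php
// Stand-ins so the script runs outside WordPress. They approximate, not
// replace, the real esc_attr() and wp_strip_all_tags() behaviour.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'wp_strip_all_tags' ) ) {
    function wp_strip_all_tags( $text, $remove_breaks = false ) {
        $text = strip_tags( (string) $text );
        if ( $remove_breaks ) {
            // Only when explicitly requested: collapse newlines/whitespace.
            $text = preg_replace( '/[\r\n\t ]+/', ' ', $text );
        }
        return trim( $text );
    }
}

// Constructed sample: a title that a typography plugin has decorated with
// markup, that contains a double quote, and that spans two lines.
$title = '<span class="caps">NASA</span> "Blue" Marble' . "\n" . 'photo';

// The behaviour the post reports: tags and quotes land raw in the attribute,
// so the quote ends the title value early and the element is malformed.
function build_link_unescaped( $title ) {
    return '<a class="no-lightbox" title="' . $title . '" href="#">img</a>';
}

// The fix from the post: reduce the title to plain text (second argument left
// at its default false, so the newline survives), then escape for an
// attribute context so quotes, angle brackets and ampersands are encoded.
function build_link_escaped( $title ) {
    $plain = wp_strip_all_tags( $title );
    return '<a class="no-lightbox" title="' . esc_attr( $plain ) . '" href="#">img</a>';
}

echo build_link_unescaped( $title ), PHP_EOL;
echo build_link_escaped( $title ), PHP_EOL;
```

Compare the two printed lines: in the first the <code>title</code> attribute closes at the first embedded quote, in the second the whole title is one well-formed attribute value with the newline still inside it.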