Proper output escaping #4
Comments
Addressed here: 6eed651 |
Looking good |
Because of this change 6eed651#diff-510c3663aa41187468817522a3a7c765R123 - when markup is in the content or body of a post, it is escaped in the duplicate posts resulting in this: Is there a reason the escaping is necessary here or is this a bug? |
Hi @modelm - Thanks for the ticket. It looks like a bug; I'd noted in that changeset that content should not be output-escaped on the way into the database, but it looks like it was never rolled out. See https://github.com/cuny-academic-commons/bp-multiple-forum-post/blob/master/bp-multiple-forum-post.php#L142 @rjbaniel Could you have a look? Be sure to test with rich-text content. |
OK - I have already removed the esc_attr() for title & content in our fork, so if that's the only required change and you want a PR just let me know. |
Yup, I'm pretty sure that's all that's required.
On 12/30/2016 01:30 PM, Ryan Williams wrote:
> OK - I have already removed the esc_attr() for title & content in our fork, so if that's the only required change and you want a PR just let me know.
|
I noticed a number of places where user-generated content - like group names - is displayed on the front end, without being escaped. Let's fix this. Rules of thumb:

- esc_html() for text that's echoed in such a way that it's displayed as the content of a HTML element (eg: <h2><?php echo esc_html( $group->name ); ?></h2>)
- esc_attr() for text that needs to be sanitized for use in element attributes (eg <input name="foo" value="<?php echo esc_attr( $group->slug ); ?>">)
- esc_url() for URLs, pretty much whenever they need to be echoed to the screen (there are exceptions where it's better to use esc_url_raw() - see https://kovshenin.com/2012/esc_url-vs-esc_url_raw/)
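A worked example covering both parts of this issue, added here and not taken from the bp-multiple-forum-post plugin: the three escapers applied in the output context each is meant for, and the stored-content bug from the comments, where esc_attr() was applied to a post body before it went into the database. The `$group` object, its sample values and the two `duplicate_post_content_*` functions are hypothetical; the file assumes WordPress supplies the esc_* functions and only defines simplified stand-ins so it can also be run from the PHP CLI.

```php
<?php
/*
 * Added example, not code from bp-multiple-forum-post. It assumes WordPress
 * is loaded; the stand-ins below exist only so the file runs from the PHP CLI
 * and are deliberately simpler than the real esc_html()/esc_attr()/esc_url().
 */
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
	function esc_attr( $text ) { return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' ); }
	function esc_url( $url ) {
		// Stand-in only: the real esc_url() allowlists protocols; this just blocks javascript: and escapes.
		return preg_match( '/^\s*javascript:/i', $url ) ? '' : htmlspecialchars( $url, ENT_QUOTES, 'UTF-8' );
	}
}

// Hypothetical group whose fields came from users (constructed sample values).
$group = (object) array(
	'name' => 'Admins <script>alert(1)</script>',
	'slug' => 'admins" onfocus="alert(1)',
	'link' => 'javascript:alert(1)',
);

// Output escaping: the raw value is what is stored; the escaper is chosen by where it is echoed.
?>
<h2><?php echo esc_html( $group->name ); ?></h2>
<input name="group" value="<?php echo esc_attr( $group->slug ); ?>">
<a href="<?php echo esc_url( $group->link ); ?>">Visit group</a>
<?php

// The duplicate-post bug from the comments: esc_attr() applied to content before it is saved.
function duplicate_post_content_buggy( $content ) {
	return esc_attr( $content ); // the entities become part of the stored body
}

// The fix: copy the original post's content as-is and escape only at the point of output.
function duplicate_post_content_fixed( $content ) {
	return $content;
}

$body = '<strong>Hello</strong> world';
// When the duplicate post is rendered as HTML, the buggy copy shows the tags as
// literal text (the stored "&lt;strong&gt;" is already an entity), while the fixed
// copy renders them as markup, matching the original post.
echo duplicate_post_content_buggy( $body ), "\n";
echo duplicate_post_content_fixed( $body ), "\n";
```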