Unescaped CDATA in [gallery] Output

[miqrogroove]

This is easiest to describe by example. Follow the permalink...

​http://blogyul.miqrogroove.com/2008/12/mmm-mng-salesmmm-mng-salesmmm-mng-salesmmm-mng-sales/

... to a post that contains the phrase "Masculine & Feminine" in an attached image caption. The image appears twice: Once as a Full Size image, and once in the image gallery.

In the Full Size image, the "&" has been escaped to "&" in both the alt text string and the div CDATA.

In the gallery, the div CDATA are not escaped and the raw "&" appears. The alt text string is missing (#8732) but should also be escaped.

[miqrogroove]

I thought I would be able to patch this easily, but I am still confused by the intended outcome. If I apply wp_specialchars() to the gallery output, it does not escape entity references. Is it better to use htmlspecialchars() and potentially break existing entities in the gallery, or does the patch need to change the visual editor to also use wp_specialchars() ?

[miqrogroove]

I think I have to give up on trying to do this by myself. I traced the caption I/O as far as media_upload_form_handler() where the value of $html is

[caption id="attachment_1337" align="aligncenter" width="300" caption="Alison Nix - Masculine & Feminine Touch"]<img src="http://blogyul.miqrogroove.com/wp-content/uploads/2008/12/mangomasculinefeminine2-300x200.jpg" alt="Alison Nix - Masculine &#038; Feminine Touch" title="mangomasculinefeminine2" width="300" height="200" class="size-medium wp-image-1337" />[/caption]

But this doesn't even match what I see in the editor...

[caption id="attachment_1337" align="aligncenter" width="300" caption="Alison Nix - Masculine &amp; Feminine Touch"]<img class="size-medium wp-image-1337" title="mangomasculinefeminine2" src="http://blogyul.miqrogroove.com/wp-content/uploads/2008/12/mangomasculinefeminine2-300x200.jpg" alt="Alison Nix - Masculine &amp; Feminine Touch" width="300" height="200" />[/caption]

There may be multiple I/O inconsistencies at play here.

[miqrogroove]

Patch to correct the raw output of $attachment->post_excerpt in the wp-includes/media.php file function gallery_shortcode()

[miqrogroove]

Okay I took it a step further by pasting the $html value directly into the visual editor. When I switched to Visual mode and back again, the value changed in the same way. I also tested entity references by writing them into the caption field and found they are not escaped in the visual editor. Despite the convoluted output path, it seems to work and there may be no need to match the flavor of "&" escaping between the editor and gallery.

On that note, I've gone ahead with the patch. Since this is my first patch here I would appreciate a thorough review.

[Denis-de-Bernardy]

wp_specialchars($attachment->post_excerpt); should only be called after the if statement.

[miqrogroove]

Go ahead and make the change then. I do not have time to work on style changes.

[MattyRob]

Is this patch any better then?

Honestly, for all the encouragement on the WordPress.org site to get involved in reporting bugs, then testing and submitting patches the process for getting a patch committed really leaves a lot to be desired.

[Denis-de-Bernardy]

Matty -- I wish there were more committers too. :-)

[azaozz]

(In [11200]) Escape caption in [gallery] output, props MattyRob, fixes #8763

[mtdewvirus]

This has caused HTML in captions to be displayed as normal text.

[Denis-de-Bernardy]

sorry. it had never occurred people would use any html in there.

patch with wptexturize instead is attached.

[azaozz]

(In [11336]) Escape the captions in the gallery with wptexturize() instead of wp_specialchars(), props Denis-de-Bernardy, fixes #8763