Changeset 33271

Timestamp:

07/14/2015 05:55:07 PM (10 years ago)

Author:

wonderboymusic

Message:

After [33148]:
Don't nest esc_attr() and htmlspecialchars() when escaping the post title on the edit post screen.

Unrevert parts of [32851] and [32850].

Adds/alters unit tests.

Props miqrogroove.
Fixes #17780.

Location:

trunk

Files:

• src/wp-admin/edit-form-advanced.php (modified) (1 diff)
• src/wp-includes/formatting.php (modified) (1 diff)
• tests/phpunit/tests/formatting/EscAttr.php (modified) (1 diff)
• tests/phpunit/tests/formatting/EscHtml.php (modified) (1 diff)
• tests/phpunit/tests/formatting/JSEscape.php (modified) (1 diff)
• tests/phpunit/tests/formatting/WPSpecialchars.php (modified) (2 diffs)

trunk/src/wp-admin/edit-form-advanced.php

@@ -495 +495 @@
     ?>
     <label class="screen-reader-text" id="title-prompt-text" for="title"><?php echo $title_placeholder; ?></label>
-    <input type="text" name="post_title" size="30" value="<?php echo esc_attr( htmlspecialchars( $post->post_title ) ); ?>" id="title" spellcheck="true" autocomplete="off" />
+    <input type="text" name="post_title" size="30" value="<?php echo esc_attr( $post->post_title ); ?>" id="title" spellcheck="true" autocomplete="off" />
 </div>
 <?php

trunk/src/wp-includes/formatting.php

@@ -753 +753 @@
     }
 
-    // Handle double encoding ourselves
-    if ( $double_encode ) {
-        $string = @htmlspecialchars( $string, $quote_style, $charset );
-    } else {
-        // Decode & into &
-        $string = wp_specialchars_decode( $string, $_quote_style );
-
-        // Guarantee every &entity; is valid or re-encode the &
+    if ( ! $double_encode ) {
+        // Guarantee every &entity; is valid, convert &garbage; into &garbage;
+        // This is required for PHP < 5.4.0 because ENT_HTML401 flag is unavailable.
         $string = wp_kses_normalize_entities( $string );
-
-        // Now re-encode everything except &entity;
-        $string = preg_split( '/(&#?x?[0-9a-z]+;)/i', $string, -1, PREG_SPLIT_DELIM_CAPTURE );
-
-        for ( $i = 0, $c = count( $string ); $i < $c; $i += 2 ) {
-            $string[$i] = @htmlspecialchars( $string[$i], $quote_style, $charset );
-        }
-        $string = implode( '', $string );
-    }
+    }
+
+    $string = @htmlspecialchars( $string, $quote_style, $charset, $double_encode );
 
     // Backwards compatibility

trunk/tests/phpunit/tests/formatting/EscAttr.php

@@ -27 +27 @@
 
     function test_esc_attr_amp() {
-        $out = esc_attr( 'foo & bar &baz; '' );
-        $this->assertEquals( "foo & bar &baz; '", $out );
+        $out = esc_attr( 'foo & bar &baz;  ' );
+        $this->assertEquals( "foo & bar &baz;  ", $out );
     }
 }

trunk/tests/phpunit/tests/formatting/EscHtml.php

@@ -35 +35 @@
     function test_ignores_existing_entities() {
         $source = '& £ " &';
-        $res = '& £ " &';
+        $res = '& £ " &';
         $this->assertEquals( $res, esc_html($source) );
     }

trunk/tests/phpunit/tests/formatting/JSEscape.php

@@ -24 +24 @@
 
     function test_js_escape_amp() {
-        $out = esc_js('foo & bar &baz; '');
-        $this->assertEquals("foo & bar &baz; '", $out);
+        $out = esc_js('foo & bar &baz;  ');
+        $this->assertEquals("foo & bar &baz;  ", $out);
     }
 
     function test_js_escape_quote_entity() {
         $out = esc_js('foo ' bar ' baz &');
-        $this->assertEquals("foo \\' bar \\' baz &", $out);
+        $this->assertEquals("foo \\' bar \\' baz &", $out);
     }
 

trunk/tests/phpunit/tests/formatting/WPSpecialchars.php

@@ -18 +18 @@
         // Allowed entities should be unchanged
         foreach ( $allowedentitynames as $ent ) {
+            if ( 'apos' == $ent ) {
+                // But for some reason, PHP doesn't allow '
+                continue;
+            }
             $ent = '&' . $ent . ';';
             $this->assertEquals( $ent, _wp_specialchars( $ent ) );
@@ -40 +44 @@
         $this->assertEquals( $source, _wp_specialchars($source) );
     }
+
+    /**
+     * Check some of the double-encoding features for entity references.
+     *
+     * @ticket 17780
+     * @dataProvider data_double_encoding
+     */
+    function test_double_encoding( $input, $output ) {
+        return $this->assertEquals( $output, _wp_specialchars( $input, ENT_NOQUOTES, false, true ) );
+    }
+
+    function data_double_encoding() {
+        return array(
+            array(
+                'This & that, this & that, — " " Ú   " " " " " $ ×',
+                'This & that, this & that, — " " Ú   " " " " " $ ×',
+            ),
+            array(
+                '&& && && &;',
+                '&& && && &;',
+            ),
+            array(
+                '&garbage; &***; &aaaa; &0000; &####; &;;',
+                '&garbage; &***; &aaaa; &0000; &####; &;;',
+            ),
+        );
+    }
+
+    /**
+     * Check some of the double-encoding features for entity references.
+     *
+     * @ticket 17780
+     * @dataProvider data_no_double_encoding
+     */
+    function test_no_double_encoding( $input, $output ) {
+        return $this->assertEquals( $output, _wp_specialchars( $input, ENT_NOQUOTES, false, false ) );
+    }
+
+    function data_no_double_encoding() {
+        return array(
+            array(
+                'This & that, this & that, — " " Ú   " " " " " $ ×',
+                'This & that, this & that, — " " Ú   " " " " " $ ×',
+            ),
+            array(
+                '&& && && &;',
+                '&& && && &;',
+            ),
+            array(
+                '&garbage; &***; &aaaa; &0000; &####; &;;',
+                '&garbage; &***; &aaaa; &0000; &####; &;;',
+            ),
+        );
+    }
 }