
Changeset 33271


Timestamp:
07/14/2015 05:55:07 PM (9 years ago)
Author:
wonderboymusic
Message:

After [33148]:
Don't nest esc_attr() and htmlspecialchars() when escaping the post title on the edit post screen.

Unrevert parts of [32851] and [32850].

Adds/alters unit tests.

Props miqrogroove.
Fixes #17780.

Location:
trunk
Files:
6 edited

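--- a/trunk/src/wp-admin/edit-form-advanced.php
+++ b/trunk/src/wp-admin/edit-form-advanced.php
@@ -495,5 +495,5 @@
     ?>
     <label class="screen-reader-text" id="title-prompt-text" for="title"><?php echo $title_placeholder; ?></label>
-    <input type="text" name="post_title" size="30" value="<?php echo esc_attr( htmlspecialchars( $post->post_title ) ); ?>" id="title" spellcheck="true" autocomplete="off" />
+    <input type="text" name="post_title" size="30" value="<?php echo esc_attr( $post->post_title ); ?>" id="title" spellcheck="true" autocomplete="off" />
 </div>
 <?php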
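Review bot: The single `esc_attr()` call on new line 497 keeps entity references that already exist in the stored title (the EscAttr test in this changeset pins `&nbsp;` surviving unchanged), so a post_title holding a literal `&amp;` is emitted as `&amp;` and the browser shows `&` in the field; whether that lossy display is the intended trade-off is not recorded near this line. A short comment would stop the next reader from re-adding the nested `htmlspecialchars()`, e.g. `<?php /* Escape once: existing entities in post_title are kept, not re-encoded (#17780). */ echo esc_attr( $post->post_title ); ?>`. How the value is treated again on save is outside this hunk, so I cannot tell whether it round-trips.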
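--- a/trunk/src/wp-includes/formatting.php
+++ b/trunk/src/wp-includes/formatting.php
@@ -753,22 +753,11 @@
     }
 
-    // Handle double encoding ourselves
-    if ( $double_encode ) {
-        $string = @htmlspecialchars( $string, $quote_style, $charset );
-    } else {
-        // Decode &amp; into &
-        $string = wp_specialchars_decode( $string, $_quote_style );
-
-        // Guarantee every &entity; is valid or re-encode the &
+    if ( ! $double_encode ) {
+        // Guarantee every &entity; is valid, convert &garbage; into &amp;garbage;
+        // This is required for PHP < 5.4.0 because ENT_HTML401 flag is unavailable.
         $string = wp_kses_normalize_entities( $string );
-
-        // Now re-encode everything except &entity;
-        $string = preg_split( '/(&#?x?[0-9a-z]+;)/i', $string, -1, PREG_SPLIT_DELIM_CAPTURE );
-
-        for ( $i = 0, $c = count( $string ); $i < $c; $i += 2 ) {
-            $string[$i] = @htmlspecialchars( $string[$i], $quote_style, $charset );
-        }
-        $string = implode( '', $string );
-    }
+    }
+
+    $string = @htmlspecialchars( $string, $quote_style, $charset, $double_encode );
 
     // Backwards compatibility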
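Review bot: The `@` on the new `htmlspecialchars()` call at new line 761 hides the warning PHP raises for an unsupported `$charset` (PHP then falls back to a default charset instead of failing), and because no `ENT_SUBSTITUTE`/`ENT_IGNORE` flag is added here, a `$string` containing byte sequences invalid in that charset comes back as `''` with no diagnostic; both were true of the removed code as well, but this rewrite is the place to replace the `@` with an explicit charset check and to state in the function docblock that invalid input yields an empty string. `$quote_style` and the charset are resolved above the hunk, so if `ENT_SUBSTITUTE` is already folded into `$quote_style` there, only the charset point stands. The removed branch was the only visible reader of `$_quote_style`; if nothing below the hunk uses it, that variable is now dead — the rest of `_wp_specialchars()` lies outside this hunk, so verify before removing it. The docblock should also record the contract the new WPSpecialchars tests pin: with `$double_encode` false, valid existing entities are kept and `&garbage;` becomes `&amp;garbage;`; with it true every `&` is encoded.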
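--- a/trunk/tests/phpunit/tests/formatting/EscAttr.php
+++ b/trunk/tests/phpunit/tests/formatting/EscAttr.php
@@ -27,6 +27,6 @@
 
     function test_esc_attr_amp() {
-        $out = esc_attr( 'foo & bar &baz; &apos;' );
-        $this->assertEquals( "foo &amp; bar &amp;baz; &apos;", $out );
+        $out = esc_attr( 'foo & bar &baz; &nbsp;' );
+        $this->assertEquals( "foo &amp; bar &amp;baz; &nbsp;", $out );
     }
 }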
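Review bot: The rewritten assertion at new lines 29–30 swaps `&apos;` for `&nbsp;`, which keeps the preserved-entity case covered but drops the very case whose behaviour changed: `&apos;` is no longer treated as a valid entity by the new `_wp_specialchars()` (the WPSpecialchars test in this changeset skips it for that reason) and presumably comes out as `&amp;apos;`, yet no test now asserts that. Add a second assertion pinning the new output, e.g. `$this->assertEquals( 'foo &amp;apos;', esc_attr( 'foo &apos;' ) );`, so a later change that re-admits `&apos;` is noticed; if the suite still runs on PHP older than 5.4, where the formatting.php comment says the `ENT_HTML401` validation is unavailable, guard that assertion on `PHP_VERSION` since the result may differ there. The same replaced-rather-than-inverted expectation appears in `test_js_escape_amp` in JSEscape.php.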
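--- a/trunk/tests/phpunit/tests/formatting/EscHtml.php
+++ b/trunk/tests/phpunit/tests/formatting/EscHtml.php
@@ -35,5 +35,5 @@
     function test_ignores_existing_entities() {
         $source = '&#038; &#x00A3; &#x22; &amp;';
-        $res = '&amp; &#xA3; &quot; &amp;';
+        $res = '&#038; &#xA3; &#x22; &amp;';
         $this->assertEquals( $res, esc_html($source) );
     }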
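--- a/trunk/tests/phpunit/tests/formatting/JSEscape.php
+++ b/trunk/tests/phpunit/tests/formatting/JSEscape.php
@@ -24,11 +24,11 @@
 
     function test_js_escape_amp() {
-        $out = esc_js('foo & bar &baz; &apos;');
-        $this->assertEquals("foo &amp; bar &amp;baz; &apos;", $out);
+        $out = esc_js('foo & bar &baz; &nbsp;');
+        $this->assertEquals("foo &amp; bar &amp;baz; &nbsp;", $out);
     }
 
     function test_js_escape_quote_entity() {
         $out = esc_js('foo &#x27; bar &#39; baz &#x26;');
-        $this->assertEquals("foo \\' bar \\' baz &amp;", $out);
+        $this->assertEquals("foo \\' bar \\' baz &#x26;", $out);
     }
 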
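--- a/trunk/tests/phpunit/tests/formatting/WPSpecialchars.php
+++ b/trunk/tests/phpunit/tests/formatting/WPSpecialchars.php
@@ -18,4 +18,8 @@
         // Allowed entities should be unchanged
         foreach ( $allowedentitynames as $ent ) {
+            if ( 'apos' == $ent ) {
+                // But for some reason, PHP doesn't allow &apos;
+                continue;
+            }
             $ent = '&' . $ent . ';';
             $this->assertEquals( $ent, _wp_specialchars( $ent ) );
@@ -40,3 +44,57 @@
         $this->assertEquals( $source, _wp_specialchars($source) );
     }
+
+    /**
+     * Check some of the double-encoding features for entity references.
+     *
+     * @ticket 17780
+     * @dataProvider data_double_encoding
+     */
+    function test_double_encoding( $input, $output ) {
+        return $this->assertEquals( $output, _wp_specialchars( $input, ENT_NOQUOTES, false, true ) );
+    }
+
+    function data_double_encoding() {
+        return array(
+            array(
+                'This & that, this &amp; that, &#8212; &quot; &QUOT; &Uacute; &nbsp; &#34; &#034; &#0034; &#x00022; &#x22; &dollar; &times;',
+                'This &amp; that, this &amp;amp; that, &amp;#8212; &amp;quot; &amp;QUOT; &amp;Uacute; &amp;nbsp; &amp;#34; &amp;#034; &amp;#0034; &amp;#x00022; &amp;#x22; &amp;dollar; &amp;times;',
+            ),
+            array(
+                '&& &&amp; &amp;&amp; &amp;;',
+                '&amp;&amp; &amp;&amp;amp; &amp;amp;&amp;amp; &amp;amp;;',
+            ),
+            array(
+                '&garbage; &***; &aaaa; &0000; &####; &;;',
+                '&amp;garbage; &amp;***; &amp;aaaa; &amp;0000; &amp;####; &amp;;;',
+            ),
+        );
+    }
+
+    /**
+     * Check some of the double-encoding features for entity references.
+     *
+     * @ticket 17780
+     * @dataProvider data_no_double_encoding
+     */
+    function test_no_double_encoding( $input, $output ) {
+        return $this->assertEquals( $output, _wp_specialchars( $input, ENT_NOQUOTES, false, false ) );
+    }
+
+    function data_no_double_encoding() {
+        return array(
+            array(
+                'This & that, this &amp; that, &#8212; &quot; &QUOT; &Uacute; &nbsp; &#34; &#034; &#0034; &#x00022; &#x22; &dollar; &times;',
+                'This &amp; that, this &amp; that, &#8212; &quot; &amp;QUOT; &Uacute; &nbsp; &#034; &#034; &#034; &#x22; &#x22; &amp;dollar; &times;',
+            ),
+            array(
+                '&& &&amp; &amp;&amp; &amp;;',
+                '&amp;&amp; &amp;&amp; &amp;&amp; &amp;;',
+            ),
+            array(
+                '&garbage; &***; &aaaa; &0000; &####; &;;',
+                '&amp;garbage; &amp;***; &amp;aaaa; &amp;0000; &amp;####; &amp;;;',
+            ),
+        );
+    }
 }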
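Review bot: The comment `// But for some reason, PHP doesn't allow &apos;` at new line 21 records a puzzle rather than the reason: `&apos;` is an XML/HTML5 entity that is absent from the HTML 4.01 entity list `htmlspecialchars()` validates against once `ENT_HTML401` applies (the formatting.php hunk in this changeset refers to that flag), so PHP re-encodes it even though the kses `$allowedentitynames` list admits it. Replace the comment with `// &apos; is not an HTML 4.01 entity, so htmlspecialchars() re-encodes it even though kses allows it` so the next reader does not remove the skip. Separately, `test_double_encoding` and `test_no_double_encoding` at new lines 54 and 81 `return` the result of `assertEquals()`, which PHPUnit never reads; drop the `return`. The `'apos' == $ent` loose comparison at line 20 should be `===`, and the second docblock is a copy of the first although it describes the no-double-encoding case.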