Make WordPress Core


Timestamp: 11/02/2021 06:46:36 PM (2 years ago)
Author: johnjamesjacoby
Message:

Permalinks: Sanitize non-visible characters inside sanitize_title_with_dashes().

This change prevents non-visible characters in titles from creating encoded values in permalinks, opting instead for the following replacement strategy:

  • Non-visible non-zero-width characters are replaced with hyphens
  • Non-visible zero-width characters are removed entirely

Included with this change are 64 additional PHPUnit assertions to confirm that only the targeted non-visible characters are sanitized as intended.

Before this change, URLs would unintentionally contain encoded values where these non-visible characters were. After this change, URLs intentionally strip out or hyphenate these non-visible characters.

Props costdev, dhanendran, hellofromtonya, paaljoachim, peterwilsoncc, poena, sergeybiryukov.

Fixes #47912.
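To make the replacement strategy described in the commit message concrete, the following is an added example, not WordPress code and not part of this changeset: a stand-alone PHP stand-in for the affected stage of sanitize_title_with_dashes() that applies the two percent-encoded tables from the patch and runs constructed titles through a "before" and an "after" pipeline. The names slugify_before, slugify_after, percent_encode_utf8 and finish_slug, and the sample titles, are assumptions of this example; the real function does considerably more (tag stripping, entity handling, a length limit in utf8_uri_encode()) than is reproduced here.

```php
<?php
// Added example, not WordPress code: a minimal stand-in for the part of
// sanitize_title_with_dashes() touched by r51984. Function names and the
// sample titles below are constructed for this illustration.

/**
 * Percent-encode every non-ASCII byte as lowercase %xx and lowercase the
 * result, which is the shape the title has when the replacement tables run
 * (utf8_uri_encode() uses dechex(), then the function calls strtolower()).
 */
function percent_encode_utf8( string $title ): string {
	$out = '';
	$len = strlen( $title );
	for ( $i = 0; $i < $len; $i++ ) {
		$byte = ord( $title[ $i ] );
		$out .= ( $byte < 128 ) ? $title[ $i ] : sprintf( '%%%02x', $byte );
	}
	return strtolower( $out );
}

// The zero-width table from the patch: these are removed entirely.
const ZERO_WIDTH = array(
	'%e2%80%8b', // U+200B ZERO WIDTH SPACE
	'%e2%80%8c', // U+200C ZERO WIDTH NON-JOINER
	'%e2%80%8d', // U+200D ZERO WIDTH JOINER
	'%e2%80%8e', // U+200E LEFT-TO-RIGHT MARK
	'%e2%80%8f', // U+200F RIGHT-TO-LEFT MARK
	'%e2%80%aa', // U+202A LEFT-TO-RIGHT EMBEDDING
	'%e2%80%ab', // U+202B RIGHT-TO-LEFT EMBEDDING
	'%e2%80%ac', // U+202C POP DIRECTIONAL FORMATTING
	'%e2%80%ad', // U+202D LEFT-TO-RIGHT OVERRIDE
	'%e2%80%ae', // U+202E RIGHT-TO-LEFT OVERRIDE
	'%ef%bb%bf', // U+FEFF ZERO WIDTH NO-BREAK SPACE (BOM)
);

// The width table from the patch: spacing characters that become a hyphen.
const WIDTH_SPACES = array(
	'%e2%80%80', '%e2%80%81', '%e2%80%82', '%e2%80%83', // U+2000..U+2003
	'%e2%80%84', '%e2%80%85', '%e2%80%86', '%e2%80%87', // U+2004..U+2007
	'%e2%80%88', '%e2%80%89', '%e2%80%8a',              // U+2008..U+200A
	'%e2%80%a8', '%e2%80%a9',                           // U+2028, U+2029
	'%e2%80%af',                                        // U+202F
);

/** Tail of the slug pipeline shared by both versions. */
function finish_slug( string $title ): string {
	$title = preg_replace( '/[^%a-z0-9 _-]/', '', $title ); // keep only slug-safe bytes
	$title = preg_replace( '/\s+/', '-', $title );         // whitespace to hyphen
	$title = preg_replace( '|-+|', '-', $title );          // collapse runs of hyphens
	return trim( $title, '-' );
}

/** Behaviour before r51984: the encoded invisible survives into the slug. */
function slugify_before( string $title ): string {
	return finish_slug( percent_encode_utf8( $title ) );
}

/** Behaviour after r51984: invisibles are dropped or hyphenated first. */
function slugify_after( string $title ): string {
	$title = percent_encode_utf8( $title );
	$title = str_replace( ZERO_WIDTH, '', $title );
	$title = str_replace( WIDTH_SPACES, '-', $title );
	return finish_slug( $title );
}

// Constructed sample titles: a zero-width space, a right-to-left override and
// an em space (U+2003) hidden inside otherwise ordinary words.
$samples = array(
	"Hello\u{200B}World", // before: hello%e2%80%8bworld   after: helloworld
	"Admin\u{202E}Login", // before: admin%e2%80%aelogin   after: adminlogin
	"Hello\u{2003}World", // before: hello%e2%80%83world   after: hello-world
);
foreach ( $samples as $sample ) {
	printf(
		"%-22s before: %-22s after: %s\n",
		json_encode( $sample ),
		slugify_before( $sample ),
		slugify_after( $sample )
	);
}
```

The "before" column shows why the change matters beyond aesthetics: two titles that render identically can produce distinct slugs that differ only in an opaque percent-encoded sequence, and a bidirectional override such as U+202E survives into a URL where it can reorder how the path is displayed. Running the tables before the `[^%a-z0-9 _-]` filter is what makes the difference, because that filter keeps `%` and hex digits and so would otherwise pass the encoded invisible through untouched.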

File: 1 edited

  • trunk/src/wp-includes/formatting.php

    r51955 r51984  
    22892289                '%cc%84',
    22902290                '%cc%8c',
     2291                // Non-visible characters that display without a width.
     2292                '%e2%80%8b',
     2293                '%e2%80%8c',
     2294                '%e2%80%8d',
     2295                '%e2%80%8e',
     2296                '%e2%80%8f',
     2297                '%e2%80%aa',
     2298                '%e2%80%ab',
     2299                '%e2%80%ac',
     2300                '%e2%80%ad',
     2301                '%e2%80%ae',
     2302                '%ef%bb%bf',
    22912303            ),
    22922304            '',
     2305            $title
     2306        );
     2307
     2308        // Convert non-visible characters that display with a width to hyphen.
     2309        $title = str_replace(
     2310            array(
     2311                '%e2%80%80',
     2312                '%e2%80%81',
     2313                '%e2%80%82',
     2314                '%e2%80%83',
     2315                '%e2%80%84',
     2316                '%e2%80%85',
     2317                '%e2%80%86',
     2318                '%e2%80%87',
     2319                '%e2%80%88',
     2320                '%e2%80%89',
     2321                '%e2%80%8a',
     2322                '%e2%80%a8',
     2323                '%e2%80%a9',
     2324                '%e2%80%af',
     2325            ),
     2326            '-',
    22932327            $title
    22942328        );
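Review bot: the two tables in this hunk stop short of some characters in the same Unicode classes, so a title can still carry an encoded invisible into the slug. The zero-width table (lines 2291-2302) covers U+200B-U+200F, U+202A-U+202E and U+FEFF but not U+2060 WORD JOINER (`%e2%81%a0`) or the invisible operators U+2061-U+2064 (`%e2%81%a1` to `%e2%81%a4`); the width table (lines 2311-2324) covers U+2000-U+200A, U+2028, U+2029 and U+202F but not U+205F MEDIUM MATHEMATICAL SPACE (`%e2%81%9f`) or U+3000 IDEOGRAPHIC SPACE (`%e3%80%80`). Either add those sequences to the respective tables or say in the two comments that the lists are deliberately limited to the U+2000 block. On style, the percent-encoded literals are opaque to the next reader; annotating each entry with its code point (for example `'%e2%80%ae', // U+202E RIGHT-TO-LEFT OVERRIDE`) would make the coverage reviewable without decoding UTF-8 by hand.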