Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#10111 closed defect (bug) (wontfix)

output of function checked resp. __checked_selected_helper has single quotation marks which can produce JS error

Reported by: ntm
Owned by: westi
Milestone:
Priority: normal
Severity: normal
Version: 2.8
Component: General
Keywords: has-patch reporter-feedback
Focuses:
Cc:

Description

The function checked until WP 2.7 returned checked="checked" (with double quotation marks) and now returns it with single quotation marks.

If this new behavior is intentional, then I want to suggest giving the opportunity to pass another parameter to this function which specifies the type of the quotation marks.

or
simply write $result = ' '.$type.'="'.$type.'"'; instead of the current $result = " $type='$type'";

in file /wp-admin/includes/template.php (line 419) of WP 2.8

Attachments (1)

10111.diff (437 bytes) - added by Denis-de-Bernardy 5 years ago.

Change History (7)

comment:1 Denis-de-Bernardy 5 years ago

  • Keywords needs-patch added
  • Milestone changed from 2.8.1 to 2.9
  • Type changed from defect (bug) to enhancement

comment:2 Denis-de-Bernardy 5 years ago

  • Component changed from Administration to General
  • Keywords has-patch commit added; needs-patch removed
  • Milestone changed from 2.9 to 2.8.1
  • Type changed from enhancement to defect (bug)

comment:3 westi 5 years ago

  • Keywords reporter-feedback added; commit checked quotation marks removed
  • Owner set to westi
  • Status changed from new to accepted

Please could the reporter share example code that they were using which no longer works correctly.

comment:4 Denis-de-Bernardy 5 years ago

It's almost certainly something along the lines of writing JS without escaping the HTML.

comment:5 ryan 5 years ago

  • Milestone 2.8.1 deleted
  • Resolution set to wontfix
  • Status changed from accepted to closed

We'll call it a security audit feature. :-) esc_js() should really be used, if that is the scenario here. Reopen if esc_js() is not appropriate for your context.

comment:6 ntm 5 years ago

Thank you for your regard. ryan, you are right. esc_js() or js_escape() solves my problem, too.

I have written a plugin which adds a third comment_status.
http://undeuxoutrois.de/bilder/ecapsm/write_01.png
With this plugin (and some additions to the theme) authors can allow commenting for all, for registered visitors only or for no one.
For this, the plugin manipulates, e.g., the appearance of the /wp_admin/post-new.php and /wp-admin/post.php pages via the JavaScript property innerHTML.
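
Added example, not part of the ticket or of WordPress: the failure discussed in this thread, reproduced by generating the inline statement both ways and checking whether it parses. The checkbox markup, the variable name box and the helper names are assumptions; JSON.stringify stands in for esc_js() and is not WordPress's implementation.

```javascript
// Constructed samples: the attribute text each version emits, per the ticket.
const CHECKED_WP27 = ' checked="checked"';
const CHECKED_WP28 = " checked='checked'";

// Hypothetical markup a plugin might assign through innerHTML.
function checkboxHtml(checkedAttr) {
  return '<input type="checkbox" name="comment_status"' + checkedAttr + ' />';
}

// Unsafe pattern: raw HTML pasted between single quotes in generated JS.
function unsafeInlineScript(checkedAttr) {
  return "box.innerHTML = '" + checkboxHtml(checkedAttr) + "';";
}

// Encode any value as a JS string literal (stand-in for esc_js()).
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')        // "</script>" cannot end the script element
    .replace(/\u2028/g, '\\u2028')   // line separators, rejected by older engines
    .replace(/\u2029/g, '\\u2029');
}

// Safe pattern: the encoder supplies the quotes and all escaping.
function safeInlineScript(checkedAttr) {
  return 'box.innerHTML = ' + jsStringLiteral(checkboxHtml(checkedAttr)) + ';';
}

// Compile the generated source without running it; false on a syntax error.
function parses(source) {
  try {
    new Function('box', source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Run the generated statement against a stub object and return the assignment.
function assignedHtml(source) {
  const box = {};
  new Function('box', source)(box);
  return box.innerHTML;
}

console.log('2.7 output, unescaped:', parses(unsafeInlineScript(CHECKED_WP27)));
console.log('2.8 output, unescaped:', parses(unsafeInlineScript(CHECKED_WP28)));
console.log('2.8 output, escaped:  ', parses(safeInlineScript(CHECKED_WP28)));
```

The unescaped template only worked before 2.8 because the attribute's quote character happened to differ from the script's string delimiter; the escaped form does not depend on which quotes the HTML uses.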