Make WordPress Core

Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#10111 closed defect (bug) (wontfix)

output of function checked resp. __checked_selected_helper has single quotation marks which can produce JS error

Reported by: ntm
Owned by: westi
Milestone:
Priority: normal
Severity: normal
Version: 2.8
Component: General
Keywords: has-patch reporter-feedback
Focuses:
Cc:


The function checked returned checked="checked" (with double quotation marks) until WP 2.7, and now returns it with single quotation marks.

If this new behavior is intentional then I want to suggest giving the opportunity to pass another parameter to this function which specifies the type of the quotation marks.

Simply write $result = ' '.$type.'="'.$type.'"'; instead of $result = " $type='$type'"; now.

In file /wp-admin/includes/template.php (line 419) of WP 2.8.

Attachments (1)

10111.diff (437 bytes) - added by Denis-de-Bernardy 12 years ago.

Change History (7)

#1 @Denis-de-Bernardy
12 years ago

  • Keywords needs-patch added
  • Milestone changed from 2.8.1 to 2.9
  • Type changed from defect (bug) to enhancement

#2 @Denis-de-Bernardy
12 years ago

  • Component changed from Administration to General
  • Keywords has-patch commit added; needs-patch removed
  • Milestone changed from 2.9 to 2.8.1
  • Type changed from enhancement to defect (bug)

#3 @westi
12 years ago

  • Keywords reporter-feedback added; commit checked quotation marks removed
  • Owner set to westi
  • Status changed from new to accepted

Please could the reporter share example code that they were using which no longer works correctly.

#4 @Denis-de-Bernardy
12 years ago

It's almost certainly something along the lines of writing JS without escaping the HTML.

#5 @ryan
12 years ago

  • Milestone 2.8.1 deleted
  • Resolution set to wontfix
  • Status changed from accepted to closed

We'll call it a security audit feature. :-) esc_js() should really be used, if that is the scenario here. Reopen if esc_js() is not appropriate for your context.

#6 @ntm
12 years ago

Thank you for your regard. ryan, you are right. esc_js() or js_escape() solves my problem, too.

I have written a plugin which adds a third comment_status.
With this plugin (and some additions to the theme), authors can allow commenting for all, for registered visitors only, or for no one.
For the plugin manipulates, e.g., the appearance of the /wp_admin/post-new.php and /wp-admin/post.php pages via the JavaScript property innerHTML.
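
The failure discussed in comments 4 to 6, as an added example that is not code from the ticket, the plugin, or WordPress: PHP-generated markup is placed inside a single-quoted JavaScript string literal, once raw and once escaped. The `demo_*` functions and the `el` variable are hypothetical; `demo_escape_js()` is a simplified stand-in for esc_js(), not its implementation, and the sample markup is constructed.

```php
<?php
// Added example, not WordPress code. All demo_* names are hypothetical.

// The two quoting styles quoted in the ticket description.
function demo_checked_attr(string $type, bool $double_quotes): string {
    return $double_quotes
        ? ' ' . $type . '="' . $type . '"'   // style reported for WP 2.7
        : " $type='$type'";                  // style reported for WP 2.8
}

// Simplified stand-in for esc_js(): backslash-escape quotes and backslashes,
// drop CR and encode LF so the value stays on one line of the JS literal.
function demo_escape_js(string $text): string {
    return str_replace(["\r", "\n"], ['', '\\n'], addslashes($text));
}

// True when $body can sit inside a JS string literal delimited by $quote:
// it holds no unescaped delimiter and no raw line break.
function demo_literal_is_intact(string $body, string $quote): bool {
    $len = strlen($body);
    for ($i = 0; $i < $len; $i++) {
        if ($body[$i] === '\\') {
            $i++;            // skip the character the backslash escapes
            continue;
        }
        if ($body[$i] === $quote || $body[$i] === "\n" || $body[$i] === "\r") {
            return false;
        }
    }
    return true;
}

// Constructed sample: checkbox markup assigned to innerHTML from a
// single-quoted JS literal, built with each quoting style.
foreach ([true, false] as $double_quotes) {
    $raw = '<input type="checkbox"' . demo_checked_attr('checked', $double_quotes) . ' />';
    $variants = ['raw' => $raw, 'escaped' => demo_escape_js($raw)];
    foreach ($variants as $label => $body) {
        printf(
            "%s quotes, %-7s: %s\n    el.innerHTML = '%s';\n",
            $double_quotes ? 'double' : 'single',
            $label,
            demo_literal_is_intact($body, "'") ? 'literal intact' : 'literal BROKEN',
            $body
        );
    }
}
```

Only the raw single-quote variant breaks this literal; had the JavaScript used a double-quoted literal, the raw double-quote variant would break instead, which is why escaping at the point of output is the fix rather than a particular quote style.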
