Opened 16 years ago
Closed 13 days ago
#11734 closed defect (bug) (invalid)
trackback_rdf() for IDN (xn--) Domains produces invalid HTML
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Priority: | normal | |
| Severity: | normal | Version: | 3.1 |
| Component: | Comments | Keywords: | needs-testing |
| Focuses: | Cc: |
Description
Hello
The trackback_rdf() function from wp-includes/comment-template.php wraps the "<rdf:RDF>...</rdf:RDF>" output inside "<!-- ... -->" HTML comments, probably to be safe as not all Browsers understand them.
When using Wordpress 2.9.1 on a site with an international domain name [1] that contains special characters like German "Umlauts" like äöü, this domain name is written as e.g. xn--tst-qla.de for täst.de.
Now the output of trackback_rdf() suddenly gets a "--" which is the SGML/HTML comment separator mark [2]. Firefox 3.5.6 e.g. sees this as the end of the comment and therefore shows the final "-->" as text to the user.
As the whole RDF tag is supposed to be invisible for the user, it's a bug in Wordpress :-(
Here is an real world example output:
<p class="post-tags">
</p>
<p class="post-info">
</p>
<!--
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/">
<rdf:Description rdf:about="http://xn--bcher-entdecken-zvb.de/wordpress/index.php/wortlieblinge/"
dc:identifier="http://xn--bcher-entdecken-zvb.de/wordpress/index.php/wortlieblinge/"
dc:title="Wortlieblinge"
trackback:ping="http://xn--bcher-entdecken-zvb.de/wordpress/index.php/wortlieblinge/trackback/" />
</rdf:RDF> -->
</div>
Sadly I have not yet come up with a solution. PHPs urlencode() does not escape a double dash - which is ok as its usually perfectly valid. Maybe someone with RDF experience has a good idea.
bye,
-christian-
[1] http://en.wikipedia.org/wiki/Internationalized_domain_name#Example_of_IDNA_encoding
Attachments (3)
Change History (14)
#2
@
16 years ago
What steps can I use to reproduce this?
That said, I believe the attached patch would resolve this issue.
Additionally, using the IDNA plugin http://wordpress.org/extend/plugins/idna/ (which enables the use IDN's (international domain names) in WordPress) would resolve this.
#5
@
15 years ago
- Cc codestyling added
- Keywords needs-patch dev-feedback added; has-patch removed
- Version set to 3.1
IDN handling is different related to Browsers! WebKit based browser like Safari and Chrome work with PunyCode URL's but others like IE, Firefox and Opera doesn't.
This is a problem of Cross Site Scripting detection and can be realize and tested, if the Blog is configured to an PunyCode Url.
example out of a case I did investigate:
IDN: http://с-проект.рф
PunyCode: http://xn----jtbpoegeo.xn--p1ai
If you try to call a JSON request like this example with the generated admin_url() out of WordPress, which would become the PunyCode one:
new Ajax.Request('http://xn----jtbpoegeo.xn--p1ai/wp-admin/admin-ajax.php' ?>',
{
parameters: {
action: 'get_download_section'
},
onSuccess: function(transport) {
elem.title=transport.responseJSON.title;
},
onFailure: function(transport) {
alert('JSON security bug')
}
}
);
and the answer is correct 'application/json' with correct JSON content, than this fails on all browsers except WebKit based!
If you try it with the original IDN Url like:
new Ajax.Request('http://с-проект.рф/wp-admin/admin-ajax.php' ?>',
it works now for all other browsers but fails now on WebKit based.
My suggestion will be a conditional convertion back to IDN, if browser is not WebKit based.
I did this inside my WordPress plugin "Codestyling Localization" and it works now in any case. I did use the class idna_convert from Matthias Sommerfeld for easy decode of PunyCode admin url's in such a case.
Please check it also in relation to #11734 / #10690 / #14648 because this may also affect the flash uploader feeded with PunyCode url's instead of IDN for some browser!
#6
@
14 years ago
- Keywords close added; needs-patch dev-feedback removed
The wrapping in comments was actually done by the themes that used trackback_rdf(). Seeing as those are no longer bundled in core, and the currently bundled themes don't use trackback_rdf(), this can probably be closed?
#7
@
12 years ago
- Keywords has-patch 2nd-opinion added; close removed
- Hexifies all
-- - Removes
wptexturize()(it's in the filter already).
#10
@
10 years ago
- Keywords needs-testing added; needs-refresh removed
Patch applied fine, but VVV wasn't happy with my attempting to spin up äöü.dev as it resulted in similarly broken URLs as demonstrated above. So I am going to test outside of VVV and will report back.
#11
@
13 days ago
- Resolution set to invalid
- Status changed from new to closed
Unless I made a mistake, I could find nowhere in the WordPress history where it automatically added the reported comments. Could this have come from a theme? I also didn’t see anywhere that WordPress itself calls trackback_rdf() after 2003, but it was in Kubric with the wrapping comment.
It exists wrapped in comments in multiple themes.
For now I’m going to close this as invalid because I think it’s likely a theme issue and I can’t find evidence in Core that it ever did this on its own.
For what it’s worth there seems to be some value in parts of the patches. I wouldn’t mind seeing some updates to the function, but perhaps not on this ticket.
If someone wants to escalate, see if you still have the issue and can figure out what theme is in use, then create a ticket in the appropriate place for that theme.
Nice find!
IDN Related ticket: #10690