Opened 15 years ago
Last modified 6 years ago
#11734 new defect (bug)
trackback_rdf() for IDN (xn--) Domains produces invalid HTML
Reported by: | lathspell | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | normal | Version: | 3.1 |
Component: | Comments | Keywords: | needs-testing |
Focuses: | Cc: |
Description
Hello
The trackback_rdf() function from wp-includes/comment-template.php wraps the "<rdf:RDF>...</rdf:RDF>" output inside "<!-- ... -->" HTML comments, probably to be safe as not all Browsers understand them.
When using Wordpress 2.9.1 on a site with an international domain name [1] that contains special characters like German "Umlauts" like äöü, this domain name is written as e.g. xn--tst-qla.de for täst.de.
Now the output of trackback_rdf() suddenly gets a "--" which is the SGML/HTML comment separator mark [2]. Firefox 3.5.6 e.g. sees this as the end of the comment and therefore shows the final "-->" as text to the user.
As the whole RDF tag is supposed to be invisible for the user, it's a bug in Wordpress :-(
Here is an real world example output:
<p class="post-tags"> </p> <p class="post-info"> </p> <!-- <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/"> <rdf:Description rdf:about="http://xn--bcher-entdecken-zvb.de/wordpress/index.php/wortlieblinge/" dc:identifier="http://xn--bcher-entdecken-zvb.de/wordpress/index.php/wortlieblinge/" dc:title="Wortlieblinge" trackback:ping="http://xn--bcher-entdecken-zvb.de/wordpress/index.php/wortlieblinge/trackback/" /> </rdf:RDF> --> </div>
Sadly I have not yet come up with a solution. PHPs urlencode() does not escape a double dash - which is ok as its usually perfectly valid. Maybe someone with RDF experience has a good idea.
bye,
-christian-
[1] http://en.wikipedia.org/wiki/Internationalized_domain_name#Example_of_IDNA_encoding
Attachments (3)
Change History (13)
#2
@
15 years ago
What steps can I use to reproduce this?
That said, I believe the attached patch would resolve this issue.
Additionally, using the IDNA plugin http://wordpress.org/extend/plugins/idna/ (which enables the use IDN's (international domain names) in WordPress) would resolve this.
#5
@
14 years ago
- Cc codestyling added
- Keywords needs-patch dev-feedback added; has-patch removed
- Version set to 3.1
IDN handling is different related to Browsers! WebKit based browser like Safari and Chrome work with PunyCode URL's but others like IE, Firefox and Opera doesn't.
This is a problem of Cross Site Scripting detection and can be realize and tested, if the Blog is configured to an PunyCode Url.
example out of a case I did investigate:
IDN: http://с-проект.рф
PunyCode: http://xn----jtbpoegeo.xn--p1ai
If you try to call a JSON request like this example with the generated admin_url() out of WordPress, which would become the PunyCode one:
new Ajax.Request('http://xn----jtbpoegeo.xn--p1ai/wp-admin/admin-ajax.php' ?>', { parameters: { action: 'get_download_section' }, onSuccess: function(transport) { elem.title=transport.responseJSON.title; }, onFailure: function(transport) { alert('JSON security bug') } } );
and the answer is correct 'application/json' with correct JSON content, than this fails on all browsers except WebKit based!
If you try it with the original IDN Url like:
new Ajax.Request('http://с-проект.рф/wp-admin/admin-ajax.php' ?>',
it works now for all other browsers but fails now on WebKit based.
My suggestion will be a conditional convertion back to IDN, if browser is not WebKit based.
I did this inside my WordPress plugin "Codestyling Localization" and it works now in any case. I did use the class idna_convert from Matthias Sommerfeld for easy decode of PunyCode admin url's in such a case.
Please check it also in relation to #11734 / #10690 / #14648 because this may also affect the flash uploader feeded with PunyCode url's instead of IDN for some browser!
#6
@
13 years ago
- Keywords close added; needs-patch dev-feedback removed
The wrapping in comments was actually done by the themes that used trackback_rdf()
. Seeing as those are no longer bundled in core, and the currently bundled themes don't use trackback_rdf()
, this can probably be closed?
Nice find!
IDN Related ticket: #10690