Opened 15 years ago
Closed 15 years ago
#13383 closed task (blessed) (fixed)
Validate the HTML in the admin area
Reported by: | nacin | Owned by: | |
---|---|---|---|
Milestone: | 3.0 | Priority: | normal |
Severity: | normal | Version: | 3.0 |
Component: | Administration | Keywords: | needs-patch |
Focuses: | Cc: |
Description
Per the dev chat today: Check for and correct invalid HTML in the admin area.
We're not concerned about ARIA or autocomplete -- we're concerned about invalid HTML that reveals improper markup (such as unclosed or improperly nested tags), as that usually leads to larger display issues when rendering the page under some or all conditions.
Small patches from anyone willing to join in. (Stick to small patches that way multiple contributors don't duplicate efforts.) One of us will commit as soon as we see them. Be sure to post a comment in addition to the patch to trigger a notification.
Don't forget about multisite. :-)
Attachments (24)
Change History (67)
#2
@
15 years ago
- Cc justin.shreve@… added
I'm going to jump in on this as much as I can (it's finals week). I found a missing tr in custom-background.php that the above patch fixes.
#3
follow-up:
↓ 6
@
15 years ago
Sorry for the multiple patches - doing this in between other things.
The last one was causing an error under circumstances because a </td></tr> set was being echoed instead of added to the output string for get_media_item.
#6
in reply to:
↑ 3
@
15 years ago
Replying to jshreve:
Sorry for the multiple patches - doing this in between other things.
Nothing wrong with multiple patches. See original ticket description. :)
#7
@
15 years ago
Also, mark off files you've tested if you can, and mention whether or not you tested it on multisite. Just so we don't duplicate efforts.
#8
@
15 years ago
I am falling asleep. theme-editor.php is throwing <div class='highlight'> inside of an anchor. Line 184 I think.
I will get to it in the next day or two unless someone knocks it out.
#15
in reply to:
↑ 14
@
15 years ago
(In [14628]) Ensure validation.
To avoid the second function call in line 160, we could optimize the code to something like
if ( $bg_color = get_background_color() ) $background_styles .= "background-color: #{$bg_color};";
instead.
@
15 years ago
Standardize FORM id for upload to use lowercase with hyphen. See media.php: <?php echo $type; ?>-form
#17
follow-up:
↓ 18
@
15 years ago
- Cc ocean90@… added
Please pay attention if you change class/id names. You should fix it in the stylesheets too.
Validation erros for custom-header are handled in #13231.
#18
in reply to:
↑ 17
@
15 years ago
Replying to ocean90:
Please pay attention if you change class/id names. You should fix it in the stylesheets too.
If you're referring to my patch 13383-use-lowercase.diff, uploadForm is not specified in stylesheet. So changing to upload-form doesn't affect anything.
#19
@
15 years ago
I found two missing esc_url calls so far. one on the media buttons (causing errors on dashboard and post screen) and on the set featured image link (errors on post screen). I'm sure that there may be some more.
#22
@
15 years ago
press-this.php has a good number of issues, all tied to unescaped JavaScript it seems. A CDATA might help, but I don't if it wouldn't break something else entirely.
#23
follow-up:
↓ 24
@
15 years ago
I don't have a problem with 13383-no_duplicate_function_call.patch, but it's hardly the only repetitive function call there. We call get_theme_mod alot.
I'd almost rather keep it. Or, introducing a slew of new variables at the start of the script and then using them is really the only option that will allow us to not make it too spaghetti-like throughout.
Those options are autoloaded, so it's rather trivial.
Re CDATA, see also #11939. Haven't looked at press-this though to see exactly what's going on.
#25
@
15 years ago
A few multisite-related ones. I'm surprised by some, as the files seem to already have gone through proof-validating in this ticket...
wp-admin/network.php:
Line 127, Column 20: required attribute "action" not specified <form method="post">
Note that here, the network was already activated, so there might not even be a need for a form in the first place...
wp-admin/ms-sites.php
Line 234, Column 30: ID "_wpnonce" already defined <input type="hidden" id="_wpnonce" name="_wpnonce" value="9983aaea9e" /><in… Info Line 165, Column 29: ID "_wpnonce" first defined here <input type="hidden" id="_wpnonce" name="_wpnonce" value="f3ed217f78" /><inp…
wp-admin/ms-sites.php?action=editblog&id=1: cases of duplicated IDs, cases of non-existent IDs
wp-admin/ms-users.php: ID "_wpnonce" already defined
wp-admin/ms-options.php: a dozen of errors, including a seemingly broken table.
#29
@
15 years ago
wp-admin/network.php
Fixing.
wp-admin/ms-sites.php
wp-admin/ms-users.php
In order to fix multiple uses of _wpnonce, we need to make check to see we either only need one of them, or give each one their own name (and change the check_admin_referer checks to reflect that).
wp-admin/ms-sites.php?action=editblog&id=1
Patch welcome. I can imagine that editblog is a mess.
wp-admin/ms-options.php
Fixed in patch by Utkarsh.
#33
@
15 years ago
nacin,
any reason why you skipped 13383-dont-wrap-div-with-p-tags.diff, and 13383-escape-preview.diff? Both patch tested. 13383-use-lowercase.diff tested but need review and feedback.
#36
@
15 years ago
I didn't see anyone else attempt the nonce stuff. To fix some errors on ms-users and ms-sites I gave the nonces their own names and edited the checks to reflect it (per nacin's comment).
msnonce.diff
#39
@
15 years ago
Added also a patch for new post page. There are also 3 '_ajax_nonce' IDs, should be fixed too. I couldn't find the right nonce checks.
#40
@
15 years ago
We should hide the Flash box if Javascript is deactivated.
Before: http://grab.by/4xsu | After: http://grab.by/4xsr
end tag for "tr" omitted in custom-background.php