Make WordPress Core

Opened 5 years ago

Last modified 14 months ago

#14268 new defect (bug)

Comments editor HTML tag

Reported by: pkirk
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version: 3.0
Component: Text Changes
Keywords: needs-patch
Focuses:
Cc:


With a vanilla (2.8.4 -> 3.0) installation, if you go and edit the comment from Mr WordPress, you will see that in the editor you can find the HTML code of the apostrophe for "post's".

Hi, this is a comment.<br />To delete a comment, just log in and view the post&#039;s comments. There you will have the option to edit or delete them.

The problem comes with a production env with European languages where comments are full of accented letters that make the reading almost impossible.

Attachments (1)

esc_html_comment_form.php (368 bytes) - added by scribu 4 years ago.
Force esc_html() escaping


Change History (7)

comment:1 @scribu 4 years ago

This would be a case for using esc_html() instead of esc_textarea(). See #15454

comment:2 @scribu 4 years ago

... because esc_html() doesn't escape special characters.

@scribu 4 years ago

Force esc_html() escaping

comment:3 @scribu 4 years ago

  • Milestone changed from Awaiting Review to 3.1

Turns out the content is escaped twice: first in get_comment_to_edit() and then again in wp_htmledit_pre().

In esc_html_comment_form.php I had to use $wpdb directly because the cached version returned from get_comment() is the escaped one. This should definitely be fixed.
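Added example (not the ticket's attachment and not WordPress core code) that models the single and double escaping passes described in comment 3: esc_html() is modelled as htmlspecialchars() with double_encode off, since _wp_specialchars() leaves existing entities alone, and esc_textarea()/wp_htmledit_pre() as the same call with double_encode on; the model_* helpers and the sample strings are constructed here.

```php
<?php
// Added example, not code from the ticket or from WordPress core. It models
// the two escaping behaviours discussed in comment 3: esc_html() goes through
// _wp_specialchars(), which leaves existing entities alone (double_encode =
// false), while esc_textarea() calls htmlspecialchars() with double_encode on.

// Constructed sample: the default comment as stored in the DB, apostrophe
// already stored as the entity &#039; (see the ticket description).
$stored = "view the post&#039;s comments.";

// Model of esc_html(): existing entities pass through untouched.
function model_esc_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', false);
}

// Model of esc_textarea() / wp_htmledit_pre(): every '&' is re-encoded,
// so &#039; becomes &amp;#039; on each pass.
function model_esc_textarea(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', true);
}

function expect(string $label, string $actual, string $expected): void
{
    if ($actual !== $expected) {
        throw new RuntimeException("$label: got '$actual'");
    }
    echo "$label: ok\n";
}

// One pass: the non-double-encoding model keeps the entity, which a textarea
// decodes back to a plain apostrophe; the other model shows &#039; literally.
expect('esc_html x1', model_esc_html($stored), $stored);
expect('esc_textarea x1', model_esc_textarea($stored),
       "view the post&amp;#039;s comments.");

// Two passes, the "escaped twice" path from comment 3: only the
// non-double-encoding model is idempotent.
expect('esc_html x2', model_esc_html(model_esc_html($stored)), $stored);
expect('esc_textarea x2', model_esc_textarea(model_esc_textarea($stored)),
       "view the post&amp;amp;#039;s comments.");

// Entity pass-through does not weaken the escaping of markup: a comment
// body that tries to close the textarea is neutralised by both models.
$markup = '</textarea><b>not bold</b>';
expect('markup escaped', model_esc_html($markup),
       '&lt;/textarea&gt;&lt;b&gt;not bold&lt;/b&gt;');
```

Run it with `php` on the command line; each check prints "ok" or throws with the string it actually produced.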

comment:4 @scribu 4 years ago

Actually, the problem is that get_comment() checks $GLOBALS['comment'].

comment:5 @scribu 4 years ago

  • Keywords needs-patch added
  • Milestone changed from 3.1 to Future Release

No easy fix for this, unfortunately. Punting.

comment:6 @nacin 14 months ago

  • Component changed from General to Text Changes

What we should actually do is remove the entity from upgrade.php, and let texturize do the work. Otherwise, what's happening when editing the comment appears to be proper, as this *is* what's in the DB.
