Make WordPress Core

Opened 10 years ago

Closed 7 years ago

#14376 closed defect (bug) (fixed)

admin post.php fails html validation due to use of "[" in name/id/for of hidden custom fields

Reported by: anmari
Owned by: nacin
Milestone: 3.9
Priority: lowest
Severity: normal
Version: 3.0
Component: Posts, Post Types
Keywords: has-patch
Focuses: accessibility, administration
Cc:

Description (last modified by SergeyBiryukov)

Post.php is causing many many html validation errors due to hidden screen reader text for post meta fields mainly. Not a major problem, but annoying when attempting to validate admin plugin code.


<label class='screen-reader-text' for='meta[1957][key]'>Key</label><input name='meta[1957][key]' id='meta[1957][key]' tabindex='6' type='text' size='20' value='_wp_geo_latitude' />

character "[" is not allowed in the value of attribute "id"
character "[" is not allowed in the value of attribute "for"

"[" are allowed in the name attribute. So perhaps one could simply strip them out for the 'id' and the 'for'?

Other failed validation messages that occur a lot and appear to be wp generated code:

  • ID "_ajax_nonce" already defined
  • reference to non-existent ID "metakeyselect"

Attachments (1)

14376.patch (2.4 KB) - added by SergeyBiryukov 7 years ago.


Change History (10)

#1 @neoxx
10 years ago

  • Severity changed from trivial to normal

Speaking of _ajax_nonce, _ajax_nonce & _wp_nonce appear not to be unique in several other places of the Admin Menu (e.g. the template-edit pages like Categories). Maybe we should open a separate ticket as in #13383?

#2 @nacin
10 years ago

  • Keywords needs-patch added; validation meta customfields removed
  • Milestone changed from Awaiting Review to Future Release
  • Priority changed from normal to lowest

We'd want to use something like sanitize_html_class() to properly remove invalid characters.

#3 @SergeyBiryukov
8 years ago

  • Description modified (diff)

#4 @nacin
7 years ago

  • Component changed from Validation to Administration
  • Focuses accessibility added

#5 @nacin
7 years ago

  • Component changed from Administration to Posts, Post Types
  • Focuses administration added

#6 @cs_shadow
7 years ago

So, should the "[" be removed or escaped?

#7 @SergeyBiryukov
7 years ago

  • Keywords has-patch added; needs-patch removed
  • Milestone changed from Future Release to 3.9

Have to be careful to not reintroduce something like #21829, but 14376.patch appears to be working.

Confirmed that #metakeyselect only exists if there is at least one non-private meta key in the database: tags/3.8.1/src/wp-admin/includes/template.php#L582.

Multiple _ajax_nonce fields are fixed in [14933].

#8 @nacin
7 years ago

Is this actually still a problem? In HTML5, [ and ] are allowed in IDs. The only real issue is #metakeyselect.

#9 @nacin
7 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 27776:

Proper IDs for the custom fields box.

props SergeyBiryukov.
fixes #14376.
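
The options raised in this ticket (strip the brackets, replace them, or keep them because HTML5 permits them), compared in an added PHP example that is not WordPress core code or the attached patch. The helper names and all sample field names except the first are constructed for illustration.

```php
<?php
// Added example: helper names are hypothetical, not WordPress APIs.

// HTML 4.01 ID token: a letter, then letters, digits, "-", "_", ":" or ".".
function is_valid_html4_id(string $id): bool {
    return preg_match('/^[A-Za-z][A-Za-z0-9_:.-]*$/', $id) === 1;
}

// HTML5: at least one character and no ASCII whitespace.
function is_valid_html5_id(string $id): bool {
    return $id !== '' && preg_match('/[ \t\n\f\r]/', $id) === 0;
}

// Candidate ways of turning a field name into an id/for value.
$strategies = [
    'unchanged' => fn(string $n): string => $n,
    // Suggestion from the description: drop the brackets entirely.
    'strip'     => fn(string $n): string => str_replace(['[', ']'], '', $n),
    // Keep one "-" per bracket group so the group boundaries survive.
    'separator' => fn(string $n): string => rtrim(preg_replace('/\]\[|\[|\]/', '-', $n), '-'),
];

// Constructed sample names; the first is the one quoted in the ticket.
$names = ['meta[1957][key]', 'meta[19][57]', 'meta[195][7]'];

foreach ($strategies as $label => $to_id) {
    $seen = []; // id => field name that first produced it
    foreach ($names as $name) {
        $id   = $to_id($name);
        $note = isset($seen[$id]) ? "  DUPLICATE of {$seen[$id]}" : '';
        $seen[$id] ??= $name;
        printf(
            "%-9s %-16s -> %-16s html4=%-3s html5=%-3s%s\n",
            $label, $name, $id,
            is_valid_html4_id($id) ? 'ok' : 'bad',
            is_valid_html5_id($id) ? 'ok' : 'bad',
            $note
        );
    }
}
```

With these names, plain stripping gives meta[19][57] and meta[195][7] the same id, so a label's for attribute would resolve to the wrong field. The separator form keeps them distinct here, but names that already contain hyphens can still collide, so a uniqueness check is still needed.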
