admin post.php fails html validation due to use of "[" in name/id/for of hidden custom fields

[anmari]

Post.php is causing many many html validation errors due to hidden screen reader text for post meta fields mainly. Not a major problem, but annoying when attempting to validate admin plugin code.

eg:

<label class='screen-reader-text' for='meta[1957][key]'>Key</label><input name='meta[1957][key]' id='meta[1957][key]' tabindex='6' type='text' size='20' value='_wp_geo_latitude' />

character "[" is not allowed in the value of attribute "id"
character "[" is not allowed in the value of attribute "for"

"[" are allowed in the name attribute. So perhaps one could simply strip them out them for the 'id' and the 'for'?

Other failed validation messages that occur a lot and appear to be wp generated code:

• ID "_ajax_nonce" already defined
• reference to non-existent ID "metakeyselect"

[neoxx]

Speaking of _ajax_nonce, _ajax_nonce & _wp_nonce appear not to be unique in several other places of the Admin Menu (e.g. the template-edit pages like Categories). - Maybe we should open a separate ticket as in #13383?

[nacin]

We'd want to use something like sanitize_html_class() to properly remove invalid characters.

[cs_shadow]

So, should the "[" be removed or escaped?

[SergeyBiryukov]

Have to be careful to not reintroduce something like #21829, but 14376.patch​ appears to be working.

Confirmed that #metakeyselect only exists if there is at least one non-private meta key in the database: tags/3.8.1/src/wp-admin/includes/template.php#L582​.

Multiple _ajax_nonce fields are fixed in [14933].

[nacin]

Is this actually still a problem? In HTML5, [ and ] are allowed in IDs. The only real issue is #metakeyselect.

[nacin]

In 27776:

Proper IDs for the custom fields box.

props SergeyBiryukov.
fixes #14376.