Context Navigation

← Previous Ticket
Next Ticket →

#16611 closed defect (bug) (fixed)

Too few arguments to sprintf in WP_List_Table::comments_bubble()

Reported by:	nacin	Owned by:
Milestone:	3.1	Priority:	high
Severity:	normal	Version:	3.1
Component:	General	Keywords:	has-patch commit
Focuses:		Cc:

Description

Not really sure where the bug is, but looks legit:

http://wordpress.org/support/topic/warning-sprintf-functionsprintf-too-few-arguments?replies=1

Attachments (5)

16611.patch (1.3 KB) - added by SergeyBiryukov 4 years ago.
16611.diff (1.4 KB) - added by nacin 4 years ago.
16611.2.diff (1.1 KB) - added by nacin 4 years ago.
16611.2.patch (948 bytes) - added by SergeyBiryukov 4 years ago.
16611.3.patch (921 bytes) - added by SergeyBiryukov 4 years ago.

Download all attachments as: .zip

Change History (22)

comment:1 @SergeyBiryukov — 4 years ago

Can reproduce with non-English characters in siteurl. The link becomes something like this:

<a href='...%d1%82%d0%b5%d1%81%d1%82/wp-admin/edit-comments.php?p=4' title='0 pending' class='post-com-count'><span class='comment-count'>%s</span></a>

@SergeyBiryukov — 4 years ago

Attachment 16611.patch added

comment:2 @SergeyBiryukov — 4 years ago

Keywords has-patch added

comment:3 @scribu — 4 years ago

Keywords commit added
Version set to 3.1

Ah, right, because sprintf() thinks those encoded chars are placeholders. Makes sense now.

comment:4 @nacin — 4 years ago

Priority changed from normal to high

$pending_phrase also needs to be escaped.

@nacin — 4 years ago

Attachment 16611.diff added

comment:5 @nacin — 4 years ago

Keywords commit removed

The URL should also be escaped.

Regardless, patch leaves an issue, due to the nature of comments_number(). If comments > 1, then comments_number() will do an str_replace() on the %. This borks the URL.

comment:6 @nacin — 4 years ago

Proper function here is get_comments_number(), wrapped with number_format_i18n(). Anything else is extra we don't need or leverage, due to the arguments we pass comments_number().

@nacin — 4 years ago

Attachment 16611.2.diff added

comment:7 @nacin — 4 years ago

New patch.

comment:8 @nacin — 4 years ago

Keywords commit added

I was wondering why we were using comments_number() like this.

In 3.0, we had code that looked like the red in r15504 -- basically, massive strings going into comments_number(). We also didn't wrap the link in admin_url(), thus we had no extra percentages to screw things up. sprintf() plus admin_url(), two pretty innocuous changes, caused the regression.

The smarter structuring in r15504 in turn revealed that get_comments_number() is a better approach.

comment:9 @ryan — 4 years ago

Looks good, tests good. Ship it.

comment:10 @nacin — 4 years ago

Resolution set to fixed
Status changed from new to closed

(In [17475]) Use get_comments_number() in comments_bubble() method. Removes chance of sprintf arguments error due to percent encoding in URLs and kills unnecessary translations. Escape translations into attributes. esc_url on admin_url. fixes #16611 for trunk.

comment:11 @nacin — 4 years ago

(In [17476]) Use get_comments_number() in comments_bubble() method. Removes chance of sprintf arguments error due to percent encoding in URLs and kills unnecessary translations. Escape translations into attributes. esc_url on admin_url. fixes #16611 for the 3.1 branch.