Make WordPress Core

Opened 11 years ago

Closed 11 months ago

#17636 closed defect (bug) (fixed)

Search subtitles are handled inconsistently across admin

Reported by: kawauso's profile kawauso Owned by: johnjamesjacoby's profile johnjamesjacoby
Milestone: 5.9 Priority: normal
Severity: normal Version: 3.2
Component: Comments Keywords: has-patch commit has-screenshots
Focuses: administration Cc:

Description

Try the following strings in the Comments admin screen and any other:

\'"\fs"\\\"

imareallylongstringlookatmegoandgoandgoandgoandgoandgoandgoandgoandgoandgoandgoandgoandgoandgo

The Comments screen uses strip_slashes() and wp_html_excerpt() to limit search strings to 50 characters, while other screens do not.

Attachments (5)

17636.patch (670 bytes) - added by jakub.tyrcha 11 years ago.
17636.2.diff (536 bytes) - added by lukecavanagh 6 years ago.
Patch Refreshed
17636.3.diff (550 bytes) - added by sabernhardt 14 months ago.
refreshed patch
17636.png (89.1 KB) - added by Hareesh Pillai 13 months ago.
17636.4.diff (416 bytes) - added by johnjamesjacoby 11 months ago.

Download all attachments as: .zip

Change History (17)

@jakub.tyrcha
11 years ago

#1 @jakub.tyrcha
11 years ago

  • Keywords has-patch added

All we need is wp_strip_all_tags (well I'm not sure if we need even this one, but the excerpt is certainly not needed). Besides, only the display is stripped - not the search string itself (tested).

Last edited 11 years ago by jakub.tyrcha (previous) (diff)

#2 @chriscct7
8 years ago

  • Keywords needs-refresh added; has-patch removed

#3 @chriscct7
7 years ago

  • Owner set to chriscct7
  • Status changed from new to assigned

@lukecavanagh
6 years ago

Patch Refreshed

#4 @lukecavanagh
6 years ago

  • Keywords has-patch added; needs-refresh removed

@sabernhardt
14 months ago

refreshed patch

#5 @sabernhardt
14 months ago

  • Milestone set to 5.9

I don't mind the truncation, but it makes little sense to have it only on the Comments screen. So the patch is refreshed, and I'm moving it to 5.9 consideration.

The search text wraps to the next line even when it is one long word, too.

#6 @sabernhardt
14 months ago

wp_html_excerpt was added in [10082]

#7 @Hareesh Pillai
13 months ago

Attached patch works fine.

This ticket was mentioned in Slack in #core by audrasjb. View the logs.


12 months ago

#9 @audrasjb
12 months ago

  • Keywords commit has-screenshots added

Reviewed during today's bug scrub.

The patch still applies cleanly against trunk and works fine on my side.

Marking for commit action.

#10 @johnjamesjacoby
11 months ago

Looking at 17636.3.diff, this nested combination of functions will not produce the desired results.

  • esc_html() is going to convert all HTML into entities
  • wp_strip_all_tags() won't have any tags to strip, as they've just been converted
  • Bonus: stripslashes( $_REQUEST['s'] ) is wp_unslash( $_REQUEST['s'] ) elsewhere

To make this even more fun:

  • Some screens do esc_html( wp_unslash( $_REQUEST['s'] ) )
  • Some screens use $s as a global, encoding/decoding it
  • Some methods use wp_unslash( trim( $_REQUEST['s'] ) ) when later passing into query arguments
  • get_search_query() and _admin_search_query() exist as esc_attr() alternatives

Let's do esc_html( wp_unslash( $_REQUEST['s'] ) ) here like is done on every other screen. This way it's consistent, and if future clean-up happens or the approach changes it can more easily happen everywhere.

Updated patch and commit imminent.

#11 @johnjamesjacoby
11 months ago

  • Component changed from Administration to Comments
  • Focuses administration added
  • Owner changed from chriscct7 to johnjamesjacoby

#12 @johnjamesjacoby
11 months ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 51975:

Admin/Comments: remove bespoke truncation from search string HTML.

This change removes a call to wp_html_excerpt() used on the HTML output of the search string, supplied by the current user in the previous page request via the named s input in the search-box UI.

If the search string is extremely long, it wraps around the available empty space in a way that is not visually displeasing, confirming that truncation is not a requirement here.

This also addresses a small accessibility concern as the non-truncated string was not alternatively presented, and helps normalize the output of $_REQUEST['s'] for more broad improvements in the future.

Props hareesh-pillai, jakubtyrcha, johnjamesjacoby, lukecavanagh, sabernhardt.

Fixes #17636.

Note: See TracTickets for help on using tickets.