Make WordPress Core

Opened 12 years ago

Closed 12 years ago

#18726 closed defect (bug) (fixed)

Automatic excerpt shows javascript source

Reported by: evansolomon's profile evansolomon Owned by: duck_'s profile duck_
Milestone: 3.3 Priority: normal
Severity: normal Version: 1.2
Component: General Keywords: easy-fix has-patch
Focuses: Cc:

Description

If a post contains a Javascript embed, the_excerpt removes the iframe and the <script> tags but returns the Javascript source.

As more web services are using Javascript to make their embeds HTML5/mobile-compatible, this will probably become a more common problem.

To reproduce:

  1. Publish a post with this content:

<iframe class="scribd_iframe_embed" src="http://www.scribd.com/embeds/65703182/content?start_page=1&view_mode=slideshow&access_key=key-1w596jxtzrcyu6cv72h7" data-auto-height="true" data-aspect-ratio="1.33333333333333" scrolling="no" id="doc_67442" width="100%" height="600" frameborder="0"></iframe><script type="text/javascript">(function() { var scribd = document.createElement("script"); scribd.type = "text/javascript"; scribd.async = true; scribd.src = "http://www.scribd.com/javascripts/embed_code/inject.js"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(scribd, s); })();</script>

  1. View the post's automatic excerpt, such as in a search
  1. The post's body will be:

(function() { var scribd = document.createElement("script"); scribd.type = "text/javascript"; scribd.async = true; scribd.src = "http://www.scribd.com/javascripts/embed_code/inject.js"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(scribd, s); })();

Attachments (2)

18726.diff (404 bytes) - added by evansolomon 12 years ago.
18726.2.diff (533 bytes) - added by evansolomon 12 years ago.

Download all attachments as: .zip

Change History (11)

#1 follow-up: @nacin
12 years ago

Confirmed that strip_tags() won't remove <script> content.

We could strip out script and style tags via preg_replace in the new wp_trim_words() function ([18732]) before running strip_tags().

#2 @dd32
12 years ago

we have wp_strip_all_tags() which is supposed to strip the contents of script and style tags, which is also used by wp_html_excerpt()

#3 in reply to: ↑ 1 @duck_
12 years ago

Replying to nacin:

Confirmed that strip_tags() won't remove <script> content.

We could strip out script and style tags via preg_replace in the new wp_trim_words() function ([18732]) before running strip_tags().

wp_stip_all_tags()?

#4 @nacin
12 years ago

Ah, there we go. Easy fix then. s/strip_tags/wp_strip_all_tags/

#5 @SergeyBiryukov
12 years ago

  • Keywords easy-fix added

Probably a good example to introduce "easy-fix" tag for new contributors, as suggested by Jane.

@evansolomon
12 years ago

#6 follow-up: @evansolomon
12 years ago

  • Keywords has-patch added; needs-patch removed

Confirmed wp_strip_all_tags removes the script source, example in 18726.diff.

#7 in reply to: ↑ 6 @nacin
12 years ago

Replying to evansolomon:

Confirmed wp_strip_all_tags removes the script source, example in 18726.diff.

Instead, let's go into wp_trim_words() and change the strip_tags() call to wp_strip_all_tags().

@evansolomon
12 years ago

#8 @duck_
12 years ago

  • Milestone changed from Awaiting Review to 3.3
  • Version set to 1.2

Tests: [UT442]

#9 @duck_
12 years ago

  • Owner set to duck_
  • Resolution set to fixed
  • Status changed from new to closed

In [18742]:

wp_strip_all_tags() in wp_trim_words() to remove CSS and JS within tags. Props evansolomon. Fixes #18726.

Note: See TracTickets for help on using tickets.