Automatic excerpt shows javascript source

[evansolomon]

If a post contains a Javascript embed, the_excerpt removes the iframe and the <script> tags but returns the Javascript source.

As more web services are using Javascript to make their embeds HTML5/mobile-compatible, this will probably become a more common problem.

To reproduce:

1. Publish a post with this content:

<iframe class="scribd_iframe_embed" src="http://www.scribd.com/embeds/65703182/content?start_page=1&view_mode=slideshow&access_key=key-1w596jxtzrcyu6cv72h7" data-auto-height="true" data-aspect-ratio="1.33333333333333" scrolling="no" id="doc_67442" width="100%" height="600" frameborder="0"></iframe><script type="text/javascript">(function() { var scribd = document.createElement("script"); scribd.type = "text/javascript"; scribd.async = true; scribd.src = "http://www.scribd.com/javascripts/embed_code/inject.js"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(scribd, s); })();</script>

2. View the post's automatic excerpt, such as in a search

3. The post's body will be:

(function() { var scribd = document.createElement("script"); scribd.type = "text/javascript"; scribd.async = true; scribd.src = "http://www.scribd.com/javascripts/embed_code/inject.js"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(scribd, s); })();

[nacin]

Confirmed that strip_tags() won't remove <script> content.

We could strip out script and style tags via preg_replace in the new wp_trim_words() function ([18732]) before running strip_tags().

[dd32]

we have wp_strip_all_tags() which is supposed to strip the contents of script and style tags, which is also used by wp_html_excerpt()

[duck_]

Replying to nacin:

Confirmed that strip_tags() won't remove <script> content.

We could strip out script and style tags via preg_replace in the new wp_trim_words() function ([18732]) before running strip_tags().

wp_stip_all_tags()?

[nacin]

Ah, there we go. Easy fix then. s/strip_tags/wp_strip_all_tags/

[SergeyBiryukov]

Probably a good example to introduce "easy-fix" tag for new contributors, as ​suggested by Jane.

[evansolomon]

Confirmed wp_strip_all_tags removes the script source, example in 18726.diff.

[nacin]

Replying to evansolomon:

Confirmed wp_strip_all_tags removes the script source, example in 18726.diff.

Instead, let's go into wp_trim_words() and change the strip_tags() call to wp_strip_all_tags().

[duck_]

Tests: ​[UT442]

[duck_]

In [18742]:

wp_strip_all_tags() in wp_trim_words() to remove CSS and JS within tags. Props evansolomon. Fixes #18726.