#22944 closed defect (bug) (fixed)
Scheduled posts trigger the non-unfiltered_html filters (regression)
Reported by: | Otto42 | Owned by: | nacin |
---|---|---|---|
Milestone: | 3.5.1 | Priority: | high |
Severity: | critical | Version: | 3.5 |
Component: | General | Keywords: | has-patch commit |
Focuses: | | Cc: | |
Description
To reproduce:
- Create a post
- Put some iframe or embed or whatever code in it, like a youtube iframe:
<iframe width="420" height="315" src="http://www.youtube.com/embed/oHg5SJYRHA0?rel=0" frameborder="0" allowfullscreen></iframe>
- Schedule the post for the future. One minute in the future will do.
When the post publishes, the iframe will be gone.
Something about the future-post triggers the kses filters. Since the user making the post (wp-cron) is unauthenticated, the unfiltered_html cap is not applied, and the filters engage, cleaning the post before it publishes.
Problem found in 3.5. Have not checked 3.4.2 yet to see if this is a regression.
Attachments (4)
Change History (24)
#1 @ 12 years ago
- Priority changed from normal to high
- Severity changed from normal to major
- Summary changed from Scheduled posts trigger the non-unfiltered_html filters to Scheduled posts trigger the non-unfiltered_html filters (regression)
#4 follow-up: ↓ 7 @ 12 years ago
Note that the act of publishing by the cron job also appears to create a revision with a post_author of zero. This also didn't happen in 3.4.2.
#5 @ 12 years ago
This is wp_publish_post(). We should restore it to a straight DB call.
It's a shame. wp_insert_post() is our lowest level API, but it just has too much crap in it. We need something lower.
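A simplified model of the mechanism described in the report and in the comment above, added here as an illustration; it is not WordPress code and not taken from any patch attached to this ticket. The function names, user IDs and the strip_tags() allow-list standing in for kses are assumptions.

```php
<?php
// Simplified model of this ticket's bug. NOT WordPress code: every function
// name, user ID and the strip_tags() allow-list below is hypothetical.
$current_user = 0;                      // 0 = unauthenticated, as under wp-cron
$caps  = [1 => ['unfiltered_html']];    // constructed: user 1 is an admin, user 2 has no caps
$posts = [];                            // in-memory stand-in for the posts table

function can_unfiltered_html(): bool {
    global $current_user, $caps;
    return in_array('unfiltered_html', $caps[$current_user] ?? [], true);
}

// Stand-in for the kses content filter: keep only a small tag allow-list.
function sanitize_content(string $html): string {
    return strip_tags($html, '<p><a><strong><em>');
}

// Full save path: content is re-filtered according to whoever is running NOW.
function save_post_full(int $id, array $fields): void {
    global $posts;
    $row = array_merge($posts[$id] ?? [], $fields);
    if (!can_unfiltered_html()) {
        $row['content'] = sanitize_content($row['content']);
    }
    $posts[$id] = $row;
}

// Status-only update: the stored content is never passed through the filter again.
function publish_status_only(int $id): void {
    global $posts;
    $posts[$id]['status'] = 'publish';
}

$embed = '<p>Video:</p><iframe src="http://www.youtube.com/embed/oHg5SJYRHA0?rel=0"></iframe>';
$current_user = 1;                      // admin schedules two identical posts
save_post_full(10, ['content' => $embed, 'status' => 'future']);
save_post_full(11, ['content' => $embed, 'status' => 'future']);
$current_user = 2;                      // low-privilege author: filtered at save time
save_post_full(12, ['content' => '<p>hi</p><script>x()</script>', 'status' => 'future']);

$current_user = 0;                      // the scheduler fires later as user 0
save_post_full(10, ['status' => 'publish']);   // regression path: full save
publish_status_only(11);                       // status-only path
publish_status_only(12);

foreach ([10 => '<iframe', 11 => '<iframe', 12 => '<script'] as $id => $tag) {
    printf("post %d: status=%s, contains %s: %s\n", $id, $posts[$id]['status'], $tag,
        strpos($posts[$id]['content'], $tag) !== false ? 'yes' : 'no');
}
```

Run as the scheduler identity, the full save path strips the admin's iframe from post 10, while the status-only path publishes posts 11 and 12 with their stored content unchanged. Post 12 was already filtered when its low-privilege author saved it, so skipping the filter at publish time does not let the script tag back in.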
#6 @ 12 years ago
- Cc esmi@… added
If WP 3.5.1 isn't going to be out for a few weeks, is there any chance of a fix being dropped into the Hotfix plugin? This is hitting more than iframe markup. I'm seeing support posts complaining that it's hitting script and even div tags (although that's one I haven't confirmed yet).
#7 in reply to: ↑ 4 @ 12 years ago
- Keywords has-patch added
Related: [21942], ticket:11399:20, ticket:11399:22
#8 follow-up: ↓ 12 @ 12 years ago
- Keywords needs-unit-tests added
Unit tests should cover two situations:
- A future-dated post should be forcibly moved to publish with wp_publish_post().
- A post should not get its content touched by kses when wp_publish_post() is called.
#10 @ 12 years ago
- Keywords needs-docs added
The PHPDoc was changed in [21942] -- after the patch it no longer @uses wp_update_post()
#12 in reply to: ↑ 8; follow-up: ↓ 14 @ 12 years ago
22944.test.patch is an attempt at the unit test.
Replying to nacin:
> A future-dated post should be forcibly moved to publish with wp_publish_post().
This currently doesn't happen due to the check in wp_insert_post(): http://core.trac.wordpress.org/browser/tags/3.5/wp-includes/post.php#L2817
22944.2.patch fixes that, however it turned out that clean_post_cache() is also needed for the test to pass. Added in 22944.3.patch. Not sure if the test should call it or wp_publish_post() itself.
#14 in reply to: ↑ 12 @ 12 years ago
Replying to SergeyBiryukov:
> 22944.2.patch fixes that, however it turned out that clean_post_cache() is also needed for the test to pass. Added in 22944.3.patch. Not sure if the test should call it or wp_publish_post() itself.
wp_publish_post() needs to call clean_post_cache() on its own. It did it implicitly in 3.5 via the save_post hook, but that meant we were calling it twice on wp_insert_post(), and that made no sense.
#15 @ 12 years ago
In 1174/tests:
Confirmed this as a regression, problem does not exist in 3.4.2.