Opened 11 years ago
Closed 11 years ago
#26307 closed defect (bug) (duplicate)
Link tool in basic editor should escape quotes
Reported by: | anonymized_7561207 | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | major | Version: | 3.7.1 |
Component: | Editor | Keywords: | has-patch |
Focuses: | Cc: |
Description
When inserting links, I quite often use quotes inside the link tooltip (e.g. a tooltip like: Lookup "foo" on Wiktionary. Or Read more about "Foo" on Wikipedia.)
However these always end up being inserted in the editor unescaped.
Example text <a href="https://en.wiktionary.org/wiki/whilst" title="Lookup "whilst" on Wiktionary" target="_blank">whilst</a> referring to <a href="https://en.wikipedia.org/wiki/Elementary_(TV_series)" title="Read about "Elementary (TV series)" on Wikipedia" target="_blank">Elementary</a> on Wikipedia.
The attribute values for "title" and "href" (like any attribute value, really) need escaping (especially the tooltip, which is more likely to contain a quote, though the URL should naturally have HTML special characters escaped as well).
Attachments (2)
Change History (10)
#3
@
11 years ago
Updated the patch of SergeyBiryukov because the affected lines changed in the trunk. The change in the patch is still the same, and I can confirm it fixes the bug.
#5
@
11 years ago
- Milestone changed from Awaiting Review to 3.9
Generally, a refresh is only needed when the patch no longer applies cleanly.
#6
@
11 years ago
The patch makes sense. Perhaps it should escape the other "htmlspecialchars" too, something like:
if ( attrs.title ) {
    // encode the characters that would end or corrupt the attribute value
    var title = attrs.title.replace( /"/g, '&quot;' ).replace( /</g, '&lt;' ).replace( />/g, '&gt;' );
    html += ' title="' + title + '"';
}
#7
@
11 years ago
A good function to escape HTML in Javascript is the following function:
function escapeHtml(text) {
    // '&' must be replaced first so the entities produced below are not re-encoded
    return text
        .replace(/&/g, "&amp;")
        .replace(/</g, "&lt;")
        .replace(/>/g, "&gt;")
        .replace(/"/g, "&quot;")
        .replace(/'/g, "&#039;");
}
The easiest fix is to just inline this function and only apply it to the title attribute of the link being built. But I can imagine that the functionality for escaping HTML could be reused elsewhere in the future, so maybe there is a better location to put this function? Maybe as a function in the wp-includes/js/utils.js file? Or maybe in a new JavaScript file, for example wp-includes/js/formatting.js?
I am new to WordPress contributing, so if someone could tell me what would be the best approach in line with the WordPress coding standards, I am happy to implement it and provide a patch.
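As an added example that is not code from the ticket or from WordPress core, the following shows the escaping that comments #6 and #7 discuss: an `escapeHtml()` helper plus two hypothetical link builders, `buildLinkUnescaped()` (the behaviour the ticket reports) and `buildLinkEscaped()` (every attribute value entity-encoded). The `attributeValue()` helper mimics how an attribute value ends at the first raw double quote, which is what makes the unescaped title break apart. All names, and the sample link, are constructed for this example.

```javascript
// Added example, not code from the ticket or from WordPress core.
// Map each HTML-significant character to its entity.
var HTML_ENTITIES = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#039;'
};

function escapeHtml( text ) {
    // One regex pass replaces all five characters at once, so the '&' that
    // an entity introduces is never itself re-encoded.
    return String( text ).replace( /[&<>"']/g, function ( ch ) {
        return HTML_ENTITIES[ ch ];
    } );
}

// Hypothetical link builder with the behaviour the ticket reports:
// attribute values are concatenated as-is.
function buildLinkUnescaped( attrs ) {
    var html = '<a href="' + attrs.href + '"';
    if ( attrs.title ) {
        html += ' title="' + attrs.title + '"';
    }
    if ( attrs.target ) {
        html += ' target="' + attrs.target + '"';
    }
    return html + '>' + attrs.text + '</a>';
}

// The fixed form: every value, the URL included, goes through escapeHtml().
function buildLinkEscaped( attrs ) {
    var html = '<a href="' + escapeHtml( attrs.href ) + '"';
    if ( attrs.title ) {
        html += ' title="' + escapeHtml( attrs.title ) + '"';
    }
    if ( attrs.target ) {
        html += ' target="' + escapeHtml( attrs.target ) + '"';
    }
    return html + '>' + escapeHtml( attrs.text ) + '</a>';
}

// Read an attribute value the way a tokenizer does: it ends at the first raw
// double quote. Returns null when the attribute is absent.
function attributeValue( html, name ) {
    var m = new RegExp( ' ' + name + '="([^"]*)"' ).exec( html );
    return m ? m[ 1 ] : null;
}

// Constructed sample input, shaped like the ticket's Wiktionary example,
// with a query string so the '&' in the URL is exercised too.
var sample = {
    href: 'https://en.wiktionary.org/wiki/whilst?a=1&b=2',
    title: 'Lookup "whilst" on Wiktionary',
    target: '_blank',
    text: 'whilst'
};

// Unescaped: title attribute is cut to 'Lookup ' and the rest spills out
// into the tag. Escaped: the full title survives as one attribute value.
console.log( buildLinkUnescaped( sample ) );
console.log( attributeValue( buildLinkUnescaped( sample ), 'title' ) );
console.log( buildLinkEscaped( sample ) );
console.log( attributeValue( buildLinkEscaped( sample ), 'title' ) );
```

Running the block prints the two generated tags and the title value each yields; the unescaped tag loses everything after the first inner quote, while the escaped tag keeps the whole tooltip and also encodes the `&` in the query string.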
Reproduced in Text editor.
TinyMCE turns the quotes into &quot;. 26307.patch does the same for Text editor.