Make WordPress Core

Opened 7 years ago

Closed 7 years ago

#29613 closed defect (bug) (wontfix)

Arbitrary Customizer control input type support can cause unexpected output in custom controls

Reported by: celloexpressions Owned by: celloexpressions
Milestone: Priority: low
Severity: trivial Version: 4.0
Component: Customize Keywords: has-patch
Focuses: Cc:


I just realized that we might run into potentially significant issues with the fact that the base render_content() function in WP_Customize_Control now outputs stuff for any given type if a custom control subclass doesn't override the render_content() function.

This is likely to be the case for some custom controls that do all of their rendering in JS. But there may not be a great solution. My best idea is to create a whitelist of valid html5 input types to allow.

If we want to fix this it would be a 4.0.1 thing, otherwise we can wontfix I think.

The workaround is just to add:
public function render_content() {}
to the custom control class.

Attachments (1)

29613.diff (1.5 KB) - added by celloexpressions 7 years ago.

Download all attachments as: .zip

Change History (7)

This ticket was mentioned in IRC in #wordpress-dev by nacin. View the logs.

7 years ago

#2 @nacin
7 years ago

  • Priority changed from normal to low
  • Severity changed from normal to trivial

Not overriding a parent method to avoid rendering (if that's what you want) does seem like doing it wrong. I wouldn't mind seeing a patch here but if there's no real world breakage, I'm inclined to let this slide.

#3 @nacin
7 years ago

  • Owner set to celloexpressions
  • Status changed from new to assigned

#4 @celloexpressions
7 years ago

  • Keywords has-patch added; needs-patch removed

29613.diff implements a whitelist of allowed types for the <input> element, to avoid rendering stuff in unexpected situations. It's way less elegant, but since there was a change in behavior here, something we should consider. I'm surprised WordPress.com didn't run into this, given some of the custom controls they have. The whitelist is based on the type attribute values listed here: http://www.w3.org/TR/html51/forms.html#the-input-element.

I don't know that I would want to change this after 4.0.1, as devs will start expecting/relying on the current way it works, especially in the context of potential future improvements like #29572.

This ticket was mentioned in IRC in #wordpress-dev by nacin1. View the logs.

7 years ago

#6 @celloexpressions
7 years ago

  • Milestone 4.0.1 deleted
  • Resolution set to wontfix
  • Status changed from assigned to closed

Still no reports of issues with this, so we should be fine without making any changes here. You need to override render_content() in subclasses, even if the function is empty and you're rendering in JS.

Note: See TracTickets for help on using tickets.