Make WordPress Core

Opened 9 years ago

Closed 9 years ago

#30682 closed defect (bug) (fixed)

Some Customizer control description HTML is being escaped

Reported by: coreymckrill4ttf
Owned by: ocean90
Milestone: 4.1
Priority: normal
Severity: normal
Version: 4.1
Component: Customize
Keywords: has-patch commit fixed-major
Focuses: ui
Cc:

Description

In #27981 the esc_html was removed from control description output since they are set programmatically, not via user input. However, in 4.1-RC1 I am seeing escaped HTML in the descriptions of image upload controls. My best guess is that this is due to uploader controls now being rendered via a JS template.

Attachments (2)

30682.patch (760 bytes) - added by ocean90 9 years ago.
30682.2.patch (601 bytes) - added by ocean90 9 years ago.
Just the description field


Change History (9)

#1 @celloexpressions
9 years ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to 4.1

Don't have time to test right now, but that's likely the issue. The double braces should be replaced with triple braces in the control template {{ data.label/description }} to {{{ data.label/description }}}. Related: #29572, #21483.
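
The double-brace versus triple-brace behaviour described in the comment above, as an added example that is not part of the ticket or of WordPress core. `renderTemplate`, `escapeHtml`, `lookup` and the sample markup are hypothetical, and the regular expressions are assumed to mirror an Underscore-style template configured with these delimiters.

```javascript
// Added illustration: minimal stand-in for the interpolation step of an
// Underscore-style template using the delimiters discussed in this ticket.
// All names here are hypothetical, not WordPress APIs.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Resolve a dotted path such as "data.description" against the context.
function lookup(context, path) {
  return path.trim().split('.').reduce(
    (obj, key) => (obj == null ? undefined : obj[key]), context);
}

function renderTemplate(template, data) {
  const context = { data };
  // The triple-brace alternative comes first so "{{{ x }}}" is never
  // read as an escaped "{{ x }}" with stray braces around it.
  const pattern = /\{\{\{([\s\S]+?)\}\}\}|\{\{([^}]+?)\}\}(?!\})/g;
  return template.replace(pattern, (match, rawPath, escapedPath) => {
    const isRaw = rawPath !== undefined;
    const value = lookup(context, isRaw ? rawPath : escapedPath);
    if (value == null) return '';
    // {{{ }}} emits the value verbatim; {{ }} HTML-escapes it.
    return isRaw ? String(value) : escapeHtml(value);
  });
}

// Constructed sample data: a description set in code that contains markup.
const control = { description: 'See the <a href="https://example.com/help">help page</a>.' };
const before = '<span class="description">{{ data.description }}</span>';
const after = '<span class="description">{{{ data.description }}}</span>';

function demo() {
  return {
    escaped: renderTemplate(before, control), // link shows up as literal text
    raw: renderTemplate(after, control),      // link is rendered as HTML
  };
}

console.log(demo());
```

Triple braces pass the string through unchanged, which fits the ticket's premise that descriptions are set programmatically; a value that can carry user input belongs in double braces.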

#2 @ocean90
9 years ago

  • Keywords has-patch commit added; needs-patch removed

@ocean90
9 years ago

Just the description field

#3 @ocean90
9 years ago

  • Owner set to ocean90
  • Resolution set to fixed
  • Status changed from new to closed

In 30847:

Customizer: Don't escape control descriptions in JavaScript templates.

fixes #30682 for trunk.

#4 @ocean90
9 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

#5 @celloexpressions
9 years ago

Labels are unescaped for the color control now, so we should probably do the same here.

#6 @nacin
9 years ago

  • Keywords fixed-major added

#7 @johnbillion
9 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 30863:

Customizer: Don't escape control descriptions in JavaScript templates.

Merges [30847] to the 4.1 branch.

Fixes #30682.
