Make WordPress Core

Opened 10 years ago

Closed 10 years ago

#30682 closed defect (bug) (fixed)

Some Customizer control description HTML is being escaped

Reported by: coreymckrill4ttf Owned by: ocean90
Milestone: 4.1 Priority: normal
Severity: normal Version: 4.1
Component: Customize Keywords: has-patch commit fixed-major
Focuses: ui Cc:

Description

In #27981 the esc_html was removed from control description output since they are set programmatically, not via user input. However, in 4.1-RC1 I am seeing escaped HTML in the descriptions of image upload controls. My best guess is that this is due to uploader controls now being rendered via JS template.

Attachments (2)

30682.patch (760 bytes) - added by ocean90 10 years ago.
30682.2.patch (601 bytes) - added by ocean90 10 years ago.
Just the description field


Change History (9)

#1 @celloexpressions
10 years ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to 4.1

Don't have time to test right now, but that's likely the issue. The double braces should be replaced with triple braces in the control template {{ data.label/description }} to {{{ data.label/description }}}. Related: #29572, #21483.
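
The difference between the two delimiter styles named in comment #1, as an added example that is not part of the ticket or of WordPress core: a simplified stand-in for the template interpolation, in which `{{ }}` HTML-escapes the value and `{{{ }}}` inserts it as-is. The `render`, `lookup` and `escapeHtml` helpers, the templates and the sample data are constructed for illustration.

```javascript
// Simplified stand-in for wp.template()-style interpolation (not WordPress code).
// Assumption: {{ expr }} HTML-escapes the value, {{{ expr }}} inserts it as-is.
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Resolve a dotted path such as "data.description"; missing values render as ''.
function lookup(context, path) {
  const found = path.trim().split('.').reduce(
    (obj, key) => (obj == null ? undefined : obj[key]), context);
  return found == null ? '' : String(found);
}

// One pass over the template, so substituted values are never re-scanned
// for delimiters. The triple-brace alternative is tried first.
function render(template, data) {
  const context = { data };
  const pattern = /\{\{\{([\s\S]+?)\}\}\}|\{\{([^}]+?)\}\}(?!\})/g;
  return template.replace(pattern, (match, raw, escaped) =>
    raw !== undefined ? lookup(context, raw) : escapeHtml(lookup(context, escaped)));
}

// Constructed sample control: the description is set in code and contains a link.
const SAMPLE = {
  label: 'Logo & header image',
  description: 'See the <a href="https://example.org/help">help page</a>.',
};

// Constructed templates: description escaped (the reported behaviour) vs. raw.
const ESCAPED_TPL = '<span class="title">{{ data.label }}</span>' +
  '<span class="description">{{ data.description }}</span>';
const RAW_TPL = '<span class="title">{{ data.label }}</span>' +
  '<span class="description">{{{ data.description }}}</span>';

console.log(render(ESCAPED_TPL, SAMPLE)); // link shows up as literal text
console.log(render(RAW_TPL, SAMPLE));     // link is rendered as markup
```

Because `{{{ }}}` inserts the value as markup, it fits only values that are set in code, which is the ticket's premise for control descriptions.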

@ocean90
10 years ago

#2 @ocean90
10 years ago

  • Keywords has-patch commit added; needs-patch removed

@ocean90
10 years ago

Just the description field

#3 @ocean90
10 years ago

  • Owner set to ocean90
  • Resolution set to fixed
  • Status changed from new to closed

In 30847:

Customizer: Don't escape control descriptions in JavaScript templates.

fixes #30682 for trunk.

#4 @ocean90
10 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

#5 @celloexpressions
10 years ago

Labels are unescaped for the color control now, so we should probably do the same here.

#6 @nacin
10 years ago

  • Keywords fixed-major added

#7 @johnbillion
10 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 30863:

Customizer: Don't escape control descriptions in JavaScript templates.

Merges [30847] to the 4.1 branch.

Fixes #30682.
