WordPress.org

Make WordPress Core

Opened 11 years ago

Last modified 13 months ago

#3329 accepted defect (bug)

Need to strip % from the auto-permalink in the editor.

Reported by: Heyneken Owned by: pishmishy
Milestone: Future Release Priority: normal
Severity: normal Version: 2.0
Component: Permalinks Keywords: has-patch needs-refresh needs-unit-tests
Focuses: Cc:

Description

I made an article with "x = 18,98 * y - %10" as title, and this generated http://www.example.com/blog/2006/11/03/x-1898-y-%10/ which doesn't work.

Attachments (1)

3329.patch (1.7 KB) - added by pishmishy 10 years ago.
Better handling of % in post slugs

Download all attachments as: .zip

Change History (30)

#1 @foolswisdom
11 years ago

  • Milestone set to 2.1
  • Summary changed from Url wrong generated if topic has % symbol to %postname% permalink wrong generated if title has %[digit][digit]
  • Version changed from 2.0.4 to 2.0.5

Heyneken thank you for reporting this problem! Thank you for participating in WordPress development!

ENV: WP 2.0.5 reproduced problem
Also WP trunk r4449 repro problem

The bug seems to be caused if the percentage symbol followed by two or more digits.

#2 @matt
11 years ago

  • Milestone changed from 2.1 to 2.2

#3 @foolswisdom
11 years ago

  • Milestone changed from 2.2 to 2.4

#4 @pishmishy
10 years ago

  • Owner changed from anonymous to pishmishy
  • Status changed from new to assigned

Bug still present. A page called %10 which should have something like

http://www.littledog.org.uk/trunk/2008/01/31/%2510/

as a permalink, has the_permalink() returning

/2008/01/14/x-1898-y-%10/

#5 @pishmishy
10 years ago

Looking at $rewritereplace it appears that $post->post_name is stored as x-1898-y-%10 in the database and not %10.

#6 @pishmishy
10 years ago

Problem appears to be rooted in sanitize_title()
sanitize_title("%10") == "x-1898-y-%10"

#7 @pishmishy
10 years ago

Traced to sanitize_title_with_dashes() - this is the code that causes the bug.

    // Preserve escaped octets.
    $title = preg_replace('|%([a-fA-F0-9][a-fA-F0-9])|', '---$1---', $title);
    // Remove percent signs that are not part of an octet.
    $title = str_replace('%', '', $title);
    // Restore octets.
    $title = preg_replace('|---([a-fA-F0-9][a-fA-F0-9])---|', '%$1', $title);

We could remove that code and apply urlencode($post->post_name) in get_permalink's $rewritereplace but the permalinks seems to point to an archive page instead of a post. Any ideas?

#8 @pishmishy
10 years ago

  • Status changed from assigned to new

#9 @pishmishy
10 years ago

  • Status changed from new to assigned

@pishmishy
10 years ago

Better handling of % in post slugs

#10 @pishmishy
10 years ago

  • Keywords has-patch sanitize post_name slug added

The attached patch handles % in post slugs by urlencoding them rather than manually attempting to encode them as sanitize_title_with_dashes() attempted.

#11 @Denis-de-Bernardy
9 years ago

  • Component changed from Administration to JavaScript
  • Keywords dev-feedback added; sanitize post_name slug removed
  • Summary changed from %postname% permalink wrong generated if title has %[digit][digit] to autosave breaks and %postname% permalink wrong generated if title has %[digit][digit]

still current, and creating a post with such a title will also break the javascript in trunk. It also returns an error when you seek to save the draft.

#12 @Denis-de-Bernardy
9 years ago

  • Keywords needs-review added; dev-feedback removed

#13 @hakre
8 years ago

  • Component changed from JavaScript to Editor
  • Keywords needs-review removed

I am unable to reproduce with default permalink structure (?p=stuff) which is well - actually known I guess. Switching to nicer "Month and name" setting reveals the bug still is in.

It is not possible to modify the permalink with the inplace editor.

It is not possible to fix it manually by adding a percentage sign to the permalik title in the inplace editor.

The cause of the problem is a function called sanitize_title() (called in get_sample_permalink()). Not itself but the filters it calls then:

$title = apply_filters('sanitize_title', $title, $raw_title);

With the current design of wordpress this bug will never be fixed. % is not an allowed char in a slug, it's not filtered out because of some other bug leaving this open for %[0-9]{2,} matches. the slug need propper filtering first.

This is not a javascript related issue firsthand.

The existing patch is misleading IMHO.

My Suggestion: Wontfix.

#14 @hakre
8 years ago

See #10758 (for some code improvements, docblocks this time)

#16 @ryan
8 years ago

  • Milestone changed from 2.9 to Future Release

#17 @thee17
6 years ago

Although I get a weird ? in a black box icon Using a title Test %84 the following worked for me in trunk,

1) Slug was generated.
2) Auto Draft worked.
3) Auto Draft continued to Save.
4) Post published
5) Permalink Worked.

#18 @miqrogroove
6 years ago

thee17, try %2f and then you will really have problems. ;)

#19 @thee17
6 years ago

  • Keywords needs-refresh added; has-patch removed
  • Summary changed from autosave breaks and %postname% permalink wrong generated if title has %[digit][digit] to Need to strip % from the auto-permalink in the editor.

Changing Title for better clarity.

#20 @miqrogroove
6 years ago

thee17, if you are still testing, could you also check what happens if you manually edit the slug and put a % in it? Because, if the %2f or %25 or whatever can still be injected, then it is not adequate to just strip in the slug generator, it would also be necessary to either strip or encode the manual inputs for any new slug.

#21 @thee17
6 years ago

From what I am reading is the sanitation for both cases go through the same function.

#22 @mtekk
6 years ago

  • Cc mtekkmonkey@… added

#23 @SergeyBiryukov
5 years ago

#23222 was marked as a duplicate.

#24 @SergeyBiryukov
5 years ago

  • Component changed from Editor to Permalinks

#25 @SergeyBiryukov
5 years ago

  • Keywords has-patch added

Related: #25021

#26 @chriscct7
2 years ago

  • Version changed from 2.0.5 to 2.0

#27 @SergeyBiryukov
23 months ago

#32462 was marked as a duplicate.

#28 @SergeyBiryukov
23 months ago

#36384 was marked as a duplicate.

#29 @swissspidy
13 months ago

  • Keywords needs-unit-tests added
Note: See TracTickets for help on using tickets.