Make WordPress Core

Opened 18 years ago

Last modified 16 months ago

#3329 accepted defect (bug)

Need to strip % from the auto-permalink in the editor.

Reported by: heyneken's profile Heyneken Owned by: pishmishy's profile pishmishy
Milestone: Future Release Priority: normal
Severity: normal Version: 2.0
Component: Permalinks Keywords: has-patch needs-refresh needs-unit-tests 2nd-opinion
Focuses: Cc:

Description

I made an article with "x = 18,98 * y - %10" as title, and this generated http://www.example.com/blog/2006/11/03/x-1898-y-%10/ which doesn't work.

Attachments (1)

3329.patch (1.7 KB) - added by pishmishy 16 years ago.
Better handling of % in post slugs

Download all attachments as: .zip

Change History (31)

#1 @foolswisdom
18 years ago

  • Milestone set to 2.1
  • Summary changed from Url wrong generated if topic has % symbol to %postname% permalink wrong generated if title has %[digit][digit]
  • Version changed from 2.0.4 to 2.0.5

Heyneken thank you for reporting this problem! Thank you for participating in WordPress development!

ENV: WP 2.0.5 reproduced problem
Also WP trunk r4449 repro problem

The bug seems to be caused if the percentage symbol followed by two or more digits.

#2 @matt
17 years ago

  • Milestone changed from 2.1 to 2.2

#3 @foolswisdom
17 years ago

  • Milestone changed from 2.2 to 2.4

#4 @pishmishy
16 years ago

  • Owner changed from anonymous to pishmishy
  • Status changed from new to assigned

Bug still present. A page called %10 which should have something like

http://www.littledog.org.uk/trunk/2008/01/31/%2510/

as a permalink, has the_permalink() returning

/2008/01/14/x-1898-y-%10/

#5 @pishmishy
16 years ago

Looking at $rewritereplace it appears that $post->post_name is stored as x-1898-y-%10 in the database and not %10.

#6 @pishmishy
16 years ago

Problem appears to be rooted in sanitize_title()
sanitize_title("%10") == "x-1898-y-%10"

#7 @pishmishy
16 years ago

Traced to sanitize_title_with_dashes() - this is the code that causes the bug.

    // Preserve escaped octets.
    $title = preg_replace('|%([a-fA-F0-9][a-fA-F0-9])|', '---$1---', $title);
    // Remove percent signs that are not part of an octet.
    $title = str_replace('%', '', $title);
    // Restore octets.
    $title = preg_replace('|---([a-fA-F0-9][a-fA-F0-9])---|', '%$1', $title);

We could remove that code and apply urlencode($post->post_name) in get_permalink's $rewritereplace but the permalinks seems to point to an archive page instead of a post. Any ideas?

#8 @pishmishy
16 years ago

  • Status changed from assigned to new

#9 @pishmishy
16 years ago

  • Status changed from new to assigned

@pishmishy
16 years ago

Better handling of % in post slugs

#10 @pishmishy
16 years ago

  • Keywords has-patch sanitize post_name slug added

The attached patch handles % in post slugs by urlencoding them rather than manually attempting to encode them as sanitize_title_with_dashes() attempted.

#11 @Denis-de-Bernardy
15 years ago

  • Component changed from Administration to JavaScript
  • Keywords dev-feedback added; sanitize post_name slug removed
  • Summary changed from %postname% permalink wrong generated if title has %[digit][digit] to autosave breaks and %postname% permalink wrong generated if title has %[digit][digit]

still current, and creating a post with such a title will also break the javascript in trunk. It also returns an error when you seek to save the draft.

#12 @Denis-de-Bernardy
15 years ago

  • Keywords needs-review added; dev-feedback removed

#13 @hakre
15 years ago

  • Component changed from JavaScript to Editor
  • Keywords needs-review removed

I am unable to reproduce with default permalink structure (?p=stuff) which is well - actually known I guess. Switching to nicer "Month and name" setting reveals the bug still is in.

It is not possible to modify the permalink with the inplace editor.

It is not possible to fix it manually by adding a percentage sign to the permalik title in the inplace editor.

The cause of the problem is a function called sanitize_title() (called in get_sample_permalink()). Not itself but the filters it calls then:

$title = apply_filters('sanitize_title', $title, $raw_title);

With the current design of wordpress this bug will never be fixed. % is not an allowed char in a slug, it's not filtered out because of some other bug leaving this open for %[0-9]{2,} matches. the slug need propper filtering first.

This is not a javascript related issue firsthand.

The existing patch is misleading IMHO.

My Suggestion: Wontfix.

#14 @hakre
15 years ago

See #10758 (for some code improvements, docblocks this time)

#16 @ryan
14 years ago

  • Milestone changed from 2.9 to Future Release

#17 @thee17
12 years ago

Although I get a weird ? in a black box icon Using a title Test %84 the following worked for me in trunk,

1) Slug was generated.
2) Auto Draft worked.
3) Auto Draft continued to Save.
4) Post published
5) Permalink Worked.

#18 @miqrogroove
12 years ago

thee17, try %2f and then you will really have problems. ;)

#19 @thee17
12 years ago

  • Keywords needs-refresh added; has-patch removed
  • Summary changed from autosave breaks and %postname% permalink wrong generated if title has %[digit][digit] to Need to strip % from the auto-permalink in the editor.

Changing Title for better clarity.

#20 @miqrogroove
12 years ago

thee17, if you are still testing, could you also check what happens if you manually edit the slug and put a % in it? Because, if the %2f or %25 or whatever can still be injected, then it is not adequate to just strip in the slug generator, it would also be necessary to either strip or encode the manual inputs for any new slug.

#21 @thee17
12 years ago

From what I am reading is the sanitation for both cases go through the same function.

#22 @mtekk
12 years ago

  • Cc mtekkmonkey@… added

#23 @SergeyBiryukov
11 years ago

#23222 was marked as a duplicate.

#24 @SergeyBiryukov
11 years ago

  • Component changed from Editor to Permalinks

#25 @SergeyBiryukov
11 years ago

  • Keywords has-patch added

Related: #25021

#26 @chriscct7
9 years ago

  • Version changed from 2.0.5 to 2.0

#27 @SergeyBiryukov
8 years ago

#32462 was marked as a duplicate.

#28 @SergeyBiryukov
8 years ago

#36384 was marked as a duplicate.

#29 @swissspidy
7 years ago

  • Keywords needs-unit-tests added

#30 @Mte90
16 months ago

  • Keywords 2nd-opinion added

Just to recap all the discussion in those years in this ticket with also https://core.trac.wordpress.org/ticket/25021

So we have 2 issues, one is to sanitize the post title and another one do the same for the permalink.
To proceed, we need to test also the search in the database with this sanitization and probably for backwards compatibility too.

I tested on latest 6.2 alpha and everything is working, the URL is generated http://trunk.wordpress.test/x-1898-y-%10/ in Firefox and Chrome works. Probably because now there is a better support for punycode and unicode also in the URLs?

So I am not sure if this is still an issue after all those years.
Maybe adding just a test to verify if URL with %10 works can simplify everything?

Note: See TracTickets for help on using tickets.