Opened 8 years ago
Closed 8 years ago
#39125 closed defect (bug) (fixed)
Customize: Video Header YouTube field has issues when whitespace is inserted at beginning or end of URL
Reported by: | davidakennedy | Owned by: | westonruter |
---|---|---|---|
Milestone: | 4.7.1 | Priority: | normal |
Severity: | normal | Version: | 4.7 |
Component: | Customize | Keywords: | has-patch has-unit-tests commit fixed-major |
Focuses: | Cc: |
Description
If the YouTube text field for video headers has white space at the beginning or end of the string, it causes issues. To reproduce:
- Go to Header Media in the Customizer with Twenty Seventeen activated.
- Insert a YouTube URL, with a space at the beginning of the string.
- In the preview, a refresh happens, but the video isn't there. No errors are output as to why that might be.
- Save & Publish.
- On the front end, nothing is output.
The reverse:
- Go to Header Media in the Customizer with Twenty Seventeen activated.
- Insert a YouTube URL, with a space at the end of the string.
- In the preview, a refresh happens, and a YouTube iframe is there, but the video errors out.
- Save & Publish.
- On the front end, a YouTube iframe is there, but the video errors out.
We should handle errors better in the Customizer for this type of thing, and potentially trim whitespace if it's not too aggressive.
Attachments (2)
Change History (12)
#2
@
8 years ago
- Keywords has-patch added
The current sanitization is using esc_url_raw()
, which converts the spaces to %20
.
The diff I've attached introduces a new sanitization callback for the external_header_video
theme mod value. That callback will first trim()
the value, before escaping it with esc_url_raw()
.
#3
@
8 years ago
- Version set to 4.7
39125.diff makes sense to me. It would be nice if we could trim all inputs before sanitizing them, but that could potentially cause a lot of unexpected behavior. This targeted fix probably makes the most sense for 4.7.1.
#4
@
8 years ago
- Keywords needs-unit-tests added
+1 for the approach in 39125.diff. Adding a small unit test will ensure we don't reintroduce this bug later.
#5
@
8 years ago
- Keywords has-unit-tests added; needs-unit-tests removed
I've uploaded an updated patch - 39125.2.diff includes a unit test which assures sanitization will also trim any whitespace characters.
We should be able to add trim to the sanitization or validation callbacks. I think it's using
esc_url
now, which I'm surprised doesn't already do that. Moving to 4.7.1 for investigation since it's new in 4.7.