WordPress.org

Make WordPress Core

Opened 7 months ago

Closed 4 months ago

#39955 closed defect (bug) (fixed)

Media details: HTML character shown as code

Reported by: Irian Owned by: mikeschroder
Milestone: 4.8 Priority: normal
Severity: normal Version: 4.0
Component: Media Keywords: good-first-bug has-patch
Focuses: ui, administration Cc:

Description

In the media details screen, the 'uploaden by' information shows html entities encoded (Hoover & Hitch is shown as Hoover & Hitch).

Attachments (5)

39955.1.diff (530 bytes) - added by arshidkv12 7 months ago.
Unescaped html tag
Uploaded By.png (2.5 KB) - added by lukecavanagh 6 months ago.
Uploaded By
39955.diff (555 bytes) - added by csloisel 4 months ago.
Decode entities in author name on attachment js data prep
39955.3.diff (647 bytes) - added by mikeschroder 4 months ago.
Like with post parent, indicate author doesn't exist if it doesn't.
39955.4.diff (1.6 KB) - added by mikeschroder 4 months ago.
Add tests

Download all attachments as: .zip

Change History (23)

#1 @johnbillion
7 months ago

  • Keywords needs-patch good-first-bug added
  • Milestone changed from Awaiting Review to 4.8
  • Version changed from 4.7.2 to 4.0

Confirmed. Thanks for the report, @Irian.

@arshidkv12
7 months ago

Unescaped html tag

#2 @parsmizban
7 months ago

  • Keywords has-patch added; needs-patch removed

This ticket was mentioned in Slack in #core-media by joemcgill. View the logs.


6 months ago

#4 @joemcgill
6 months ago

@arshidkv12 Thanks for the patch. We should probably take a look at where the data is coming from here to make sure this doesn't introduce any concerns by not escaping in the template.

#5 @arshidkv12
6 months ago

@joemcgill
It is post type (media) author name. Coming from posts table.

Last edited 6 months ago by arshidkv12 (previous) (diff)

#6 @lukecavanagh
6 months ago

@arshidkv12

Plugin applies cleanly and seems to work well.

@lukecavanagh
6 months ago

Uploaded By

This ticket was mentioned in Slack in #core-media by joemcgill. View the logs.


4 months ago

#8 @joemcgill
4 months ago

  • Owner set to joemcgill
  • Status changed from new to accepted

#9 @ocean90
4 months ago

  • Keywords needs-patch added; has-patch removed

Let's not open the possibility to parse HTML there, instead we should make use of html_entity_decode(). See [32822] for an example.

Looks like this needs to happen in wp_prepare_attachment_for_js().

@csloisel
4 months ago

Decode entities in author name on attachment js data prep

#10 @csloisel
4 months ago

  • Keywords has-patch needs-testing added; needs-patch removed

This ticket was mentioned in Slack in #core-media by joemcgill. View the logs.


4 months ago

#12 @mikeschroder
4 months ago

Not sure if it makes a difference, but I noticed that there's a slightly different behavior with attachments that have an author of ID 0 before and after the patch.

Before, the author shows as "false" (due to $author->display_name returning false).
After the patch is applied, the author shows as an empty string.

I noticed this due to test attachments being present on my install, something which I'm guessing is not very common in practice, but figured the behavior change was worth noting.

@mikeschroder
4 months ago

Like with post parent, indicate author doesn't exist if it doesn't.

#13 @mikeschroder
4 months ago

In 39955.3.diff indicate if the author isn't found, rather than returning the converted string for the false bool.

I used (no author) for display to match the (no title) used when there isn't a title.

I'm not sure if this is optimal, but either way would like to make sure we're specifying an output when there isn't an author found, rather than it happening incidentally.

#14 @joemcgill
4 months ago

  • Keywords needs-unit-tests added; needs-testing removed

Tested 39955.3.diff and this fixes the issue. I think the extra sanity check here makes sense and the string seems sensible. It would be nice to add a unit test here.

#15 @joemcgill
4 months ago

  • Owner changed from joemcgill to mikeschroder
  • Status changed from accepted to assigned

@mikeschroder
4 months ago

Add tests

#16 @mikeschroder
4 months ago

  • Keywords needs-unit-tests removed

Tests included in 39955.4.diff.

This ticket was mentioned in Slack in #core by mike. View the logs.


4 months ago

#18 @mikeschroder
4 months ago

  • Resolution set to fixed
  • Status changed from assigned to closed

In 40809:

Media: Decode HTML entities in author_name before sending to JS.

In wp_prepare_attachment_for_js():

  • Normalize behavior when author does not exist by returning '(no author)' for authorName in these cases.
  • Decode HTML entities in author_name.
  • Add tests for both of the above.

Props arshidkv12, ocean90, sloisel, mikeschroder.
Fixes #39955.

Note: See TracTickets for help on using tickets.