Media details: HTML character shown as code

[Irian]

In the media details screen, the 'uploaden by' information shows html entities encoded (Hoover & Hitch is shown as Hoover & Hitch).

[johnbillion]

Confirmed. Thanks for the report, @Irian.

[arshidkv12]

Unescaped html tag

[joemcgill]

@arshidkv12 Thanks for the patch. We should probably take a look at where the data is coming from here to make sure this doesn't introduce any concerns by not escaping in the template.

[arshidkv12]

@joemcgill
It is post type (media) author name. Coming from posts table.

[lukecavanagh]

@arshidkv12

Plugin applies cleanly and seems to work well.

[lukecavanagh]

Uploaded By

[ocean90]

Let's not open the possibility to parse HTML there, instead we should make use of html_entity_decode(). See [32822] for an example.

Looks like this needs to happen in wp_prepare_attachment_for_js().

[csloisel]

Decode entities in author name on attachment js data prep

[kirasong]

Not sure if it makes a difference, but I noticed that there's a slightly different behavior with attachments that have an author of ID 0 before and after the patch.

Before, the author shows as "false" (due to $author->display_name returning false).
After the patch is applied, the author shows as an empty string.

I noticed this due to test attachments being present on my install, something which I'm guessing is not very common in practice, but figured the behavior change was worth noting.

[kirasong]

Like with post parent, indicate author doesn't exist if it doesn't.

[kirasong]

In 39955.3.diff​ indicate if the author isn't found, rather than returning the converted string for the false bool.

I used (no author) for display to match the (no title) used when there isn't a title.

I'm not sure if this is optimal, but either way would like to make sure we're specifying an output when there isn't an author found, rather than it happening incidentally.

[joemcgill]

Tested 39955.3.diff​ and this fixes the issue. I think the extra sanity check here makes sense and the string seems sensible. It would be nice to add a unit test here.

[kirasong]

Add tests

[kirasong]

Tests included in 39955.4.diff​.

[kirasong]

In 40809:

Media: Decode HTML entities in author_name before sending to JS.

In wp_prepare_attachment_for_js():

• Normalize behavior when author does not exist by returning '(no author)' for authorName in these cases.
• Decode HTML entities in author_name.
• Add tests for both of the above.

Props arshidkv12, ocean90, sloisel, mikeschroder.
Fixes #39955.