Make WordPress Core

Opened 8 years ago

Closed 7 years ago

#40635 closed enhancement (fixed)

Move JavaScript `sanitizeText` and `stripTags` functions from press-this to core

Reported by: adamsilverstein
Owned by: adamsilverstein
Milestone: 4.9
Priority: normal
Severity: normal
Version:
Component: Security
Keywords: has-patch needs-unit-tests 2nd-opinion
Focuses: javascript
Cc:

Description

The file press-this.js includes two generally useful helper functions:

  • stripTags strips HTML tags from a string using a series of regex replace calls.
  • sanitizeText strips HTML tags and converts HTML entities in a string. It leverages a textarea's content to encode HTML and returns a string that is safe to evaluate.

These functions would be generally useful in core and for plugin and theme developers and could be added to the wp namespace, e.g. wp.utils.stripTags and wp.utils.sanitizeText.
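The two helpers the description lists, as an added example for this ticket rather than the press-this.js or wp-sanitize.js code itself: a regex-based tag stripper in the spirit of stripTags, and a strip-decode-strip pass that shows why the entity-conversion step must be followed by a second strip. Node has no DOM, so a small entity table (an assumption of this example) stands in for the textarea trick the description mentions.

```javascript
'use strict';

// Regex tag stripper in the spirit of press-this's stripTags (own
// reimplementation for this example, not the core function).
function stripTags(text) {
  text = text || '';
  return text
    // HTML comments, including an unterminated trailing one
    .replace(/<!--[\s\S]*?(-->|$)/g, '')
    // <script>/<style> elements together with their contents
    .replace(/<(script|style)[^>]*>[\s\S]*?(<\/\1>|$)/gi, '')
    // any other opening/closing tag, even one cut off at end of input
    .replace(/<\/?[a-z][\s\S]*?(>|$)/gi, '');
}

// Stand-in for the browser's textarea entity handling (assumption: a few
// named entities plus numeric character references; one decode level only).
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };

function decodeEntities(text) {
  return text.replace(/&(?:#x([0-9a-f]+)|#(\d+)|([a-z]+));/gi, (m, hex, dec, name) => {
    if (hex || dec) {
      const cp = parseInt(hex || dec, hex ? 16 : 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : m; // keep malformed refs
    }
    const key = name.toLowerCase();
    return Object.prototype.hasOwnProperty.call(NAMED, key) ? NAMED[key] : m;
  });
}

// Strip, decode, strip again. Decoding turns "&lt;b&gt;" into "<b>", so a
// single strip before decoding would let encoded markup through; the second
// pass removes whatever the decode step materialised.
function stripTagsAndDecode(text) {
  return stripTags(decodeEntities(stripTags(text)));
}

// Constructed inputs covering the cases that matter for a plain-text context.
const SAMPLES = [
  '<p>Hello <b>world</b></p>',
  'Tom &amp; Jerry',
  '&lt;b&gt;not bold&lt;/b&gt;',
  '<!-- note --> text <b unclosed',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', JSON.stringify(stripTagsAndDecode(s)));
}
```

The output is only suitable for text contexts; regex stripping is not an HTML sanitizer for markup that will be rendered.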

Attachments (4)

40635.diff (3.6 KB) - added by adamsilverstein 8 years ago.
40635.2.diff (4.3 KB) - added by adamsilverstein 8 years ago.
40635.3.diff (4.4 KB) - added by adamsilverstein 8 years ago.
40635.4.diff (455 bytes) - added by adamsilverstein 7 years ago.


Change History (15)

#1 @adamsilverstein
8 years ago

  • Keywords has-patch needs-unit-tests added; needs-patch removed

40635.diff moves the sanitizeText and stripTags functions from wp-admin/js/press-this.js to wp-includes/js/utils.js and namespaces them as wp.utils.sanitizeText and wp.utils.stripTags.

Some unit tests for these helpers would be a great addition; if we have them, I couldn't find them.

#2 @afercia
8 years ago

+1 for wp.utils.

#3 (Slack mention)
8 years ago

This ticket was mentioned in Slack in #core by adamsilverstein.

#4 @adamsilverstein
8 years ago

In 40635.2.diff:

  • separate out functionality into its own file, wp-sanitize.js
  • use a separate namespace as suggested in chat - wp.sanitize

#5 @adamsilverstein
8 years ago

  • Owner set to adamsilverstein
  • Resolution set to fixed
  • Status changed from new to closed

In 41061:

Move sanitizeText and stripTags from press this to wp.sanitize.

Introduce the wp.sanitize namespace and add two helpers for text sanitization. stripTags strips HTML tags from a string using regex.

Fixes #40635.

#6 @adamsilverstein
8 years ago

  • Milestone changed from Awaiting Review to 4.9

#7 follow-up: @ocean90
7 years ago

  • Component changed from General to Security
  • Keywords 2nd-opinion added
  • Resolution fixed deleted
  • Status changed from closed to reopened

wp.sanitize.sanitizeText() looks weird since it's repetitive. What about wp.sanitize.text()?

#8 (Slack mention)
7 years ago

This ticket was mentioned in Slack in #core by jeffpaul.

#9 in reply to: ↑ 7 @adamsilverstein
7 years ago

Replying to ocean90:

wp.sanitize.sanitizeText() looks weird since it's repetitive. What about wp.sanitize.text()?

@ocean90 What do you think of something more descriptive here like wp.sanitize.stripTagsAndEncode? This function strips tags from a string and also encodes any HTML entities.

cc: @kraftbj if we change the function name, the Press This plugin will need an update.

#10 (Slack mention)
7 years ago

This ticket was mentioned in Slack in #core by jeffpaul.

#11 @adamsilverstein
7 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 41745:

Security: Rename new wp.sanitize.sanitizeText to stripTagsAndEncodeText.

Improve function naming: this function strips tags from a string and also encodes any HTML entities.

Props ocean90.

Fixes #40635.
