Make WordPress Core

Opened 3 years ago

Closed 3 years ago

#42988 closed defect (bug) (duplicate)

HTML Code Checking Feature (V4.9) Has Bugs

Reported by: akaim Owned by:
Milestone: Priority: normal
Severity: major Version: 4.9
Component: Widgets Keywords: reporter-feedback
Focuses: Cc:


Hi Team,

Ever since version 4.9 went live, the "code checking" feature is rendering many custom HTML snippets inoperable. There is a thread here with a few complaints which I found after having similar issues.

Our code works unless it is in a widget (which is had to be on the pages that it is on). Ever since the update, we now get an error saying we need "double quotes" (and we don't) and just for fun I added them and the code does not work with the double quotes (because it isn't meant to).

Here is the thread - https://wordpress.org/support/topic/html-check-option-in-wordpress-4-9/

Is there a way that we can disable this feature via wp-config?

I just sold my company on using WordPress now this is holding us up. The question I now have to address is "so how often will this happen as updates occur?" And know that I am a huge WP fan, so I am so frustrated to see this.

Thanks in advance.


Change History (4)

#1 @jeremyescott
3 years ago

  • Keywords needs-screenshots added

So, I'm not a "team" member, unless you count all of us as being on the team, but I follow tickets to both look for opportunities to submit patches and also keep a pulse on the community.

This ticket--and the linked forum post--are both sorely lacking in information.

For example, the initial post (and most follow-up comments) in the linked forum thread complain about things that the HTML widget isn't designed for, including PHP in the widget. It makes sense that the HTML Widget doesn't accept PHP. Keep in mind that WP Core is built to protect its users, a huge chunk of which aren't as savy as us skilled devs, and giving anyone with widget access the ability to inject potentially bad PHP code into widgets is a very bad idea. A plugin author and/or a theme developer could easily register a custom widget that allows PHP entry via a widget (if that is even safe to put PHP in the db, another discussion), but any security holes would be a consequence of that plugin/theme and not core.

Further, can you provide an example of your code that you say should work but doesn't? WordPress carefully sanitizes what it allows to put into the database in raw HTML and some things aren't allowed. Again, this may be for your safety, but you need to show an example of the code so that others can help you understand if what you're seeing is a bug that can/should be fixed or just a case of a user trying to use something that the widget isn't designed for.

#2 @kravic
3 years ago

  • Component changed from General to Widgets
  • Keywords reporter-feedback added; needs-screenshots removed
  • Severity changed from normal to major

Hi everyone,

I can confirm that Custom HTML widget has serious bug after introducing HTML check option.
After updating from 4.8 to 4.9.1 on one of many sites I manage, I lost all Custom HTML widgets.

Strange thing is that <iframe> tag works, but simple <img> and <p> portion of HTML breaks everything.

For example, I created two Custom HTML widgets, first is a Facebook page <iframe> and second simple image banner with one paragraph of text below.
When I saved second widget I had no errors, switched to Menus and switched back to Widgets, just to find out that both Custom HTML widgets disappeared.

I also tried with Text widget, Visual tab nicely displays the banner and the text, but after I saved it, that widget has gone forever.

DevTools console doesn't show any errors.

Code example for Custom HTML widget:

<img alt="banner" src="http://www.example.com/wp-content/uploads/2018/01/banner.png">
Last edited 3 years ago by kravic (previous) (diff)

This ticket was mentioned in Slack in #core-customize by westonruter. View the logs.

3 years ago

#4 @westonruter
3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed
  • Version changed from 4.9.1 to 4.9

@akaim removal of the HTMLHing double quotes rule is being worked on in #42802.

You can add a plugin to remove the rule via:

add_filter( 'wp_code_editor_settings', function( $settings ) {
    $settings['htmlhint']['attr-value-double-quotes'] = false;
    return $settings;
} );
Note: See TracTickets for help on using tickets.