Opened 6 years ago
Last modified 3 months ago
#43785 new defect (bug)
wptexturize fails to skip JavaScript if code contains <
Reported by: | nextendweb | Owned by: | |
---|---|---|---|
Milestone: | Future Release | Priority: | normal |
Severity: | normal | Version: | |
Component: | Formatting | Keywords: | wptexturize needs-patch needs-unit-tests |
Focuses: | Cc: |
Description
As the documentation states: Text enclosed in the tags <pre>, <code>, <kbd>, <style>, <script>, and <tt> will be skipped
If the script tag contains a < character inside, then the wptexturize function fails and starts to encode the code.
<?php
echo wptexturize('<script type="text/javascript">if(a>b)window&&document</script>');
//Result: <script type="text/javascript">if(a>b)window&&document</script> // OK
wptexturize -> preg_split -> $textarr value:
Array ( [0] => <script type="text/javascript"> [1] => if(a>b)window&&document [2] => </script> )
<?php
echo wptexturize('<script type="text/javascript">window&&document</script>');
//Result: <script type="text/javascript">window&&document</script> // OK
wptexturize -> preg_split -> $textarr value:
Array ( [0] => <script type="text/javascript"> [1] => window&&document [2] => </script> )
<?php
echo wptexturize('<script type="text/javascript">if(a<b)window&&document</script>');
//Result: <script type="text/javascript">if(a<b)window&#038;&#038;document</script> // ERROR
wptexturize -> preg_split -> $textarr value:
Array ( [0] => <script type="text/javascript"> [1] => if(a [2] => <b)window&&document</script> )
The && characters are encoded into &#038;&#038;, which breaks the JavaScript code.
This issue can happen if a shortcode is inserted into the editor, the editor value is rendered with the wptexturize function, and the shortcode contains JavaScript code.
More tests which work as expected:
<?php
echo wptexturize('<script type="text/javascript">$("<div/>").length&&document</script>');
echo wptexturize('<script type="text/javascript">$("<div></div>").length&&document</script>');
Change History (4)
#4
@
3 months ago
- Keywords wptexturize needs-patch needs-unit-tests added
- Milestone changed from Awaiting Review to Future Release
This likely started in 4.4.1 because it is caused by the regex added in [36036].
The wptexturize() function already skips HTML comments (checking for <!--), but it does not continue if the < is between <script and </script>. (That might be achievable with the HTML API.)
Unit tests should be updated to account for multiple ampersand possibilities within a script tag.
#49480 was marked as a duplicate.
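
The split failure from the description, next to the script-aware skip that comment #4 describes, as an added example that is not WordPress core code. The tag pattern and the ampersand check are simplified stand-ins for the regexes wptexturize() uses, and all function names are hypothetical.

```php
<?php
// Added illustration, not WordPress core code. TAG is a simplified stand-in for
// the split regex used by wptexturize(); all names here are hypothetical.
const TAG    = '<[^>]*>';
const SCRIPT = '<script\b[^>]*>.*?</script\s*>';

// Split on single tags only: "<" inside a script body opens a bogus "tag".
function naive_split(string $html): array {
    return preg_split('~(' . TAG . ')~s', $html, -1,
        PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);
}

// Try a whole script element first, so its body is never tokenized.
function script_aware_split(string $html): array {
    return preg_split('~(' . SCRIPT . '|' . TAG . ')~is', $html, -1,
        PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);
}

// Mimic the step the ticket shows: bare "&" in tag-like tokens becomes &#038;.
// Whole script elements are passed through untouched.
function encode_tag_ampersands(array $tokens): string {
    $out = '';
    foreach ($tokens as $t) {
        $is_script = preg_match('~^' . SCRIPT . '$~is', $t) === 1;
        if (!$is_script && $t[0] === '<') {
            // Simplified entity check (assumption, not the core pattern).
            $t = preg_replace('/&(?!#?\w+;)/', '&#038;', $t);
        }
        $out .= $t;
    }
    return $out;
}

// Constructed sample input based on the failing case in the description.
$input = '<p>ok</p><script type="text/javascript">if(a<b)window&&document</script>';

foreach (['naive_split', 'script_aware_split'] as $split) {
    $tokens = $split($input);
    $output = encode_tag_ampersands($tokens);
    echo $split, ":\n";
    print_r($tokens);
    echo $output, "\n";
    echo ($output === $input ? 'script body intact' : 'script body altered'), "\n\n";
}
```

A <script> with no closing tag falls through to the single-tag pattern and is split as before; a regex of this kind does not replace a real HTML parser.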