Opened 7 years ago

Closed 7 years ago

#4516 closed defect (bug) (fixed)

A bit more filtering needed on admin screens

Reported by: jhodgdon
Owned by: ryan
Milestone: 2.3
Priority: normal
Severity: normal
Version: 2.3
Component: Administration
Keywords: admin filter has-patch
Focuses:
Cc:

Description

Using 2.3 bleeding [5744], I tested today to find all the parts of the admin menu system where users of multilingual plugins (which require filtering to choose text in one language over another for post text, titles, blog title, blog description, categories, etc.) would still be seeing unfiltered text in the admin screens. Note that bugs #3595 and #4477 are also still open, and they pertain to this issue of filtering text. So, before testing, I applied the following patches for these bugs:

http://trac.wordpress.org/attachment/ticket/4477/get-the-title.diff
http://trac.wordpress.org/attachment/ticket/3595/bookmark-template-php-NEW.diff

Here are the remaining items I found that were still not being filtered. Note that all of the information described is filtered elsewhere in the blog and admin screens -- these are just a couple of spots where a given bit of information is not run through the standard filters.

a) When you create a new category from the Manage / Categories page, the AJAX update that adds it to the category list above doesn't filter the category name. (When you refresh the page it gets filtered. Also note that on the Blogroll / Categories page, the AJAX add does filter the category name before adding it to the list. So it is only the AJAX for adding a category on Manage / Categories that has the problem.)

b) On the comments list page (Comments / Comments), the post names are not filtered when they are shown at the bottom right corner of the box for each comment.

c) On the blogroll categories page (Blogroll / Categories), the note about what happens when you delete a category displays an unfiltered category name for the default category. (This is not a problem on the Manage / Categories page, where the default category name is filtered.)

d) On the Options / Writing screen, the category drop-down lists have unfiltered category names (both post and link categories)

e) On the Options / Reading screen, the page drop-down lists for the static home page option are displaying unfiltered page names.

f) On the Login screen, the "Back to (blogname)" link at the bottom uses an unfiltered blog name

I'll create patches for these issues.

Attachments (7)

admin-ajax-php.diff (919 bytes) - added by jhodgdon 7 years ago.
Patch for wp-admin/admin-ajax.php
template-php.diff (748 bytes) - added by jhodgdon 7 years ago.
Fix for wp-admin/includes/template.php
options-writing-php.diff (1.1 KB) - added by jhodgdon 7 years ago.
Fix for wp-admin/options-writing.php
wp-login-php.diff (3.1 KB) - added by jhodgdon 7 years ago.
Fix for (root level of WP) wp-login.php
template-php-2-3.diff (1.0 KB) - added by jhodgdon 7 years ago.
New patch for wp-admin/includes/template.php for WP 2.3
wp-login-php-2-3.diff (3.3 KB) - added by jhodgdon 7 years ago.
New patch for wp-login.php for 2.3
general-template-php.diff (1.4 KB) - added by jhodgdon 7 years ago.
Patch for general-template.php that adds $filter arg to get_bloginfo function (and takes filtering out of bloginfo function)

Change History (21)

jhodgdon 7 years ago

Patch for wp-admin/admin-ajax.php

jhodgdon 7 years ago

Fix for wp-admin/includes/template.php

jhodgdon 7 years ago

Fix for wp-admin/options-writing.php

jhodgdon 7 years ago

Fix for (root level of WP) wp-login.php

comment:1 jhodgdon 7 years ago

  • Keywords has-patch added

I've just attached patches to fix all of these issues. A few notes (referencing the description above):

a) wp-admin/admin-ajax.php patch fixes this

b) wp-admin/includes/template.php patch fixes this.

c) No patch needed -- added additional filter for 'term_name' in plugin -- this is a new filter defined by the new taxonomy scheme. Someone will need to document these new filters in the Codex (probably me).

d) wp-admin/options-writing.php patch fixes this. Note that I am not sure why options-writing.php doesn't use one of the standard dropdown category functions instead of writing its own function to list categories?

e) No patch needed -- fixed by adding filter for 'wp_dropdown_pages' in plugin that had been missing.

f) wp-login.php patch fixes this. Note that it would be cleaner to use bloginfo() rather than apply_filters( 'bloginfo', get_bloginfo()), but the current setup uses printf to print "Back to (blog title)", and bloginfo always echoes its result.

comment:2 ryan 7 years ago

I think some better API would help eliminate having to apply filters by hand everywhere.

First, let's move the bloginfo filter into get_bloginfo.

Add a 'the' context to sanitize_term() and sanitize_term_field(). 'the' will trigger the_term_$field and the_$taxonomy_$field filters in addition to the existing term_$field and $taxonomy_$field filters. We'll need to map the_$taxonomy_name to the_$taxonomy for back compat.

Add a filter argument to get_term(). If filter is specified, get_term() will use it to sanitize_term. The cache should store only unfiltered terms, so filtering should be done after the cache add.

Add a filter option to get_terms(). If a filter is specified, get_terms() will run sanitize_term() against each fetched term object.

Do the same for posts and other objects. Create sanitize_post() and sanitize_post_field() and add a filter argument to get_post().

In those places where we have to filter a field by hand, use sanitize_term_field(), sanitize_post_field(), etc. to trigger the filters instead of calling apply_filters directly.

Thoughts?
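
The flow proposed in comment:2 (cache the unfiltered term, then run the filters on the way out only when a filter context is requested), as an added PHP sketch that is not part of the ticket or of WordPress core. Every `demo_*` name, the bracketed language markup and the sample term are constructed for illustration.

```php
<?php
// Added sketch; every demo_* name is hypothetical, not a WordPress function.
$demo_filters = [];   // hook name => list of callbacks
$demo_cache   = [];   // term id => raw term, never filtered
$demo_db      = [7 => ['term_id' => 7, 'name' => '[en]News[fr]Actualités']]; // constructed row

function demo_add_filter(string $hook, callable $cb): void {
    global $demo_filters;
    $demo_filters[$hook][] = $cb;
}

function demo_apply_filters(string $hook, $value) {
    global $demo_filters;
    foreach ($demo_filters[$hook] ?? [] as $cb) {
        $value = $cb($value);
    }
    return $value;
}

// $filter = 'raw' returns the stored value (for screens that edit it);
// 'display' runs the term_name hook on a copy, after the cache add.
function demo_get_term(int $id, string $filter = 'raw'): ?array {
    global $demo_cache, $demo_db;
    if (!isset($demo_cache[$id])) {
        if (!isset($demo_db[$id])) {
            return null;                     // unknown term id
        }
        $demo_cache[$id] = $demo_db[$id];    // cache the unfiltered term
    }
    $term = $demo_cache[$id];                // arrays are copied on assignment
    if ($filter === 'display') {
        $term['name'] = demo_apply_filters('term_name', $term['name']);
    }
    return $term;
}

// Constructed multilingual filter: keep only the text for the active language.
$demo_lang = 'en';
demo_add_filter('term_name', function (string $name): string {
    global $demo_lang;
    $pattern = '/\[' . preg_quote($demo_lang, '/') . '\]([^\[]*)/';
    return preg_match($pattern, $name, $m) ? $m[1] : $name;
});

echo demo_get_term(7, 'display')['name'], "\n";   // filtered for the first language
$demo_lang = 'fr';
echo demo_get_term(7, 'display')['name'], "\n";   // same cache entry, other language
echo demo_get_term(7)['name'], "\n";              // raw value, as stored
```

If the cache held the filtered name instead, the second call would return the first language's text and the raw call would no longer return what was stored.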

comment:3 jhodgdon 7 years ago

If I am not mistaken, get_bloginfo is used to get the option data for some of the option screens; if that is the case, it cannot be filtered, because you need the raw information there. But I might be wrong about that.

As far as your other proposal, something like that is a good idea. There is a new filter for term_name, but it's not applied universally -- fixing that would be a good first step. The problem is that the new term taxonomy functions have been substituted for old ones in some places but not all. Consistency in always using the new taxonomy functions (which filter appropriately anyway) would go a long way.

So I opted for a band-aid...

comment:4 ryan 7 years ago

I bumped the bigger issue into its own bug: #4546

As for bloginfo, having get_bloginfo and bloginfo return different things is confusing. If someone really needs the raw option, get_option is probably better. I'll look and see what impact if any there would be on applying filters to get_bloginfo.

comment:5 jhodgdon 7 years ago

Testing [5974] to see which of these issues still applies.

a) fixed.

b) (STILL BROKEN) On the comments list page (Comments / Comments), the post names are not filtered when they are shown at the bottom right corner of the box for each comment.

c) Fixed. However there is a new blogroll problem: on the main Blogroll management page, the Link names are unfiltered in the list. This is a reversion of an earlier bug, which I'll track down and either reopen or file again.

d) (STILL BROKEN) On the Options / Writing screen, the category drop-down lists have unfiltered category names (both post and link categories)

e) fixed

f) (STILL BROKEN) On the Login screen, the "Back to (blogname)" link at the bottom uses an unfiltered blog name

comment:6 jhodgdon 7 years ago

Note on (c): new blogroll issue is fixed now for me, after applying patch for #3595 (or it could have been the new add_filter I put into the plugin I am using for testing)

So that leaves (b), (d), and (f). I'll work on some patches for these.

jhodgdon 7 years ago

New patch for wp-admin/includes/template.php for WP 2.3

comment:7 jhodgdon 7 years ago

I just added a new patch for template.php that fixes (b) (post names were unfiltered in comment list on Manage Comments screen in admin menus).

comment:8 jhodgdon 7 years ago

I think the existing patch for options-writing.php should be used. There doesn't seem to be an obvious sanitize method for get_categories. ??

comment:9 jhodgdon 7 years ago

As suggested by rboren, I revised the patches for the login system. Basically, I added a $filter argument to get_bloginfo (took the filtering logic out of bloginfo), and used it to filter the blog name displayed on the login page.

So there is a different patch for wp-login.php, and a new patch to general-template.php, both of which I'll attach in a sec.

jhodgdon 7 years ago

New patch for wp-login.php for 2.3

jhodgdon 7 years ago

Patch for general-template.php that adds $filter arg to get_bloginfo function (and takes filtering out of bloginfo function)

comment:10 jhodgdon 7 years ago

So, to summarize, I suggest applying the following patches, which will fix all the above issues:

wp-login-php-2-3.diff

general-template-php.diff

template-php-2-3.diff

options-writing-php.diff

comment:11 ryan 7 years ago

  • Owner changed from anonymous to ryan

comment:12 ryan 7 years ago

(In [5998]) Add some filtering. Props jhodgdon. see #4516

comment:13 ryan 7 years ago

I changed the patch a bit. options-writing.php sanitizes using sanitize_category(). This will apply term_name and category_name for categories, and term_name and link_category_name for link categories. These differ a bit from the old filters. We might need to add some back compat for those filters to the sanitizer.

comment:14 jhodgdon 7 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Tested today in [6002]. Everything is working now, so I will mark this as fixed. Thanks for committing the improved patches, Ryan!
