WordPress.org

Make WordPress Core

Opened 4 weeks ago

Last modified 3 weeks ago

#46316 new defect (bug)

wp_targeted_link_rel corrupts JSON content

Reported by: TobiasBg
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 5.1
Component: Formatting
Keywords: dev-feedback
Focuses:
Cc:

Description

In [43732], via #43187, a wp_targeted_link_rel callback was added to filter content before it's saved to the database.

This has broken and corrupted JSON data in the TablePress plugin. (TablePress uses a CPT in which it stores a JSON-encoded two-dimensional array.)

If a cell of that array contains a link with a target attribute, like
<a href="https://example.com/" target="_blank">link</a>,
this gets converted and saved as
<a href=\"https://example.com/\" target=\"_blank\" rel="noopener noreferrer">link</a>
with the rel="noopener noreferrer" attribute being added but without escaping of ". This results in the JSON being invalid when read again.

This already caused problems for core, in #45292, with the result of the filter being removed temporarily via [44714].

I could apply the same "fix" around the saving process in TablePress, however the issue also appears on native core screens of the CPT. Also, as this feature is somewhat security-related, turning it off would not be the favorable choice.

I strongly assume that this also affects other places where stored JSON code (with HTML code for a link inside) is handled by wp_targeted_link_rel.

Change History (3)

This ticket was mentioned in Slack in #forums by tobiasbg. View the logs.


4 weeks ago

#2 @TobiasBg
4 weeks ago

Related: #46321

#3 @TobiasBg
3 weeks ago

  • Keywords dev-feedback added

Could the regex that searches for target attributes be changed to only find those with " but not \" (JSON encoded) quotation marks around the attribute value?
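
A minimal reproduction of the corruption described in this ticket and of the regex change suggested in comment #3, added here as an illustration; it is not WordPress core or TablePress code. The function names `demo_add_rel_naive` and `demo_add_rel_skip_json`, both patterns, and the sample table are assumptions made for the example, and the first function is only a simplified stand-in for the filter.

```php
<?php
// Simplified stand-in for the filter behaviour described in the ticket
// (hypothetical name, not core code): append rel to every <a> tag that
// carries a target attribute, without regard to how the text is encoded.
function demo_add_rel_naive( string $text ): string {
	return preg_replace_callback(
		'|<a\s([^>]*target\s*=[^>]*)>|i',
		function ( array $m ): string {
			return '<a ' . $m[1] . ' rel="noopener noreferrer">';
		},
		$text
	);
}

// Variant following the idea in comment #3 (hypothetical): require an
// unescaped quote directly after "target=", so attributes inside
// JSON-encoded strings (target=\"...\") are not matched at all.
function demo_add_rel_skip_json( string $text ): string {
	return preg_replace_callback(
		'|<a\s([^>]*target\s*=\s*["\'][^>]*)>|i',
		function ( array $m ): string {
			return '<a ' . $m[1] . ' rel="noopener noreferrer">';
		},
		$text
	);
}

// Constructed sample: a two-dimensional array with a link in one cell,
// JSON-encoded the way the ticket shows it (slashes left unescaped).
$link  = '<a href="https://example.com/" target="_blank">link</a>';
$table = array( array( 'Name', $link ) );
$json  = json_encode( $table, JSON_UNESCAPED_SLASHES );

// Run both variants over the JSON string and check whether the result
// still decodes to the original array.
foreach ( array( 'demo_add_rel_naive', 'demo_add_rel_skip_json' ) as $filter ) {
	$filtered = $filter( $json );
	$decoded  = json_decode( $filtered, true );
	echo $filter, "\n  stored:  ", $filtered, "\n";
	echo '  decodes: ', ( $decoded === $table ? 'yes' : 'no (' . json_last_error_msg() . ')' ), "\n";
}

// Plain (non-JSON) HTML is still rewritten by the stricter pattern.
echo demo_add_rel_skip_json( $link ), "\n";
```

With the stricter pattern the JSON stays valid, but links inside the JSON-encoded data receive no rel attribute, so whatever later decodes and renders them still has to add it.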
