WordPress.org

Make WordPress Core

Opened 4 months ago

Closed 4 weeks ago

Last modified 3 weeks ago

#46316 closed defect (bug) (fixed)

wp_targeted_link_rel corrupts JSON content

Reported by: TobiasBg Owned by: SergeyBiryukov
Milestone: 5.2.1 Priority: normal
Severity: normal Version: 5.1
Component: Formatting Keywords: dev-feedback has-patch has-unit-tests
Focuses: Cc:

Description

In [43732], via #43187, a wp_targeted_link_rel callback was added to filter content before it's saved to the database.

This has broken and corrupted JSON data in the TablePress plugin. (TablePress uses a CPT in which it stores a JSON-encoded two-dimensional array.)

If a cell of that array contains a link with a target attribute, like
<a href="https://example.com/" target="_blank">link</a>,
this gets converted and saved as
<a href=\"https://example.com/\" target=\"_blank\" rel="noopener noreferrer">link</a>
with the rel="noopener noreferrer" attribute being added but without espacing of ". This results in the JSON being invalid when read again.

This already caused problems for core, in #45292, with the result of the filter being removed temporarily via [44714].

I could apply the same "fix" around the saving process in TablePress, however the issue also appears to native core screens of the CPT. Also, as this feature is somewhat security-related, and turning it off would not be the favorable choice.

I strongly assume that this also affects other places where stored JSON code (with HTML code for a link inside) is handled by wp_targeted_link_rel.

Attachments (1)

46316.diff (1.4 KB) - added by birgire 5 weeks ago.

Download all attachments as: .zip

Change History (10)

This ticket was mentioned in Slack in #forums by tobiasbg. View the logs.


4 months ago

#3 @TobiasBg
4 months ago

  • Keywords dev-feedback added

Could the regex that searches for target attributes be changed to only find those with " but not \" (JSON encoded) quotation marks around the attribute value?

@birgire
5 weeks ago

#4 @birgire
5 weeks ago

  • Keywords has-patch has-unit-tests added

What about using the same delimiter for the injected rel attribute, as for the existing target attribute, i.e. if we have target=\"_blank\" then add rel=\"noopener noreferrer\", else rel="noopener noreferrer"?

This is the approach in 46316.diff.

#5 @SergeyBiryukov
5 weeks ago

  • Milestone changed from Awaiting Review to 5.3

Related: #47244

#6 @SergeyBiryukov
4 weeks ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 45348:

Formatting: Adjust wp_targeted_link_rel() to ensure JSON format is preserved and correct quotes are used when adding the missing rel attribute.

Props birgire, TobiasBg, fierevere, audrasjb, SergeyBiryukov.
Fixes #46316, #47244.

#7 @SergeyBiryukov
4 weeks ago

In 45349:

Formatting: Adjust wp_targeted_link_rel() to ensure JSON format is preserved and correct quotes are used when adding the missing rel attribute.

Props birgire, TobiasBg, fierevere, audrasjb, SergeyBiryukov.
Merges [45348] to the 5.2 branch.
Fixes #46316, #47244.

#8 @SergeyBiryukov
4 weeks ago

  • Milestone changed from 5.3 to 5.2.1

This ticket was mentioned in Slack in #core by desrosj. View the logs.


3 weeks ago

Note: See TracTickets for help on using tickets.