Make WordPress Core

Opened 6 years ago

Closed 5 years ago

#46863 closed defect (bug) (fixed)

site title doesn't properly escape '{{ }}'

Reported by: OddenCreative
Owned by: SergeyBiryukov
Milestone: 5.3
Priority: normal
Severity: major
Version: 5.1
Component: Customize
Keywords: has-patch
Focuses:
Cc:

Description

I put in {{ do | io }} for a site title and after publishing and leaving the customizer, came back to it. All of the functionality aside from the widgets was missing. After some time I realized I probably created the issue with the site title, removed {{ }} from {{ do | io }} and all the customizer actions returned.

Attachments (3)

print-site-name.patch (1.0 KB) - added by pierlo 5 years ago.
print-site-name.2.patch (1.0 KB) - added by pierlo 5 years ago.
Formatting
46863.diff (1.7 KB) - added by donmhico 5 years ago.
Fix formatting and apply the change on another area.


Change History (15)

#1 follow-up: @OddenCreative
6 years ago

I am going to try to find time to fix this, though I have just started a new job.

#2 in reply to: ↑ 1 @mcmwebsol
6 years ago

I'm able to replicate this on WP 5.2
Replying to OddenCreative:

I am going to try to find time to fix this, though I have just started a new job.

#3 @donmhico
5 years ago

The issue in your case is specifically in this line of code.

<span class="browser-title" aria-hidden="true"><?php bloginfo( 'name' ); ?></span>

See https://core.trac.wordpress.org/browser/trunk/src/wp-includes/customize/class-wp-customize-site-icon-control.php#L67

Since that line is inside an underscore template, {{ }} is treated as special characters. So basically setting your site name as {{ [ anything ] }} will make the underscore script treat it as data to be compiled / rendered.

I haven't made any patch as I'm not sure how to proceed here. I can think of a few solutions.

1.] Change the interpolate from {{ }} to other style / character.
2.] Since the usage of the line above is for aria, maybe it's plausible to strip {{ }} in the bloginfo( 'name' );?
3.] Make underscore treat <?php bloginfo( 'name' ); ?> as string literal and prevent it from being processed. This might be the best solution but I tried to research and read the underscore's docs but I can't seem to find a way to do this. Maybe I'm missing something.


This ticket was mentioned in Slack in #core by donmhico. View the logs.


5 years ago

#5 @pierlo
5 years ago

You can use print to escape the site name.

@pierlo
5 years ago

Formatting

#6 @pierlo
5 years ago

  • Keywords has-patch added; needs-patch removed

@donmhico
5 years ago

Fix formatting and apply the change on another area.

#7 @donmhico
5 years ago

Patch print-site-name.2.patch of @pierlo works, thanks man.

In my new patch, 46863.diff, I removed the trailing space inside print() and I also applied the same fix on wp_print_media_templates().

#8 @pierlo
5 years ago

Awesome!

This ticket was mentioned in Slack in #core by pierlo. View the logs.


5 years ago

#10 @SergeyBiryukov
5 years ago

  • Milestone changed from Awaiting Review to 5.3
  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

This ticket was mentioned in Slack in #core by pierlo. View the logs.


5 years ago

#12 @ocean90
5 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 46389:

Customize: Prevent breaking the customizer when site title contains templating syntax.

When the site title is inside an underscore template, syntax defined in wp.template like {{ }} is treated as special characters and will make Underscore treat it as data to be compiled/rendered.

Props pierlo, donmhico.
Fixes #46863.
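
The failure and the print() approach discussed in this ticket, as an added example that is not part of the ticket or of the committed patch. The compiler below is a simplified stand-in for Underscore using wp.template's delimiters, and `serverTemplate`, `tryRender` and the JSON/HTML encoding of the title are assumptions made for illustration:

```javascript
// Simplified stand-in for an Underscore-style compiler using wp.template's
// delimiters: <# code #>, {{{ raw }}}, {{ escaped }}. It is not Underscore itself.
const DELIMS = /<#([\s\S]+?)#>|\{\{\{([\s\S]+?)\}\}\}|\{\{([^}]+?)\}\}(?!\})/g;
const ENT = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ENT[c]);

function compile(source) {
  let body = '';
  let last = 0;
  const text = (s) => `__p += ${JSON.stringify(s)};\n`;
  for (const m of source.matchAll(DELIMS)) {
    body += text(source.slice(last, m.index));
    if (m[1] !== undefined) body += `${m[1]}\n`;                 // <# ... #>
    else if (m[2] !== undefined) body += `__p += (${m[2]});\n`;  // {{{ ... }}}
    else body += `__p += escapeHtml(${m[3]});\n`;                // {{ ... }}
    last = m.index + m[0].length;
  }
  body += text(source.slice(last));
  // Throws SyntaxError here if a delimiter captured text that is not valid JS.
  const fn = new Function('data', 'escapeHtml',
    `let __p = ''; const print = (...a) => { __p += a.join(''); };\n` +
    `with (data) {\n${body}}\nreturn __p;`);
  return (data = {}) => fn(data, escapeHtml);
}

// Constructed model of the PHP side writing the site title into the template.
function serverTemplate(title, usePrint) {
  const cell = usePrint
    ? `<# print( ${JSON.stringify(escapeHtml(title))} ) #>` // title is only a JS string
    : title;                                                 // title becomes template source
  return `<span class="browser-title" aria-hidden="true">${cell}</span>`;
}

function tryRender(source, data = {}) {
  try {
    return { ok: true, html: compile(source)(data) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

const title = '{{ do | io }}'; // the title from the ticket description
console.log(tryRender(serverTemplate(title, false))); // compile fails
console.log(tryRender(serverTemplate(title, true)));  // title rendered as text
```

HTML-escaping the title before it is placed in the string literal also keeps a title containing `#>` from closing the `<# #>` block early.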
