Make WordPress Core

Opened 3 years ago

Last modified 3 years ago

#53683 new defect (bug)

Custom HTML Widget fails to save if ‘href’ inside

Reported by: paullee357
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 5.7.2
Component: Widgets
Keywords: close
Focuses:
Cc:

Description

My site in development has some odd permission issues. chmod and chown all look great, and I am able to upload images and make other saves. One particular issue that I can narrow down is that the Custom HTML widget saves great until the moment you add href inside an anchor.
I have a GIF here (https://keepbastropcountybeautiful.org/wp-content/uploads/href-poison.gif) showing how Save works well and fast until the moment I place href="" inside – then it freezes with spinning and it does not save. Looking at the logs, I do see a 403 returned on admin-ajax.php. I see 403 returned in other scenarios such as post.php, but not all of the time. With the Custom HTML widget being so specific, what actions happen on save? I'm on 5.7.2, no plugins, 2021 theme.

Change History (2)

#1 @SergeyBiryukov
3 years ago

  • Component changed from General to Widgets
  • Keywords close added

Hi there, welcome to WordPress Trac! Thanks for the report.

Just noting that I could not reproduce the issue on a clean install. This sounds like an issue triggered by a plugin or some overzealous security rule on the server.

Some similar issues: #25564, #25736, #32571, #33160, #44861, #45368, #48673, #48698, #49766.

#2 @paullee357
3 years ago

Yes, the server does have a lot of restrictions for inbound and outbound traffic. That is why I'm wondering what routine is being called while typing inside the Custom HTML widget, as it appears to be auto-closing brackets, quotes, etc., and even does error checking if a bracket is not closed. So is one of the error checks to verify that an href is correctly formed or maybe even exists? If so, would that make the check an external check for which we are currently blocking?
