Make WordPress Core

Opened 4 months ago

Last modified 2 months ago

#60191 new defect (bug)

Ampersand in non-entities such as &a; is not escaped

Reported by: superpoincare Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Formatting Keywords:
Focuses: Cc:

Description

WordPress escapes ampersand as &amp; in many places.

It checks if the ampersand is part of any entity before conversion, as the ampersand in an entity shouldn't be escaped. However, the regex also passes things such as &a;, which is not an entity, and wrongly doesn't convert the ampersand there.

To correct that, it has to be checked whether the pattern matched is really an entity. This can be done by using something like html_entity_decode: the decoded result for an entity would be different from the original string.

The block editor somehow checks correctly and prevents strings such as &a; from passing, but older posts and content inserted by plugins will have this bug.
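
A sketch of the check the description proposes, as an added example that is not WordPress core code or the reporter's code: the helper name `escape_loose_ampersands`, the candidate regex, the choice of the HTML5 entity table and the sample string are all assumptions made here.

```php
<?php
// Added illustration: helper name, regex and sample input are constructed here;
// this is not WordPress core code.

function escape_loose_ampersands(string $text): string
{
    // Match "&" plus an entity-shaped tail (&name; &#123; &#x1F;) when present,
    // otherwise the bare "&" on its own.
    $pattern = '/&(?:#[0-9]+|#[xX][0-9A-Fa-f]+|[A-Za-z][A-Za-z0-9]*);|&/';

    $out = preg_replace_callback(
        $pattern,
        static function (array $m): string {
            $token = $m[0];
            if ($token === '&') {
                return '&amp;';            // bare ampersand, always escaped
            }
            // Assumption: the HTML5 entity table is the reference set.
            $decoded = html_entity_decode($token, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if ($decoded !== $token) {
                return $token;             // decoder recognised it: leave intact
            }
            // Entity-shaped but unknown (e.g. &a;): escape only the ampersand.
            return '&amp;' . substr($token, 1);
        },
        $text
    );

    if ($out === null) {
        // Fail closed rather than return unescaped text on a PCRE error.
        throw new RuntimeException('preg_replace_callback failed');
    }
    return $out;
}

// Constructed sample: real entities mixed with look-alikes.
$sample = 'Tom & Jerry, &a; &amp; &nbsp; &#38; &#x26; &bogus; AT&T';
echo escape_loose_ampersands($sample), PHP_EOL;
```

Any reference the decoder returns unchanged is treated as plain text here, so the result depends on which entity table the flags select.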

Change History (1)

#1 @swissspidy
2 months ago

  • Version trunk deleted