Make WordPress Core

Opened 5 weeks ago

Last modified 2 weeks ago

#61796 new defect (bug)

Blank Page When $_GET['postId'] Does Not Exist in /wp-admin/site-editor.php

Reported by: benniledl's profile benniledl Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 6.6
Component: Editor Keywords: has-patch
Focuses: Cc:

Description

Hello,

In WordPress 6.6, there has been a change in behavior when the passed postId does not exist in /wp-admin/site-editor.php. Previously, the editor sidebar would appear as usual, while the page preview on the right would be blank. Users could simply click back in the editor sidebar and navigate to the desired content.

However, starting with version 6.6, the entire page becomes blank, which can be confusing for users. This issue might occur due to several reasons:

The content intended for editing has just been deleted.
The postId for the blog homepage, such as twentytwentyfourhome, gets modified for example by the waf due to concerns like path traversal, removing the double slash.

The editor should appear as usual even when the postId is invalid and just display an error message in the content preview.

Attachments (2)

2024-08-13_20-47.png (58.6 KB) - added by mi5t4n 4 weeks ago.
61796.patch (2.2 KB) - added by iflairwebtechnologies 3 weeks ago.

Download all attachments as: .zip

Change History (9)

#1 @mi5t4n
4 weeks ago

Hello,

WP 6.6.1
Theme: Twenty Twenty-Three

If we navigate to non-existtent postID on the site editor /wp-admin/site-editor.php?postType=page&postId=99999, the page preview page is stuck on loading, and a 404 not found is thrown on the Network Tab of the developer console.

While on,

WP 6.5
Theme: Twenty Twenty-Three

It does not get stuck and the URL /wp-admin/site-editor.php?path=%2Fpage&canvas=view is configured and shown if we travel to /wp-admin/site-editor.php?postType=page&postId=999999, non-existent postId.

This ticket was mentioned in PR #7188 on WordPress/wordpress-develop by @mi5t4n.


4 weeks ago
#2

  • Keywords has-patch added

Added validation for the postId parameter in site-editor.php to ensure that the post exists before proceeding. If the post ID is invalid or the post does not exist, the script will now terminate with an error message, preventing potential errors or unintended behavior.

Trac ticket: https://core.trac.wordpress.org/ticket/61796

@davidbaumwald commented on PR #7188:


4 weeks ago
#3

Though it's probably beyond the scope of the original ticket, I see a lot of duplication of isset( $_GET['postType'] ) and sanitize_key( $_GET['postType'] ).

Wondering if we could have something like a default $current_post_type = false|null then check and sanitize it once for reuse in the rest of the file. Same could pro be done for $_GET['postId'] and $_GET['path']?

Could probably move the early nails a bit higher in the file as well, to save some unnecessary code running when it's not needed? Just based off a brief look, unless I am missing something, I don't see anything between lines 76 and 118 that is in any way dependent on any of the code running above.

#4 @iflairwebtechnologies
3 weeks ago

@benniledl
you can review, created a new patch 61796.patch, which will also work for draft and trash post

@benniledl commented on PR #7188:


3 weeks ago
#6

would be nice to have an error message for various post statuses as in #7215

@mi5t4n commented on PR #7188:


2 weeks ago
#7

@dream-encode @peterwilsoncc Thank you for the suggestions. I have made the changes.

Note: See TracTickets for help on using tickets.