Opened 16 years ago
Closed 15 years ago
#8763 closed defect (bug) (fixed)
Unescaped CDATA in [gallery] Output
Reported by: | miqrogroove | Owned by: | azaozz |
---|---|---|---|
Milestone: | 2.8 | Priority: | normal |
Severity: | normal | Version: | 2.7 |
Component: | Gallery | Keywords: | has-patch commit |
Focuses: | Cc: |
Description
This is easiest to describe by example. Follow the permalink...
http://blogyul.miqrogroove.com/2008/12/mmm-mng-salesmmm-mng-salesmmm-mng-salesmmm-mng-sales/
... to a post that contains the phrase "Masculine & Feminine" in an attached image caption. The image appears twice: Once as a Full Size image, and once in the image gallery.
In the Full Size image, the "&" has been escaped to "&" in both the alt text string and the div CDATA.
In the gallery, the div CDATA are not escaped and the raw "&" appears. The alt text string is missing (#8732) but should also be escaped.
Attachments (3)
Change History (17)
#2
@
16 years ago
I think I have to give up on trying to do this by myself. I traced the caption I/O as far as media_upload_form_handler() where the value of $html is
[caption id="attachment_1337" align="aligncenter" width="300" caption="Alison Nix - Masculine & Feminine Touch"]<img src="http://blogyul.miqrogroove.com/wp-content/uploads/2008/12/mangomasculinefeminine2-300x200.jpg" alt="Alison Nix - Masculine & Feminine Touch" title="mangomasculinefeminine2" width="300" height="200" class="size-medium wp-image-1337" />[/caption]
But this doesn't even match what I see in the editor...
[caption id="attachment_1337" align="aligncenter" width="300" caption="Alison Nix - Masculine & Feminine Touch"]<img class="size-medium wp-image-1337" title="mangomasculinefeminine2" src="http://blogyul.miqrogroove.com/wp-content/uploads/2008/12/mangomasculinefeminine2-300x200.jpg" alt="Alison Nix - Masculine & Feminine Touch" width="300" height="200" />[/caption]
There may be multiple I/O inconsistencies at play here.
@
16 years ago
Patch to correct the raw output of $attachment->post_excerpt in the wp-includes/media.php file function gallery_shortcode()
#3
@
16 years ago
Okay I took it a step further by pasting the $html value directly into the visual editor. When I switched to Visual mode and back again, the value changed in the same way. I also tested entity references by writing them into the caption field and found they are not escaped in the visual editor. Despite the convoluted output path, it seems to work and there may be no need to match the flavor of "&" escaping between the editor and gallery.
On that note, I've gone ahead with the patch. Since this is my first patch here I would appreciate a thorough review.
#5
@
15 years ago
wp_specialchars($attachment->post_excerpt); should only be called after the if statement.
#8
@
15 years ago
- Keywords has-patch 2nd-opinion added; needs-patch removed
- Milestone changed from 2.7.2 to 2.8
Is this patch any better then?
Honestly, for all the encouragement on the WordPress.org site to get involved in reporting bugs, then testing and submitting patches the process for getting a patch committed really leaves a lot to be desired.
#9
@
15 years ago
- Keywords commit added; 2nd-opinion removed
Matty -- I wish there were more committers too. :-)
#12
@
15 years ago
- Resolution fixed deleted
- Status changed from closed to reopened
This has caused HTML in captions to be displayed as normal text.
I thought I would be able to patch this easily, but I am still confused by the intended outcome. If I apply wp_specialchars() to the gallery output, it does not escape entity references. Is it better to use htmlspecialchars() and potentially break existing entities in the gallery, or does the patch need to change the visual editor to also use wp_specialchars() ?