[wp-trac] [WordPress Trac] #34698: HTML-Embed code JavaScript error.

WordPress Trac noreply at wordpress.org
Sun Nov 22 23:06:11 UTC 2015


#34698: HTML-Embed code JavaScript error.
--------------------------+--------------------------
 Reporter:  nendeb55      |       Owner:  miqrogroove
     Type:  defect (bug)  |      Status:  assigned
 Priority:  normal        |   Milestone:  4.4
Component:  Embeds        |     Version:  trunk
 Severity:  normal        |  Resolution:
 Keywords:  dev-feedback  |     Focuses:
--------------------------+--------------------------
Changes (by pento):

 * keywords:  has-patch dev-feedback needs-unit-tests => dev-feedback
 * owner:  swissspidy => miqrogroove
 * status:  reopened => assigned


Comment:

 It's a defect because it breaks `&`s inside a `<script>` tag.

 There are a few scenarios I considered before committing this change:

 * A user without `unfiltered_html` posts content with an `&` in it. In an
 HTML attribute, it will be converted to `&amp;` by KSES, in a text node,
 it will be converted to `` by texturize, or if it's inside a
 `<script>` tag, the tag is going to be removed.
 * A user with `unfiltered_html` posts content with an `&` in it. In an
 HTML attribute, KSES didn't touch it, as it shouldn't. Texturize will no
 longer convert it to ``, which in the case of an `href` attribute,
 [https://jsfiddle.net/hef6895d/1/ was incorrect, anyway]. In a text node,
 it will still be correctly converted to `` by texturize.
 * The HTML came from an embed. In a text node, it will still be converted
 to ``. In a `<script>` tag, it will now no longer be converted.

 I'm happy to make tweaks if there are other scenarios you think should be
 considered, but the change to `<script>` and `href` behaviour should stay.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/34698#comment:21>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
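
Added example, not part of the original comment and not WordPress's own code: a simplified JavaScript model of the three contexts the comment walks through (text node, HTML attribute, `<script>` body). The function names are hypothetical, `&#038;` is assumed as the entity written into text nodes, and `new Function` is used only to parse the script body without running it.

```javascript
// A bare "&" is one that does not already start a character reference.
const BARE_AMP = /&(?!#(?:\d+|x[a-f0-9]+);|[a-z1-4]{1,8};)/gi;

// Model of the earlier behaviour: encode every bare "&", whatever the context.
function naiveEncode(html) {
  return html.replace(BARE_AMP, '&#038;');
}

// Context-aware model: whole <script> elements and all tags (with their
// attributes) pass through untouched; only text nodes are encoded.
function contextAwareEncode(html) {
  const parts = html.split(/(<script\b[\s\S]*?<\/script\s*>|<[^>]*>)/i);
  return parts
    .map((part) => (part.startsWith('<') ? part : part.replace(BARE_AMP, '&#038;')))
    .join('');
}

// Returns true if the first <script> body still parses as JavaScript.
function scriptParses(html) {
  const m = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/i.exec(html);
  if (!m) return true;
  try {
    new Function(m[1]); // compiles the body, never calls it
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample covering a text node, an href and a script body.
const SAMPLE =
  '<p>Fish & chips &amp; peas</p>' +
  '<a href="/?a=1&b=2">link</a>' +
  '<script>if (a && b) { go(); }</script>';

console.log('naive        :', naiveEncode(SAMPLE));
console.log('  script parses?', scriptParses(naiveEncode(SAMPLE)));
console.log('context-aware:', contextAwareEncode(SAMPLE));
console.log('  script parses?', scriptParses(contextAwareEncode(SAMPLE)));
```
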

