[wp-trac] [WordPress Trac] #35032: Shiny plugin updates fails if slug has special characters

WordPress Trac noreply at wordpress.org
Sat Dec 12 05:57:47 UTC 2015


#35032: Shiny plugin updates fails if slug has special characters
--------------------------+-----------------------------
 Reporter:  khag7         |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Plugins       |    Version:  4.4
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 The shiny plugin updates pass around the plugin slug via ajax. Here is how
 the slug is used: The esc_attr'd slug gets sent to the browser when the
 plugins page loads. The user tries to update the plugin and the slug
 (maybe with special characters, because esc_attr allows some) is sent to
 the server via ajax. wp_ajax_update_plugin will pass it through
 sanitize_key which strips out special characters. When the slug gets
 passed back to the user's browser, the javascript fails to find the right
 element to post the update message to because the slug has changed.

 The problem is, sometimes the slug is sanitized with esc_attr, sometimes
 with sanitize_html_class, sometimes with sanitize_key. By standardizing on
 one method of escaping/sanitizing the slug anywhere it's used for shiny
 updates, failures due to slug mismatches will stop.

 I think it is necessary to continue to use sanitize_key because the
 incoming ajax parameter must be sanitized in the strictest way. The easy
 solution is to use sanitize_key instead of esc_attr and
 sanitize_html_class in the HTML. It will look odd to have sanitize_key
 used for escaping HTML attributes, so a comment is recommended to explain
 why it is being used.

 You may be wondering how a plugin slug would have special characters.
 Plugins which are not part of the WordPress plugin repo sometimes make use
 of the WordPress plugin update mechanism. The results of the api call to
 the WordPress plugin repo are stored in a site transient, and many 3rd
 party plugins inject their data into that transient. Since the
 standardization of plugin slugs is currently only really enforced on
 WordPress's plugin repo, any 3rd party plugins can have slugs with special
 characters. Those plugins can still be updated via a separate page load,
 but when done via ajax the update fails and the user experience is poor.
 Users don't blame the 3rd party plugin, they blame core WordPress.

 This should fix shiny plugin updates for all woothemes plugins/extensions,
 which has been broken for some time because woothemes uses special
 characters in its plugin slugs.

 Ticket #32465 was along the same lines, but they seemed to have trouble
 tracking down the right solution. Or maybe this is not the same problem.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/35032>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
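The following is an added example, not code from the ticket and not WordPress
core's own code. It models the slug round trip the reporter describes (page
renders the slug into an attribute, the browser posts it back, the ajax
handler runs sanitize_key and echoes it, the JavaScript looks the row up by
the echoed value) so the mismatch can be reproduced offline. The three
sanitizers are simplified stand-ins: sanitize_key and sanitize_html_class
follow the character classes WordPress uses in wp-includes/formatting.php,
and esc_attr is reduced to ENT_QUOTES entity escaping. The slugs are
constructed, not real plugin names.

```python
import html
import re

# Added example (not code from the ticket or from WordPress core). The three
# sanitizers below are simplified re-implementations: sanitize_key and
# sanitize_html_class follow the character classes used in WordPress'
# wp-includes/formatting.php; esc_attr is reduced to ENT_QUOTES entity
# escaping (the real one also normalises pre-existing entities).


def esc_attr(text: str) -> str:
    """Escape for use in an HTML attribute. Nothing is removed: '.', '+',
    uppercase letters and so on survive; only & < > " ' become entities."""
    return html.escape(text, quote=True)


def sanitize_html_class(text: str) -> str:
    """Strip percent-encoded bytes, then anything outside [A-Za-z0-9_-].
    Case is preserved."""
    text = re.sub(r"%[a-fA-F0-9]{2}", "", text)
    return re.sub(r"[^A-Za-z0-9_-]", "", text)


def sanitize_key(text: str) -> str:
    """Lowercase, then strip anything outside [a-z0-9_-]. This is what
    wp_ajax_update_plugin applies to the incoming 'slug' parameter."""
    return re.sub(r"[^a-z0-9_\-]", "", text.lower())


def shiny_update_round_trip(slug: str, render):
    """Model of the slug's journey described in the ticket.

    1. The plugins page writes the slug into a data-slug attribute using
       `render` (esc_attr or sanitize_html_class today, sanitize_key in the
       proposed fix).
    2. The browser reads the attribute back; the DOM decodes entities, so the
       JS posts the decoded string to admin-ajax.php.
    3. wp_ajax_update_plugin runs sanitize_key on it and echoes the result.
    4. The JS looks the plugin row up by the echoed slug, so it only finds
       the row if the echoed slug equals the attribute value.
    Returns (attribute value as the DOM sees it, echoed slug, row found?).
    """
    attribute_value = html.unescape(render(slug))  # what the DOM holds
    posted = attribute_value                       # what the ajax call sends
    echoed = sanitize_key(posted)                  # what the server returns
    return attribute_value, echoed, echoed == attribute_value


# Constructed slugs, not real plugin names: one plain repo-style slug and two
# of the kind a third-party updater may inject into the update transient.
SAMPLE_SLUGS = ["akismet", "my-plugin.pro", "My_Plugin+Addon"]


def mismatches(render) -> list:
    """Slugs whose row lookup fails when the page renders with `render`."""
    return [s for s in SAMPLE_SLUGS if not shiny_update_round_trip(s, render)[2]]


if __name__ == "__main__":
    for name, fn in [("esc_attr", esc_attr),
                     ("sanitize_html_class", sanitize_html_class),
                     ("sanitize_key", sanitize_key)]:
        for slug in SAMPLE_SLUGS:
            attr, echoed, ok = shiny_update_round_trip(slug, fn)
            print(f"{name:20} {slug!r:20} attr={attr!r:20} "
                  f"echoed={echoed!r:20} {'found' if ok else 'ROW NOT FOUND'}")
```

Rendering with esc_attr leaves '.', '+' and uppercase in the attribute, so
two of the three constructed slugs come back changed and the row lookup
fails; sanitize_html_class still lets case through, so the mixed-case slug
fails; only rendering with sanitize_key, as the ticket proposes, makes every
slug survive the round trip unchanged.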