[wp-trac] [WordPress Trac] #31190: esc_html() ate my ampersand
WordPress Trac
noreply at wordpress.org
Sat Jan 31 15:35:19 UTC 2015
#31190: esc_html() ate my ampersand
--------------------------+-----------------------------
 Reporter:  mdgl          |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Formatting    |    Version:  4.1
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
While testing #28816 I noticed that `esc_html()` effectively "eats" an
explicit XML/HTML ampersand entity if this is immediately followed by what
looks like another valid XML/HTML entity. For example:
||= Input =||= Actual Output =||= Expected Output =||= Notes =||
|| A & B || A &amp; B || A &amp; B || Lone ampersand "corrected" ||
|| A &amp; B || A &amp; B || A &amp; B || Valid HTML passed through ||
|| A &ndash; B || A &ndash; B || A &ndash; B || Valid HTML passed through ||
|| '''A &amp;ndash; B''' || '''A &ndash; B''' || '''A &amp;ndash; B''' || '''Wrong as ampersand missing''' ||
|| A &ndash B || A &amp;ndash B || A &amp;ndash B || Malformed entity handled correctly ||
This happens because of the call to `wp_specialchars_decode()` within
`_wp_specialchars()`. The logic of this is very hard to fathom. If you
remove this call, the escaping appears to work correctly, with the
exception that some numeric character references are not replaced by their
named equivalents, which breaks one of the unit tests, even though this
could be regarded as dubious behaviour.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/31190>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
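
The decode-then-escape sequence the ticket blames can be reproduced with PHP built-ins alone. The script below is an added illustration, not code from WordPress core or from the reporter: `htmlspecialchars_decode()` is assumed as a stand-in for `wp_specialchars_decode()`, the function names `escape_with_decode()` and `escape_without_decode()` are hypothetical, and the sample strings are constructed to mirror the five table rows.

```php
<?php
// Added illustration, not WordPress core code. It models the ticket's
// diagnosis with PHP built-ins: htmlspecialchars_decode() stands in for
// wp_specialchars_decode() (assumption), followed by an escape that is
// told not to double-encode existing entities.

// Decode first, then escape (the behaviour the ticket reports).
function escape_with_decode(string $s): string {
    $decoded = htmlspecialchars_decode($s, ENT_QUOTES);
    return htmlspecialchars($decoded, ENT_QUOTES, 'UTF-8', false);
}

// The same escape with the decode step removed (the change the reporter tried).
function escape_without_decode(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8', false);
}

// Constructed sample inputs mirroring the ticket's table: input => expected.
$cases = [
    'A & B'           => 'A &amp; B',        // lone ampersand
    'A &amp; B'       => 'A &amp; B',        // valid entity
    'A &ndash; B'     => 'A &ndash; B',      // valid entity
    'A &amp;ndash; B' => 'A &amp;ndash; B',  // escaped ampersand before "ndash;"
    'A &ndash B'      => 'A &amp;ndash B',   // malformed entity, no semicolon
];

foreach ($cases as $input => $expected) {
    $with    = escape_with_decode($input);
    $without = escape_without_decode($input);
    printf(
        "%-16s | with decode: %-16s %-8s | without: %-16s %s\n",
        $input,
        $with,
        $with === $expected ? 'ok' : 'MISMATCH',
        $without,
        $without === $expected ? 'ok' : 'MISMATCH'
    );
}
```

This model does not cover the replacement of numeric character references by named equivalents that the report mentions as the remaining difference.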