[wp-trac] [WordPress Trac] #38719: Prevent trashed customize_changeset posts from being erroneously mutated

WordPress Trac noreply at wordpress.org
Tue Nov 8 22:51:50 UTC 2016 

#38719: Prevent trashed customize_changeset posts from being erroneously mutated
--------------------------+--------------------------
 Reporter:  westonruter   |       Owner:  westonruter
     Type:  defect (bug)  |      Status:  accepted
 Priority:  normal        |   Milestone:  4.7
Component:  Customize     |     Version:
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:
--------------------------+--------------------------
Changes (by westonruter):

 * owner:   => westonruter
 * status:  new => accepted


Old description:

> When revisions support is not added for `customize_changeset` posts, then
> when a changeset is transitioned (from `auto-draft`) to the `publish`
> status, then it will immediately be transitioned to `trash` so that it
> will be garbage collected. There are two problems with this right now in
> core:
>
> 1. If any of the JSON content has any strings containing HTML that `kses`
> doesn't like, it will get stripped when calling `wp_trash_post()` (if a
> privileged user is not logged in when published. e.g. during WP Cron).
> See #38715.
> 2. The `post_name` is mutated by appending `__trashed`. This is
> problematic when someone bookmarks a customizer session. If they return
> to the session and the changeset has been published or trashed, they
> should be shown a notice to that effect. With the suffix being added,
> this then fails for trashed changesets.
>
> _wp_customize_publish_changeset

New description:

 When revisions support is not added for `customize_changeset` posts, then
 when a changeset is transitioned (from `auto-draft`) to the `publish`
 status, then it will immediately be transitioned to `trash` so that it
 will be garbage collected. There are two problems with this right now in
 core:

 1. If any of the JSON content has any strings containing HTML that `kses`
 doesn't like, it will get stripped when calling `wp_trash_post()` (if a
 privileged user is not logged in when published. e.g. during WP Cron). See
 #38715.
 2. The `post_name` is mutated by appending `__trashed`. This is
 problematic when someone bookmarks a customizer session. If they return to
 the session and the changeset has been published or trashed, they should
 be shown a notice to that effect. With the suffix being added, this then
 fails for trashed changesets.

  See `_wp_customize_publish_changeset()` for where `wp_trash_post()` is
 called.

--

--
Ticket URL: <https://core.trac.wordpress.org/ticket/38719#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list