[wp-trac] [WordPress Trac] #38719: Prevent trashed customize_changeset posts from being erroneously mutated
WordPress Trac
noreply at wordpress.org
Tue Nov 8 22:52:21 UTC 2016
#38719: Prevent trashed customize_changeset posts from being erroneously mutated
--------------------------+--------------------------
Reporter: westonruter | Owner: westonruter
Type: defect (bug) | Status: accepted
Priority: normal | Milestone: 4.7
Component: Customize | Version:
Severity: normal | Resolution:
Keywords: | Focuses:
--------------------------+--------------------------
Description changed by westonruter:
Old description:
> When revisions support is not added for `customize_changeset` posts, then
> when a changeset is transitioned (from `auto-draft`) to the `publish`
> status, then it will immediately be transitioned to `trash` so that it
> will be garbage collected. There are two problems with this right now in
> core:
>
> 1. If any of the JSON content has any strings containing HTML that `kses`
> doesn't like, it will get stripped when calling `wp_trash_post()` (if a
> privileged user is not logged in when published. e.g. during WP Cron).
> See #38715.
> 2. The `post_name` is mutated by appending `__trashed`. This is
> problematic when someone bookmarks a customizer session. If they return
> to the session and the changeset has been published or trashed, they
> should be shown a notice to that effect. With the suffix being added,
> this then fails for trashed changesets.
>
> See `_wp_customize_publish_changeset()` for where `wp_trash_post()` is
> called.
New description:
When revisions support is not added for `customize_changeset` posts, then
when a changeset is transitioned (from `auto-draft`) to the `publish`
status, then it will immediately be transitioned to `trash` so that it
will be garbage collected. There are two problems with this right now in
core:
1. If any of the JSON content has any strings containing HTML that `kses`
doesn't like, it will get stripped when calling `wp_trash_post()` (if a
privileged user is not logged in when published. e.g. during WP Cron). See
#38715.
2. The `post_name` is mutated by appending `__trashed`. This is
problematic when someone bookmarks a customizer session. If they return to
the session and the changeset has been published or trashed, they should
be shown a notice to that effect. With the suffix being added, this then
fails for trashed changesets.
See `_wp_customize_publish_changeset()` for where `wp_trash_post()` is
called.
--
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38719#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list