[wp-trac] [WordPress Trac] #41596: New Text Widget recognizes HTML but does not render it in the front end
WordPress Trac
noreply at wordpress.org
Wed Aug 9 23:17:15 UTC 2017
#41596: New Text Widget recognizes HTML but does not render it in the front end
--------------------------+--------------------
 Reporter:  mrfoxtalbot   |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  4.8.2
Component:  Widgets       |     Version:  4.8
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |     Focuses:  ui
--------------------------+--------------------
Changes (by westonruter):
* keywords: => has-patch
* version: 4.8.1 => 4.8
* milestone: Awaiting Review => 4.8.2
Comment:

It actually turns out to be due to `esc_attr()` and how it does not
double-encode/double-escape any entities. So if you enter `&lt;code&gt;`
into the editor then it will get saved in the DB as that but then the text
value will get written into the `text` hidden input as
`value="&lt;code&gt;"` and thus get read out as `<code>`.

@mrfoxtalbot So actually, you'll see that if you modify the widget after
that initial save and then save again, you'll then notice on the frontend
that it then renders the same as in the widget.

So I've got a proposed change that will allow `esc_attr()` to force-allow
double-escaping of entities, and that fixes the problem in my testing:
https://github.com/xwp/wordpress-develop/pull/247

Maybe it would be better to just use `htmlspecialchars()` directly instead
of `esc_attr()`.

@azaozz thoughts?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/41596#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
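
The round trip described in the comment above, as an added example that is not part of the original message or of WordPress core. It runs in plain PHP without WordPress loaded and assumes that `htmlspecialchars()` with `$double_encode = false` is a fair stand-in for the `esc_attr()` behaviour the comment describes; the function names and the sample string are constructed for illustration.

```php
<?php
// Added illustration; plain PHP, no WordPress loaded.
// Assumption: htmlspecialchars() with $double_encode = false stands in for
// esc_attr(), which the comment describes as not double-encoding entities.

function attr_no_double_encode(string $text): string {
    // Existing entities such as &lt; are left alone instead of becoming &amp;lt;
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', false);
}

function attr_double_encode(string $text): string {
    // Every "&" is encoded, including the one that starts an existing entity.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', true);
}

// Reading a form field's value attribute back applies one level of
// entity decoding; html_entity_decode() models that step here.
function browser_reads_attr(string $attr): string {
    return html_entity_decode($attr, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: the author typed the entities literally so that the
// front end shows the text "<code>" rather than a real element.
$stored = '&lt;code&gt;';

$escapers = [
    'no double-encode' => 'attr_no_double_encode',
    'double-encode'    => 'attr_double_encode',
];

foreach ($escapers as $label => $escape) {
    $attr      = $escape($stored);           // what lands in value="..."
    $read_back = browser_reads_attr($attr);  // what the form submits next time
    printf(
        "%-17s value=\"%s\" -> read back: %s (%s)\n",
        $label,
        $attr,
        $read_back,
        $read_back === $stored ? 'round-trips' : 'changed'
    );
}
```

Only the double-encoding variant hands the stored string back unchanged. With the other variant the next save persists the decoded form, so text the author escaped deliberately becomes markup on the front end.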