[wp-trac] [WordPress Trac] #41596: New Text Widget recognizes HTML but does not render it in the front end

WordPress Trac noreply at wordpress.org
Wed Aug 9 23:17:15 UTC 2017


#41596: New Text Widget recognizes HTML but does not render it in the front end
--------------------------+--------------------
 Reporter:  mrfoxtalbot   |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  4.8.2
Component:  Widgets       |     Version:  4.8
 Severity:  normal        |  Resolution:
 Keywords:  has-patch     |     Focuses:  ui
--------------------------+--------------------
Changes (by westonruter):

 * keywords:   => has-patch
 * version:  4.8.1 => 4.8
 * milestone:  Awaiting Review => 4.8.2


Comment:

 It actually turns out to be due to `esc_attr()` and how it does not
 double-encode/double-escape any entities. So if you enter `&lt;code&gt;`
 into the editor then it will get saved in the DB as that but then the text
 value will get written into the `text` hidden input as
 `value="&lt;code&gt;"` and thus get read out as `<code>`.

 @mrfoxtalbot So actually, you'll see that if you modify the widget after
 that initial save and then save again, you'll then notice on the frontend
 that it then renders the same as in the widget.

 So I've got a proposed change that will allow `esc_attr()` to force-allow
 double-escaping of entities, and that fixes the problem in my testing:
 https://github.com/xwp/wordpress-develop/pull/247

 Maybe it would be better to just use `htmlspecialchars()` directly instead
 of `esc_attr()`.

 @azaozz thoughts?

--
Ticket URL: <https://core.trac.wordpress.org/ticket/41596#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
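The round trip described in the comment above, as an added example that is not from the ticket or from WordPress core. It assumes that `esc_attr()` behaves like PHP's `htmlspecialchars()` with `double_encode` set to `false` (existing entities are left untouched), and it models the browser reading `input.value` back with `html_entity_decode()`.

```php
<?php
// Escaping as the comment describes esc_attr(): an existing "&lt;" stays "&lt;"
// instead of becoming "&amp;lt;" (double_encode = false). Assumption, not WP code.
function escape_like_esc_attr(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', false);
}

// Escaping with PHP's default double_encode = true: "&lt;" becomes "&amp;lt;".
function escape_double_encoding(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8', true);
}

// What the browser hands to the widget's JavaScript for input.value:
// the attribute's entities are decoded exactly once.
function browser_reads_value(string $attribute_value): string {
    return html_entity_decode($attribute_value, ENT_QUOTES, 'UTF-8');
}

// Text saved in the DB -> written into value="..." -> read back by the script.
function round_trip(callable $escape, string $stored): string {
    return browser_reads_value($escape($stored));
}

// Constructed sample: the entity-encoded text the user typed, as stored in the DB.
$stored = '&lt;code&gt;';

// With the esc_attr()-style escaper the entities are lost on read-back
// (the result no longer equals what was stored), which is the bug.
echo round_trip('escape_like_esc_attr', $stored), "\n";
echo round_trip('escape_like_esc_attr', $stored) === $stored ? "intact\n" : "changed\n";

// With double encoding the stored text survives the round trip unchanged.
echo round_trip('escape_double_encoding', $stored), "\n";
echo round_trip('escape_double_encoding', $stored) === $stored ? "intact\n" : "changed\n";

// Raw markup mixed with an entity shows the same difference: only the
// double-encoding escaper preserves the "&amp;" the user actually typed.
$raw = '<b>&amp;</b>';
echo round_trip('escape_like_esc_attr', $raw), "\n";
echo round_trip('escape_double_encoding', $raw), "\n";
```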