[wp-trac] [WordPress Trac] #46863: site title doesn't properly escape '{{ }}'
WordPress Trac
noreply at wordpress.org
Fri Aug 16 09:00:04 UTC 2019
#46863: site title doesn't properly escape '{{ }}'
---------------------------+------------------------------
Reporter: OddenCreative | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Customize | Version: 5.1
Severity: major | Resolution:
Keywords: needs-patch | Focuses:
---------------------------+------------------------------
Comment (by donmhico):
The issue in your case is specifically in this line of code.
{{{
<span class="browser-title" aria-hidden="true"><?php bloginfo( 'name' ); ?></span>
}}}
See https://core.trac.wordpress.org/browser/trunk/src/wp-includes/customize/class-wp-customize-site-icon-control.php#L67
Since that line is inside an underscore template, `{{ }}` is treated as
special characters. So basically setting your site name as `{{ [ anything
] }}` will make the underscore script treat it as data to be compiled /
rendered.
I haven't made any patch as I'm not sure how to proceed here. I can think
of a few solutions.
1.] Change the interpolate from `{{ }}` to other style / character.
2.] Since the usage in the line above is for aria, maybe it's
plausible to strip `{{ }}` in the `bloginfo( 'name' );`.
3.] Make underscore treat `<?php bloginfo( 'name' ); ?>` as string literal
and prevent it from being processed. This might be the best solution but I
tried to research and read the underscore's docs but I can't seem to find
a way to do this. Maybe I'm missing something.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/46863#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
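
Added example, not part of the original message and not WordPress or Underscore code: a simplified stand-in for a `{{ }}` template compiler, showing why a site name printed into the template source gets compiled as an expression, and how encoding the braces before output keeps it literal. The functions `compileTemplate`, `neutralizeBraces`, `buildTemplateSource` and `renderPreview`, and the sample data, are hypothetical.

```javascript
// Simplified stand-in for an Underscore-style compiler using {{ }} delimiters.
// It is NOT Underscore or wp.template; it only mirrors the relevant behaviour:
// text between {{ and }} is compiled as a JavaScript expression over `data`.
const MUSTACHE = /\{\{([^}]+?)\}\}(?!\})/g;

function escapeHtml(value) {
  return String(value == null ? '' : value)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

function compileTemplate(source) {
  const parts = [];
  let last = 0;
  for (const m of source.matchAll(MUSTACHE)) {
    parts.push(JSON.stringify(source.slice(last, m.index))); // literal text
    parts.push('escapeHtml(' + m[1].trim() + ')');           // compiled expression
    last = m.index + m[0].length;
  }
  parts.push(JSON.stringify(source.slice(last)));
  const fn = new Function('escapeHtml', 'data', 'return ' + parts.join(' + ') + ';');
  return (data) => fn(escapeHtml, data);
}

// Hypothetical helper: encode braces so the compiler sees no delimiters.
// A browser still displays &#123; and &#125; as { and }.
function neutralizeBraces(text) {
  return text.replace(/\{/g, '&#123;').replace(/\}/g, '&#125;');
}

// Models the PHP side: the site name is printed into the template source
// before the client-side compiler ever runs.
function buildTemplateSource(siteName, neutralize) {
  const escaped = escapeHtml(siteName);
  const name = neutralize ? neutralizeBraces(escaped) : escaped;
  return '<span class="browser-title" aria-hidden="true">' + name + '</span>' +
         '<img src="{{ data.iconUrl }}">';
}

function renderPreview(siteName, neutralize) {
  const data = { iconUrl: 'https://example.test/icon.png' }; // constructed sample
  return compileTemplate(buildTemplateSource(siteName, neutralize))(data);
}
```

With `neutralize` set to `false`, a title such as `{{ My Site }}` fails at compile time and breaks the whole template; with `true`, the title survives as literal text while the template's own `{{ data.iconUrl }}` placeholder still works.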