[wp-trac] [WordPress Trac] #55399: esc_xml() removes valid XML input ( input that is empty() )

WordPress Trac noreply at wordpress.org
Wed Mar 16 10:58:31 UTC 2022

#55399: esc_xml() removes valid XML input ( input that is empty() )
 Reporter:  rumpel2116    |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  5.5
 Severity:  normal        |   Keywords:  needs-patch
  Focuses:                |
 The function `esc_xml()`, introduced with #50117, escapes/deletes some valid
 input: input that results in true if passed to `empty()`.
 `esc_xml('0')` and similar return an empty string instead of returning
 `'0'`, while `'0'` is perfectly XML-safe.

 There are two issues checking for empty regex groups that use PHP's
 $safe_text = (string) preg_replace_callback(
         // $regex is the pattern built earlier in esc_xml().
         $regex,
         static function( $matches ) {
                 if ( ! $matches[0] ) {
                         return '';
                 }

                 if ( ! empty( $matches['non_cdata'] ) ) {
                         // escape HTML entities in the non-CDATA Section.
                         return _wp_specialchars( $matches['non_cdata'], ENT_XML1 );
                 }

                 // Return the CDATA Section unchanged, escape HTML entities in the rest.
                 return _wp_specialchars( $matches['non_cdata_followed_by_cdata'], ENT_XML1 ) . $matches['cdata'];
         },
         $safe_text
 );

 The first check is to skip further processing of empty strings, I believe.
 It can easily be replaced by `! isset( $matches[0] )`, as the group is not set
 if empty.

 The second check validates if there is no `non_cdata` (without any cdata),
 but uses `! empty()` explicitly. Same solution: using `! isset(
 $matches['non_cdata'] )` covers the case; if no `non_cdata` is captured,
 the regex group is not set.

Ticket URL: <https://core.trac.wordpress.org/ticket/55399>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
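
A stand-alone reproduction of the two checks discussed in the ticket, added here as an example (not WordPress core code and not the reporter's code). The names `esc_xml_demo()`, `CDATA_RE` and `$use_isset` are hypothetical, the pattern is a simplified stand-in for the one in `esc_xml()`, and `htmlspecialchars()` stands in for `_wp_specialchars()`.

```php
<?php
// Added example, not WordPress core code. Assumptions: $regex is a simplified
// stand-in for the pattern in esc_xml(), and htmlspecialchars() stands in
// for _wp_specialchars().
const CDATA_RE = '<!\[CDATA\[.*?\]\]>';

function esc_xml_demo( string $text, bool $use_isset ): string {
	$regex = '/(?=.*?' . CDATA_RE . ')(?<non_cdata_followed_by_cdata>.*?)(?<cdata>' . CDATA_RE . ')'
		. '|(?<non_cdata>.*)/s';

	return (string) preg_replace_callback(
		$regex,
		static function ( $matches ) use ( $use_isset ) {
			// First check: loose truthiness treats the match '0' like ''.
			$skip = $use_isset ? ! isset( $matches[0] ) : ! $matches[0];
			if ( $skip ) {
				return '';
			}

			// Second check: empty( '0' ) is true, so a non-CDATA run of '0'
			// would fall through to the CDATA branch, whose groups are both ''.
			$plain = $use_isset
				? isset( $matches['non_cdata'] )
				: ! empty( $matches['non_cdata'] );
			if ( $plain ) {
				return htmlspecialchars( $matches['non_cdata'], ENT_XML1 );
			}

			return htmlspecialchars( $matches['non_cdata_followed_by_cdata'], ENT_XML1 )
				. $matches['cdata'];
		},
		$text
	);
}

// Constructed sample inputs: compare the loose checks with the isset() variant.
foreach ( array( '0', 'a < b', '<![CDATA[x < y]]>0' ) as $input ) {
	printf(
		"%-22s loose: %-22s isset: %s\n",
		var_export( $input, true ),
		var_export( esc_xml_demo( $input, false ), true ),
		var_export( esc_xml_demo( $input, true ), true )
	);
}
```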