[wp-trac] [WordPress Trac] #61833: Post titles in Bulk Edit should show decoded HTML
WordPress Trac
noreply at wordpress.org
Tue Sep 17 16:35:39 UTC 2024
#61833: Post titles in Bulk Edit should show decoded HTML
-----------------------------+---------------------
Reporter: dmsnell | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 6.7
Component: Quick/Bulk Edit | Version:
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
-----------------------------+---------------------
Comment (by dmsnell):

@peterwilsoncc I've updated the PR to re-encode the title on save. it
feels too easy, but I'm not convinced it's wrong either. in fact, in the
patch I added a comment with the hope that we can uncover other post
properties that are getting incorrectly encoded and decoded and then fix
them.

Your feedback was really helpful, especially the example you gave. I tried
to reimagine this patch in other ways, but another fix has remained
elusive. It's good for us to consider this case because I think that cases
//like this// saturate Core.

Relevant to my update:

- the jQuery code submitting the Quick Edit form appears to send UTF-8
without any escaping. it will send "the raw string."
- if that string contains character references, those references get
saved and then displayed again on the quick edit form. this string is an
//encoded// string, instead of a raw one, but the jQuery doesn't know
that.
- in my patch, by decoding the HTML on output to the form, jQuery is
taking //raw// input and returning //raw// output.
- by encoding into `$post['post_title']` we end up serializing into the
database in //encoded// form again.
- this balances encoding and decoding.

What I'm not sure of is what else this breaks, but I'm not sure it will or
does, because the status quo is that the database has been storing the
encoded form of the title, simply because it's uninterested in whether a
string is raw or encoded.

What I think will change with this patch is that //now//, if a title
contains `<`, `>`, `'`, `"`, or `&`, those will be escaped in the
database. Whereas before there could be a mix of `a < b < c` - now, that
post title will update to `a < b < c`

Curious on your thoughts on this.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/61833#comment:11>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
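
The decode-on-output / encode-on-save balance described in the comment above, as an added example that is not code from the PR or from WordPress. PHP's built-in html_entity_decode() and htmlspecialchars() stand in for whatever helpers the patch actually uses (an assumption), the function names are hypothetical, and the sample titles are constructed.

```php
<?php
// Added illustration only; built-ins are stand-ins for the patch's helpers.
const TITLE_FLAGS = ENT_QUOTES | ENT_HTML5;

// Output side: give the form the raw title, character references decoded.
function title_for_form(string $stored): string {
    return html_entity_decode($stored, TITLE_FLAGS, 'UTF-8');
}

// Save side: the form sends back a raw string, so encode it before storing.
function title_for_storage(string $raw): string {
    return htmlspecialchars($raw, TITLE_FLAGS, 'UTF-8');
}

// One full Quick Edit cycle with no change made by the user.
function balanced_round_trip(string $stored): string {
    return title_for_storage(title_for_form($stored));
}

// Constructed titles as they might currently sit in the database.
$stored_titles = [
    'a < b &lt; c',          // mix of raw and encoded characters
    'Fish &amp; Chips',      // already fully encoded
    'Tom & Jerry',           // raw ampersand
    'Say "hi" &amp;lt; now', // literal text "&lt;" stored double-encoded
];

foreach ($stored_titles as $stored) {
    $form  = title_for_form($stored);
    $saved = title_for_storage($form);

    // After the first save the stored form must be stable: a second
    // open-and-save cycle may not change it, and the form must show the
    // same raw text both times.
    $stable    = balanced_round_trip($saved) === $saved;
    $same_form = title_for_form($saved) === $form;

    echo "stored before: {$stored}\n";
    echo "shown in form: {$form}\n";
    echo "stored after : {$saved}\n";
    echo 'stable: ' . ($stable && $same_form ? 'yes' : 'NO') . "\n\n";
}
```

A title that was stored with a mix of raw and encoded characters changes once, on its first save, to the fully encoded form and is stable afterwards. The last sample shows why the two steps have to be paired: with decoding alone, literal text that looks like a character reference would come back from the form as markup characters.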