
Post author: Byline encourages HTML but it is sanitised #40600

Closed
dsas opened this issue Apr 25, 2022 · 1 comment · Fixed by #40776
dsas commented Apr 25, 2022

Description

The post-author block allows entering a byline using a RichText component. When entering a byline I have buttons for emphasis, strong and so on.

When viewing a byline these tags are escaped.

In Gutenberg I have this mark-up:

<!-- wp:post-author {"byline":"my \u003cem\u003eawesome\u003c/em\u003e byl\u003cstrong\u003ein\u003c/strong\u003ee"} /-->

which looks like this in Gutenberg:
[image]

and looks like this on the front end:
[image]

I expect what I see on the front end to look like what I see in Gutenberg.

Step-by-step reproduction instructions

  1. Create a new post (I did it as an admin, though user level shouldn't matter)
  2. Insert the Post Author block
  3. Type in a byline, using some of the formatting buttons, e.g. to emphasise or bold some of the text
  4. Save the post
  5. View the post

Screenshots, screen recording, code snippet

Screen.Capture.on.2022-04-26.at.00-15-32.mp4

The data is escaped here:

( ! empty( $byline ) ? '<p class="wp-block-post-author__byline">' . esc_html( $byline ) . '</p>' : '' ) .

Environment info

Using the Gutenberg development docker image, a0e1728bc is my current HEAD

Please confirm that you have searched existing issues in the repo.

Yes

Please confirm that you have tested with all plugins deactivated except Gutenberg.

Yes

andrewserong (Contributor) commented:

Thanks for opening up an issue for this one! It looks like the common / desired way to server-render attributes that are set via RichText components in the editor is to use wp_kses_post to sanitize output instead of escaping the HTML characters (based on earlier discussion in #38649 (review)). I've opened up a small PR in #40776 to fix this up for the Post Author block.

@priethor priethor removed the [Status] In Progress Tracking issues with work in progress label May 22, 2023