Slideshows: Fix escaping of Gallery content.

`esc_attr()` will not double-encode HTML entities, which causes all sorts of problems. `json_encode()` does not (by default) encode ampersands. If it did, we'd be coincidentally saved from `esc_attr()`'s problems. Since it doesn't, we have to work around `esc_attr()`'s problems ourselves by calling `_wp_specialchars()` directly. http://[private link] Merges r105065-wpcom.
Automattic · Oct 3, 2014 · 99fffd8 · 99fffd8
1 parent ecea00c
commit 99fffd8
Showing 1 changed file with 27 additions and 1 deletion.
diff --git a/modules/shortcodes/slideshow.php b/modules/shortcodes/slideshow.php
@@ -208,14 +208,40 @@ function slideshow_js( $attr ) {
 
 		$output = '';
 
+		if ( defined( 'JSON_HEX_AMP' ) ) {
+			// This is nice to have, but not strictly necessary since we use _wp_specialchars() below
+			$gallery = json_encode( $attr['gallery'], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT );
+		} else {
+			$gallery = json_encode( $attr['gallery'] );
+		}
+
 		$output .= '<p class="jetpack-slideshow-noscript robots-nocontent">' . esc_html__( 'This slideshow requires JavaScript.', 'jetpack' ) . '</p>';
 		$output .= sprintf( '<div id="%s" class="slideshow-window jetpack-slideshow slideshow-%s" data-width="%s" data-height="%s" data-trans="%s" data-gallery="%s"></div>',
 			esc_attr( $attr['selector'] . '-slideshow' ),
 			esc_attr( $attr['color'] ),
 			esc_attr( $attr['width'] ),
 			esc_attr( $attr['height'] ),
 			esc_attr( $attr['trans'] ),
-			esc_attr( json_encode( $attr['gallery'] ) )
+			/*
+			 * The input to json_encode() above can contain '&quot;'.
+			 *
+			 * For calls to json_encode() lacking the JSON_HEX_AMP option,
+			 * that '&quot;' is left unaltered.  Running '&quot;' through esc_attr()
+			 * also leaves it unaltered since esc_attr() does not double-encode.
+			 *
+			 * This means we end up with an attribute like
+			 * `data-gallery="{&quot;foo&quot;:&quot;&quot;&quot;}"`,
+			 * which is interpreted by the browser as `{"foo":"""}`,
+			 * which cannot be JSON decoded.
+			 *
+			 * The preferred workaround is to include the JSON_HEX_AMP (and friends)
+			 * options, but these are not available until 5.3.0.
+			 * Alternatively, we can use _wp_specialchars( , , , true ) instead of
+			 * esc_attr(), which will double-encode.
+			 *
+			 * Since we can't rely on JSON_HEX_AMP, we do both.
+			 */
+			_wp_specialchars( wp_check_invalid_utf8( $gallery ), ENT_QUOTES, false, true )
 		);
 
 		$output .= "