From 6e18f2fba2720085d0cb436a1548a4fced983439 Mon Sep 17 00:00:00 2001 From: John Date: Mon, 18 Mar 2019 07:49:35 +0000 Subject: [PATCH] Add greater than symbol to attribute escaping (#9963) --- packages/element/src/test/index.js | 2 +- packages/element/src/test/serialize.js | 2 +- packages/escape-html/CHANGELOG.md | 4 ++++ packages/escape-html/README.md | 20 ++++++++++++++------ packages/escape-html/package.json | 2 +- packages/escape-html/src/escape-greater.js | 15 +++++++++++++++ packages/escape-html/src/index.js | 15 ++++++++++++++- packages/escape-html/src/test/index.js | 13 +++++++++++++ 8 files changed, 63 insertions(+), 10 deletions(-) create mode 100644 packages/escape-html/src/escape-greater.js diff --git a/packages/element/src/test/index.js b/packages/element/src/test/index.js index 5d8417859042df..ef5bd4bb87542b 100644 --- a/packages/element/src/test/index.js +++ b/packages/element/src/test/index.js @@ -53,7 +53,7 @@ describe( 'element', () => { }, '<"WordPress" & Friends>' ) ); expect( result ).toBe( - '' + + '' + '<"WordPress" & Friends>' + '' ); diff --git a/packages/element/src/test/serialize.js b/packages/element/src/test/serialize.js index d0f5d9ef32b3ac..7fe4251666decd 100644 --- a/packages/element/src/test/serialize.js +++ b/packages/element/src/test/serialize.js @@ -528,7 +528,7 @@ describe( 'renderAttributes()', () => { href: '/index.php?foo=bar&qux=<"scary">', } ); - expect( result ).toBe( ' style="background:url("foo.png")" href="/index.php?foo=bar&qux=<"scary">"' ); + expect( result ).toBe( ' style="background:url("foo.png")" href="/index.php?foo=bar&qux=<"scary">"' ); } ); it( 'should render numeric attributes', () => { diff --git a/packages/escape-html/CHANGELOG.md b/packages/escape-html/CHANGELOG.md index e780b87752277f..3d81e8ec35b7b5 100644 --- a/packages/escape-html/CHANGELOG.md +++ b/packages/escape-html/CHANGELOG.md 
@@ -1,3 +1,7 @@ +## 1.1.1 (Unreleased) + +- Add fix for WordPress wptexturize greater-than tokenize bug (see https://core.trac.wordpress.org/ticket/45387) + ## 1.0.1 (2018-10-19) ## 1.0.0 (2018-10-18) diff --git a/packages/escape-html/README.md b/packages/escape-html/README.md index d144be1b7de9f6..eafa8cf0673b71 100644 --- a/packages/escape-html/README.md +++ b/packages/escape-html/README.md @@ -18,7 +18,7 @@ _This package assumes that your code will run in an **ES2015+** environment. If ### escapeAmpersand -[src/index.js#L28-L30](src/index.js#L28-L30) +[src/index.js#L33-L35](src/index.js#L33-L35) Returns a string with ampersands escaped. Note that this is an imperfect implementation, where only ampersands which do not appear as a pattern of @@ -41,7 +41,7 @@ named references (i.e. ambiguous ampersand) are are still permitted. ### escapeAttribute -[src/index.js#L66-L68](src/index.js#L66-L68) +[src/index.js#L79-L81](src/index.js#L79-L81) Returns an escaped attribute value. @@ -52,6 +52,14 @@ Returns an escaped attribute value. "[...] the text cannot contain an ambiguous ampersand [...] must not contain any literal U+0022 QUOTATION MARK characters (")" +Note we also escape the greater than symbol, as this is used by wptexturize to +split HTML strings. This is a WordPress specific fix + +Note that if a resolution for Trac#45387 comes to fruition, it is no longer +necessary for `__unstableEscapeGreaterThan` to be used. + +See: + **Parameters** - **value** `string`: Attribute value. @@ -62,7 +70,7 @@ any literal U+0022 QUOTATION MARK characters (")" ### escapeHTML -[src/index.js#L82-L84](src/index.js#L82-L84) +[src/index.js#L95-L97](src/index.js#L95-L97) Returns an escaped HTML element value. @@ -83,7 +91,7 @@ ambiguous ampersand." ### escapeLessThan -[src/index.js#L50-L52](src/index.js#L50-L52) +[src/index.js#L55-L57](src/index.js#L55-L57) Returns a string with less-than sign replaced. 
@@ -97,7 +105,7 @@ Returns a string with less-than sign replaced. ### escapeQuotationMark -[src/index.js#L39-L41](src/index.js#L39-L41) +[src/index.js#L44-L46](src/index.js#L44-L46) Returns a string with quotation marks replaced. @@ -111,7 +119,7 @@ Returns a string with quotation marks replaced. ### isValidAttributeName -[src/index.js#L93-L95](src/index.js#L93-L95) +[src/index.js#L106-L108](src/index.js#L106-L108) Returns true if the given attribute name is valid, or false otherwise. diff --git a/packages/escape-html/package.json b/packages/escape-html/package.json index 909f2bd4ec1f3e..a496c52e213bc2 100644 --- a/packages/escape-html/package.json +++ b/packages/escape-html/package.json @@ -1,6 +1,6 @@ { "name": "@wordpress/escape-html", - "version": "1.1.0", + "version": "1.1.1", "description": "Escape HTML utils.", "author": "The WordPress Contributors", "license": "GPL-2.0-or-later", diff --git a/packages/escape-html/src/escape-greater.js b/packages/escape-html/src/escape-greater.js new file mode 100644 index 00000000000000..f761a81e16ae61 --- /dev/null +++ b/packages/escape-html/src/escape-greater.js @@ -0,0 +1,15 @@ +/** + * Returns a string with greater-than sign replaced. + * + * Note that if a resolution for Trac#45387 comes to fruition, it is no longer + * necessary for `__unstableEscapeGreaterThan` to exist. + * + * See: https://core.trac.wordpress.org/ticket/45387 + * + * @param {string} value Original string. + * + * @return {string} Escaped string. + */ +export default function __unstableEscapeGreaterThan( value ) { + return value.replace( />/g, '>' ); +} diff --git a/packages/escape-html/src/index.js b/packages/escape-html/src/index.js index 6b3f74e834564d..c29efb94bd2d04 100644 --- a/packages/escape-html/src/index.js +++ b/packages/escape-html/src/index.js @@ -1,3 +1,8 @@ +/** + * Internal dependencies + */ +import __unstableEscapeGreaterThan from './escape-greater'; + /** * Regular expression matching invalid attribute names. * 
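Review bot: The replacement text on the `return` line of `__unstableEscapeGreaterThan` reads `'>'` as printed here, which makes `value.replace( />/g, '>' )` an identity transform and leaves the wptexturize split this package is being patched for unaddressed; the intended text is the named character reference, `return value.replace( />/g, '&gt;' );`. Other expected values on this page are shown decoded the same way, so this is probably an artifact of how the page rendered entities rather than of the commit, but the committed line should be confirmed against the repository. The JSDoc should also state the ordering its only caller relies on, e.g. `* Intended to run last in escapeAttribute, after escapeAmpersand, so the "&" of the inserted "&gt;" is never revisited.`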
@@ -59,12 +64,20 @@ export function escapeLessThan( value ) { * "[...] the text cannot contain an ambiguous ampersand [...] must not contain * any literal U+0022 QUOTATION MARK characters (")" * + * Note we also escape the greater than symbol, as this is used by wptexturize to + * split HTML strings. This is a WordPress specific fix + * + * Note that if a resolution for Trac#45387 comes to fruition, it is no longer + * necessary for `__unstableEscapeGreaterThan` to be used. + * + * See: https://core.trac.wordpress.org/ticket/45387 + * * @param {string} value Attribute value. * * @return {string} Escaped attribute value. */ export function escapeAttribute( value ) { - return escapeQuotationMark( escapeAmpersand( value ) ); + return __unstableEscapeGreaterThan( escapeQuotationMark( escapeAmpersand( value ) ) ); } /** diff --git a/packages/escape-html/src/test/index.js b/packages/escape-html/src/test/index.js index 65b3e09dfcfe19..9558c58c7e23ab 100644 --- a/packages/escape-html/src/test/index.js +++ b/packages/escape-html/src/test/index.js @@ -9,6 +9,14 @@ import { escapeHTML, isValidAttributeName, } from '../'; +import __unstableEscapeGreaterThan from '../escape-greater'; + +function testUnstableEscapeGreaterThan( implementation ) { + it( 'should escape greater than', () => { + const result = implementation( 'Chicken > Ribs' ); + expect( result ).toBe( 'Chicken > Ribs' ); + } ); +} function testEscapeAmpersand( implementation ) { it( 'should escape ampersand', () => { @@ -46,9 +54,14 @@ describe( 'escapeLessThan', () => { testEscapeLessThan( escapeLessThan ); } ); +describe( 'escapeGreaterThan', () => { + testUnstableEscapeGreaterThan( __unstableEscapeGreaterThan ); +} ); + describe( 'escapeAttribute', () => { testEscapeAmpersand( escapeAttribute ); testEscapeQuotationMark( escapeAttribute ); + testUnstableEscapeGreaterThan( escapeAttribute ); } ); describe( 'escapeHTML', () => {
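Review bot: The order of the three calls on the new `return` line is load-bearing and nothing in the hunk says so: `__unstableEscapeGreaterThan` introduces an ampersand, so it has to be applied after `escapeAmpersand`, and a future reordering would not be caught by the per-character tests. A one-line comment above the return would protect it: `// Greater-than last: escapeAmpersand must not see the "&" of the inserted "&gt;".` Separately, this changes the output of the public `escapeAttribute` for every caller (attribute values now carry `&gt;`), which downstream snapshot tests will notice; the accompanying bump to 1.1.1 looks like a patch release for what is a behaviour change, so a minor bump may be more appropriate. Note that escaping `>` in a quoted attribute value is harmless per the HTML spec, so there is no security regression here; the JSDoc could say this is done purely for the wptexturize tokenizer.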
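Review bot: As printed, `testUnstableEscapeGreaterThan` asserts that `'Chicken > Ribs'` is returned unchanged for the input `'Chicken > Ribs'`, so the new test cannot fail and does not pin the escaping it was added for; the expected value should be the escaped form, `expect( result ).toBe( 'Chicken &gt; Ribs' );`. This is likely the same entity decoding visible elsewhere on the page, but it is worth confirming the committed assertion really contains the reference.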
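Review bot: The `escapeAttribute` describe block now runs three single-character tests but none that exercises the composition, so a change in the order of the three escapes (for example `&gt;` being re-escaped to `&amp;gt;`) would go unnoticed. One combined case would pin it: `expect( escapeAttribute( 'a > b & "c"' ) ).toBe( 'a &gt; b &amp; &quot;c&quot;' );`. Keep it alongside the existing helper calls rather than inside the shared helpers, since only `escapeAttribute` applies all three.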