Permit use of HTML in attributes by encoding them them #496
Conversation
Adds html escaping in textareas
# Conflicts: # js/build/field-attachment.js # js/build/field-color.js # js/build/shortcode-ui.js # js/src/views/edit-shortcode-form.js
| @@ -58,7 +59,7 @@ var Shortcode = require('../../js/src/models/shortcode'); | |||
| var InnerContent = require('../../js/src/models/inner-content'); | |||
| var ShortcodeAttribute = require('../../js/src/models/shortcode-attribute'); | |||
| var ShortcodeAttributes = require('../../js/src/collections/shortcode-attributes'); | |||
| var $ = (typeof window !== "undefined" ? window['jQuery'] : typeof global !== "undefined" ? global['jQuery'] : null); | |||
| var $ = (typeof window !== "undefined" ? window.jQuery : typeof global !== "undefined" ? global.jQuery : null); | |||
There was a problem hiding this comment.
Can you update your node modules and recompile?
|
Updated
|
danielbachhuber
changed the title
danielbachhuber
changed the title
Yes please.
For consistency and simplicity, can we just disable it by default for all arguments? I'm concerned with leaving it magically on, as it will always require developer intervention. |
|
Updated - no longer sets any defaults. |
| * @param [type] $atts [description] | ||
| * @return [type] [description] | ||
| */ | ||
| function filter_shotcode_atts_decode_encoded( $out, $pairs, $atts ) { |
There was a problem hiding this comment.
filter_shotcode_atts_decode_encoded should be filter_shortcode_atts_decode_encoded
Also, can we mark it explicitly as public ?
There was a problem hiding this comment.
And, should we add tests for this method?
|
@goldenapples #reviewmerge |
|
Oh. Should it be |
|
I think I ran into a bug. |
If I add |
You're right - should probably be |
Hmm. It's quite possible for field content which was legitimate before to break on urldecoding / re-encoding. Seems like there needs to be a migration path for this case. I don't know what to suggest that doesn't seem hacky and ugly, but allowing a developer changing a setting to corrupt all the existing data is a pretty big issue. Could we somehow have a magical attribute which flags which fields have encoded data, that is set on formatting the shortcode? That way rendering the shortcode could read from that value when determining whether to urldecode content? |
|
If you have unencoded data and want to enable encod, this will mostly just work OK. Except if you have added HTML that contains the following characters Pretty sure there is nothing we can do here as its most likely broken the PHP shortcode parsing too. Actually - side note - perhaps we should 'escape for shortcode attribute' and strip these characters? At least things won't break. I'll create a separate ticket. If you have encoded data and want to disable, this will cause you to see encoded data and break things. You will need to run some kind of script. HOWEVER - note that your unencoded string will probably break the shortcode parsing. I've had a quick go at writing a CLI command to handle this - however I'm wary that it appears more useful than it really is. |
Permit use of HTML in attributes by encoding them them
A couple of field types were saved in separate files when this brnach was started, and are no longer. Deleted them and re-browserified the js/build files.
Rebuild `js/build` files after #496
Since Shortcake added support for URL-encoding attribute values (wp-shortcake/shortcake#496), we can remove the unfriendly admonitions to avoid using quote marks, branckets, or HTML in the alt and caption fields here.
I picked up #322 - synced up with master, and made a few small changes.
The main change is that only the default value of 'escape' for a single attribute is taken from
shortcodeUIFieldData[ type ]- this allows you to override on a single attribute basis. EG allowing HTML in a text field - not just textareas. Only textarea is true by default - and doesn't apply if this relates to 'inner_content'Also added tests.
One question - Should we replace all use of the term 'escape' with 'encode' as we're not really escaping.
One hitch - Rob orignally wrote some clever code that uses the filter
shortcode_atts_{$shortcode_tag}to unencode the value automatically. However this relies on a closure and hence is PHP 5.3+ only - and causes tests to fail. This isn't really avoidable - as the shortcode tag isn't available in the callback. I'm thinking of opening a ticket for this - but for now we need to either remove or allow breakage on PHP 5.2.