Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent sprintf errors by escaping % in post_title #1485

Closed
wants to merge 2 commits into from
Closed

Prevent sprintf errors by escaping % in post_title #1485

wants to merge 2 commits into from

Conversation

krokodok
Copy link

Fixes #1443.

Straightforward escaping of % in $post->post_title with %% prevents the error.

Checklist

  • Project documentation has been updated to reflect the changes in this pull request, if applicable.
  • I have tested the changes in the local development environment (see contributing.md).
  • I have added phpunit tests.

Release Changelog

  • Fix: Describe a bug fix included in this release.

Release Checklist

  • This pull request is to the master branch.
  • Release version follows semantic versioning. Does it include breaking changes?
  • Update changelog in readme.txt.
  • Bump version in stream.php.
  • Bump Stable tag in readme.txt.
  • Bump version in classes/class-plugin.php.
  • Draft a release on GitHub.

Change [ ] to [x] to mark the items as done.

kasparsd
kasparsd suggested changes Jun 17, 2024
View reviewed changes
Copy link
Contributor

@kasparsd kasparsd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@krokodok Can you please confirm the intent of this change? To me it seems like the value elements don't need any escaping for % characters:

$string = 'with %percent sign'; // note the unescaped `%` character.
echo sprintf( 'This %s is string.', $string );

prints out:

This with %percent sign is string.

@kasparsd kasparsd mentioned this pull request Jun 17, 2024
Closed
10 tasks
kasparsd
kasparsd reviewed Jun 17, 2024
View reviewed changes
connectors/class-connector-wordpress-seo.php
@@ -420,7 +420,7 @@ private function meta( $object_id, $meta_key, $meta_value ) {
/* translators: %1$s: a meta field title, %2$s: a post title, %3$s: a post type (e.g. "Description", "Hello World", "Post") */
__( 'Updated "%1$s" of "%2$s" %3$s', 'stream' ),
$field['title'],
$post->post_title,
str_replace( '%', '%%', $post->post_title ),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, got it -- the log() method requires the variable placeholders to match the amount of arguments passed to it so we need to escape all percent characters.

Should we escape all dynamic values then? Also $field['title'] and $post_type_label?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for looking into this again. You found it out quicker, than I could explain it.

Yes, we should do this. In fact, we should go through all the connectors, since I found a lot of them not escaping the values. See my other issue, which stems from the Gravity Forms connector, not Yoast SEO.

Copy link
Contributor

@kasparsd kasparsd Jun 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The usage of (string) vsprintf( $message, $args ) replacement logic in the main log() appears to be very hidden and in most several instances the $args are actually set to be stored in $stream_meta instead of being the replacement values. Sounds like this requires a larger change to make the behaviour consistent.

Some examples:

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, there is no real consistency in these connectors. But preventing fatal errors seems still necessary with some hot fixes, so that users won't get fatal errors.

@krokodok
Copy link
Author

@kasparsd To bring this PR forward, I escaped all other user input values for this connector.

@krokodok krokodok requested a review from kasparsd June 24, 2024 17:04
@krokodok krokodok mentioned this pull request Jul 16, 2024
Closed
@krokodok
Copy link
Author

Superseeded by #1508.

@krokodok krokodok closed this Jul 22, 2024
@krokodok krokodok deleted the fix/yoast-connector-escape-titles branch July 31, 2024 11:15
@krokodok krokodok restored the fix/yoast-connector-escape-titles branch July 31, 2024 11:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kasparsd kasparsd Awaiting requested review from kasparsd

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

PHP Fatal error: Uncaught ValueError w/ Yosat SEO
2 participants
@krokodok @kasparsd