Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Serialized code block is only half escaped #9908

Closed
wants to merge 1 commit into from
Closed

Serialized code block is only half escaped #9908

wants to merge 1 commit into from

Conversation

notnownikki
Copy link
Member

Description

While fixing errors related to kses stripping out attributes and tags for non-admin users, I found that the seralized HTML fixture for the code block contains characters that should be htmlentities, but aren't "Fixing" the fixture makes the test fail. Unfortunately, kses does the right thing and converts to entities, so the saved version of the block doesn't match the version the serializer produces.

This branch should pass, shouldn't it?

@notnownikki notnownikki requested review from aduth and mcsf September 14, 2018 11:49
@notnownikki notnownikki added [Status] In Progress Tracking issues with work in progress [Type] Help Request Help with setup, implementation, or "How do I?" questions. labels Sep 14, 2018
@mcsf
Copy link
Contributor

mcsf commented Sep 14, 2018

This should be intentional per work on our element serializer: #5897

@mcsf
Copy link
Contributor

mcsf commented Sep 14, 2018

To be a bit more precise: IIRC the serializer aims to strictly follow the spec

the text must not contain the character U+003C LESS-THAN SIGN (<) or an ambiguous ampersand.

gutenberg/element/serialize.js

Lines 238 to 253 in f496200

/**
* Returns an escaped HTML element value.
*
* @link https://w3c.github.io/html/syntax.html#writing-html-documents-elements
* @link https://w3c.github.io/html/syntax.html#ambiguous-ampersand
*
* "the text must not contain the character U+003C LESS-THAN SIGN (<) or an
* ambiguous ampersand."
*
* @param {string} value Element value.
*
* @return {string} Escaped HTML element value.
*/
function escapeHTML( value ) {
return value.replace( /&/g, '&amp;' ).replace( /</g, '&lt;' );
}

@notnownikki
Copy link
Member Author

Ah, gotcha. So when a non-admin user saves a code block, it ends up fully escaped because kses does escaping. It doesn't seem to matter when loading the block back... I guess we're ok with that behaviour?

If so, we'll need to exclude the code block fixtures from the kses test, because we know they're going to be different.

@aduth
Copy link
Member

aduth commented Sep 14, 2018
edited
Loading

Is there a practical impact from the difference here? Considering that the block validation treats them equivalent:

wp.blocks.isEquivalentHTML(
	'return &lt;Button&gt;Click Me!&lt;/Button&gt;;',
	'return &lt;Button>Click Me!&lt;/Button>;'
);
// true

(Exposing isEquivalentHTML requires some hackery)

@notnownikki
Copy link
Member Author

There's no difference in actual use. Saving a loading a code block as an author works, so the only real impact here is that a test that makes sure that kses isn't altering things will have to skip the code block, or do something slightly different for the code block.

@aduth
Copy link
Member

aduth commented Sep 14, 2018

Previously: #9875

@notnownikki notnownikki mentioned this pull request Sep 14, 2018
Closed
@mcsf
Copy link
Contributor

mcsf commented Sep 17, 2018

It seems, from the discussion, that this pull request can be safely closed. Correct?

@notnownikki
Copy link
Member Author

Yes, seems so!

@notnownikki notnownikki deleted the try/why-do-things-not-remain-escaped branch September 17, 2018 15:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aduth aduth Awaiting requested review from aduth

@mcsf mcsf Awaiting requested review from mcsf

Assignees
No one assigned
Labels
[Status] In Progress Tracking issues with work in progress [Type] Help Request Help with setup, implementation, or "How do I?" questions.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@notnownikki @mcsf @aduth