Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Address an issue where <script> tags aren't stripped. #892

Merged
merged 7 commits into from
Jan 24, 2018
Merged

Address an issue where <script> tags aren't stripped. #892

merged 7 commits into from
Jan 24, 2018

Conversation

kienstra
Copy link
Contributor

@kienstra kienstra commented Jan 23, 2018
edited
Loading

Request For Code Review

Hi @ThierryA,
Could you please review this pull request? The target branch is now 0.6, but I don't know if that's right.

This addresses the issue that @westonruter raised. Before, when you added this to the post content:

Hello <script>document.write('world');</script>

It produced:

<p>Hello <script><![CDATA[document.write('world');]]></script></p>

The expected output is:

<p>Hello </p>

This looks to be related to how process_node() gets the $attr_spec_list. In some cases, all of the specs will have an equal 'score,' as indicated in $spec_ids_sorted.

And sometimes, all of them will be missing a mandatory attribute. In that case, $attr_spec_list will be empty.

If it is, this uses the first spec list in $rule_spec_list_to_validate. This will need regression testing.

Address an issue where <script> tags weren't stripped.
e2f7d2e 
As Weston mentioned, adding this to the post content:
Hello <script>document.write('world');</script>
Produced:
This looks to be related to how process_node() gets the $attr_spec_list.
In some cases, all will have an equal 'score,'
As indicated in $spec_ids_sorted.
And sometimes, all of them will be missing a mandatory attribute.
In that case, $attr_spec_list will be empty.
If it is, use the first spec list in:
$rule_spec_list_to_validate.
This will need regression testing.
@kienstra kienstra changed the title Address an issue where <script> tags weren't stripped. Address an issue where <script> tags aren't stripped. Jan 23, 2018
@kienstra kienstra changed the base branch from develop to 0.6 January 23, 2018 21:05
Address a Travis issue by storing the result of empty() in a variable.
c5f5168 
There was an error on the Travis build:
Can't use function return value in write context.
So store the result of reset() in $first_spec_list.
Test that <script> is removed, as it is missing an attribute.
335d9ce 
This has a mandatory attribute.
And per the previous commits,
It should fail validation.
@westonruter westonruter added this to the v0.6 milestone Jan 23, 2018
@westonruter
Copy link
Member

Note that the CDATA section will be eliminated with #891.

ThierryA
ThierryA approved these changes Jan 23, 2018
View reviewed changes
Copy link
Collaborator

@ThierryA ThierryA left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work on debugging this @kienstra. Changes are approved from my perspective.

@kienstra
Copy link
Contributor Author

kienstra commented Jan 23, 2018
edited
Loading

Basic Testing

Hi @ThierryA and @westonruter,
Thanks for working on this. I've been doing basic testing of this, visiting pages from the WordPress theme unit test data and the embed test page from the wp-cli script.

I haven't seen any regression yet. But some more sanity-checking would probably help.

@westonruter
Copy link
Member

@kienstra I used git-bisect between 0.5.1 and 0.6 to find the commit that introduced the problem. Given this script https://gist.github.com/westonruter/39d251d6f3ff8f9958f8fd1d11167da5 I found that the issue appeared as of a066117. Prior to that commit, the script tag is successfully stripped.

@westonruter
Copy link
Member

I tested the page generated via create-embed-test-post.php and it is outputting a lot of <script async=""></script> which are making it AMP-invalid. These aren't getting sanitized from source HTML like <script async src="//cdn.someecards.com/assets/embed/embed-v1.07.min.js" charset="utf-8"></script>.

@kienstra
Copy link
Contributor Author

kienstra commented Jan 24, 2018
edited
Loading

Tested, No Regressions Found

Hi @westonruter,
Your commits above look good. I tested them on the AMP version of about 20 posts and pages from the Theme Unit Test Data.

There weren't any regressions from the earlier version, 0.5.1. Of course, we're still working toward support of some embeds that we didn't expect to work yet in this version. But there were no new AMP errors.

@westonruter westonruter merged commit 0e494a7 into 0.6 Jan 24, 2018
@westonruter westonruter deleted the fix/script-tags-output-cdata branch January 24, 2018 04:50
@westonruter westonruter mentioned this pull request Jan 24, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ThierryA ThierryA ThierryA approved these changes

@westonruter westonruter westonruter approved these changes

Assignees

@westonruter westonruter

@ThierryA ThierryA

Labels
None yet
Projects
None yet
Milestone
v0.6
Development

Successfully merging this pull request may close these issues.
3 participants
@kienstra @westonruter @ThierryA