[Plugin WP AJAX Edit Comments] Roundtrip bugs (6 posts)

  1. Miral
    Member
    Posted 4 years ago #

    Ok, I'm not 100% certain that this is the plugin (I saw this happen on someone else's site), but it looks like this plugin doesn't roundtrip the HTML encoding properly.

    If I type "test" into the original comment field and surround it with escaped angle bracket entities (which this forum thing won't let me post here), this is stored literally and then displayed as "<test>" in the actual page, as expected.

    If I then go to edit it, it's now shown as "<test>" in the comment edit field. If I don't re-encode this before saving then it will get treated as an actual HTML tag (and become invisible).

    Most likely, you need to call htmlspecialchars on the comment text before inserting it into the textarea control.

  2. Miral
    Member
    Posted 4 years ago #

    I'm definitely sure it's this plugin now.

    Moreover, the fix is fairly simple: in wp-ajax-edit-comments.php, function getComment, it makes a call to html_entity_decode. This needs to be removed and then it will work.

  3. ronalfy
    Member
    Posted 4 years ago #

    Miral,

    Thanks for finding the bug and the fix. I'll need to do some more testing to see how taking out the html_entity_decode call affects how other characters are rendered. If all goes well, I'll release a bug fix.

    Thanks again.

  4. xLynx
    Member
    Posted 4 years ago #

    And so on, fix it, or take the suggestions of Miral? 'Cause it's a very critical bug I see, when HTML goes on!!!??? Maybe test JavaScript now, a script kiddie I think would stay on it :(

  5. ronalfy
    Member
    Posted 4 years ago #

    The recent 1.1.4 update should resolve this bug. Thanks.

  6. xLynx
    Member
    Posted 4 years ago #

    oh!! BIG THNX ronalfy! ;)

Topic Closed

This topic has been closed to new replies.
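
The round trip discussed in this thread, as an added PHP sketch that is not the plugin's code or any poster's. The function names and sample comments are constructed for illustration, and it assumes the edit field is saved back unchanged.

```php
<?php
// Added illustration: function names are hypothetical, samples are constructed.
const FLAGS = ENT_QUOTES | ENT_HTML5;

// Behaviour reported in the thread: the stored comment is entity-decoded
// on its way to the edit field.
function edit_value_decoded(string $stored): string {
    return html_entity_decode($stored, FLAGS, 'UTF-8');
}

// Fix from post 2: hand the stored text to the edit field untouched.
function edit_value_raw(string $stored): string {
    return $stored;
}

// Suggestion from post 1, for text written into <textarea> markup:
// escape once on the server, and the HTML parser undoes exactly that.
function edit_value_via_markup(string $stored): string {
    $markup = htmlspecialchars($stored, FLAGS, 'UTF-8');  // server side
    return html_entity_decode($markup, FLAGS, 'UTF-8');   // stand-in for the browser's parser
}

// Saving the edit field unchanged must reproduce the stored comment.
function round_trips(callable $toEditField, string $stored): bool {
    return $toEditField($stored) === $stored;
}

// Constructed sample comments, as they would sit in storage.
$samples = [
    '&lt;test&gt;',                  // the case from post 1
    'AT&amp;T &quot;quoted&quot;',   // other entities are affected too
    'plain <em>markup</em>',         // no entities: every path agrees
];

foreach ($samples as $s) {
    printf(
        "%-30s decoded:%-8s raw:%-8s markup:%s\n",
        $s,
        round_trips('edit_value_decoded', $s) ? 'ok' : 'CHANGED',
        round_trips('edit_value_raw', $s) ? 'ok' : 'CHANGED',
        round_trips('edit_value_via_markup', $s) ? 'ok' : 'CHANGED'
    );
}
```

Only the decoding path changes the first two samples: the escaped text comes back from the edit as live markup, which is why the comment in post 1 turned invisible after saving.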