[wp-trac] [WordPress Trac] #3670: Removing CDATA close tag ( ]]> ) unbalances the CDATA block

WordPress Trac wp-trac at lists.automattic.com
Mon Nov 30 02:30:52 UTC 2009


#3670: Removing CDATA close tag ( ]]> ) unbalances the CDATA block
--------------------------+-------------------------------------------------
 Reporter:  scenic        |       Owner:  andy                                          
     Type:  defect (bug)  |      Status:  new                                           
 Priority:  normal        |   Milestone:  2.9                                           
Component:  Template      |     Version:  2.1                                           
 Severity:  normal        |    Keywords:  has-patch needs-testing needs-unit-tests early
--------------------------+-------------------------------------------------
Changes (by kirkpatrick):

 * cc: kirkpatrick (added)


Comment:

 The substitution of the right bracket in the CDATA closing,
 {{{
 $excerpt = str_replace(']]>', ']]&gt;', $excerpt);
 }}}
 occurs in a number of places in WordPress, all in wp-includes:
   comment.php Line 1355
   feed.php Line 191
   formatting.php Line 1734
   post-template.php Line 168

 So this substitution seems to be desired for reasons other than
 "protecting feeds".  Perhaps security against javascript-driven xml
 injection attacks? (It would be useful if the gods of WordPress would tell
 us the meaning of all this.)

 Anyway, as it is, a page written by a plugin that creates javascript that
 includes strings of html will not validate as xhtml.  Since we can
 (presumably) trust plugins, it should be ok to fix this: just reverse the
 order of lines 167 and 168 in post-template.php, so the filters
 (potentially set by plugins) are applied ''after'' the replacement:
 Change
 {{{
         $content = apply_filters('the_content', $content);
         $content = str_replace(']]>', ']]&gt;', $content);
 }}}
 to
 {{{
         $content = str_replace(']]>', ']]&gt;', $content);
         $content = apply_filters('the_content', $content);
 }}}
 This way, any CDATA in the post (as stored in the database) will lose the
 CDATA, as seems to be desired, but the plugin can still operate properly
 and validate.

 The same reversal should also be done (my application doesn't need these,
 but ...) in comment.php (line 1355 to above 1351) and formatting.php
 (exchange 1733 and 1734).

 This is a minimal change, and I believe makes more sense than the present
 code. The post content is filtered, but then the plugin is allowed to do
 its work.

 Of course, this fix does not meet the needs of the earlier change posters,
 who wish to post javascript hidden with CDATA. I don't think I support
 this for standard WordPress.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/3670#comment:30>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
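Added example, not code from the ticket or from WordPress core: a stand-alone PHP script that plays through both orderings discussed in the comment above. The filter runner is a stand-in for apply_filters('the_content', ...), the plugin filter is hypothetical, and the stored post body is constructed.

```php
<?php
// Added demonstration; not WordPress code. run_filters() stands in for
// apply_filters('the_content', ...) so the script runs without WordPress.
function run_filters(string $content, array $filters): string {
    foreach ($filters as $fn) {
        $content = $fn($content);
    }
    return $content;
}

// Core's neutralisation of the CDATA closer (the one-liner quoted in the ticket).
function neutralise_cdata_close(string $content): string {
    return str_replace(']]>', ']]&gt;', $content);
}

// Order in post-template.php at the time of the ticket: filters, then replace.
function current_order(string $content, array $filters): string {
    return neutralise_cdata_close(run_filters($content, $filters));
}

// Order proposed in the comment: replace, then filters.
function proposed_order(string $content, array $filters): string {
    return run_filters(neutralise_cdata_close($content), $filters);
}

// Hypothetical plugin filter: appends inline JavaScript wrapped in CDATA so
// the '<' inside the string literal is legal in XHTML.
$plugin_filter = function (string $content): string {
    return $content . "\n<script type=\"text/javascript\">//<![CDATA[\n"
        . "var snippet = \"<p>hi</p>\";\n//]]></script>";
};

// True when the plugin's CDATA section still ends with a literal closer.
function plugin_block_intact(string $html): bool {
    return strpos($html, "//]]></script>") !== false;
}

// Constructed post body as it would sit in the database; it carries its own
// CDATA section, which core neutralises in either order.
$stored = '<p>Hello</p><![CDATA[ raw ]]>';

$a = current_order($stored, [$plugin_filter]);
$b = proposed_order($stored, [$plugin_filter]);
printf("filters first : plugin CDATA intact? %s\n", plugin_block_intact($a) ? 'yes' : 'no');
printf("replace first : plugin CDATA intact? %s\n", plugin_block_intact($b) ? 'yes' : 'no');
printf("post's own closer neutralised in both orders: %s\n",
    (strpos($a, ']]&gt;') !== false && strpos($b, ']]&gt;') !== false) ? 'yes' : 'no');
```

With filters run first, the plugin's `//]]></script>` is rewritten to `//]]&gt;</script>`, leaving an opener with no closer; with the replacement run first, only the post's own CDATA closer is rewritten and the plugin's block survives.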