[wp-trac] [WordPress Trac] #55399: esc_xml() removes valid XML input ( input that is empty() )
WordPress Trac
noreply at wordpress.org
Wed Mar 16 10:58:31 UTC 2022
#55399: esc_xml() removes valid XML input ( input that is empty() )
--------------------------+-----------------------------
Reporter: rumpel2116 | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 5.5
Severity: normal | Keywords: needs-patch
Focuses: |
--------------------------+-----------------------------
The function `esc_xml()`, introduced with #50117, escapes/deletes some valid
input: input that results in true if passed to `empty()`.
`esc_xml('0')` and similar return an empty string instead of returning
`'0'`, while `'0'` is perfectly XML-safe.
There are two issues checking for empty regex groups that use PHP's
`empty()`:
{{{
#!php
$safe_text = (string) preg_replace_callback(
    $regex,
    static function( $matches ) {
        if ( ! $matches[0] ) {
            return '';
        }
        if ( ! empty( $matches['non_cdata'] ) ) {
            // escape HTML entities in the non-CDATA Section.
            return _wp_specialchars( $matches['non_cdata'], ENT_XML1 );
        }
        // Return the CDATA Section unchanged, escape HTML entities in the rest.
        return _wp_specialchars( $matches['non_cdata_followed_by_cdata'], ENT_XML1 ) . $matches['cdata'];
    },
    $safe_text
);
}}}
The first check is to skip further processing of empty strings, I believe.
It can easily be replaced by `! isset( $matches[0] )`, as the group is not set
if empty.
The second check validates if there is no `non_cdata` (without any cdata),
but uses `! empty()` explicitly. Same solution: using
`! isset( $matches['non_cdata'] )` covers the case; if no `non_cdata` is
captured, the regex group is not set.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/55399>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
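
The behaviour reported above can be reproduced outside WordPress with the following added example, which is not part of the ticket or of WordPress core. The pattern `DEMO_REGEX`, the `demo_*` function names and the use of `htmlspecialchars()` in place of `_wp_specialchars()` are assumptions made for the demonstration, and the strict variant uses an explicit comparison against `''`, which is a choice made here rather than the change proposed in the ticket.

```php
<?php
// Constructed stand-in for the pattern esc_xml() matches with; only the
// group names are taken from the ticket.
const DEMO_REGEX = '/(?<non_cdata_followed_by_cdata>.*?)(?<cdata><!\[CDATA\[.*?\]\]>)|(?<non_cdata>.+)/s';

// Stand-in for _wp_specialchars( $text, ENT_XML1 ).
function demo_escape( string $text ): string {
    return htmlspecialchars( $text, ENT_XML1 | ENT_QUOTES, 'UTF-8' );
}

// Same truthiness checks as the callback quoted in the ticket.
function demo_esc_xml_loose( string $text ): string {
    return (string) preg_replace_callback(
        DEMO_REGEX,
        static function ( $matches ) {
            if ( ! $matches[0] ) {
                return '';
            }
            if ( ! empty( $matches['non_cdata'] ) ) {
                return demo_escape( $matches['non_cdata'] );
            }
            return demo_escape( $matches['non_cdata_followed_by_cdata'] ) . $matches['cdata'];
        },
        $text
    );
}

// Strict variant: only a missing or zero-length capture counts as "no text".
function demo_esc_xml_strict( string $text ): string {
    return (string) preg_replace_callback(
        DEMO_REGEX,
        static function ( $matches ) {
            $non_cdata = $matches['non_cdata'] ?? '';
            if ( '' !== $non_cdata ) {
                return demo_escape( $non_cdata );
            }
            return demo_escape( $matches['non_cdata_followed_by_cdata'] ?? '' ) . ( $matches['cdata'] ?? '' );
        },
        $text
    );
}

// Constructed inputs: a bare '0', markup to escape, and a '0' after a CDATA section.
foreach ( array( '0', 'a<b', '<![CDATA[a<b]]>0' ) as $input ) {
    printf( "%-20s loose=%-20s strict=%s\n", var_export( $input, true ),
        var_export( demo_esc_xml_loose( $input ), true ), var_export( demo_esc_xml_strict( $input ), true ) );
}
```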