pods icon indicating copy to clipboard operation
pods copied to clipboard

Published 20 hours ago verified publisher icon pods-framework

Field data truncated when using <

Open mircobabini opened this issue 3 years ago • 4 comments

Description

On a simple input meta, when saving data like "abcd<123", the last part is lost => "abcd".

This is because of the < symbol.

Version

2.8.8.1

Testing Instructions

  1. Create a simple input text meta
  2. Write the demo text and save

Screenshots / Screencast

No response

Possible Workaround

No response

Site Health Information

WP latest, only Pods.

Pods Package

No response

mircobabini avatar Jan 25 '22 13:01 mircobabini

From the PHP documentation on removing HTML tags at https://www.php.net/manual/en/function.strip-tags.php

Warning: Because strip_tags() does not actually validate the HTML, partial or broken tags can result in the removal of more text/data than expected.

This is the function we use for removing HTML if HTML is not allowed for the text field (there's an option for that).

Unfortunately this will remove malformed-looking HTML tags like <123 too.

There's not a great workaround for this at the moment unless you enable HTML for the field and then esc_html( $value ) before outputting that value onto your page.

I'll continue to look into this but if anyone has any other ideas on a solution here, I'm open to them.

cc @JoryHogeveen @pdclark

sc0ttkclark avatar Jan 30 '22 19:01 sc0ttkclark

Thanks for the workaround (enabling HTML for that field).

From my perspective strip_tags should not act the way it does, it's a buggy behaviour. Btw it's intended to be used with HTML and having "<" unencoded in HTML is essentially wrong, it should be "<".

Probably using strip_tags to remove tags in a scope where html is not enabled is not a big deal, because "<" is a valid char in our context.

What about this:

function strip_valid_tags( $str ) {
	$str = preg_replace( '/<([^>]*(<|$))/', '&lt;$1', $str );

	return html_entity_decode(
		strip_tags( $str ),
		ENT_NOQUOTES,
		'UTF-8'
	);
}

$str = "<p>I am currently <30 years old.</p>";
echo strip_valid_tags( $str );
// => I am currently <30 years old.

Credits: https://stackoverflow.com/a/38022499/1160173

It doesn't solve the issue 100% by the way, a case like "asd<1.2.3.>dfg" will still become "asddfg".

mircobabini avatar Jan 30 '22 19:01 mircobabini

Related: #6107

Same issue reported here: https://wordpress.org/support/topic/caracter-cut-metadata/

JoryHogeveen avatar Feb 14 '22 07:02 JoryHogeveen

html_entity_decode() in this use case will expose other HTML that was submitted as encoded already. This one is going to take more thought and review on how best to address these cases.

The suggested code also only covers cases where there is an HTML tag after the usage of the lone < which wouldn't be a complete solution there.

sc0ttkclark avatar Sep 11 '22 15:09 sc0ttkclark