Gutenberg for non-admins and HTML entities #50050
Labels
Needs Technical Feedback
Needs testing from a developer perspective.
Needs Testing
Needs further testing to be confirmed.
[Type] Bug
An existing feature does not function as intended
Description
As a non-administrator (someone without `unfiltered_html` capability), when I save a prop to a React based component, some characters are getting converted to their encoded versions - `&` becomes `&amp;`, `>` becomes `&gt;`. I've verified this on a vanilla WordPress installation - no other plugins and the default twentytwentythree theme.
Consider the following simple component, which eventually becomes a block:
I work in a system that allows such a component to be turned into block automatically, and the block looks like this:
If a user without `unfiltered_html` capability saves such a post, what gets written to the DB is the following:

In the attributes for the block, the ampersand ends up getting encoded as `\u0026amp;`. That's a raw value that gets passed along as `attributes`, so when the page refreshes in the back end, that ends up showing up as `&amp;`. The immediate fallout from that is that the "Attempt Block Recovery" shows up because of the discrepancy between the `&amp;` that's written to the database and the `&` that the block now wants to render:

And once you recover the block, that `&amp;` shows up in the prop for the block:

I consider this a bug because it's changing the prop that gets passed to the React component from a `&` to `&amp;`, causing the Attempt Block Recovery, and looking ugly for the non-admin users. React components that accept props and render out markup shouldn't have to worry about HTML decoding the props they receive.

Further, I wonder about the reasoning behind writing HTML entities to the database at all, given that recommended practice is to put all text from the DB through escaping filters before displaying it. This happens for Advanced Custom Fields when I try to save `&` in text fields. I'm sure that's a can of worms, and I am not asking for any change there.

For myself, I addressed this in my system with this:
Step-by-step reproduction instructions
`unfiltered_html` capability), enter "This & That" into that text field and save the page.

This & That
Screenshots, screen recording, code snippet
No response
Environment info
Please confirm that you have searched existing issues in the repo.
Yes
Please confirm that you have tested with all plugins deactivated except Gutenberg.
Yes
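An added example, not code from the issue or from Gutenberg: a small offline model of the round trip the report describes, showing why a prop stored as `\u0026amp;` triggers block recovery and how decoding entities on the prop before it is rendered makes the regenerated markup match again. The block name `acme/note`, the `text` attribute, the `save` function and the stored post_content are all constructed for illustration.

```javascript
// Minimal escaping applied to text placed into HTML (what a React/save render does with "&").
function escapeHtml(text) {
  return text.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Decode the named and numeric entities that can reach a prop through an
// entity-encoded attribute, so the component receives "&" rather than "&amp;".
function decodeEntities(text) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return text.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (whole, body) => {
    if (body[0] !== '#') {
      return Object.prototype.hasOwnProperty.call(named, body) ? named[body] : whole;
    }
    const code = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
    return code > 0 && code <= 0x10ffff ? String.fromCodePoint(code) : whole;
  });
}

// Hypothetical block: its "text" attribute is rendered into a paragraph on save.
function save(attributes) {
  return '<p>' + escapeHtml(attributes.text) + '</p>';
}

// Parse one block out of post_content: the delimiter comment carries the attributes
// as JSON, and JSON.parse turns the \u0026 escape back into a literal "&".
function parseBlock(content) {
  const m = /^<!-- wp:(\S+) (\{.*?\}) -->(.*)<!-- \/wp:\1 -->$/s.exec(content.trim());
  if (!m) throw new Error('unrecognised block markup');
  return { name: m[1], attributes: JSON.parse(m[2]), innerHTML: m[3] };
}

// The editor offers "Attempt Block Recovery" when the markup regenerated from the
// parsed attributes no longer matches the markup that was stored.
function needsRecovery(block, saveFn) {
  return saveFn(block.attributes) !== block.innerHTML;
}

// Constructed to match the report: the JSON attribute holds \u0026amp; ("&amp;" once
// decoded) while the saved inner HTML still holds the single-encoded "&amp;".
const storedContent =
  '<!-- wp:acme/note {"text":"This \\u0026amp; That"} --><p>This &amp; That</p><!-- /wp:acme/note -->';

function demo() {
  const block = parseBlock(storedContent);
  const rawProp = block.attributes.text;       // "This &amp; That": the raw value the prop gets
  const naive = needsRecovery(block, save);    // true: save now emits "&amp;amp;"
  const decodedProp = decodeEntities(rawProp); // "This & That"
  const fixed = needsRecovery(block, (a) => save({ text: decodeEntities(a.text) })); // false
  return { rawProp, naive, decodedProp, fixed };
}
```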