From 2b8fd45e37cfffa4e22fe8142e9b4618a39f77b6 Mon Sep 17 00:00:00 2001
From: Himanshu Pathak
Date: Tue, 9 Sep 2025 00:25:31 +0530
Subject: [PATCH 1/7] Administration: Sanitize category and tag base to prevent URL encoding issues in permalinks.
---
 src/wp-admin/options-permalink.php | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/src/wp-admin/options-permalink.php b/src/wp-admin/options-permalink.php
index a22cdb0c92f62..11b07ec15e767 100644
--- a/src/wp-admin/options-permalink.php
+++ b/src/wp-admin/options-permalink.php
@@ -126,21 +126,15 @@
 }
 if ( isset( $_POST['category_base'] ) ) {
- $category_base = $_POST['category_base'];
-
- if ( ! empty( $category_base ) ) {
- $category_base = $blog_prefix . preg_replace( '#/+#', '/', '/' . str_replace( '#', '', $category_base ) );
- }
+ $category_base = ltrim( $_POST['category_base'], '/' );
+ $category_base = empty( $category_base ) ? '' : $blog_prefix . '/' . implode( '/', array_map( 'sanitize_title_with_dashes', preg_split( '|/+|', $category_base ) ) );
 $wp_rewrite->set_category_base( $category_base );
 }
 if ( isset( $_POST['tag_base'] ) ) {
- $tag_base = $_POST['tag_base'];
-
- if ( ! empty( $tag_base ) ) {
- $tag_base = $blog_prefix . preg_replace( '#/+#', '/', '/' . str_replace( '#', '', $tag_base ) );
- }
+ $tag_base = ltrim( $_POST['tag_base'], '/' );
+ $tag_base = empty( $tag_base ) ? '' : $blog_prefix . '/' . implode( '/', array_map( 'sanitize_title_with_dashes', preg_split( '|/+|', $tag_base ) ) );
 $wp_rewrite->set_tag_base( $tag_base );
 }
From 581faf52171e79ff5d02f32937cada985323015b Mon Sep 17 00:00:00 2001
From: Himanshu Pathak
Date: Tue, 9 Sep 2025 14:46:52 +0530
Subject: [PATCH 2/7] Tests: Add tests class for the options permalink settings
---
 tests/phpunit/tests/admin/optionsPermalink.php | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 tests/phpunit/tests/admin/optionsPermalink.php
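Review bot: In the new `$category_base` and `$tag_base` assignments, a segment that `sanitize_title_with_dashes` reduces to an empty string (presumably any segment made only of punctuation) is still joined by `implode()`, so the saved base can contain `//` or end in `/`; the slash-collapsing that the removed `preg_replace( '#/+#', '/', … )` performed no longer runs on the final value. Filtering after sanitizing avoids that: `array_filter( array_map( 'sanitize_title_with_dashes', preg_split( '|/+|', $category_base ) ), 'strlen' )`, with an all-empty result treated as `''`. Both `$_POST` values also reach `ltrim()` unchecked, so an array-valued field raises a TypeError on PHP 8; an `is_string()` guard beside the `isset()` would cover it. Because existing bases with uppercase letters or spaces would be rewritten on the next save, a short comment stating that the base is now restricted to slug characters would help. The enclosing block opens and closes outside this hunk.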
diff --git a/tests/phpunit/tests/admin/optionsPermalink.php b/tests/phpunit/tests/admin/optionsPermalink.php new file mode 100644 index 0000000000000..aae6882f94673 --- /dev/null +++ b/tests/phpunit/tests/admin/optionsPermalink.php @@ -0,0 +1,10 @@ + Date: Tue, 9 Sep 2025 14:47:49 +0530 Subject: [PATCH 3/7] Tests: Setup the provider function --- tests/phpunit/tests/admin/optionsPermalink.php | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/tests/phpunit/tests/admin/optionsPermalink.php b/tests/phpunit/tests/admin/optionsPermalink.php index aae6882f94673..f5034d2678167 100644 --- a/tests/phpunit/tests/admin/optionsPermalink.php +++ b/tests/phpunit/tests/admin/optionsPermalink.php @@ -7,4 +7,17 @@ * @group rewrite */ class Tests_Admin_OptionsPermalink extends WP_UnitTestCase { + /** + * Data provider for base sanitization tests. + */ + public function data_base_sanitization() { + return [ + [ 'Foo Bar', '/foo-bar' ], + [ 'Foo & Bar!', '/foo-bar' ], + [ 'Foo Bar/Baz Qux', '/foo-bar/baz-qux' ], + [ '', '' ], + [ '/Foo Bar', '/foo-bar' ], + [ 'Multiple/Slashes', '/multiple/slashes' ], + ]; + } } \ No newline at end of file From c121fb1d82bf004dbcd779ead1ca8c332c29473f Mon Sep 17 00:00:00 2001 From: Himanshu Pathak Date: Tue, 9 Sep 2025 14:48:21 +0530 Subject: [PATCH 4/7] Fix Linting --- tests/phpunit/tests/admin/optionsPermalink.php | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tests/phpunit/tests/admin/optionsPermalink.php b/tests/phpunit/tests/admin/optionsPermalink.php index f5034d2678167..8cdd376109dd8 100644 --- a/tests/phpunit/tests/admin/optionsPermalink.php +++ b/tests/phpunit/tests/admin/optionsPermalink.php 
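Review bot: The `'Multiple/Slashes'` row in `data_base_sanitization()` contains a single slash, so no row exercises the `|/+|` split on repeated slashes that the handler relies on. Rows such as `array( 'Foo//Bar', '/foo/bar' ),` plus one with a trailing slash and one whose segment is only punctuation would pin how empty segments are handled. The docblock could also state the shape, e.g. `@return array[] Input string and expected base.`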
@@ -11,13 +11,13 @@ class Tests_Admin_OptionsPermalink extends WP_UnitTestCase {
 * Data provider for base sanitization tests.
 */
 public function data_base_sanitization() {
- return [
- [ 'Foo Bar', '/foo-bar' ],
- [ 'Foo & Bar!', '/foo-bar' ],
- [ 'Foo Bar/Baz Qux', '/foo-bar/baz-qux' ],
- [ '', '' ],
- [ '/Foo Bar', '/foo-bar' ],
- [ 'Multiple/Slashes', '/multiple/slashes' ],
- ];
+ return array(
+ array( 'Foo Bar', '/foo-bar' ),
+ array( 'Foo & Bar!', '/foo-bar' ),
+ array( 'Foo Bar/Baz Qux', '/foo-bar/baz-qux' ),
+ array( '', '' ),
+ array( '/Foo Bar', '/foo-bar' ),
+ array( 'Multiple/Slashes', '/multiple/slashes' ),
+ );
 }
-}
\ No newline at end of file
+}
From 3373eb1b632bca23c996f76623cab8a9a6c8b587 Mon Sep 17 00:00:00 2001
From: Himanshu Pathak
Date: Tue, 9 Sep 2025 14:50:22 +0530
Subject: [PATCH 5/7] Tests: Add test for category and tag base sanitization
---
 tests/phpunit/tests/admin/optionsPermalink.php | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/tests/phpunit/tests/admin/optionsPermalink.php b/tests/phpunit/tests/admin/optionsPermalink.php
index 8cdd376109dd8..28c10906be8f8 100644
--- a/tests/phpunit/tests/admin/optionsPermalink.php
+++ b/tests/phpunit/tests/admin/optionsPermalink.php
@@ -20,4 +20,14 @@ public function data_base_sanitization() {
 array( 'Multiple/Slashes', '/multiple/slashes' ),
 );
 }
+
+ /**
+ * Test category and tag base sanitization.
+ *
+ * @ticket 16839
+ * @dataProvider data_base_sanitization
+ */
+ public function test_base_sanitization() {
+
+ }
 }
From a2f6c879d235248250d9d38d62b7756584545de9 Mon Sep 17 00:00:00 2001
From: Himanshu Pathak
Date: Tue, 9 Sep 2025 14:51:39 +0530
Subject: [PATCH 6/7] Tests: Test category sanitisation
---
 tests/phpunit/tests/admin/optionsPermalink.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tests/phpunit/tests/admin/optionsPermalink.php b/tests/phpunit/tests/admin/optionsPermalink.php
index 28c10906be8f8..eeb0ba8cf8516 100644
--- a/tests/phpunit/tests/admin/optionsPermalink.php +++ b/tests/phpunit/tests/admin/optionsPermalink.php @@ -27,7 +27,10 @@ public function data_base_sanitization() { * @ticket 16839 * @dataProvider data_base_sanitization */ - public function test_base_sanitization() { + public function test_base_sanitization( $input, $expected ) { + $base = ltrim( $input, '/' ); + $result = empty( $base ) ? '' : '/' . implode( '/', array_map( 'sanitize_title_with_dashes', preg_split( '|/+|', $base ) ) ); + $this->assertSame( $expected, $result ); } } From c11b5c3c669ed179c1b45c28cdf74f2405ef2b73 Mon Sep 17 00:00:00 2001 From: Himanshu Pathak Date: Tue, 9 Sep 2025 14:52:06 +0530 Subject: [PATCH 7/7] Fix Linting --- tests/phpunit/tests/admin/optionsPermalink.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/phpunit/tests/admin/optionsPermalink.php b/tests/phpunit/tests/admin/optionsPermalink.php index eeb0ba8cf8516..58db8838d8fde 100644 --- a/tests/phpunit/tests/admin/optionsPermalink.php +++ b/tests/phpunit/tests/admin/optionsPermalink.php @@ -28,9 +28,9 @@ public function data_base_sanitization() { * @dataProvider data_base_sanitization */ public function test_base_sanitization( $input, $expected ) { - $base = ltrim( $input, '/' ); + $base = ltrim( $input, '/' ); $result = empty( $base ) ? '' : '/' . implode( '/', array_map( 'sanitize_title_with_dashes', preg_split( '|/+|', $base ) ) ); - + $this->assertSame( $expected, $result ); } }
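Review bot: `test_base_sanitization()` copies the `ltrim` / `preg_split` / `sanitize_title_with_dashes` expression into the test body instead of calling the code in `src/wp-admin/options-permalink.php`, so it would still pass if the admin handler changed or regressed. It also leaves out `$blog_prefix` and never reaches `set_category_base()` or `set_tag_base()`. Moving the expression into one shared function that both the handler and this test call would make the assertion cover the real input path. The docblock could gain `@param string $input Raw base as submitted.` and `@param string $expected Sanitized base.`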