Bug Report: Users without unfiltered_html capability cannot save links / captions with e.g. & (ampersand) #23302
Labels
component/code
Indicates when a topic is related to a component's code.
component/role-manager
References any component related to the Role Manager.
editor
References the Elementor Editor and all its components.
mod*
type/security
Indicates when a topic is related to component Security.
Description
Currently all fields for users without the unfiltered_html capability go through wp_kses_post (elementor/core/base/document.php, lines 735 to 737 in 6779aa6).
While this can be desirable to mitigate HTML injection, it has the side effect that many fields in the editor work incorrectly when entering things that get escaped, like & (ampersand), which becomes &amp; (even in the editor backend). Examples of fields this applies to are (but not limited to): URL / Link fields (images / buttons / webhooks in forms, ...) and Caption fields.

This sadly comes in combination with WordPress bug 50260 (Multisite - Getting actual user capabilities with get_role_caps() different with current_user_can()), which causes current_user_can to return false for Administrators of a multisite that are not super admin. (We had quite some nice encounters when people that were not super admin edited a page and suddenly the webhooks would not work anymore because of the & to &amp;.)
Steps to reproduce
1. As a user without the unfiltered_html capability, enter https://www.test.com/?a=1&b=0 as Link URL.
2. After saving, the URL becomes https://www.test.com/?a=1&amp;b=0.
Alternatively do the same on a multisite with an admin user that doesn't have super admin (as long as WordPress bug 50260 remains unfixed).
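To make the mechanism concrete, here is an added Python model (not WordPress or Elementor code) of the two behaviours the report describes: wp_kses_normalize_entities() turning a bare '&' into '&amp;' while leaving real entities alone, and map_meta_cap() resolving unfiltered_html to do_not_allow for every non-super-admin on multisite, which is why current_user_can() returns false for site administrators there. It also sketches a hypothetical per-control sanitizer (sanitize_setting, a name assumed here) that sends URL fields through a scheme allow-list instead of kses, so '&' survives but javascript: links are still rejected. ALLOWED_ENTITY_NAMES and ALLOWED_URL_SCHEMES are abbreviated stand-ins for WordPress's lists, and the sample URL is the one from the report.

```python
"""Model (not WordPress/Elementor code) of why a URL field loses its '&' when the
user lacks unfiltered_html, plus a field-type-aware alternative."""
import re
from urllib.parse import urlsplit

# Assumption: abbreviated stand-ins for WordPress's $allowedentitynames and allowed protocols.
ALLOWED_ENTITY_NAMES = {"amp", "lt", "gt", "quot", "nbsp", "copy", "hellip", "ndash", "mdash"}
ALLOWED_URL_SCHEMES = {"http", "https", "mailto", "tel"}


def valid_unicode(i: int) -> bool:
    """Port of WordPress's valid_unicode(): code points an entity may reference."""
    return (i in (0x9, 0xA, 0xD) or 0x20 <= i <= 0xD7FF
            or 0xE000 <= i <= 0xFFFD or 0x10000 <= i <= 0x10FFFF)


def kses_normalize_entities(content: str) -> str:
    """Model of wp_kses_normalize_entities(): every '&' becomes '&amp;', then
    recognised named and numeric entities are restored. A bare '&' in a query
    string ('&b=0') is not followed by ';', so it stays '&amp;b=0'."""
    content = content.replace("&", "&amp;")
    content = re.sub(
        r"&amp;([A-Za-z]{2,8}[0-9]{0,2});",
        lambda m: f"&{m.group(1)};" if m.group(1) in ALLOWED_ENTITY_NAMES else m.group(0),
        content,
    )
    content = re.sub(
        r"&amp;#(0*[0-9]{1,7});",
        lambda m: f"&#{int(m.group(1))};" if valid_unicode(int(m.group(1))) else m.group(0),
        content,
    )
    content = re.sub(
        r"&amp;#[Xx](0*[0-9A-Fa-f]{1,6});",
        lambda m: f"&#x{m.group(1).lstrip('0') or '0'};" if valid_unicode(int(m.group(1), 16)) else m.group(0),
        content,
    )
    return content


def can_unfiltered_html(role_caps: set, is_multisite: bool, is_super_admin: bool) -> bool:
    """Model of map_meta_cap() for 'unfiltered_html' (assumption: DISALLOW_UNFILTERED_HTML
    undefined): on multisite the capability maps to do_not_allow unless the user is a
    super admin, whatever the role grants; on single sites the role decides."""
    if is_multisite and not is_super_admin:
        return False
    return "unfiltered_html" in role_caps


def sanitize_url(value: str) -> str:
    """Keep '&' intact but refuse dangerous schemes (javascript:, data:, ...).
    Control characters are dropped first because browsers ignore them, so
    'java\\tscript:' must be judged as 'javascript:'."""
    value = re.sub(r"[\x00-\x1f\x7f]", "", value).strip()
    scheme = urlsplit(value).scheme.lower()
    if scheme and scheme not in ALLOWED_URL_SCHEMES:
        return ""
    return value


def sanitize_setting(control_type: str, value: str, can_html: bool) -> str:
    """Hypothetical per-control sanitizer: users with unfiltered_html are passed
    through, URL controls get a scheme check, everything else goes through the
    kses model (and so loses a bare '&')."""
    if can_html:
        return value
    if control_type == "url":
        return sanitize_url(value)
    return kses_normalize_entities(value)


if __name__ == "__main__":
    url = "https://www.test.com/?a=1&b=0"  # constructed: the URL from the report
    site_admin_on_multisite = can_unfiltered_html({"unfiltered_html"}, True, False)
    print("treated as unfiltered_html on multisite:", site_admin_on_multisite)
    print("kses model   :", sanitize_setting("text", url, site_admin_on_multisite))
    print("url control  :", sanitize_setting("url", url, site_admin_on_multisite))
    print("javascript:  :", repr(sanitize_setting("url", "javascript:alert(1)", False)))
```

In WordPress itself, esc_url_raw() plays the role sanitize_url plays here: it keeps '&' (only esc_url(), for display, rewrites it) while still enforcing the allowed-protocols list. The point of the scheme check is that routing a URL field around wp_kses_post must not also drop the protection against javascript: and data: links, which is the HTML-injection risk kses was covering.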