-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Custom Link: Decode value in URL input field #55549
Conversation
Size Change: -80 B (0%) Total Size: 1.7 MB
ℹ️ View Unchanged
|
Flaky tests detected in 54e8d74. 🔍 Workflow run URL: https://github.com/WordPress/gutenberg/actions/runs/6825190338
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the testing, @getdave!
I think this is because the label is filtered by the However, this problem also occurs on trunk. Maybe |
I suppose the label doesn't have to be 1:1 with the URL especially where that it potentially inappropriate. I think we're good to merge as is. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Concerns resolved. Let's bring this in 👍
Fixes #55537
Related to #46435
What?
This PR fixes an issue where the URL cannot be changed correctly from the navigation sidebar in the Custom Link block.
Why?
The URL in this block is sanitized by
esc_url()
when rendered. As a result, the correct URL may not be rendered, for example if it contains parameters as shown below.My understanding is that to prevent this, it was changed in #19679 to keep the encoded URL as an attribute value. This comment explains more about why. And then #46435 was filed to properly decode the encoded URL on the front end.
On the other hand, although the URL can be changed from the block sidebar, the encoded URL was displayed as the value of the text field. The encoded URL may represent one character with multiple characters. Deleting one of those characters by keyboard will corrupt the encoded string, and the block will internally attempt to repair the URL, causing problems like the one reported in #55537 to appear.
User-editable fields should display the decoded URL instead of the encoded URL.
How?
In the URL input field, the encoded URL was decoded using the
safeDecodeURI()
function.Testing Instructions
https://google.com?param=<%>
in the text field.https://google.com?param=%3C%25%3E
).https://google.com?param=<%>
).https://google.com?param=<%>
without being stripped.Screenshots or screencast
a5b14855454bc515541677c2eaf289ce.mp4