After [33148]:

Don't nest `esc_attr()` and `htmlspecialchars()` when escaping the post title on the edit post screen.

Unrevert parts of [32851] and [32850].

Adds/alters unit tests.

Props miqrogroove.
Fixes #17780.


git-svn-id: https://develop.svn.wordpress.org/trunk@33271 602fd350-edb4-49c9-b593-d223f7449a82

src/wp-admin/edit-form-advanced.php

@@ -494,7 +494,7 @@ do_action( 'edit_form_top', $post ); ?>
 	$title_placeholder = apply_filters( 'enter_title_here', __( 'Enter title here' ), $post );
 	?>
 	<label class="screen-reader-text" id="title-prompt-text" for="title"><?php echo $title_placeholder; ?></label>
-	<input type="text" name="post_title" size="30" value="<?php echo esc_attr( htmlspecialchars( $post->post_title ) ); ?>" id="title" spellcheck="true" autocomplete="off" />
+	<input type="text" name="post_title" size="30" value="<?php echo esc_attr( $post->post_title ); ?>" id="title" spellcheck="true" autocomplete="off" />
 </div>
 <?php
 /**

src/wp-includes/formatting.php

@@ -752,25 +752,14 @@ function _wp_specialchars( $string, $quote_style = ENT_NOQUOTES, $charset = fals
 		$quote_style = ENT_NOQUOTES;
 	}
 
-	// Handle double encoding ourselves
-	if ( $double_encode ) {
-		$string = @htmlspecialchars( $string, $quote_style, $charset );
-	} else {
-		// Decode & into &
-		$string = wp_specialchars_decode( $string, $_quote_style );
-
-		// Guarantee every &entity; is valid or re-encode the &
+	if ( ! $double_encode ) {
+		// Guarantee every &entity; is valid, convert &garbage; into &garbage;
+		// This is required for PHP < 5.4.0 because ENT_HTML401 flag is unavailable.
 		$string = wp_kses_normalize_entities( $string );
-
-		// Now re-encode everything except &entity;
-		$string = preg_split( '/(&#?x?[0-9a-z]+;)/i', $string, -1, PREG_SPLIT_DELIM_CAPTURE );
-
-		for ( $i = 0, $c = count( $string ); $i < $c; $i += 2 ) {
-			$string[$i] = @htmlspecialchars( $string[$i], $quote_style, $charset );
-		}
-		$string = implode( '', $string );
 	}
 
+	$string = @htmlspecialchars( $string, $quote_style, $charset, $double_encode );
+
 	// Backwards compatibility
 	if ( 'single' === $_quote_style )
 		$string = str_replace( "'", '&#039;', $string );

tests/phpunit/tests/formatting/EscAttr.php

@@ -26,7 +26,7 @@ class Tests_Formatting_EscAttr extends WP_UnitTestCase {
 	}
 
 	function test_esc_attr_amp() {
-		$out = esc_attr( 'foo & bar &baz; '' );
-		$this->assertEquals( "foo & bar &baz; '", $out );
+		$out = esc_attr( 'foo & bar &baz;  ' );
+		$this->assertEquals( "foo & bar &baz;  ", $out );
 	}
 }

tests/phpunit/tests/formatting/EscHtml.php

@@ -34,7 +34,7 @@ class Tests_Formatting_EscHtml extends WP_UnitTestCase {
 
 	function test_ignores_existing_entities() {
 		$source = '& £ " &';
-		$res = '& £ " &';
+		$res = '& £ " &';
 		$this->assertEquals( $res, esc_html($source) );
 	}
 }

tests/phpunit/tests/formatting/JSEscape.php

@@ -23,13 +23,13 @@ class Tests_Formatting_JSEscape extends WP_UnitTestCase {
 	}
 
 	function test_js_escape_amp() {
-		$out = esc_js('foo & bar &baz; '');
-		$this->assertEquals("foo & bar &baz; '", $out);
+		$out = esc_js('foo & bar &baz;  ');
+		$this->assertEquals("foo & bar &baz;  ", $out);
 	}
 
 	function test_js_escape_quote_entity() {
 		$out = esc_js('foo ' bar ' baz &');
-		$this->assertEquals("foo \\' bar \\' baz &", $out);
+		$this->assertEquals("foo \\' bar \\' baz &", $out);
 	}
 
 	function test_js_no_carriage_return() {

tests/phpunit/tests/formatting/WPSpecialchars.php

@@ -17,6 +17,10 @@ class Tests_Formatting_WPSpecialchars extends WP_UnitTestCase {
 
 		// Allowed entities should be unchanged
 		foreach ( $allowedentitynames as $ent ) {
+			if ( 'apos' == $ent ) {
+				// But for some reason, PHP doesn't allow '
+				continue;
+			}
 			$ent = '&' . $ent . ';';
 			$this->assertEquals( $ent, _wp_specialchars( $ent ) );
 		}
@@ -39,4 +43,58 @@ class Tests_Formatting_WPSpecialchars extends WP_UnitTestCase {
 		$this->assertEquals( '"'hello!'"', _wp_specialchars($source, true) );
 		$this->assertEquals( $source, _wp_specialchars($source) );
 	}
+
+	/**
+	 * Check some of the double-encoding features for entity references.
+	 *
+	 * @ticket 17780
+	 * @dataProvider data_double_encoding
+	 */
+	function test_double_encoding( $input, $output ) {
+		return $this->assertEquals( $output, _wp_specialchars( $input, ENT_NOQUOTES, false, true ) );
+	}
+
+	function data_double_encoding() {
+		return array(
+			array(
+				'This & that, this & that, — " " Ú   " " " " " $ ×',
+				'This & that, this & that, — " " Ú   " " " " " $ ×',
+			),
+			array(
+				'&& && && &;',
+				'&& && && &;',
+			),
+			array(
+				'&garbage; &***; &aaaa; &0000; &####; &;;',
+				'&garbage; &***; &aaaa; &0000; &####; &;;',
+			),
+		);
+	}
+
+	/**
+	 * Check some of the double-encoding features for entity references.
+	 *
+	 * @ticket 17780
+	 * @dataProvider data_no_double_encoding
+	 */
+	function test_no_double_encoding( $input, $output ) {
+		return $this->assertEquals( $output, _wp_specialchars( $input, ENT_NOQUOTES, false, false ) );
+	}
+
+	function data_no_double_encoding() {
+		return array(
+			array(
+				'This & that, this & that, — " " Ú   " " " " " $ ×',
+				'This & that, this & that, — " " Ú   " " " " " $ ×',
+			),
+			array(
+				'&& && && &;',
+				'&& && && &;',
+			),
+			array(
+				'&garbage; &***; &aaaa; &0000; &####; &;;',
+				'&garbage; &***; &aaaa; &0000; &####; &;;',
+			),
+		);
+	}
 }