Bug in php/class-delivery.php breaks certain blocks by forgetting to re-slash

  • Hello,

    There is a bug in version 3.0.4, line 256 in php/class-delivery.php

         if ( empty( $cloudinary_urls ) ) {
            return $content;
        }

    The problem is that at line 249, this content has been run through wp_unslash. This code should be

         if ( empty( $cloudinary_urls ) ) {
            if ( $unslashed ) {
                $content = wp_slash( $content );
            }
            return $content;
        }

    – like for then normal function return.

    With this bug, if the early exit is done, any block that uses the serialize_block_attributes function to ensure the block attributes are safe, will be corrupted if any attributes were protected by slashing and there are no cloudinary resources on the page. This will e.g. affect ACF Pro blocks and probably more.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support loic @ cloudinary

    (@loiccloudinary)

    Hi Iver,

    Thanks for reaching out.

    We are aware of an issue with Unicode characters on ACF where the slash is actually stripped so it might be definitely related to what you mentioned.

    You are mentioning 3.0.4 but the issue should also be in 3.0.3. Do you mind letting me know the issues you are facing on your side so we can add this to our test when a fix will be ready?

    Thanks in advance.
    Best,
    Loic

    Thread Starter Iver Odin Kvello

    (@iverok)

    The issue was an ACF block (which you need ACF Pro for) with a textarea-field. If you add any html tags, entities or as you say unicode chars to this, they will be escaped with slashes.

    The problem is that you unslash the post content before processing, but if you find no cloudinary images in the content, you return early without reslashing the post content. This therefore removes all escaping slashes from posts with no cloudinary data in it.

    If there are cloudinary images, the method processes the content and correctly re-slashes it before return.

    The code I described above ensures the posts are re-slashed on all return branches and fixes the issue.

    I see I haven’t mentioned the method name, it is filter_out_cloudinary in class Delivery.

    Plugin Support loic @ cloudinary

    (@loiccloudinary)

    Hi @iverok,

    After discussing with the development team, we are now considering your solution and we will test it to make sure everything works as expected.

    Thanks for your contribution and we will let you know when this is released.
    Best,
    Loic

    Plugin Support Wissam @ Cloudinary

    (@wissamcloudinary)

    Hi @iverok,

    Please note that version 3.0.5 has just been released.

    Could you please upgrade and let us know your feedback?

    Regards,
    Wissam

    Thread Starter Iver Odin Kvello

    (@iverok)

    Yes, 3.0.5 fixes the issue.

    Plugin Support Wissam @ Cloudinary

    (@wissamcloudinary)

    Hi @iverok,

    Thank you for your feedback.
    Happy to see that the issue was resolved.

    Regards,
    Wissam

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Bug in php/class-delivery.php breaks certain blocks by forgetting to re-slash’ is closed to new replies.