Fix regression in wp.sanitize.stripTags() when input is null or undefined
#10833
Conversation
…efined. Ensure that `wp.sanitize.stripTags()` returns an empty string when the input is `null` or `undefined`, preventing it from being converted to the string "null" by `DOMParser`. Added regression tests. Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Core Committers: Use this line as a base for the props when committing in SVN: To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
Test using WordPress PlaygroundThe changes in this pull request can previewed and tested using a WordPress Playground instance. WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser. Some things to be aware of
For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation. |
There was a problem hiding this comment.
Gemini happily generated all these tests.
There was a problem hiding this comment.
What do you think about adding tests for wp.sanitize.stripTags( 0 ), wp.sanitize.stripTags( '0' ) and wp.sanitize.stripTags( '' )? That way, more edge cases would be covered.
There was a problem hiding this comment.
Pull request overview
Fixes a regression in wp.sanitize.stripTags() where null/undefined inputs could be coerced into the strings "null"/"undefined" via DOMParser, by returning an empty string instead, and adds QUnit regression tests.
Changes:
- Add an early-return in
wp.sanitize.stripTags()fornull/undefined. - Add QUnit coverage for
stripTags()andstripTagsAndEncodeText()withnull/undefinedinputs. - Register the new QUnit test file in the QUnit runner
index.html.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
src/js/_enqueues/wp/sanitize.js |
Adds a null/undefined guard to prevent "null"/"undefined" string coercion through DOMParser. |
tests/qunit/wp-includes/js/wp-sanitize.js |
Introduces regression tests covering null/undefined and basic behavior for sanitize helpers. |
tests/qunit/index.html |
Ensures the new QUnit test file is loaded by the test runner. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| stripTags: function( text ) { | ||
| if ( null === text || 'undefined' === typeof text ) { | ||
| return ''; | ||
| } |
There was a problem hiding this comment.
The JSDoc for stripTags() still declares text as {string}, but the function now explicitly supports null/undefined by returning an empty string (and tests also pass a number). Please update the parameter type (and ideally stripTagsAndEncodeText()'s matching JSDoc) so the documented contract matches the behavior.
There was a problem hiding this comment.
I don't think this is necessary. We don't want a non-string value to be passed. Accepting null or undefined is a back-compat consideration.
|
@westonruter Can you share testing steps please? |
|
@mukeshpanchal27 the ticket description has the reproduction info. I guess go to a screen where that script is enqueued, or enqueued the script yourself, and then run the function in the console. |
| * @return {string} Stripped text. | ||
| */ | ||
| stripTags: function( text ) { | ||
| if ( null === text || 'undefined' === typeof text ) { |
There was a problem hiding this comment.
Minor: I consider null == text to be the canonical "null or undefined" check, it's well specified behavior.
Is there a reason to use a typeof check? I associate 'undefined' === typeof variable with a test where we don't know whether a variable is defined.
| if ( null === text || 'undefined' === typeof text ) { | |
| if ( null == text ) { |
There was a problem hiding this comment.
Good question. This is part of WordPress's JavaScript Coding Standards on Equality:
Strict equality checks (
===) must be used in favor of abstract equality checks (==).
So avoiding the loose comparison is in keeping with the coding standards.
There was a problem hiding this comment.
These are the preferred ways of checking the type of an object:
- …
- null or undefined:
object == null
sirreal
left a comment
sirreal
left a comment
There was a problem hiding this comment.
The test are running and passing and appear correct.
I'll leave the suggestion to your discretion: https://github.com/WordPress/wordpress-develop/pull/10833/changes#r2753604980
4 participants
Ensure that
wp.sanitize.stripTags()returns an empty string when the input isnullorundefined, preventing it from being converted to the string "null" byDOMParser.Added regression tests.
Trac ticket: https://core.trac.wordpress.org/ticket/64574
This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.