Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Social Previews: Decode entities in post titles, excerpts, and descriptions #40256

Merged
merged 4 commits into from
Nov 22, 2024
Merged

Social Previews: Decode entities in post titles, excerpts, and descriptions #40256

merged 4 commits into from
Nov 22, 2024

Conversation

sixhours
Copy link
Contributor

@sixhours sixhours commented Nov 19, 2024
edited
Loading

Fixes #26760

Proposed changes:

  • Run decodeEntities on post title & description before showing them in the Social Previews panel.
  • Core seems to encode special characters in post meta while Jetpack does not.
  • I'm posing this as a proof of concept because I'm concerned it's not as secure as it could be. I see we're using decodeEntities elsewhere in the plugin, so it's probably okay? But I wonder about the potential for XSS issues sneaking through. Answered in comments.

Before

Screenshot 2024-11-19 at 12 18 32 PM

After

Screenshot 2024-11-19 at 12 17 06 PM

Other information:

  • Have you written new tests for your changes, if applicable?
  • Have you checked the E2E test CI results, and verified that your changes do not break them?
  • Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

Does this pull request change what data or activity we track or use?

Testing instructions:

  • Apply this patch to your sandbox and sandbox the API
  • Create a new post in the editor on a Simple site with a Business plan. Ensure the post title and description include a special character like &
  • Publish the post
  • Go to the Jetpack toolbar
  • Go to Social Previews
  • Click Preview to see the modal
  • The special characters should be rendered/decoded rather than showing as encoded (like &)

@sixhours sixhours self-assigned this Nov 19, 2024
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 19, 2024
edited
Loading

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

  • To test on WoA, go to the Plugins menu on a WordPress.com Simple site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin, and enable the fix/decode-entitles-title branch.

  • To test on Simple, run the following command on your sandbox:

    bin/jetpack-downloader test jetpack fix/decode-entitles-title

Interested in more tips and information?

  • In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
  • Read more about our development workflow here: PCYsg-eg0-p2
  • Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 19, 2024
edited
Loading

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

  • ✅ Include a description of your PR changes.
  • ✅ Add a "[Status]" label (In Progress, Needs Team Review, ...).
  • ✅ Add testing instructions.
  • ✅ Specify whether this PR includes any changes to data or privacy.
  • ✅ Add changelog entries to affected projects

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

The e2e test report can be found here. Please note that it can take a few minutes after the e2e tests checks are complete for the report to be available.

Follow this PR Review Process:

  1. Ensure all required checks appearing at the bottom of this PR are passing.
  2. Choose a review path based on your changes:
    • A. Team Review: add the "[Status] Needs Team Review" label
      • For most changes, including minor cross-team impacts.
      • Example: Updating a team-specific component or a small change to a shared library.
    • B. Crew Review: add the "[Status] Needs Review" label
      • For significant changes to core functionality.
      • Example: Major updates to a shared library or complex features.
    • C. Both: Start with Team, then request Crew
      • For complex changes or when you need extra confidence.
      • Example: Refactor affecting multiple systems.
  3. Get at least one approval before merging.

Still unsure? Reach out in #jetpack-developers for guidance!

@github-actions github-actions bot added the [Status] Needs Author Reply We would need you to make some changes or provide some more details about your PR. Thank you! label Nov 19, 2024
@jeherve jeherve added [Type] Bug When a feature is broken and / or not performing as intended [Extension] Social Previews Social Preview block editor plugin [Pri] Normal labels Nov 20, 2024
@sixhours sixhours added the Groundskeeping Worked on by Dotcom Groundskeeping label Nov 20, 2024
@manzoorwanijk
Copy link
Member

I'm posing this as a proof of concept because I'm concerned it's not as secure as it could be. I see we're using decodeEntities elsewhere in the plugin, so it's probably okay? But I wonder about the potential for XSS issues sneaking through.

Thank you for considering that. Since the text is passed to and rendered by React components, it's safe to decode the HTML entities.

@sixhours sixhours changed the title POC: Social Previews: Decode entities in post titles and descriptions Social Previews: Decode entities in post titles and descriptions Nov 21, 2024
@sixhours sixhours changed the title Social Previews: Decode entities in post titles and descriptions Social Previews: Decode entities in post titles, excerpts, and descriptions Nov 21, 2024
@sixhours
Copy link
Contributor Author

FYI I'm on vacation next week. If this gets approved before I get back, please feel free to merge on my behalf!

@manzoorwanijk manzoorwanijk added [Status] Needs Review To request a review from fellow Jetpack developers. Label will be renamed soon. and removed [Status] Needs Author Reply We would need you to make some changes or provide some more details about your PR. Thank you! labels Nov 22, 2024
manzoorwanijk
manzoorwanijk approved these changes Nov 22, 2024
View reviewed changes
Copy link
Member

@manzoorwanijk manzoorwanijk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good. Thank you for fixing it.

@manzoorwanijk manzoorwanijk merged commit f1ad00d into trunk Nov 22, 2024
61 checks passed
@manzoorwanijk manzoorwanijk deleted the fix/decode-entitles-title branch November 22, 2024 05:06
@github-actions github-actions bot removed the [Status] Needs Review To request a review from fellow Jetpack developers. Label will be renamed soon. label Nov 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@manzoorwanijk manzoorwanijk manzoorwanijk approved these changes

Assignees

@sixhours sixhours

Labels
[Extension] Social Previews Social Preview block editor plugin Groundskeeping Worked on by Dotcom Groundskeeping [JS Package] Publicize Components [Pri] Normal RNA [Type] Bug When a feature is broken and / or not performing as intended
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Jetpack Social Preview does not render & properly
3 participants
@sixhours @manzoorwanijk @jeherve