Meta Box

Pattern attribute sanitization may break regex

Support General Pattern attribute sanitization may break regexResolved

Viewing 6 posts - 1 through 6 (of 6 total)
  • Author
    Posts
  • November 5, 2023 at 11:22 AM #43742
    JackkyJackky
    Participant

    It's seems, MetaBox sanitizing each attribute of field, including pattern input attribute.
    Since I was trying to use complex regex with it, I got non-working result because of sanitization.
    Code:
    `
    'pattern' => '(?:https?:)?(?:\/\/)?(?:[0-9A-Z-]+\.)?(?:youtu\.be\/|youtube(?:-nocookie)?\.com\S*?[^\w\s-])(?:[\w-]{11})(?=[^\w-]|$)(?![?=&+%\w.-]*(?:[\'"][^<>]*>|<\/a>))[?=&+%\w.-]*',
    `
    Rendered result (HTML):
    `
    <input pattern="(?:https?:)?(?:\/\/)?(?:[0-9A-Z-]+\.)?(?:youtu\.be\/|youtube(?:-nocookie)?\.com\S*?[^\w\s-])(?:[\w-]{11})(?=[^\w-]|$)(?![?=&+%\w.-]*(?:['"][^<>]*>|<\/a>))[?=&+%\w.-]*">
    `

    November 5, 2023 at 11:30 AM #43745
    JackkyJackky
    Participant

    Ok, forum collapse entities also they are inside backticks... Here a pastebin, where converted entities are shown.

    November 6, 2023 at 7:26 PM #43747
    PeterPeter
    Moderator

    Hello Jackky,

    Do you mean some HTML entities are converted to single characters? For example: &amp ; - &
    Then the sanitization does not work as expected.

    November 28, 2023 at 6:40 AM #43953
    JackkyJackky
    Participant

    Yes, but regex must render "as is" inside the pattern attribute

    November 28, 2023 at 9:08 PM #43955
    PeterPeter
    Moderator

    Hello,

    I've escalated this issue to the development team to fix this in future updates. Thank you.

    September 26, 2024 at 5:36 PM #46538
    Anh TranAnh Tran
    Keymaster

    Hi Jackky,

    After checking this issue, I found that it's probably the browser issue. The pattern regex is outputted correctly in the input, but the browser displays it as rendered entities.

    When you view the source code of the page, you'll see the pattern attribute is outputted correctly. But when you *inspect* the input with the browser inspector, it will shows rendered entities. So, it seems to be an issue with viewing in the browser instead of a technical issue, which probably can't be fixed.

    I created a demo with pure HTML for you to check here.

  • Author
    Posts
Viewing 6 posts - 1 through 6 (of 6 total)
  • You must be logged in to reply to this topic.