hoakley May 22, 2021 General, Language, Life, Macs, Painting, Technology

How WordPress comments and Property Lists can trip you up

Did you realise that when you write a comment to one of these articles, you’re actually writing XML? Much of the time it makes little difference, but occasionally it bites back by annoying us. Some people like to use ‘angle brackets’, the mathematical less than < and greater than > symbols, for various purposes. Unfortunately, because they’re two of the five characters with special meanings in XML, this has unexpected effects.

Another place where you may come to write XML without being fully aware is when editing Property Lists (including Preference files) in macOS. This caught a user out recently when they were editing an extended attribute in my free utility xattred: that particular extended attribute is stored in Property List format, so when they inadvertently used the ampersand & they were unable to save their changed extended attribute.

This is perhaps easier to cope with in Property Lists, which at least have the decency to tell you that they’re written in XML. At the top of every Property List you should see the preamble
<?xml version="1.0" encoding="UTF-8"?>

WordPress comments don’t tell you that, of course, but lull you into a sense of false security before tripping you up with at least two (sometimes three) of those five special characters.

In theory, apps like xattred and the WordPress comment editor could allow for this and perform automatic character substitution. The problem they face in doing that is that they can’t distinguish reliably between, say, a regular ampersand and one used correctly to construct an ‘escape’ character. Although I seldom use characters like < in my articles, there are times when you can’t avoid them. For me, they’re most common in quotations from logs and the command line. Knowing of the problem, I manually replace each < with < in the article. But what if my editor were to automatically replace every & with &? That would of course be far worse.

So apps like xattred, and the WordPress comment editor, have to make the ill-founded assumption that everyone knows that they’re typing in XML and will make the appropriate substitutions.

For the record, here are the five characters which XML treats differently, and how you can type them in so the correct character appears:

< less than – use < every time;
> greater than – use > every time;
& ampersand – use & when necessary;
” double-quote – this is seldom a problem, and only when used inside another XML double-quotation, where you can use "
‘ apostrophe or single-quote – this is seldom a problem, and only when used inside another XML single-quotation, where you can use '

I will add information about this to xattred’s Help book in its next revision, but if you’ll forgive me, I think that I’ve now escaped enough for today and will sit down and do some graphics rather than XML.

15Comments

Add yours

1

Andrew Reilly on May 22, 2021 at 7:24 am

Is this claim about WordPress comments true? It sounds like a grievous failure of data cleaning if so: good old Bobby Tables all over again. Doesn’t seem to be the case on my own blog (which is also running on WordPress). A quick test just now showed that “&” came across just fine, as was “<", but single quote came through as "'", but it all displayed just fine. Let's see how this one fares…

LikeLiked by 1 person
- 2
  
  Andrew Reilly on May 22, 2021 at 7:27 am
  
  Hmm. There’s something to that: I typed that single quote as & # 0 3 9 ; (without the spaces), so there’s XML available for explicit spelling of special characters, but the input widget seems happy to do the translation itself, as (IMO) it should.
  
  LikeLiked by 1 person
- 3
  
  hoakley on May 22, 2021 at 7:28 am
  
  Try > then. If you read what I have written there, you’ll see that it is one of the two invariable problems. Ampersands can cause issues but not normally in comments. Quotation marks only in XML strings in property lists etc.
  Howard
  
  LikeLike
  - 4
    
    Andrew Reilly on May 22, 2021 at 7:35 am
    
    foo, bar; baz
    
    Seems to work for me…
    
    LikeLiked by 1 person
- 5
  
  Tom J Nowell on May 29, 2021 at 1:18 pm
  
  No it’s not, WordPress comments are a subset of HTML, so that you can use pre tags for code and bold/italics. Anything not on a whitelist is stripped out.
  
  The implementation is here:
  
  https://developer.wordpress.org/reference/functions/wp_filter_kses/
  
  The list of allowed HTML tags:
  
  https://developer.wordpress.org/reference/functions/allowed_tags/#comment-1767
  
  For reference, this is the result of a script tag in a comment: alert("scripts"); Some WP users may retort that this is not true and try to demonstrate it by doing this on their own site, but these users will have fallen into a trap specific to self-hosted WP sites specific to site administrators. Site administrator has a special privilege that allows them to bypass the stripping called unfiltered_html, but you will find that wordpress.com does not allow this, and authors/editors/subscribers do not have this privilege either. Personally I would advise disabling this if you have it LikeLiked by 1 person
  - 6
    
    Tom J Nowell on May 29, 2021 at 1:20 pm
    
    a terribly broken looking comment ( because I did not close the tags in my example ), but you can see the tags got balanced and nothing malicious made it through. The script tags were stripped out and it become a paragraph
    
    LikeLiked by 1 person
  - 7
    
    hoakley on May 29, 2021 at 7:44 pm
    
    Thank you for correcting me. As far as the user is concerned, they’re typing in HTML, then, which also disallows <, > and sometimes & – so the effect is the same.
    Howard.
    
    LikeLike
8

Andrew Reilly on May 22, 2021 at 7:37 am

No, no it doesn’t. That line came out with the last bit saying < quux > on my blog. Must be different setups. It’s a big, complicated, all held together with string and bailing wire…

LikeLiked by 1 person
9

Duncan on May 22, 2021 at 1:27 pm

I’ve been tripped up by the angle brackets here myself. But regardless of which characters might or might not cause problems, what’s really needed at any comment site is the ability to preview one’s comments before posting (as available at Ars Technica, for example). That way we’d know for sure before hitting the ‘Post Comment’ button.

LikeLiked by 1 person
- 10
  
  hoakley on May 23, 2021 at 8:44 am
  
  Thank you.
  I agree, however that’s not an option open to me. I wish it was!
  Howard.
  
  LikeLike
11

markbot2zero on May 23, 2021 at 9:03 pm

Thank you, Howard, this is good to know.

I think the editor also automatically turns plain ASCII quotes into ‘smart’ quotes: “Quote”

And two dashes — which I’ll place on either side of this clause — get turned into single em dashes.

It strips out any leading indentations or white space, like the 5 spaces before this sentence.

And finally I can enclose URLs in angle brackets (I hope):

&lthttps://eclecticlight.co/&rt

Let’s hope it comes through.

–Mark (two dashes before my name will probably get turned into a single one, rather than an em dash.

LikeLiked by 1 person
- 12
  
  hoakley on May 23, 2021 at 9:12 pm
  
  Thanks – I hate it! I want what I type to appear, not what someone else thinks I meant.
  Howard.
  
  LikeLike
13

markbot2zero on May 23, 2021 at 9:04 pm

Oops — try again:

&lt https://eclecticlight.co/ &rt

LikeLiked by 1 person
14

markbot2zero on May 23, 2021 at 9:09 pm

Hmm, bracketts ain’t working. I used an ‘rt’ instead of ‘gt’ — got that wrong. Gotta have an ‘;’ at the end as a separator, like Pascal?

Wait:

<https://electiclight.co/>

or

< https://electlight.co/ >

LikeLiked by 1 person
- 15
  
  hoakley on May 23, 2021 at 9:13 pm
  
  You got there!
  Now imagine doing that with dozens of <private> in log quotations, as I do. Ouch!
  Howard.
  
  LikeLike

·Comments are closed.

Share this:

Related