htmlspecialchars_decode bug in Wordpress 2.7.1

It has been brought to my attention that there is currently a small bug in Wordpress 2.7.1 that affects certain users of my Status Press Widget and Customizable Search Widget.

This bug mainly affects users of PHP4: the htmlspecialchars_decode function was not included until PHP5, so Wordpress has integrated a simulation of the same function into the core code of 2.7.

If you are a PHP4 user running Wordpress 2.7.1, you may get this error from a plugin or widget that attempts to access the htmlspecialchars_decode function:

Warning: htmlspecialchars_decode() expects parameter 1 to be string, NULL given in /home/myname/public_html/personal/wp-includes/compat.php on line 105:

PHP5 users already have this function built into PHP itself, so the Wordpress simulation function is simply bypassed.

Apparently when 2.7.1 was released, a slight oversight caused the function to be looking for a variable that was not being passed to it because of a misnaming error.

Details about this error are located in the Wordpress bug tracking system, and it looks like a fix has been submitted for the next version.

However, what should I do until the update? I did some looking into the code that is affected, and noticed that basically in the htmlspecialchars_decode function, Wordpress passes the two expected variables (the string, and the quote style) to its own parser called wp_specialchars_decode. Instead of relying on the PHP version, I have updated my plugins to directly call the Wordpress version of the function to ensure compatibility. Scratch that, that’s not going to work. The wp_specialchars_decode function is only included in Wordpress as of 2.7.1, so it is not backwards compatible and not wise to use.

Instead, you should go ahead and fix the problem with the core file if you are using 2.7.1 and PHP4.

  1. Open up /public_html/<WP Directory>/wp-includes/compat.php
  2. Scroll down to line 104:   if ( !is_scalar( $string ) ) {
  3. Change $string to $str
  4. Do the same thing for the line below it, 105.
  5. Save the file back to your server
  6. Update your plugins.
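The misnaming that steps 2 to 4 correct, reproduced as an added example; this is not the code shipped in compat.php and not my edited copy. The function names, the stand-in decoder and the sample string are constructed for illustration, and the shape of the guard is assumed from the warning text quoted above.

```php
<?php
// Added illustration: hypothetical names, not the code shipped in compat.php.

// Stand-in for the decoder that the shim hands its two arguments to.
function demo_decode($str, $quote_style = ENT_COMPAT)
{
    $table = get_html_translation_table(HTML_SPECIALCHARS, $quote_style);
    return strtr($str, array_flip($table));
}

// Before: the parameter is $str, but the guard tests $string, which is
// never defined, so is_scalar() sees NULL and every call is rejected.
function demo_shim_before($str, $quote_style = ENT_COMPAT)
{
    if (!is_scalar($string)) {
        trigger_error('htmlspecialchars_decode() expects parameter 1 to be string, '
            . gettype($string) . ' given', E_USER_WARNING);
        return null;
    }
    return demo_decode($str, $quote_style);
}

// After: both lines refer to the parameter that is actually passed in.
function demo_shim_after($str, $quote_style = ENT_COMPAT)
{
    if (!is_scalar($str)) {
        trigger_error('htmlspecialchars_decode() expects parameter 1 to be string, '
            . gettype($str) . ' given', E_USER_WARNING);
        return null;
    }
    return demo_decode($str, $quote_style);
}

// Collect the shim's warnings; PHP's own undefined-variable notice is swallowed.
$warnings = array();
set_error_handler(function ($errno, $errstr) use (&$warnings) {
    if ($errno === E_USER_WARNING) {
        $warnings[] = $errstr;
    }
    return true;
});

$sample = 'Tom &amp; Jerry &lt;b&gt;'; // constructed input
var_dump(demo_shim_before($sample));   // rejected although a string was passed
var_dump(demo_shim_after($sample));    // decoded
var_dump(demo_shim_after(null));       // the guard still rejects a real NULL
print_r($warnings);
```

The "before" shim returns nothing for every input, so a plugin that echoes the result outputs an empty string alongside the warning.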

When you have followed these steps, you should be good to go.  If you do not feel comfortable editing the file yourself, you can just download my edited copy of compat.php:

  compat.php (3.4 KiB, 176 hits)

Be sure to upload it to the wp-includes directory. Then update the plugins and widgets that have become broken.

You can find the updates to my widgets here:

If you have any questions or concerns, please do not hesitate to let me know. Oh, and if this has helped you, don’t forget to show a little love:

6 Responses to “htmlspecialchars_decode bug in Wordpress 2.7.1”

  1. David Burns

    Hi Brian,

    Your users shouldn’t have to hack WordPress to get your plugin to work. Of course, WP should not have shipped code with zero testing either, but that’s damage already done.

    Here’s the code I’ve used in the TextImage plugin to work around this bug. With PHP 5.1 or better, the PHP version is defined and we can use it. If lower, the buggy Wordpress version gets defined so we need to avoid it. Just insert the following code, replacing ti_ with something unique. Declare $(unique)_htmlspecialchars_decode global within the function where you want to call htmlspecialchars_decode, and you can call $(unique)_htmlspecialchars_decode(str) in place of htmlspecialchars_decode(str).

    // Wordpress 2.7.1 introduced an untested, buggy version of htmlspecialchars_decode
    // so now we need to work around Wordpress.

    // substitute implementation of htmlspecialchars_decode
    function ti_htmlspecialchars_decode_impl($text)
    {
        return strtr($text, array_flip(get_html_translation_table(HTML_SPECIALCHARS)));
    }

    // which to use?
    if (floatval(phpversion()) < 5.1)
    {
        $ti_htmlspecialchars_decode = "ti_htmlspecialchars_decode_impl"; // use my version
    } else {
        $ti_htmlspecialchars_decode = "htmlspecialchars_decode"; // use PHP version
    }

  2. bbbco

    David,

    Thanks for your comment! I agree that users should not have to hack Wordpress in order to get anything to work properly. Thanks for your suggestion in using a unique function instead of the default name for it. I don’t know why I didn’t think of that myself. Oh well, when I get off work, I will probably look into integrating this. Hopefully WP 2.7.2 will come out soon with a fix though.

    Brian

  3. Michael’s Blog » Blog Archive » htmlspecialchars_decode bug in Wordpress 2.7.1

    [...] htmlspecialchars_decode bug in Wordpress 2.7.1 | Life of Brian. Share and [...]

  4. vinoth

    Thanks for your solution, this solution is really useful for me.

  5. Torsten

    Custom.. Search Plugin doesn’t work anymore in 2.8 or later.

  6. Owen

    Agree with Brian (not David) on the point above. If a particular version of WordPress ships with a bug, it would be madness for plugin authors to build workarounds for specific version issues within their plugin.

    It’s not quite hacking the core if you fix the underlying problem

    Owen
