Post type label being encoded / double encoded...

[rmorse]

Hey WebDevStudios! Long time user of your plugin :)

We develop another plugin, which lists post types, and we're having trouble with post types with special characters created by your plugin, which means when we output the labels, it looks like this (the second option is CPT UI post type)

What we've noticed:

1. Create a post type with the label ' Special (notice the apostrophe at the beginning)
2. Then fetch post types using the WP function get_post_types()
3. Check the label, it will be: ' Special
4. This is double encoded which seems like a bug... It should be ' Special
5. Or even just ' Special

To verify WP behaviour, I tested registering a post type using the WP function register_post_type(), for example:

function wporg_custom_post_type() {
	register_post_type('wporg_product',
		array(
			'labels'      => array(
				'name'          => __("' Special", 'textdomain'),
				'singular_name' => __("' Special", 'textdomain'),
			),
			'public'      => true,
			'has_archive' => true,
		)
	);
}
add_action('init', 'wporg_custom_post_type');

And when we look at the label of this in a get_post_types() call, it looks like this:
' Special

To work around this we'd have to double entity_decode() post type labels generated by this plugin, which I don't think is a good idea (especially if someone purposely wanted some special chars to show, unlikely but possible).

Also I think whenever we see anything double encoded we've likely run into a bug.

Thanks

[tw2113]

Not sure what's going to be the best path forward here, since I would much rather have security cleanup measures in place than not.

Here's the code used when cleaning up a given label:

	foreach ( $data['cpt_labels'] as $key => $label ) {
		if ( empty( $label ) ) {
			unset( $data['cpt_labels'][ $key ] );
		}

		$label = str_replace( '"', '', htmlspecialchars_decode( $label ) );
		$label = htmlspecialchars( $label, ENT_QUOTES );
		$label = trim( $label );
		if ( 'parent' === $key ) {
			$data['cpt_labels']['parent_item_colon'] = stripslashes_deep( $label );
		} else {
			$data['cpt_labels'][ $key ] = stripslashes_deep( $label );
		}
	}

I have verified that the UI shows the apostrophe, and does save as the encoded version in the database. Not sure where the & portion is coming from, as I've checked and the label is still ' Special at the point of registration.

With the get_post_types() call, I'm only getting "special" back without any other characters.

[rmorse]

Hey @tw2113 thanks for the quick feedback, I'm away for a couple of days but I'm going to retest this later this week.

I'm almost certain it was coming out double encoded (I got this reported from a user initially), so I'm going to try to recreate this and provide clearer steps.

[tw2113]

Noted, thanks.

[tw2113]

@rmorse did you ever get this figured out, or is it still presenting some problems?

[rmorse]

Hey @tw2113 , this issue was still presenting last time I checked, unfortunately I had to leave this alone for now but I think I'll revisit it in a couple of months.

[tw2113]

I'll leave the issue open for the moment then.