From b20675e8dd6301fcaef1683951de0d7ae4b0ac5d Mon Sep 17 00:00:00 2001
From: Jb Audras <audrasjb@git.wordpress.org>
Date: Tue, 11 Oct 2022 10:27:00 +0000
Subject: [PATCH] Formatting: Strip object replacement characters from slugs.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This changeset prevents object replacement characters – UTF-8 `%ef%bf%bc`, used as a placeholder in text for an otherwise unspecified object – from being added to slugs.

Props cantuaria, costdev, audrasjb, SergeyBiryukov, archon810, maciejmackowiak, BaneD, markparnell, ironprogrammer, dmsnell, nikkigagency, webprom.
Fixes #55117.


git-svn-id: https://develop.svn.wordpress.org/trunk@54474 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/formatting.php                             | 1 +
 tests/phpunit/tests/formatting/sanitizeTitleWithDashes.php | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/src/wp-includes/formatting.php b/src/wp-includes/formatting.php
index a76e954e89..a9a43bda4d 100644
--- a/src/wp-includes/formatting.php
+++ b/src/wp-includes/formatting.php
@@ -2329,6 +2329,7 @@ function sanitize_title_with_dashes( $title, $raw_title = '', $context = 'displa
 				'%e2%80%ad', // Left-to-right override.
 				'%e2%80%ae', // Right-to-left override.
 				'%ef%bb%bf', // Byte order mark.
+				'%ef%bf%bc', // Object replacement character.
 			),
 			'',
 			$title
diff --git a/tests/phpunit/tests/formatting/sanitizeTitleWithDashes.php b/tests/phpunit/tests/formatting/sanitizeTitleWithDashes.php
index 0fc199013a..5c7a81cb29 100644
--- a/tests/phpunit/tests/formatting/sanitizeTitleWithDashes.php
+++ b/tests/phpunit/tests/formatting/sanitizeTitleWithDashes.php
@@ -151,6 +151,7 @@ class Tests_Formatting_SanitizeTitleWithDashes extends WP_UnitTestCase {
 
 	/**
 	 * @ticket 47912
+	 * @ticket 55117
 	 * @dataProvider data_removes_non_visible_characters_without_width
 	 *
 	 * @param string $title     The title to be sanitized.
@@ -179,6 +180,7 @@ class Tests_Formatting_SanitizeTitleWithDashes extends WP_UnitTestCase {
 			'only %e2%80%ad'     => array( '%e2%80%ad' ),
 			'only %e2%80%ae'     => array( '%e2%80%ae' ),
 			'only %ef%bb%bf'     => array( '%ef%bb%bf' ),
+			'only %ef%bf%bc'     => array( '%ef%bf%bc' ),
 
 			// Non-visible characters within the title.
 			'in middle of title' => array(
@@ -202,6 +204,7 @@ class Tests_Formatting_SanitizeTitleWithDashes extends WP_UnitTestCase {
 
 	/**
 	 * @ticket 47912
+	 * @ticket 55117
 	 * @dataProvider data_non_visible_characters_without_width_when_not_save
 	 *
 	 * @param string $title     The title to be sanitized.
@@ -230,6 +233,7 @@ class Tests_Formatting_SanitizeTitleWithDashes extends WP_UnitTestCase {
 			'only %e2%80%ad'     => array( '%e2%80%ad', '%e2%80%ad' ),
 			'only %e2%80%ae'     => array( '%e2%80%ae', '%e2%80%ae' ),
 			'only %ef%bb%bf'     => array( '%ef%bb%bf', '%ef%bb%bf' ),
+			'only %ef%bf%bc'     => array( '%ef%bf%bc', '%ef%bf%bc' ),
 
 			// Non-visible characters within the title.
 			'in middle of title' => array(