Make WordPress Core

Opened 5 weeks ago

Closed 4 weeks ago

Last modified 4 weeks ago

#61570 closed defect (bug) (fixed)

Change 3rd party domain mysite.com from example in editor.js in WP 6.6

Reported by: TeemuSuoranta
Owned by:
Milestone: 6.6
Priority: normal
Severity: normal
Version: 6.6
Component: Editor
Keywords:
Focuses: ui-copy
Cc:

Description

WP 6.6 includes the following string in wp-includes/js/dist/editor.js:10076

Child pages inherit characteristics from their parent, such as URL structure. For instance, if 'Web Design' is a child of 'Services,' its URL would be mysite.com/services/web-design.

Using mysite.com as an example is problematic because that's a 3rd party domain not owned by WordPress. Although we are not displaying a clickable link to it, there's a risk that some of the users will go and visit that URL. That can cause some confusion, but it also opens up possibilities for bad actors at the 3rd party to create scams on that website.

Even if mysite.com could be trusted, the translations already submitted by various locales contain many variations of "mysite", which increases the risk that some bad actors will reserve those domains and create harmful websites.

I propose a few alternatives:

  1. Let's not use any domain there and just say /services/web-design
  2. Let's use wordpress.org as an example, because that we can trust
  3. Let's use example.com if some other external domain is needed

Related discussion on #polyglots https://wordpress.slack.com/archives/C02RP50LK/p1720016320393729
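
A check for the problem described above, as an added example that is not part of the ticket and is not WordPress or Gutenberg code: it scans UI strings for hostname-like tokens and reports any that are not reserved for documentation use by RFC 2606 / RFC 6761. The function names, the sample string keys and the allowlist parameter are assumptions made for this illustration; the sample strings are constructed from the sentence and the alternatives quoted in the description.

```javascript
// Names reserved for documentation and testing (RFC 2606, RFC 6761).
const RESERVED_DOMAINS = new Set(['example.com', 'example.net', 'example.org']);
const RESERVED_TLDS = new Set(['example', 'test', 'invalid', 'localhost']);

// Hostname-like token: dot-separated labels ending in an alphabetic TLD.
// Unicode-aware so translated strings are covered; the lookbehind skips
// e-mail addresses and the middle of longer tokens. This is a lint
// heuristic: file names such as "foo.js" also match and need human triage.
const HOST_RE = /(?<![\p{L}\p{N}.@-])(?:[\p{L}\p{N}][\p{L}\p{N}-]*\.)+\p{L}{2,}/gu;

function isReservedHost(host) {
  const labels = host.toLowerCase().split('.');
  if (RESERVED_TLDS.has(labels[labels.length - 1])) return true;
  // example.com and its subdomains (docs.example.com) are both fine.
  return RESERVED_DOMAINS.has(labels.slice(-2).join('.'));
}

// strings: { messageId: text }. allowlist: hosts the project itself controls.
function findUnreservedDomains(strings, allowlist = []) {
  const allowed = new Set(allowlist.map((h) => h.toLowerCase()));
  const findings = [];
  for (const [id, text] of Object.entries(strings)) {
    for (const match of text.matchAll(HOST_RE)) {
      const host = match[0].toLowerCase();
      if (!isReservedHost(host) && !allowed.has(host)) {
        findings.push({ id, host });
      }
    }
  }
  return findings;
}

// Constructed sample input: the original string plus the three alternatives.
const PREFIX = "For instance, if 'Web Design' is a child of 'Services,' its URL would be ";
const SAMPLE_STRINGS = {
  original: PREFIX + 'mysite.com/services/web-design.',
  pathOnly: PREFIX + '/services/web-design.',
  wporg: PREFIX + 'wordpress.org/services/web-design.',
  reserved: PREFIX + 'example.com/services/web-design.',
};

console.log(findUnreservedDomains(SAMPLE_STRINGS, ['wordpress.org']));
```

Running the same function over each locale's translated strings would surface the "mysite" variations the description mentions, since every non-reserved host is reported regardless of its spelling.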

Change History (9)

This ticket was mentioned in Slack in #polyglots by teemusuoranta. View the logs.


5 weeks ago

#2 @peterwilsoncc
5 weeks ago

  • Component changed from Security to Editor
  • Milestone changed from Awaiting Review to 6.6

As this request has come via the polyglots channel in Slack, I'm moving it to the 6.6 milestone for consideration.

This ticket was mentioned in Slack in #core-editor by peterwilsoncc. View the logs.


5 weeks ago

#4 @ramonopoly
5 weeks ago

Good idea!

Let's use example.com if some other external domain is needed

I'd vote for example.com or, better, example.org - they're intended to be test/example URLs.

There are some WordPress admin example URLs in the Gutenberg repo, so I'd suggest using WordPress.org might not be ideal as folks might click on them! 😀

#5 @peterwilsoncc
4 weeks ago

This has been fixed in the Gutenberg repository with the pull request https://github.com/WordPress/gutenberg/pull/63154

I'll leave this ticket open for now but it can be closed once the next package merge from Gutenberg takes place prior to the next release candidate. (@ramonopoly are you able to take care of this, I'll be on leave next week.)

Thanks for bringing this to our attention Teemu, it had the potential to be quite awkward if the domain changed hands.

#6 @ramonopoly
4 weeks ago

are you able to take care of this, I'll be on leave next week

I'll keep an eye on it. Enjoy your time off. Thanks for the PR

This ticket was mentioned in Slack in #core by hellofromtonya. View the logs.


4 weeks ago

#8 @hellofromTonya
4 weeks ago

  • Resolution set to fixed
  • Status changed from new to closed

@ellatrix confirmed the change was included in today's RC3 package update. Closing this ticket as fixed by [58693] on trunk and [58695] on the 6.6 branch, as tracked in #61603.

#9 @ramonopoly
4 weeks ago

Thanks for the update @hellofromTonya
