Make WordPress Core

Changeset 54802


Ignore:
Timestamp:
11/11/2022 12:59:20 AM (7 months ago)
Author:
peterwilsoncc
Message:

Media: Prevent decoding attribute corrupting JSON data.

Workaround wp_img_tag_add_decoding_attr() potentially breaking JavaScript and JSON data by limiting the addition of the decoding attribute to image tags using unescaped double quoted attributes src attributes.

Props rodricus, TimothyBlynJacobs, joelmadigan, mw108, adamsilverstein, flixos90, desrosj, mukesh27.
Fixes #56969.

Location:
trunk
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/media.php

    r54505 r54802  
    19631963 */
    19641964function wp_img_tag_add_decoding_attr( $image, $context ) {
     1965    // Only apply the decoding attribute to images that have a src attribute that
     1966    // starts with a double quote, ensuring escaped JSON is also excluded.
     1967    if ( false === strpos( $image, ' src="' ) ) {
     1968        return $image;
     1969    }
     1970
    19651971    /**
    19661972     * Filters the `decoding` attribute value to add to an image. Default `async`.
  • trunk/tests/phpunit/tests/media.php

    r54417 r54802  
    31643164
    31653165    /**
     3166     * Test that decoding="async" is not applied to img tags with single quotes.
     3167     *
     3168     * @ticket 56969
     3169     */
     3170    public function test_wp_img_tag_add_decoding_attr_with_single_quotes() {
     3171        $img = "<img src='example.png' alt='' width='300' height='225' />";
     3172        $img = wp_img_tag_add_decoding_attr( $img, 'test' );
     3173        $this->assertStringNotContainsString( ' decoding="async"', $img );
     3174    }
     3175
     3176    /**
     3177     * Test that decoding="async" is not applied to img tags inside JSON.
     3178     *
     3179     * @ticket 56969
     3180     */
     3181    public function test_decoding_async_not_applied_to_json() {
     3182        $content = '{"image": "<img src=\"example.png\" alt=\"\" width=\"300\" height=\"225\" />"}';
     3183        $content = wp_filter_content_tags( $content );
     3184        $this->assertStringNotContainsString( ' decoding="async"', $content );
     3185    }
     3186
     3187    /**
    31663188     * @ticket 50756
    31673189     */
Note: See TracChangeset for help on using the changeset viewer.