
Changeset 57754


Timestamp:
03/02/2024 02:11:53 PM (9 months ago)
Author:
swissspidy
Message:

Editor: do not expose protected post meta fields in block bindings.

Ignores meta keys which are considered protected or not registered to be shown in the REST API. Adds tests.

Props santosguillamot, swissspidy, gziolo, xknown, peterwilsoncc.
Fixes #60651.

Location:
trunk
Files:
1 added
2 edited

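--- a/trunk/src/wp-includes/block-bindings/post-meta.php
+++ b/trunk/src/wp-includes/block-bindings/post-meta.php
@@ -35,4 +35,17 @@
     }
 
+    // Check if the meta field is protected.
+    if ( is_protected_meta( $source_args['key'], 'post' ) ) {
+        return null;
+    }
+
+    // Check if the meta field is registered to be shown in REST.
+    $meta_keys = get_registered_meta_keys( 'post', $block_instance->context['postType'] );
+    // Add fields registered for all subtypes.
+    $meta_keys = array_merge( $meta_keys, get_registered_meta_keys( 'post', '' ) );
+    if ( empty( $meta_keys[ $source_args['key'] ]['show_in_rest'] ) ) {
+        return null;
+    }
+
     return get_post_meta( $post_id, $source_args['key'], true );
 }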
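Review bot: The `array_merge( $meta_keys, get_registered_meta_keys( 'post', '' ) )` line lets a registration made for all post types overwrite a subtype-specific registration of the same key, because array_merge keeps the last value for a string key. A plugin that registers a key with `show_in_rest` enabled for every post type and then re-registers it for this post type with `show_in_rest` disabled would still have its value exposed by this check, whereas the REST meta layer, as far as I recall its merge, gives the subtype registration precedence; swapping the arguments, `$meta_keys = array_merge( get_registered_meta_keys( 'post', '' ), $meta_keys );`, makes the more specific registration win here as well. Whether `$block_instance->context['postType']` is guaranteed to be set at this point is not visible, since the enclosing function starts outside the hunk; if it can be absent, reading it as `$block_instance->context['postType'] ?? ''` avoids an undefined-index notice and an unintended null subtype lookup.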
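--- a/trunk/tests/phpunit/tests/block-bindings/render.php
+++ b/trunk/tests/phpunit/tests/block-bindings/render.php
@@ -199,3 +199,39 @@
         );
     }
+
+    /**
+     * Tests if the block content is sanitized when unsafe HTML is passed.
+     *
+     * @ticket 60651
+     *
+     * @covers ::register_block_bindings_source
+     */
+    public function test_source_value_with_unsafe_html_is_sanitized() {
+        $get_value_callback = function () {
+            return '<script>alert("Unsafe HTML")</script>';
+        };
+
+        register_block_bindings_source(
+            self::SOURCE_NAME,
+            array(
+                'label'              => self::SOURCE_LABEL,
+                'get_value_callback' => $get_value_callback,
+            )
+        );
+
+        $block_content = <<<HTML
+<!-- wp:paragraph {"metadata":{"bindings":{"content":{"source":"test/source"}}}} -->
+<p>This should not appear</p>
+<!-- /wp:paragraph -->
+HTML;
+        $parsed_blocks = parse_blocks( $block_content );
+        $block         = new WP_Block( $parsed_blocks[0] );
+        $result        = $block->render();
+
+        $this->assertSame(
+            '<p>alert("Unsafe HTML")</p>',
+            trim( $result ),
+            'The block content should be updated with the value returned by the source.'
+        );
+    }
 }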
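Review bot: The assertion message on the new `assertSame` says the content should be updated with the value returned by the source, but what is actually asserted is that the `<script>` element was stripped while its text survived; a message that states that, e.g. `'Unsafe HTML returned by the source should be stripped before rendering.'`, makes a failure report self-explanatory. The test also registers `self::SOURCE_NAME` without unregistering it in the visible lines; if the class's tear_down does not remove registered sources, a later test in this file would inherit this callback. Since the closure does not use `$this`, `static function () {` is the usual form for it.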