
Changeset 58471


Timestamp:
06/24/2024 02:40:47 PM (8 months ago)
Author:
audrasjb
Message:

Editor: Sanitize Template Part HTML tag on save.

Props xknown, peterwilsoncc, jorbin, bernhard-reiter, azaozz.

Location:
trunk/src/wp-includes
Files:
2 edited

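--- a/trunk/src/wp-includes/blocks.php
+++ b/trunk/src/wp-includes/blocks.php
@@ -1726,5 +1726,5 @@
  */
 function filter_block_kses( $block, $allowed_html, $allowed_protocols = array() ) {
-    $block['attrs'] = filter_block_kses_value( $block['attrs'], $allowed_html, $allowed_protocols );
+    $block['attrs'] = filter_block_kses_value( $block['attrs'], $allowed_html, $allowed_protocols, $block );
 
     if ( is_array( $block['innerBlocks'] ) ) {
@@ -1742,4 +1742,5 @@
  *
  * @since 5.3.1
+ * @since 6.5.5 Added the `$block_context` parameter.
  *
  * @param string[]|string $value             The attribute value to filter.
@@ -1749,12 +1750,16 @@
  * @param string[]        $allowed_protocols Optional. Array of allowed URL protocols.
  *                                           Defaults to the result of wp_allowed_protocols().
+ * @param array           $block_context     Optional. The block the attribute belongs to, in parsed block array format.
  * @return string[]|string The filtered and sanitized result.
  */
-function filter_block_kses_value( $value, $allowed_html, $allowed_protocols = array() ) {
+function filter_block_kses_value( $value, $allowed_html, $allowed_protocols = array(), $block_context = null ) {
     if ( is_array( $value ) ) {
         foreach ( $value as $key => $inner_value ) {
-            $filtered_key   = filter_block_kses_value( $key, $allowed_html, $allowed_protocols );
-            $filtered_value = filter_block_kses_value( $inner_value, $allowed_html, $allowed_protocols );
-
+            $filtered_key   = filter_block_kses_value( $key, $allowed_html, $allowed_protocols, $block_context );
+            $filtered_value = filter_block_kses_value( $inner_value, $allowed_html, $allowed_protocols, $block_context );
+
+            if ( isset( $block_context['blockName'] ) && 'core/template-part' === $block_context['blockName'] ) {
+                $filtered_value = filter_block_core_template_part_attributes( $filtered_value, $filtered_key, $allowed_html );
+            }
             if ( $filtered_key !== $key ) {
                 unset( $value[ $key ] );
@@ -1768,4 +1773,27 @@
 
     return $value;
+}
+
+
+/**
+ * Sanitizes the value of the Template Part block's `tagName` attribute.
+ *
+ * @since 6.5.5
+ *
+ * @param string          $attribute_value   The attribute value to filter.
+ * @param string          $attribute_name    The attribute name.
+ * @param array[]|string  $allowed_html      An array of allowed HTML elements and attributes,
+ *                                           or a context name such as 'post'. See wp_kses_allowed_html()
+ *                                           for the list of accepted context names.
+ * @return string The sanitized attribute value.
+ */
+function filter_block_core_template_part_attributes( $attribute_value, $attribute_name, $allowed_html ) {
+    if ( empty( $attribute_value ) || 'tagName' !== $attribute_name ) {
+        return $attribute_value;
+    }
+    if ( ! is_array( $allowed_html ) ) {
+        $allowed_html = wp_kses_allowed_html( $allowed_html );
+    }
+    return isset( $allowed_html[ $attribute_value ] ) ? $attribute_value : '';
 }
 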
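Review bot: `filter_block_core_template_part_attributes` assumes `$attribute_value` is a string, but the caller at new line 1762 hands it the recursively filtered value, which is an array whenever a `tagName` key in a template-part block's attributes holds array data; a non-empty array then reaches `isset( $allowed_html[ $attribute_value ] )`, which PHP 8 rejects with a TypeError (a warning on earlier versions). Because the value is the element name this sanitizer exists to allow-list, a non-string should be dropped rather than passed through: before the existing check add `if ( 'tagName' === $attribute_name && ! is_string( $attribute_value ) ) { return ''; }`. The `empty()` guard also returns the string `'0'` unfiltered; `'' === $attribute_value` is the more precise test, since the allow-list lookup already covers every other value. Since `$block_context` is propagated into every nested array, the check fires for a key named `tagName` at any depth of a template-part block's attributes; if that is intended, the docblock could say so, e.g. `Applies to a 'tagName' key at any nesting depth within the block's attributes.`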
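--- a/trunk/src/wp-includes/formatting.php
+++ b/trunk/src/wp-includes/formatting.php
@@ -4791,4 +4791,5 @@
  *
  * @since 2.5.0
+ * @since 6.5.5 Allow hyphens in tag names (i.e. custom elements).
  *
  * @param string $tag_name
@@ -4796,5 +4797,5 @@
  */
 function tag_escape( $tag_name ) {
-    $safe_tag = strtolower( preg_replace( '/[^a-zA-Z0-9_:]/', '', $tag_name ) );
+    $safe_tag = strtolower( preg_replace( '/[^a-zA-Z0-9-_:]/', '', $tag_name ) );
     /**
      * Filters a string cleaned and escaped for output as an HTML tag.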
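Review bot: The new character class `[^a-zA-Z0-9-_:]` relies on PCRE treating a hyphen that immediately follows a range as a literal, and at a glance it reads as a `9-_` range; putting the hyphen last, `'/[^a-zA-Z0-9_:-]/'`, states the intent without depending on that rule. The added `@since` line should read `e.g. custom elements` rather than `i.e.`, as custom elements are the motivating case, not the definition of the change. Stripping disallowed characters still does not validate the result as a tag name (a value consisting only of hyphens, or starting with a digit, passes), which predates this commit but becomes slightly broader with hyphens allowed; a note in the docblock that callers must still allow-list the resulting name would make that explicit. tag_escape's body continues past the hunk.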