Make WordPress Core

Changeset 58474


Ignore:
Timestamp:
06/24/2024 03:02:41 PM (5 months ago)
Author:
audrasjb
Message:

Grouped Backports to the 6.5 branch.

  • Editor: Fix Path Traversal issue on Windows in Template-Part Block.
  • Editor: Sanitize Template Part HTML tag on save.
  • HTML API: Run URL attributes through esc_url().

Merges [58470], [58471], [58472] and [58473] to the 6.5 branch.
Props xknown, peterwilsoncc, jorbin, bernhard-reiter, azaozz, dmsnell, gziolo.

Location:
branches/6.5/src/wp-includes
Files:
4 edited

Legend:

Unmodified
Added
Removed
  • branches/6.5/src/wp-includes/blocks.php

    r57677 r58474  
    14481448 */
    14491449function filter_block_kses( $block, $allowed_html, $allowed_protocols = array() ) {
    1450     $block['attrs'] = filter_block_kses_value( $block['attrs'], $allowed_html, $allowed_protocols );
     1450    $block['attrs'] = filter_block_kses_value( $block['attrs'], $allowed_html, $allowed_protocols, $block );
    14511451
    14521452    if ( is_array( $block['innerBlocks'] ) ) {
     
    14641464 *
    14651465 * @since 5.3.1
     1466 * @since 6.5.5 Added the `$block_context` parameter.
    14661467 *
    14671468 * @param string[]|string $value             The attribute value to filter.
     
    14711472 * @param string[]        $allowed_protocols Optional. Array of allowed URL protocols.
    14721473 *                                           Defaults to the result of wp_allowed_protocols().
     1474 * @param array           $block_context     Optional. The block the attribute belongs to, in parsed block array format.
    14731475 * @return string[]|string The filtered and sanitized result.
    14741476 */
    1475 function filter_block_kses_value( $value, $allowed_html, $allowed_protocols = array() ) {
     1477function filter_block_kses_value( $value, $allowed_html, $allowed_protocols = array(), $block_context = null ) {
    14761478    if ( is_array( $value ) ) {
    14771479        foreach ( $value as $key => $inner_value ) {
    1478             $filtered_key   = filter_block_kses_value( $key, $allowed_html, $allowed_protocols );
    1479             $filtered_value = filter_block_kses_value( $inner_value, $allowed_html, $allowed_protocols );
     1480            $filtered_key   = filter_block_kses_value( $key, $allowed_html, $allowed_protocols, $block_context );
     1481            $filtered_value = filter_block_kses_value( $inner_value, $allowed_html, $allowed_protocols, $block_context );
     1482
     1483            if ( isset( $block_context['blockName'] ) && 'core/template-part' === $block_context['blockName'] ) {
     1484                $filtered_value = filter_block_core_template_part_attributes( $filtered_value, $filtered_key, $allowed_html );
     1485            }
    14801486
    14811487            if ( $filtered_key !== $key ) {
     
    14901496
    14911497    return $value;
     1498}
     1499
     1500/**
     1501 * Sanitizes the value of the Template Part block's `tagName` attribute.
     1502 *
     1503 * @since 6.5.5
     1504 *
     1505 * @param string          $attribute_value   The attribute value to filter.
     1506 * @param string          $attribute_name    The attribute name.
     1507 * @param array[]|string  $allowed_html      An array of allowed HTML elements and attributes,
     1508 *                                           or a context name such as 'post'. See wp_kses_allowed_html()
     1509 *                                           for the list of accepted context names.
     1510 * @return string The sanitized attribute value.
     1511 */
     1512function filter_block_core_template_part_attributes( $attribute_value, $attribute_name, $allowed_html ) {
     1513    if ( empty( $attribute_value ) || 'tagName' !== $attribute_name ) {
     1514        return $attribute_value;
     1515    }
     1516    if ( ! is_array( $allowed_html ) ) {
     1517        $allowed_html = wp_kses_allowed_html( $allowed_html );
     1518    }
     1519    return isset( $allowed_html[ $attribute_value ] ) ? $attribute_value : '';
    14921520}
    14931521
  • branches/6.5/src/wp-includes/formatting.php

    r57626 r58474  
    48034803 *
    48044804 * @since 2.5.0
     4805 * @since 6.5.5 Allow hyphens in tag names (i.e. custom elements).
    48054806 *
    48064807 * @param string $tag_name
     
    48084809 */
    48094810function tag_escape( $tag_name ) {
    4810     $safe_tag = strtolower( preg_replace( '/[^a-zA-Z0-9_:]/', '', $tag_name ) );
     4811    $safe_tag = strtolower( preg_replace( '/[^a-zA-Z0-9-_:]/', '', $tag_name ) );
    48114812    /**
    48124813     * Filters a string cleaned and escaped for output as an HTML tag.
  • branches/6.5/src/wp-includes/functions.php

    r57707 r58474  
    61936193    }
    61946194
     6195    // Normalize path for Windows servers
     6196    $file = wp_normalize_path( $file );
     6197
    61956198    // `../` on its own is not allowed:
    61966199    if ( '../' === $file ) {
  • branches/6.5/src/wp-includes/html-api/class-wp-html-tag-processor.php

    r57815 r58474  
    29692969            $updated_attribute = $name;
    29702970        } else {
    2971             $escaped_new_value = esc_attr( $value );
     2971            $comparable_name = strtolower( $name );
     2972
     2973            /*
     2974             * Escape URL attributes.
     2975             *
     2976             * @see https://html.spec.whatwg.org/#attributes-3
     2977             */
     2978            $escaped_new_value = in_array( $comparable_name, wp_kses_uri_attributes() ) ? esc_url( $value ) : esc_attr( $value );
    29722979            $updated_attribute = "{$name}=\"{$escaped_new_value}\"";
    29732980        }
Note: See TracChangeset for help on using the changeset viewer.