Changeset 58475 for branches/6.4/src/wp-includes/blocks.php

Timestamp:

06/24/2024 03:08:05 PM (17 months ago)

Author:

audrasjb

Message:

Grouped Backports to the 6.4 branch.

• Editor: Fix Path Traversal issue on Windows in Template-Part Block.
• Editor: Sanitize Template Part HTML tag on save.
• HTML API: Run URL attributes through esc_url().

Merges [58470], [58471], [58472] and [58473] to the 6.4 branch.
Props xknown, peterwilsoncc, jorbin, bernhard-reiter, azaozz, dmsnell, gziolo.

File:

• branches/6.4/src/wp-includes/blocks.php (modified) (4 diffs)

branches/6.4/src/wp-includes/blocks.php

@@ -1227 +1227 @@
  */
 function filter_block_kses( $block, $allowed_html, $allowed_protocols = array() ) {
-    $block['attrs'] = filter_block_kses_value( $block['attrs'], $allowed_html, $allowed_protocols );
+    $block['attrs'] = filter_block_kses_value( $block['attrs'], $allowed_html, $allowed_protocols, $block );
 
     if ( is_array( $block['innerBlocks'] ) ) {
@@ -1243 +1243 @@
  *
  * @since 5.3.1
+ * @since 6.5.5 Added the `$block_context` parameter.
  *
  * @param string[]|string $value             The attribute value to filter.
@@ -1250 +1251 @@
  * @param string[]        $allowed_protocols Optional. Array of allowed URL protocols.
  *                                           Defaults to the result of wp_allowed_protocols().
+ * @param array           $block_context     Optional. The block the attribute belongs to, in parsed block array format.
  * @return string[]|string The filtered and sanitized result.
  */
-function filter_block_kses_value( $value, $allowed_html, $allowed_protocols = array() ) {
+function filter_block_kses_value( $value, $allowed_html, $allowed_protocols = array(), $block_context = null ) {
     if ( is_array( $value ) ) {
         foreach ( $value as $key => $inner_value ) {
-            $filtered_key   = filter_block_kses_value( $key, $allowed_html, $allowed_protocols );
-            $filtered_value = filter_block_kses_value( $inner_value, $allowed_html, $allowed_protocols );
+            $filtered_key   = filter_block_kses_value( $key, $allowed_html, $allowed_protocols, $block_context );
+            $filtered_value = filter_block_kses_value( $inner_value, $allowed_html, $allowed_protocols, $block_context );
+
+            if ( isset( $block_context['blockName'] ) && 'core/template-part' === $block_context['blockName'] ) {
+                $filtered_value = filter_block_core_template_part_attributes( $filtered_value, $filtered_key, $allowed_html );
+            }
 
             if ( $filtered_key !== $key ) {
@@ -1269 +1275 @@
 
     return $value;
+}
+
+/**
+ * Sanitizes the value of the Template Part block's `tagName` attribute.
+ *
+ * @since 6.5.5
+ *
+ * @param string          $attribute_value   The attribute value to filter.
+ * @param string          $attribute_name    The attribute name.
+ * @param array[]|string  $allowed_html      An array of allowed HTML elements and attributes,
+ *                                           or a context name such as 'post'. See wp_kses_allowed_html()
+ *                                           for the list of accepted context names.
+ * @return string The sanitized attribute value.
+ */
+function filter_block_core_template_part_attributes( $attribute_value, $attribute_name, $allowed_html ) {
+    if ( empty( $attribute_value ) || 'tagName' !== $attribute_name ) {
+        return $attribute_value;
+    }
+    if ( ! is_array( $allowed_html ) ) {
+        $allowed_html = wp_kses_allowed_html( $allowed_html );
+    }
+    return isset( $allowed_html[ $attribute_value ] ) ? $attribute_value : '';
 }