Changeset 58481 for branches/6.0/src/wp-includes/blocks.php

Timestamp:

06/24/2024 03:17:32 PM (20 months ago)

Author:

audrasjb

Message:

Grouped Backports to the 6.0 branch.

• Editor: Fix Path Traversal issue on Windows in Template-Part Block.
• Editor: Sanitize Template Part HTML tag on save.

Merges [58470], [58471], [58472] and [58473] to the 6.0 branch.
Props xknown, peterwilsoncc, jorbin, bernhard-reiter, azaozz.

File:

• branches/6.0/src/wp-includes/blocks.php (modified) (4 diffs)

branches/6.0/src/wp-includes/blocks.php

@@ -688 +688 @@
  */
 function filter_block_kses( $block, $allowed_html, $allowed_protocols = array() ) {
-    $block['attrs'] = filter_block_kses_value( $block['attrs'], $allowed_html, $allowed_protocols );
+    $block['attrs'] = filter_block_kses_value( $block['attrs'], $allowed_html, $allowed_protocols, $block );
 
     if ( is_array( $block['innerBlocks'] ) ) {
@@ -704 +704 @@
  *
  * @since 5.3.1
+ * @since 6.5.5 Added the `$block_context` parameter.
  *
  * @param string[]|string $value             The attribute value to filter.
@@ -710 +711 @@
  *                                           such as 'post'.
  * @param string[]        $allowed_protocols Array of allowed URL protocols.
+ * @param array           $block_context     Optional. The block the attribute belongs to, in parsed block array format.
  * @return string[]|string The filtered and sanitized result.
  */
-function filter_block_kses_value( $value, $allowed_html, $allowed_protocols = array() ) {
+function filter_block_kses_value( $value, $allowed_html, $allowed_protocols = array(), $block_context = null ) {
     if ( is_array( $value ) ) {
         foreach ( $value as $key => $inner_value ) {
-            $filtered_key   = filter_block_kses_value( $key, $allowed_html, $allowed_protocols );
-            $filtered_value = filter_block_kses_value( $inner_value, $allowed_html, $allowed_protocols );
+            $filtered_key   = filter_block_kses_value( $key, $allowed_html, $allowed_protocols, $block_context );
+            $filtered_value = filter_block_kses_value( $inner_value, $allowed_html, $allowed_protocols, $block_context );
+
+            if ( isset( $block_context['blockName'] ) && 'core/template-part' === $block_context['blockName'] ) {
+                $filtered_value = filter_block_core_template_part_attributes( $filtered_value, $filtered_key, $allowed_html );
+            }
 
             if ( $filtered_key !== $key ) {
@@ -729 +735 @@
 
     return $value;
+}
+
+/**
+ * Sanitizes the value of the Template Part block's `tagName` attribute.
+ *
+ * @since 6.5.5
+ *
+ * @param string          $attribute_value   The attribute value to filter.
+ * @param string          $attribute_name    The attribute name.
+ * @param array[]|string  $allowed_html      An array of allowed HTML elements and attributes,
+ *                                           or a context name such as 'post'. See wp_kses_allowed_html()
+ *                                           for the list of accepted context names.
+ * @return string The sanitized attribute value.
+ */
+function filter_block_core_template_part_attributes( $attribute_value, $attribute_name, $allowed_html ) {
+    if ( empty( $attribute_value ) || 'tagName' !== $attribute_name ) {
+        return $attribute_value;
+    }
+    if ( ! is_array( $allowed_html ) ) {
+        $allowed_html = wp_kses_allowed_html( $allowed_html );
+    }
+    return isset( $allowed_html[ $attribute_value ] ) ? $attribute_value : '';
 }