

Timestamp:
02/10/2025 10:27:49 PM (2 months ago)
Author:
peterwilsoncc
Message:

Global Styles: Improve sanitization of block variation styles.

Fixes an issue where block style variations containing inner block type and element styles would have those inner styles stripped when the user attempting to save Global Styles does not have the unfiltered_html capability.

Props aaronrobertshaw, mukesh27, andrewserong.
Fixes #62372.

File:
1 edited

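--- a/trunk/src/wp-includes/class-wp-theme-json.php
+++ b/trunk/src/wp-includes/class-wp-theme-json.php
@@ -3553,24 +3553,10 @@
                     $variation_output = static::remove_insecure_styles( $variation_input );
 
-                    // Process a variation's elements and element pseudo selector styles.
+                    if ( isset( $variation_input['blocks'] ) ) {
+                        $variation_output['blocks'] = static::remove_insecure_inner_block_styles( $variation_input['blocks'] );
+                    }
+
                     if ( isset( $variation_input['elements'] ) ) {
-                        foreach ( $valid_element_names as $element_name ) {
-                            $element_input = $variation_input['elements'][ $element_name ] ?? null;
-                            if ( $element_input ) {
-                                $element_output = static::remove_insecure_styles( $element_input );
-
-                                if ( isset( static::VALID_ELEMENT_PSEUDO_SELECTORS[ $element_name ] ) ) {
-                                    foreach ( static::VALID_ELEMENT_PSEUDO_SELECTORS[ $element_name ] as $pseudo_selector ) {
-                                        if ( isset( $element_input[ $pseudo_selector ] ) ) {
-                                            $element_output[ $pseudo_selector ] = static::remove_insecure_styles( $element_input[ $pseudo_selector ] );
-                                        }
-                                    }
-                                }
-
-                                if ( ! empty( $element_output ) ) {
-                                    _wp_array_set( $variation_output, array( 'elements', $element_name ), $element_output );
-                                }
-                            }
-                        }
+                        $variation_output['elements'] = static::remove_insecure_element_styles( $variation_input['elements'] );
                     }
 
@@ -3608,4 +3594,57 @@
 
         return $theme_json;
+    }
+
+    /**
+     * Remove insecure element styles within a variation or block.
+     *
+     * @since 6.8.0
+     *
+     * @param array $elements The elements to process.
+     * @return array The sanitized elements styles.
+     */
+    protected static function remove_insecure_element_styles( $elements ) {
+        $sanitized           = array();
+        $valid_element_names = array_keys( static::ELEMENTS );
+
+        foreach ( $valid_element_names as $element_name ) {
+            $element_input = $elements[ $element_name ] ?? null;
+            if ( $element_input ) {
+                $element_output = static::remove_insecure_styles( $element_input );
+
+                if ( isset( static::VALID_ELEMENT_PSEUDO_SELECTORS[ $element_name ] ) ) {
+                    foreach ( static::VALID_ELEMENT_PSEUDO_SELECTORS[ $element_name ] as $pseudo_selector ) {
+                        if ( isset( $element_input[ $pseudo_selector ] ) ) {
+                            $element_output[ $pseudo_selector ] = static::remove_insecure_styles( $element_input[ $pseudo_selector ] );
+                        }
+                    }
+                }
+
+                $sanitized[ $element_name ] = $element_output;
+            }
+        }
+        return $sanitized;
+    }
+
+    /**
+     * Remove insecure styles from inner blocks and their elements.
+     *
+     * @since 6.8.0
+     *
+     * @param array $blocks The block styles to process.
+     * @return array Sanitized block type styles.
+     */
+    protected static function remove_insecure_inner_block_styles( $blocks ) {
+        $sanitized = array();
+        foreach ( $blocks as $block_type => $block_input ) {
+            $block_output = static::remove_insecure_styles( $block_input );
+
+            if ( isset( $block_input['elements'] ) ) {
+                $block_output['elements'] = static::remove_insecure_element_styles( $block_input['elements'] );
+            }
+
+            $sanitized[ $block_type ] = $block_output;
+        }
+        return $sanitized;
     }
 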
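Review bot: `remove_insecure_element_styles` stores the result unconditionally at `$sanitized[ $element_name ] = $element_output;`, whereas the loop it replaces only wrote the element when `! empty( $element_output )`, so an element whose every property was stripped now survives as an empty array in the sanitized output (and, through `remove_insecure_inner_block_styles`, inside each inner block's `elements` as well). Restoring the guard, `if ( ! empty( $element_output ) ) { $sanitized[ $element_name ] = $element_output; }`, keeps the output shape the same as before the change, and `remove_insecure_inner_block_styles` could apply the same check to `$block_output` so a block type with nothing left after sanitization is dropped rather than emitted as an empty entry. The `$block_type` keys are copied from the input without being checked against known block types; that may be fine if the caller has already validated the schema, but it is worth confirming since this path is specifically the one taken for users without `unfiltered_html`. If `$valid_element_names` was only read by the removed `foreach` in `remove_insecure_properties`, its assignment earlier in that function (outside this hunk) is now unused.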