WordPress.org
Get WordPress

Make WordPress Core

Changeset 60070


Ignore:
Timestamp:
03/24/2025 02:51:19 PM (8 weeks ago)
Author:
joemcgill
Message:

Interactivity API: Apply the same directive name restrictions as the client.

This adds the same logic to filter directive data attributes to ignore invalid data attributes that is applied in the client to avoid processing directives on the server that will not be processed in the client.

Props jonsurrell, SirLouen.
Fixes #62426.

Location:
trunk
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/src/wp-includes/interactivity-api/class-wp-interactivity-api.php

    r59477 r60070  
    452452                    // Checks if there is a server directive processor registered for each directive.
    453453                    foreach ( $p->get_attribute_names_with_prefix( 'data-wp-' ) as $attribute_name ) {
     454                        if ( ! preg_match(
     455                            /*
     456                             * This must align with the client-side regex used by the interactivity API.
     457                             * @see https://github.com/WordPress/gutenberg/blob/ca616014255efbb61f34c10917d52a2d86c1c660/packages/interactivity/src/vdom.ts#L20-L32
     458                             */
     459                            '/' .
     460                            '^data-wp-' .
     461                            // Match alphanumeric characters including hyphen-separated
     462                            // segments. It excludes underscore intentionally to prevent confusion.
     463                            // E.g., "custom-directive".
     464                            '([a-z0-9]+(?:-[a-z0-9]+)*)' .
     465                            // (Optional) Match '--' followed by any alphanumeric charachters. It
     466                            // excludes underscore intentionally to prevent confusion, but it can
     467                            // contain multiple hyphens. E.g., "--custom-prefix--with-more-info".
     468                            '(?:--([a-z0-9_-]+))?$' .
     469                            '/i',
     470                            $attribute_name
     471                        ) ) {
     472                            continue;
     473                        }
    454474                        list( $directive_prefix ) = $this->extract_prefix_and_suffix( $attribute_name );
    455475                        if ( array_key_exists( $directive_prefix, self::$directive_processors ) ) {

  • trunk/tests/phpunit/tests/interactivity-api/wpInteractivityAPI.php

    r59477 r60070  
    15861586        );
    15871587    }
     1588
     1589    /**
     1590     * Ensures that directives with invalid attribute names are ignored.
     1591     *
     1592     * @ticket 62426
     1593     */
     1594    public function test_invalid_directive_names_are_ignored() {
     1595        $html = <<<HTML
     1596            <div data-wp-interactive="test" data-wp-context='{ "t": true }'>
     1597                <br data-wp-class--allowed="context.t">
     1598                <br data-wp-class--dis:allowed="context.t">
     1599                <br data-wp-class--[disallowed]="context.t">
     1600            </div>
     1601HTML;
     1602
     1603        $processed_html = $this->interactivity->process_directives( $html );
     1604        $this->assertStringContainsString( 'class="allowed"', $processed_html );
     1605        $this->assertStringNotContainsString( 'class="dis:allowed"', $processed_html );
     1606        $this->assertStringNotContainsString( 'class="[disallowed]"', $processed_html );
     1607    }
    15881608}
Note: See TracChangeset for help on using the changeset viewer.