Make WordPress Core


Timestamp: 01/15/2026 12:08:01 PM (3 months ago)
Author: jonsurrell
Message:

Customize: Allow arbitrary CSS in global styles custom CSS.

Relax Global Styles custom CSS filters to allow arbitrary CSS.

Escape HTML characters <>& in Global Styles data to prevent it from being mangled by post content filters. The data is JSON encoded and stored in post_content. Filters operating on post_content expect it to contain HTML. Some KSES filters would otherwise remove essential CSS features like the <custom-ident> CSS data type because they appear to be HTML tags.

[61418] changed STYLE tag generation to use the HTML API for improved safety.

Developed in https://github.com/WordPress/wordpress-develop/pull/10641.

Props jonsurrell, dmsnell, westonruter, ramonopoly, oandregal, jorgefilipecosta, sabernhardt, soyebsalar01.
See #64418.

File: 1 edited

  • trunk/src/wp-includes/kses.php

    r61467 r61486  
    23872387
    23882388        $data_to_encode['isGlobalStylesUserThemeJSON'] = true;
    2389         return wp_slash( wp_json_encode( $data_to_encode ) );
     2389        /**
     2390         * JSON encode the data stored in post content.
     2391         * Escape characters that are likely to be mangled by HTML filters: "<>&".
     2392         *
     2393         * This matches the escaping in {@see WP_REST_Global_Styles_Controller::prepare_item_for_database()}.
     2394         */
     2395        return wp_slash( wp_json_encode( $data_to_encode, JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP ) );
    23902396    }
    23912397    return $data;
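Review bot: The flag set `JSON_UNESCAPED_SLASHES | JSON_HEX_TAG | JSON_HEX_AMP` on the new `return wp_slash( wp_json_encode( $data_to_encode, ... ) );` line is tied to `WP_REST_Global_Styles_Controller::prepare_item_for_database()` only by the `{@see ...}` sentence in the docblock; since the safety property depends on both write paths escaping `<`, `>` and `&` identically before the JSON is stored in post_content, consider hoisting the flags into one shared constant or a small helper so the two encoders cannot silently drift apart. Two smaller points on the same lines: `JSON_UNESCAPED_SLASHES` changes the stored form of every `/` (from `\/` to `/`) and is unrelated to the `<>&` escaping the comment describes, so either explain it in the comment or drop it from this change; and the comment could state explicitly that quotes are intentionally left unescaped (no `JSON_HEX_QUOT`/`JSON_HEX_APOS`), otherwise a reader may wonder whether they were overlooked. The escapes themselves (`\u003C`, `\u003E`, `\u0026`) are plain JSON escapes that `json_decode()` restores, so the read path needs no matching change.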