WordPress.org

Make WordPress Core

Opened 6 weeks ago

Last modified 6 weeks ago

#50461 new defect (bug)

Sanitation breaking scripts in custom HTML block

Reported by: claudiulodro Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 5.4.2
Component: Editor Keywords:
Focuses: Cc:

Description

In certain scenarios, some sort of (most likely regex-based) sanitization in core WordPress converts && elements into && even when placed within a custom HTML block and using a user with unfiltered_html capabilities.

Here is a sample page content you can use to see the issue:

<!-- wp:html -->
<script>
This should work: &&
This doesn't: <= &&
> && After the "tag" is closed it works again
</script>
<!-- /wp:html -->

<!-- wp:html -->
<script>
// Sample script that could be mangled.
var foo = 1 <= 2;
if ( foo && true ) {
    alert('worked');
}
</script>
<!-- /wp:html -->

On the frontend, this will be output as:

<script>
This should work: &&
This doesn't: <= &#038;&#038;
> && After the "tag" is closed it works again
</script>

<script>
// Sample script that could be mangled.
var foo = 1 <= 2;
if ( foo &#038;&#038; true ) {
    alert('worked');
}
</script>

The reason I believe this is a regex issue is because only && characters after <= characters get converted to entities, and after a > character the conversion stops and && are output as normal. My theory is it's some sort of regex-based sanitization for html attributes, but I haven't been able to track down which one specifically.

Change History (1)

#1 @claudiulodro
6 weeks ago

Note: the issue is probably not from the Gutenberg editor, as the custom HTML block is purely JS and the post content saves into the database correctly.

I reproduced the issue on a clean site running WP 5.4.2 with Twenty Twenty theme and no active plugins.

Last edited 6 weeks ago by claudiulodro (previous) (diff)
Note: See TracTickets for help on using tickets.