WordPress.org

Make WordPress Core

Opened 12 months ago

Last modified 2 months ago

#50461 new defect (bug)

Sanitation breaking scripts in custom HTML block

Reported by: claudiulodro Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 5.4.2
Component: Formatting Keywords:
Focuses: Cc:

Description

In certain scenarios, some sort of (most likely regex-based) sanitization in core WordPress converts && elements into && even when placed within a custom HTML block and using a user with unfiltered_html capabilities.

Here is a sample page content you can use to see the issue:

<!-- wp:html -->
<script>
This should work: &&
This doesn't: <= &&
> && After the "tag" is closed it works again
</script>
<!-- /wp:html -->

<!-- wp:html -->
<script>
// Sample script that could be mangled.
var foo = 1 <= 2;
if ( foo && true ) {
    alert('worked');
}
</script>
<!-- /wp:html -->

On the frontend, this will be output as:

<script>
This should work: &&
This doesn't: <= &#038;&#038;
> && After the "tag" is closed it works again
</script>

<script>
// Sample script that could be mangled.
var foo = 1 <= 2;
if ( foo &#038;&#038; true ) {
    alert('worked');
}
</script>

The reason I believe this is a regex issue is because only && characters after <= characters get converted to entities, and after a > character the conversion stops and && are output as normal. My theory is it's some sort of regex-based sanitization for html attributes, but I haven't been able to track down which one specifically.

Change History (3)

#1 @claudiulodro
12 months ago

Note: the issue is probably not from the Gutenberg editor, as the custom HTML block is purely JS and the post content saves into the database correctly.

I reproduced the issue on a clean site running WP 5.4.2 with Twenty Twenty theme and no active plugins.

Last edited 12 months ago by claudiulodro (previous) (diff)

This ticket was mentioned in Slack in #core by peterwilsoncc. View the logs.


2 months ago

#3 @peterwilsoncc
2 months ago

  • Component changed from Editor to Formatting

This was discussed in a triage session today.

This seems very similar to #34698 which involved the santization functions rather than the editor so I've moved this over to the formatting component.

Note: See TracTickets for help on using tickets.