Make WordPress Core

Opened 4 years ago

Closed 23 months ago

Last modified 3 months ago

#50997 closed defect (bug) (reported-upstream)

Block Editor showing blank in WordPress 5.5

Reported by: david-woakes's profile david-woakes Owned by:
Milestone: Priority: normal
Severity: normal Version: 5.5
Component: Editor Keywords:
Focuses: Cc:

Description (last modified by SergeyBiryukov)

I've disabled all plugins but and this still happens. It happens in Chrome and Firefox (latest version of both browsers).

In the developer plugin I can see the following CSP errors

Uncaught EvalError: call to Function() blocked by CSP
    t https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    exports https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    441 https://www.shbforum.co.uk/wp-includes/js/dist/blocks.min.js?ver=e817d20512a049ea38d1e1f22097be1f:3
    r https://www.shbforum.co.uk/wp-includes/js/dist/blocks.min.js?ver=e817d20512a049ea38d1e1f22097be1f:2
    blocks https://www.shbforum.co.uk/wp-includes/js/dist/blocks.min.js?ver=e817d20512a049ea38d1e1f22097be1f:2
    <anonymous> https://www.shbforum.co.uk/wp-includes/js/dist/blocks.min.js?ver=e817d20512a049ea38d1e1f22097be1f:2
data.min.js:2:4301
Uncaught TypeError: wp.blocks is undefined
    <anonymous> https://www.shbforum.co.uk/wp-admin/post.php?post=588&action=edit:108
post.php:108:1
Uncaught EvalError: call to Function() blocked by CSP
    t https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    exports https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    440 https://www.shbforum.co.uk/wp-includes/js/dist/rich-text.min.js?ver=a4056cfcb2aec8ceb3c8e8935dfd0bc4:7
    r https://www.shbforum.co.uk/wp-includes/js/dist/rich-text.min.js?ver=a4056cfcb2aec8ceb3c8e8935dfd0bc4:2
    richText https://www.shbforum.co.uk/wp-includes/js/dist/rich-text.min.js?ver=a4056cfcb2aec8ceb3c8e8935dfd0bc4:2
    <anonymous> https://www.shbforum.co.uk/wp-includes/js/dist/rich-text.min.js?ver=a4056cfcb2aec8ceb3c8e8935dfd0bc4:2
data.min.js:2:4301
Uncaught EvalError: call to Function() blocked by CSP
    t https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    exports https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    a https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    $ https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    registerStore https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    registerStore https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    b https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    456 https://www.shbforum.co.uk/wp-includes/js/dist/keyboard-shortcuts.min.js?ver=9cbe52add50401a0e626ebfcb37d742a:2
    n https://www.shbforum.co.uk/wp-includes/js/dist/keyboard-shortcuts.min.js?ver=9cbe52add50401a0e626ebfcb37d742a:2
    keyboardShortcuts https://www.shbforum.co.uk/wp-includes/js/dist/keyboard-shortcuts.min.js?ver=9cbe52add50401a0e626ebfcb37d742a:2
    <anonymous> https://www.shbforum.co.uk/wp-includes/js/dist/keyboard-shortcuts.min.js?ver=9cbe52add50401a0e626ebfcb37d742a:2
data.min.js:2:4301
Uncaught EvalError: call to Function() blocked by CSP
    t https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    exports https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    a https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    $ https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    registerStore https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    registerStore https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    b https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    455 https://www.shbforum.co.uk/wp-includes/js/dist/notices.min.js?ver=e8ba84906787f0394f07956c137fc314:2
    r https://www.shbforum.co.uk/wp-includes/js/dist/notices.min.js?ver=e8ba84906787f0394f07956c137fc314:2
    notices https://www.shbforum.co.uk/wp-includes/js/dist/notices.min.js?ver=e8ba84906787f0394f07956c137fc314:2
    <anonymous> https://www.shbforum.co.uk/wp-includes/js/dist/notices.min.js?ver=e8ba84906787f0394f07956c137fc314:2
data.min.js:2:4301
Uncaught EvalError: call to Function() blocked by CSP
    t https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    exports https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    a https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    $ https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    registerStore https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    registerStore https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    b https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    454 https://www.shbforum.co.uk/wp-includes/js/dist/viewport.min.js?ver=74fa211298bad8b930c1e9c17d583843:2
    n https://www.shbforum.co.uk/wp-includes/js/dist/viewport.min.js?ver=74fa211298bad8b930c1e9c17d583843:2
    viewport https://www.shbforum.co.uk/wp-includes/js/dist/viewport.min.js?ver=74fa211298bad8b930c1e9c17d583843:2
    <anonymous> https://www.shbforum.co.uk/wp-includes/js/dist/viewport.min.js?ver=74fa211298bad8b930c1e9c17d583843:2
data.min.js:2:4301
Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”). Source: function anonymous(r,s,a
) {
return {"blockTypes":r["blockTypes"](s["blockTypes"],a),"blockStyles":r["blockStyles"](s["blockStyles"],a),"blockVariations":r["blockVariations"](s["blockVariations"],a),"defaultBlockName":r["defaultBlockName"](s["defaultBlockName"],a),"freeformFallbackBlockName":r["freeformFallbackBlockName"](s["freeformFallbackBlockName"],a),"unregisteredFallbackBlockName":r["unregisteredFallbackBlockName"](s["unregisteredFallbackBlockName"],a),"groupingBlockName":r["groupingBlockName"](s["groupingBlockName"],a),"categories":r["categories"](s["categories"],a),"collections":r["collections"](s["collections"],a),}
}. data.min.js:2:4300
Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”). Source: function anonymous(r,s,a
) {
return {"formatTypes":r["formatTypes"](s["formatTypes"],a),}
}. data.min.js:2:4300
Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”). Source: function anonymous(r,s,a
) {
return {"metadata":r["metadata"](s["metadata"],a),"root":r["root"](s["root"],a),}
}. 3 data.min.js:2:4300
Uncaught EvalError: call to Function() blocked by CSP
    t https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    exports https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    Hu Lodash
    blockEditor https://www.shbforum.co.uk/wp-includes/js/dist/block-editor.min.js?ver=6d92bbc61845b6652c64f83c59aee1f0:12
    n https://www.shbforum.co.uk/wp-includes/js/dist/block-editor.min.js?ver=6d92bbc61845b6652c64f83c59aee1f0:2
    blockEditor https://www.shbforum.co.uk/wp-includes/js/dist/block-editor.min.js?ver=6d92bbc61845b6652c64f83c59aee1f0:2
    <anonymous> https://www.shbforum.co.uk/wp-includes/js/dist/block-editor.min.js?ver=6d92bbc61845b6652c64f83c59aee1f0:2
data.min.js:2:4301
Uncaught EvalError: call to Function() blocked by CSP
    t https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    exports https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    447 https://www.shbforum.co.uk/wp-includes/js/dist/core-data.min.js?ver=966113d894f354075b1eed5a141241bb:2
    r https://www.shbforum.co.uk/wp-includes/js/dist/core-data.min.js?ver=966113d894f354075b1eed5a141241bb:2
    coreData https://www.shbforum.co.uk/wp-includes/js/dist/core-data.min.js?ver=966113d894f354075b1eed5a141241bb:2
    <anonymous> https://www.shbforum.co.uk/wp-includes/js/dist/core-data.min.js?ver=966113d894f354075b1eed5a141241bb:2
data.min.js:2:4301
Uncaught TypeError: K is undefined
    436 https://www.shbforum.co.uk/wp-includes/js/dist/block-library.min.js?ver=e663e74b68c0a8539a9c2ae8bf4dfd07:29
    r https://www.shbforum.co.uk/wp-includes/js/dist/block-library.min.js?ver=e663e74b68c0a8539a9c2ae8bf4dfd07:2
    blockLibrary https://www.shbforum.co.uk/wp-includes/js/dist/block-library.min.js?ver=e663e74b68c0a8539a9c2ae8bf4dfd07:2
    <anonymous> https://www.shbforum.co.uk/wp-includes/js/dist/block-library.min.js?ver=e663e74b68c0a8539a9c2ae8bf4dfd07:2
block-library.min.js:29:59845
Uncaught TypeError: i is undefined
    438 https://www.shbforum.co.uk/wp-includes/js/dist/editor.min.js?ver=1b4e724c353c8156e7987cc825fcf6d6:12
    n https://www.shbforum.co.uk/wp-includes/js/dist/editor.min.js?ver=1b4e724c353c8156e7987cc825fcf6d6:2
    editor https://www.shbforum.co.uk/wp-includes/js/dist/editor.min.js?ver=1b4e724c353c8156e7987cc825fcf6d6:2
    <anonymous> https://www.shbforum.co.uk/wp-includes/js/dist/editor.min.js?ver=1b4e724c353c8156e7987cc825fcf6d6:2
editor.min.js:12:28196
Uncaught EvalError: call to Function() blocked by CSP
    t https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    exports https://www.shbforum.co.uk/wp-includes/js/dist/data.min.js?ver=75f90354ddff4acd5b0b4026454037ca:2
    Hu Lodash
    439 https://www.shbforum.co.uk/wp-includes/js/dist/edit-post.min.js?ver=c2b76a0494382d835bb3dbd6b0e2c934:7
    r https://www.shbforum.co.uk/wp-includes/js/dist/edit-post.min.js?ver=c2b76a0494382d835bb3dbd6b0e2c934:2
    editPost https://www.shbforum.co.uk/wp-includes/js/dist/edit-post.min.js?ver=c2b76a0494382d835bb3dbd6b0e2c934:2
    <anonymous> https://www.shbforum.co.uk/wp-includes/js/dist/edit-post.min.js?ver=c2b76a0494382d835bb3dbd6b0e2c934:2
data.min.js:2:4301
Uncaught TypeError: wp.richText is undefined
    <anonymous> https://www.shbforum.co.uk/wp-content/plugins/tinymce-advanced/block-editor/classic-paragraph.js?ver=5500:1
    o https://www.shbforum.co.uk/wp-content/plugins/tinymce-advanced/block-editor/classic-paragraph.js?ver=5500:1
    <anonymous> https://www.shbforum.co.uk/wp-content/plugins/tinymce-advanced/block-editor/classic-paragraph.js?ver=5500:1
    <anonymous> https://www.shbforum.co.uk/wp-content/plugins/tinymce-advanced/block-editor/classic-paragraph.js?ver=5500:1
classic-paragraph.js:1:1166
Uncaught TypeError: n.blockEditor is undefined
    <anonymous> https://www.shbforum.co.uk/wp-content/plugins/tinymce-advanced/block-editor/richtext-buttons.js?ver=5500:1
    o https://www.shbforum.co.uk/wp-content/plugins/tinymce-advanced/block-editor/richtext-buttons.js?ver=5500:1
    <anonymous> https://www.shbforum.co.uk/wp-content/plugins/tinymce-advanced/block-editor/richtext-buttons.js?ver=5500:1
    <anonymous> https://www.shbforum.co.uk/wp-content/plugins/tinymce-advanced/block-editor/richtext-buttons.js?ver=5500:1
richtext-buttons.js:1:1088
Uncaught TypeError: o is undefined
    jQuery 5
load-scripts.php:13:26279
Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”). Source: function anonymous(r,s,a
) {
return {"byClientId":r["byClientId"](s["byClientId"],a),"attributes":r["attributes"](s["attributes"],a),"order":r["order"](s["order"],a),"parents":r["parents"](s["parents"],a),"controlledInnerBlocks":r["controlledInnerBlocks"](s["controlledInnerBlocks"],a),}
}. data.min.js:2:4300
Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”). Source: function anonymous(r,s,a
) {
return {"items":r["items"](s["items"],a),"queries":r["queries"](s["queries"],a),}
}. data.min.js:2:4300
Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”). Source: function anonymous(r,s,a
) {
return {"panels":r["panels"](s["panels"],a),"features":r["features"](s["features"],a),"editorMode":r["editorMode"](s["editorMode"],a),"hiddenBlockTypes":r["hiddenBlockTypes"](s["hiddenBlockTypes"],a),"preferredStyleVariations":r["preferredStyleVariations"](s["preferredStyleVariations"],a),"localAutosaveInterval":r["localAutosaveInterval"](s["localAutosaveInterval"],a),}
}. data.min.js:2:4300
Uncaught TypeError: wp.editPost is undefined
    _wpLoadBlockEditor https://www.shbforum.co.uk/wp-admin/post.php?post=588&action=edit:278
    r https://www.shbforum.co.uk/wp-includes/js/dist/dom-ready.min.js?ver=db63eb2f693cb5e38b083946b14f0684:2
    _wpLoadBlockEditor https://www.shbforum.co.uk/wp-admin/post.php?post=588&action=edit:277
    <anonymous> https://www.shbforum.co.uk/wp-admin/post.php?post=588&action=edit:276
    <anonymous> https://www.shbforum.co.uk/wp-admin/post.php?post=588&action=edit:281
post.php:278:4

Change History (15)

#1 @SergeyBiryukov
4 years ago

  • Description modified (diff)
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Severity changed from critical to normal
  • Status changed from new to closed

Hi there, welcome to Trac! Thanks for the report.

I'm sorry to hear you are having issues with your website since the latest update, but this topic is best discussed on the support forums or directly with the developer of your theme or website.

Before heading there to create a post though, I recommend reading through the following list of potential issues with 5.5: https://wordpress.org/support/topic/read-this-first-wordpress-5-5-master-list/

The most likely issue is that a plugin on your site is running old JavaScript code. Could you try installing and activating this plugin: https://wordpress.org/plugins/enable-jquery-migrate-helper/.

This will confirm that there is JavaScript on your site that needs to be updated to follow more modern jQuery practices. You can leave the plugin active for the time being, but the breaking code will need to be updated before the next step of the Upgrading jQuery in Core roadmap.

If this does not fix the issue, feel free to create a support topic.

#2 in reply to: ↑ description @johnxba
3 years ago

  • Resolution invalid deleted
  • Status changed from closed to reopened
Last edited 3 years ago by johnxba (previous) (diff)

#3 follow-up: @johnxba
3 years ago

"Uncaught EvalError: call to Function() blocked by CSP" is Firefox complaining (F12) about the use of eval in scripts. Eval must not be used in scripts because it is a security risk. CSP (Content Security Policy) can be used to enforce protection.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Why eval should not be used in Javascript: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval

The error appears when wp-admin is used and an admin is logged in. In the current version of WordPress, two of the scripts containing eval according to Firefox are:
wp-includes/js/wp-util.min.js?ver=5.8:2
wp-includes/js/underscore.min.js?ver=1.8.3:2

Please remove the use of eval in scripts in WordPress.

Last edited 3 years ago by johnxba (previous) (diff)

#4 @jornfranke
3 years ago

I support this. Eval is a no go from a security point of view and does not allow to use WordPress in safe manner. I think those security aspects should play a more important role. Wordpress core should be free of inline scripts/css and eval.
For plugins one can then decide not to use them if they do not support this. I would estimate though that plugin developers will also quicker update the plugins as no one will use unsafe developed plugins.

#5 in reply to: ↑ 3 @jornfranke
2 years ago

Replying to johnxba:

"Uncaught EvalError: call to Function() blocked by CSP" is Firefox complaining (F12) about the use of eval in scripts. Eval must not be used in scripts because it is a security risk. CSP (Content Security Policy) can be used to enforce protection.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Why eval should not be used in Javascript: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval

The error appears when wp-admin is used and an admin is logged in. In the current version of WordPress, two of the scripts containing eval according to Firefox are:
wp-includes/js/wp-util.min.js?ver=5.8:2
wp-includes/js/underscore.min.js?ver=1.8.3:2

Please remove the use of eval in scripts in WordPress.

#6 @jornfranke
2 years ago

Can anyone say if this has been resolved in 5.9.x?

#7 @desrosj
2 years ago

  • Resolution set to invalid
  • Status changed from reopened to closed

I've been doing some testing for this one and I'm unable to reproduce.

I've also checked, and I'm unable to find any occurrences of eval() in the source code of WordPress 6.0 (with a few exceptions found within external libraries).

If anyone is able to reproduce this, please reopen with detailed steps how they are able to reproduce so other contributors can investigate further.

#8 @jornfranke
2 years ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

I still see it in the latest WP6 version.
Please note that unsafe-eval is not only about eval, but also about Function() etc. (see here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_eval_expressions).

You need to edit any post in the Block editor and in/related to the following scripts (or scripts these scripts are calling) - most of them are related to the use of Function():

  • /wp-includes/js/dist/data.min.js
  • /wp-includes/js/dist/core-data.min.js
  • wp-includes/js/dist/reusable-blocks.min.js
  • wp-includes/js/dist/notices.min.js
  • wp-includes/js/dist/keyboard-shortcuts.min.js
  • wp-includes/js/dist/rich-text.min.js
  • wp-includes/js/dist/viewport.min.js?
  • wp-includes/js/dist/block-editor.min.js
  • wp-includes/js/dist/preferences.min.js
  • wp-includes/js/dist/editor.min.js
  • wp-includes/js/dist/edit-post.min.js wp-includes/js/dist/block-directory.min.js
  • wp-includes/js/dist/format-library.min.js
  • wp-includes/js/dist/dom-ready.min.js
  • wp-content/themes/twentytwentyone/assets/js/editor.js
  • ... in fact many more (because they dont get called, I think all js files in dist are affected)

See here for examples for problematic statements:

Note: those are just some examples, the files even contain much more instances of function (see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function)

Those are as said before mostly related to function() {} and thus they prevent setting a secure CSP on any WordPress instance.

All this prevents to remove unsafe-eval from the CSPs and they introduce significant security risks.

I do not know why WP does it this way, so I cannot estimate the efforts. However, the security benefits of having a safe CSP outweights this probably. Looking forward to test any fix to this.

#9 @jornfranke
2 years ago

Sorry, I meant of course Function (capital F) object. Examples:

As you see it is the same as eval and thus bad.

It is also in a couple of other places, but luckily not in as many as above.
Unfortunately, the concept of having a Function object as parameter is in nearly all JS files mentioned above meaning it will be more work to update it. For example (there are more):

However, from a security point of view a must from my point of view. While the use itself it is insecure, also we cannot use CSPs to prevent that it is used by accident or on purpose in plugins that may then also introduce security problems.

Version 1, edited 2 years ago by jornfranke (previous) (next) (diff)

#10 @jornfranke
2 years ago

btw. the vega visualization grammar had a similar issue (they used eval/Functions) and they wrote an interpreter to represent calculation expressions, maybe in a solution to the problem you can inspire from this? Find it here: https://github.com/vega/vega/tree/main/packages/vega-interpreter

#11 @desrosj
2 years ago

  • Keywords reporter-feedback close added
  • Milestone set to Awaiting Review

Please note that unsafe-eval is not only about eval, but also about Function() etc. (see here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_eval_expressions).

Understood.

I'm still unable to reproduce these warnings on a fresh install. To test, I've manually added almost every core block type and I don't see the CSP warnings above. Can you share more about how you're able to reproduce? Are there any plugins running on sites where you are able to reproduce? Are you using a non-default theme.

All of the files above are maintained within the Gutenberg repository on GitHub, so this will likely need to be opened as an issue there. I did find Gutenberg-20395 from ~2.5 years ago, but otherwise no mention of this issue.

Adding the close keyword since this may need to be reported upstream, but waiting for more details to try and reproduce.

#12 @jornfranke
2 years ago

Well, they are in the Javascript files distributed with the current version of WordPress (as also demonstrated via the links above) - I can also reproduce them with a WordPress 6.x installation, so I think the issue is correct here. They may not be only related to the block editor, but the issue is most visible there.

The Function objects need to be for sure removed from the WordPress repository. Not sure if the Gutenberg repository helps here.

One third party dependency in Gutenberg is turbo-combine-reducers (a not maintained package), which is used at least in the data package of Gutenberg: https://github.com/aduth/turbo-combine-reducers/blob/master/index.js#L25

Which has the issue.

Another one is directly in Gutenberg: https://github.com/WordPress/gutenberg/blob/trunk/packages/block-editor/src/utils/parse-css-unit-to-px.js#L27

I created for the one in Gutenberg an issue there: https://github.com/WordPress/gutenberg/issues/42513

However, since WordPress contains the problematic code of Gutenberg, I recommend to keep this open until it is fixed there and integrated in WordPress

#13 @desrosj
23 months ago

  • Keywords reporter-feedback close removed
  • Milestone Awaiting Review deleted
  • Resolution set to reported-upstream
  • Status changed from reopened to closed

However, since WordPress contains the problematic code of Gutenberg, I recommend to keep this open until it is fixed there and integrated in WordPress

While this is true, there are no actions that can be taken on the Core SVN side until changes are made upstream in the Gutenberg repository and the related npm packages are updated. Any changes made upstream will be merged into WordPress Core itself when those dependency versions are bumped.

#14 @jornfranke
9 months ago

This has been fixed by Gutenberg:
https://github.com/WordPress/gutenberg/issues/42513

Any idea when this can be included?

I see still in Wordpress 6.4.2 the issue...
Thanks!

Last edited 9 months ago by jornfranke (previous) (diff)

#15 @jornfranke
3 months ago

This was fixed in WordPress 6.5 including the Gutenberg editor that removed the need for using unsafe-eval in the content security policy.

Last edited 3 months ago by jornfranke (previous) (diff)
Note: See TracTickets for help on using tickets.