Opened 13 months ago
Last modified 8 months ago
#59310 assigned defect (bug)
Parse blocks being applied unnecessarily
Reported by: | spacedmonkey | Owned by: | |
---|---|---|---|
Milestone: | Awaiting Review | Priority: | normal |
Severity: | normal | Version: | 5.3.1 |
Component: | Editor | Keywords: | has-patch |
Focuses: | performance | Cc: |
Description
The filter wp_pre_kses_block_attributes
is applied to any field that runs through wp_kses_hook
. Any fields on any object field that is run through wp_filter_kses
. This includes fields like comment_author_email, user_email, term_name and user_last_name. It is extremely unlikely that these text fields will contain block data. This filter should be changed.
Attachments (1)
Change History (10)
This ticket was mentioned in Slack in #core-performance by spacedmonkey. View the logs.
13 months ago
#4
@
13 months ago
Yes, the referenced patch was related to a security vulnerability, so I’d exercise caution with any revisions. That said, there were additional tests in the private security test suite beyond what’s included in the public commit, which may provide some assurances to avoid a regression.
As far as fields where block content isn’t expected or supported, I don’t specifically recall if those were susceptible in the same way, so it might be possible to exclude them specifically for some gains.
There may also be some options to optimize such that it’s only applied at save-time, but it’d need to be done in a way that handles legacy content.
I’d suggest collaborating with someone on the security team to navigate any potential regressions, as well as to help run the security test suite against any proposed patches.
This ticket was mentioned in PR #5174 on WordPress/wordpress-develop by @spacedmonkey.
13 months ago
#5
- Keywords has-patch added
Trac ticket: https://core.trac.wordpress.org/ticket/59310
#6
@
13 months ago
I have put together a PR as a POC of remove filter on term name. This reduced the number of times blocks are parsed. See https://github.com/WordPress/wordpress-develop/pull/5174
This was added in [46896], which seems to have been done for security purposes, so whomever looks into this should ensure that any adjustments made here don't expose the security bug that this was added to fix.