Make WordPress Core

Opened 4 months ago

Closed 3 months ago

Last modified 3 months ago

#60360 closed task (blessed) (fixed)

Make WP_Theme_JSON to sanitize data on indexed arrays

Reported by: mmaattiiaass's profile mmaattiiaass Owned by: youknowriad's profile youknowriad
Milestone: 6.5 Priority: normal
Severity: normal Version: 6.5
Component: Editor Keywords: gutenberg-merge has-patch has-unit-tests
Focuses: Cc:

Description

Currently, WP_Theme_JSON sanitization is not able to sanitize data contained on indexed arrays. So certain data from theme.json, for example, settings.typography.fontFamilies which is a JSON array, cannot be sanitized. Why? because when parsing the JSON data WP_Theme_JSON translates JSON arrays into PHP indexed arrays and the class is not capable of sanitizing that kind of data.

I think it would be useful to add nested indexed array schema sanitization capabilities to the WP_Theme_JSON class. For that reason, this ticket is aimed to bring that capability into core from WP_Theme_JSON_Gutenberg.

Syncs https://github.com/WordPress/gutenberg/pull/56447

Change History (13)

This ticket was mentioned in PR #5957 on WordPress/wordpress-develop by matiasbenedetto.


4 months ago
#1

## What?
WP_Theme_JSON:

  • Add nested indexed array schema sanitization capabilities.
  • Add settings.typography.fontFamilies validation
  • Add unit tests.

## Why?
Currently, WP_Theme_JSON sanitization is not able to sanitize data contained on indexed arrays. So certain data from theme.json, for example, settings.typography.fontFamilies which is a JSON array, cannot be sanitized. Why? because when parsing the JSON data WP_Theme_JSON class translates JSON arrays into PHP indexed arrays and the it is not capable of sanitizing that kind of data.

---
Trac ticket: https://core.trac.wordpress.org/ticket/60360#

#2 @youknowriad
4 months ago

  • Owner set to youknowriad
  • Resolution set to fixed
  • Status changed from new to closed

In 57496:

Editor: Sanitize nested array in theme.json properly.

WP_Theme_JSON sanitization is now able to sanitize data contained on indexed arrays.
So certain data from theme.json, for example, settings.typography.fontFamilies which is a JSON array will be sanitized.

Props mmaattiiaass, mukesh27.
Fixes #60360.

#3 @youknowriad
4 months ago

  • Milestone changed from Awaiting Review to 6.5

#5 @spacedmonkey
4 months ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

#6 follow-up: @spacedmonkey
4 months ago

I wonder instead of creating a new method is_assoc, we could simply use array_is_list ( which can be used in core since [57337]) or maybe wp_is_numeric_array?

This ticket was mentioned in PR #6007 on WordPress/wordpress-develop by @mmaattiiaass.


4 months ago
#7

  • Remove custom is_assoc method and replace it by the wp_is_numeric_array.
  • Simplify the code by reverting the order of an if and else to avoid using !wp_is_numeric_array() and isnstead use wp_is_numeric_array()

props to @spacedmonkey that suggested the user of wp_is_numeric_array https://core.trac.wordpress.org/ticket/60360#comment:6

#8 in reply to: ↑ 6 @mmaattiiaass
4 months ago

Replying to spacedmonkey:

I wonder instead of creating a new method is_assoc, we could simply use array_is_list ( which can be used in core since [57337]) or maybe wp_is_numeric_array?

Yes, good idea, thanks for pointing that out.
I implemented the suggested change here: https://github.com/WordPress/wordpress-develop/pull/6007

This ticket was mentioned in Slack in #core by chaion07. View the logs.


3 months ago

#10 @swissspidy
3 months ago

  • Type changed from enhancement to task (blessed)

Marking as task for the follow-up polish required here.

#11 @swissspidy
3 months ago

I don't really like this protected is_assoc method either, so let's make sure we fix this in 6.5.

#12 @swissspidy
3 months ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 57751:

Editor: Simplify sanitization code path in WP_Theme_JSON after [57496]

Removes the custom WP_Theme_JSON::is_assoc() method again in favor of the existing wp_is_numeric_array() helper function.

Props mmaattiiaass, costdev, swissspidy, spacedmonkey.
Fixes #60360.

Note: See TracTickets for help on using tickets.