Make WordPress Core

Opened 8 months ago

Last modified 7 weeks ago

#60979 reviewing defect (bug)

safecss_filter_attr() should support query strings with "&" as used by Gutenberg

Reported by: philippmuenchen's profile philippmuenchen Owned by:
Milestone: 6.8 Priority: normal
Severity: normal Version: 6.5
Component: Formatting Keywords: has-patch has-unit-tests changes-requested
Focuses: Cc:

Description

Gutenberg transforms "&" to "&" when saving content.

E.g. for the Media/Text-Block the content that is filtered by safecss_filter_attr() might contain "&" as here:

style="background-image:url(https://example.com/uploads/sites/2/2023/10/image.jpg?width=1024&height=600);background-position:46% 43%"


As safecss_filter_attr() simply explodes the style value by semicolons. Therefore the example above does not pass and gets striped out. Finally the block layout breaks as the saved result is:

style="background-position:46% 43%"

Fixing it for the moment by filtering the content before kses-functions:

<?php
add_filter('pre_kses', function ($content) {
    // Replace all '&amp;' with '&' in the parameters of every URL in the content
    return preg_replace_callback('/(https?:\/\/[^\s]*?)&amp;([^#]*?)/', function($matches) {
        return str_replace('&amp;', '&', $matches[0]);
    }, $content);
});

Change History (28)

#1 @khoipro
8 months ago

  • Keywords needs-dev-note added

Great catch! I have the same issue with one of my project.

This ticket was mentioned in PR #6645 on WordPress/wordpress-develop by @narenin.


6 months ago
#2

  • Keywords has-patch added; needs-patch removed

#3 @narenin
6 months ago

  • Keywords needs-testing added

Hi,

I have added the PR with Fix.

#4 @swissspidy
6 months ago

  • Component changed from Posts, Post Types to Formatting
  • Keywords needs-unit-tests dev-feedback added; needs-dev-note removed
  • Milestone changed from Awaiting Review to 6.6

#5 @narenin
6 months ago

  • Keywords has-unit-tests added; needs-unit-tests removed

@hmbashar commented on PR #6645:


6 months ago
#6

This PR look good for me

This ticket was mentioned in Slack in #core by oglekler. View the logs.


6 months ago

This ticket was mentioned in PR #6645 on WordPress/wordpress-develop by @narenin.


6 months ago
#8

Trac ticket: Core-60979

This ticket was mentioned in PR #6645 on WordPress/wordpress-develop by @narenin.


5 months ago
#9

Trac ticket: Core-60979

This ticket was mentioned in Slack in #core by nhrrob. View the logs.


5 months ago

#11 @nhrrob
5 months ago

  • Milestone changed from 6.6 to 6.7

We are very close 6.6 RC1
Moving to next milestone

#12 @hellofromTonya
5 months ago

  • Type changed from defect (bug) to enhancement

Patch: https://github.com/WordPress/wordpress-develop/pull/6645

The scope of work in the patch appears to be more of an enhancement, as it adds a lot of new code and new functions to add support for query strings with "&amp;".

Changing this ticket to enhancement.

This ticket was mentioned in PR #6645 on WordPress/wordpress-develop by @narenin.


5 months ago
#13

Trac ticket: Core-60979

@dmsnell commented on PR #6645:


5 months ago
#14

By accident I pushed an additional commit to this branch after merging in trunk and then I didn't notice for the past two weeks. I've removed the commit I pushed (74d3c4c94a) to bring it back to the state @narenin left it in, just with the previous trunk merge.

#15 @desrosj
2 months ago

@dmsnell Are you looking to try and commit this for 6.7? The beta 1 deadline is in roughly 24 hours.

#16 @hellofromTonya
2 months ago

  • Keywords dev-feedback removed
  • Type changed from enhancement to defect (bug)

Patch: https://github.com/WordPress/wordpress-develop/pull/6645

Converting this ticket back to a defect. The scope of the patch is directly focused on fixing the bug. No new functionality is added.

Removing dev-feedback given multiple committers involved in the patch's review.

#17 @hellofromTonya
2 months ago

  • Keywords commit added; needs-testing removed
  • Owner set to hellofromTonya
  • Status changed from new to reviewing

Patch: https://github.com/WordPress/wordpress-develop/pull/6645

Has an approval from @dmsnell.

I also reviewed, tested, and approved it.

The patch is ready for commit. Self-assigning to commit it.

@hellofromTonya commented on PR #6645:


2 months ago
#18

As I was preparing a commit for this, I started to wonder:

$css = WP_HTML_Decoder::decode_attribute( $css );

Within a URL query params, _could there ever_ be valid entities that should not be decoded?

@dmsnell @peterwilsoncc @sabernhardt (for CSS expertise)

@dmsnell commented on PR #6645:


2 months ago
#19

Within a URL query params, could there ever be valid entities that should not be decoded?

@hellofromtonya this is a good question, and one reason to avoid html_entity_decode(). there are special rules regarding an "ambiguous ampersand" in attribute values specifically to handle cases where people don't properly encode the value.

otherwise, the value in the attribute _will_ be decoded by a browser, so the argument here is that we should work with the same value a browser will, otherwise errors and potential vulnerabilities will slip in.

_if_ the value comes from an HTML attribute, unless it was retrieved by the HTML API's get_attribute() (which automatically performs the decoding), then we will want to transform from HTML space to PHP space, process, and then transform back.

@hellofromTonya commented on PR #6645:


2 months ago
#20

Thank you @dmsnell for confirming. I added another dataset with valid entities in the path and query params, just to validate it before and after the changes.

Alrighty, now ready for commit.

This ticket was mentioned in Slack in #core by chaion07. View the logs.


2 months ago

#22 @chaion07
2 months ago

  • Keywords changes-requested added

Thanks @philippmuenchen for reporting this. We reviewed this Ticket during a recent bug-scrub session. Here's the summary:

  1. There's a small change request comment recently made under PR
  2. We are adding the changes-requested label
  3. We should follow up with the PR submitter

Thank you.

Props to @pratiklondhe for these suggestions.

Cheers!

@sabernhardt commented on PR #6645:


2 months ago
#23

Do the tests still need to cover multiple properties grouped together, as in the example from the ticket's description?
background-image:url(https://example.com/uploads/sites/2/2023/10/image.jpg?width=1024&amp;height=600);background-position:46% 43%

@narenin commented on PR #6645:


2 months ago
#24

Thanks @sabernhardt and @peterwilsoncc for the test scenarios.

I have added these and it is passing, please check.

#25 @hellofromTonya
2 months ago

  • Keywords commit removed

Removing commit. Need to first explore the possibility of a safety concern for decoding without re-encoding:

What if the incoming string has encoded nefarious HTML in it? For example, what if it's this

'background-image: url("&#60script&#62alert`1`&#60/script&#62")'

Result:

background-image: url("<script>alert`1`</script>")

Seems unsafe unless it gets re-encoded before returning.

#26 @hellofromTonya
2 months ago

  • Owner hellofromTonya deleted

As this is not yet ready for commit, i.e. as the discussion continues, removing myself as committer.

This ticket was mentioned in Slack in #core by stoyangeorgiev. View the logs.


7 weeks ago

#28 @stoyangeorgiev
7 weeks ago

  • Milestone changed from 6.7 to 6.8

Discussed in a bug-scrub. As the PR is pending review at the moment of discussion and Beta 3 coming in a few hours, moving this one to 6.8

Note: See TracTickets for help on using tickets.