Make WordPress Core

Opened 4 weeks ago

Last modified 4 weeks ago

#62787 new defect (bug)

Twenty Nineteen: sanitize output of twentynineteen_custom_colors_css()

Reported by: pitamdey's profile pitamdey Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Bundled Theme Keywords: has-patch
Focuses: coding-standards Cc:

Description (last modified by sabernhardt)

In theme Twenty Nineteen , I can see one PHPCS Warning in functions.php file i.e.
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'twentynineteen_custom_colors_css'

Here :

<style type="text/css" id="custom-theme-colors" <?php echo is_customize_preview() ? 'data-hue="' . absint( $primary_color ) . '"' : ''; ?>>
		<?php echo twentynineteen_custom_colors_css(); ?>
	</style>

Attachments (1)

62787.patch (565 bytes) - added by pitamdey 4 weeks ago.
Patch for this issue

Download all attachments as: .zip

Change History (6)

@pitamdey
4 weeks ago

Patch for this issue

This ticket was mentioned in Slack in #core-test by oglekler. View the logs.


4 weeks ago

#2 @sabernhardt
4 weeks ago

  • Component changed from Themes to Bundled Theme
  • Description modified (diff)
  • Focuses coding-standards added; php-compatibility removed
  • Summary changed from Twenty Nineteen : PHPCS Fixes to Twenty Nineteen: sanitize output of twentynineteen_custom_colors_css()
  1. The default output of twentynineteen_custom_colors_css() is CSS only, but that is filterable.
  2. At least two plugins use the filter.
  3. To remove any added HTML entirely, consider wp_strip_all_tags() instead of esc_html(). Note that either function could affect a tag name within a CSS comment (esc_html would be better for that unlikely possibility).
  4. twentynineteen_custom_colors_css() outputs code in two places. If the 'custom-theme-colors' styles escape or remove HTML tags, then the inline style for 'twentynineteen-editor-customizer-styles' probably should use the same function.

This ticket was mentioned in PR #8101 on WordPress/wordpress-develop by @abcd95.


4 weeks ago
#3

Trac ticket: 62787

This PR adds proper sanitization to the custom colors CSS output in the Twenty Nineteen theme. The twentynineteen_custom_colors_css() function's output is filterable and currently outputs unsanitized content in two locations:

  • Frontend custom theme colors
  • Block editor customizer styles

The PR wraps both outputs with wp_strip_all_tags() to ensure only CSS is included, preventing potential injection of unwanted HTML through filters.

#4 @abcd95
4 weeks ago

Thanks @sabernhardt for the follow-up. Please let me know if PR #8101 looks good.

This ticket was mentioned in PR #8108 on WordPress/wordpress-develop by @mdviralsampat.


4 weeks ago
#5

Trac ticket: 62798

This PR adds proper sanitization to the custom colors CSS output in the Twenty Seventeen theme. The twentyseventeen_custom_colors_css() function's output is filterable and currently outputs unsanitized content.

The PR wraps outputs with wp_strip_all_tags() to ensure only CSS is included, preventing potential injection of unwanted HTML through filters.

Thanks,

Note: See TracTickets for help on using tickets.