Opened 4 weeks ago
Last modified 4 weeks ago
#62787 new defect (bug)
Twenty Nineteen: sanitize output of twentynineteen_custom_colors_css()
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Bundled Theme | Keywords: | has-patch |
| Focuses: | coding-standards | Cc: | |
Description (last modified by )
In the Twenty Nineteen theme, I can see one PHPCS warning in the functions.php file, i.e.:

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'twentynineteen_custom_colors_css'

Here:

```php
<style type="text/css" id="custom-theme-colors" <?php echo is_customize_preview() ? 'data-hue="' . absint( $primary_color ) . '"' : ''; ?>> <?php echo twentynineteen_custom_colors_css(); ?> </style>
```
Attachments (1)
Change History (6)
This ticket was mentioned in Slack in #core-test by oglekler. View the logs.
4 weeks ago
#2
@
4 weeks ago
- Component changed from Themes to Bundled Theme
- Description modified (diff)
- Focuses coding-standards added; php-compatibility removed
- Summary changed from Twenty Nineteen : PHPCS Fixes to Twenty Nineteen: sanitize output of twentynineteen_custom_colors_css()
- The default output of twentynineteen_custom_colors_css() is CSS only, but that is filterable.
- At least two plugins use the filter.
- To remove any added HTML entirely, consider wp_strip_all_tags() instead of esc_html(). Note that either function could affect a tag name within a CSS comment (esc_html would be better for that unlikely possibility).
- twentynineteen_custom_colors_css() outputs code in two places. If the 'custom-theme-colors' styles escape or remove HTML tags, then the inline style for 'twentynineteen-editor-customizer-styles' probably should use the same function.
This ticket was mentioned in PR #8101 on WordPress/wordpress-develop by @abcd95.
4 weeks ago
#3
Trac ticket: 62787
This PR adds proper sanitization to the custom colors CSS output in the Twenty Nineteen theme. The twentynineteen_custom_colors_css() function's output is filterable and currently outputs unsanitized content in two locations:
- Frontend custom theme colors
- Block editor customizer styles
The PR wraps both outputs with wp_strip_all_tags() to ensure only CSS is included, preventing potential injection of unwanted HTML through filters.
This ticket was mentioned in PR #8108 on WordPress/wordpress-develop by @mdviralsampat.
4 weeks ago
#5
Trac ticket: 62798
This PR adds proper sanitization to the custom colors CSS output in the Twenty Seventeen theme. The twentyseventeen_custom_colors_css() function's output is filterable and currently outputs unsanitized content.
The PR wraps outputs with wp_strip_all_tags() to ensure only CSS is included, preventing potential injection of unwanted HTML through filters.
Thanks,
Patch for this issue
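The script below is an added example, not code from the Twenty Nineteen or Twenty Seventeen themes, from this ticket, or from PR #8101 / #8108. It models the situation discussed in comment 2 and in both PR descriptions: the theme builds its colour CSS, hands it to a filter, and a filter callback can hand back something other than CSS. It compares echoing the filtered string unescaped, through wp_strip_all_tags() (the PRs' choice), and through esc_html(), and it reproduces the CSS-comment caveat from comment 2. The hook name `twentynineteen_custom_colors_css`, the `demo_custom_colors_css()` stand-in, and the filter callback's return value are assumptions made for the example. Outside WordPress, simplified stand-ins for `apply_filters()`, `add_filter()`, `wp_strip_all_tags()`, `esc_html()` and `absint()` are defined so the script runs on its own with the PHP CLI; inside WordPress the real functions are used.

```php
<?php
// Added example (not the theme's, the ticket's or the PRs' own code).
// Demonstrates why the filterable CSS must be sanitized before it is
// echoed inside <style>, and how the two functions named in the ticket
// behave on a tag name inside a CSS comment.

// Stand-ins used only when this file runs outside WordPress.
if ( ! function_exists( 'apply_filters' ) ) {
	$GLOBALS['demo_filters'] = array();
	function add_filter( $hook, $callback ) {
		$GLOBALS['demo_filters'][ $hook ][] = $callback;
	}
	function apply_filters( $hook, $value ) {
		foreach ( $GLOBALS['demo_filters'][ $hook ] ?? array() as $cb ) {
			$value = $cb( $value );
		}
		return $value;
	}
}
if ( ! function_exists( 'wp_strip_all_tags' ) ) {
	// Simplified stand-in mirroring core's wp_strip_all_tags(): remove whole
	// <script>/<style> elements, then strip any remaining tags.
	function wp_strip_all_tags( $text, $remove_breaks = false ) {
		$text = preg_replace( '@<(script|style)[^>]*?>.*?</\\1>@si', '', $text );
		$text = strip_tags( $text );
		if ( $remove_breaks ) {
			$text = preg_replace( '/[\r\n\t ]+/', ' ', $text );
		}
		return trim( $text );
	}
}
if ( ! function_exists( 'esc_html' ) ) {
	// Simplified stand-in for core's esc_html(): encode &, <, >, " and '.
	function esc_html( $text ) {
		return htmlspecialchars( $text, ENT_QUOTES, 'UTF-8' );
	}
}
if ( ! function_exists( 'absint' ) ) {
	function absint( $n ) {
		return abs( intval( $n ) );
	}
}

// Assumed stand-in for the theme function: builds the colour CSS from the
// hue, then passes it through the filter (hook name assumed).
function demo_custom_colors_css( $hue ) {
	$css = ':root { --primary-color: hsl(' . absint( $hue ) . ', 100%, 33%); }';
	return apply_filters( 'twentynineteen_custom_colors_css', $css );
}

// Constructed filter callback standing in for a plugin that returns more
// than CSS: a closing </style> followed by markup. This is the "unwanted
// HTML through filters" case the PRs guard against.
add_filter( 'twentynineteen_custom_colors_css', function ( $css ) {
	return $css . '</style><p>not css</p>';
} );

$css = demo_custom_colors_css( 199 );

// Before the patch: the filtered string is echoed as-is, so the injected
// </style> terminates the style element and the <p> becomes page markup.
echo "unescaped:\n<style>" . $css . "</style>\n\n";

// After the patch: wp_strip_all_tags() removes the tags, so nothing can
// close the style element; any text between them is left as inert CSS.
echo "wp_strip_all_tags:\n<style>" . wp_strip_all_tags( $css ) . "</style>\n\n";

// The alternative discussed in comment 2: esc_html() encodes the tags, which
// is also safe inside <style>, but the encoded text remains in the CSS.
echo "esc_html:\n<style>" . esc_html( $css ) . "</style>\n\n";

// The caveat from comment 2: a tag name inside a CSS comment. Stripping
// drops the word; encoding keeps the comment readable.
$commented = '/* see <main> */ :root { --primary-color: hsl(199, 100%, 33%); }';
echo 'comment via wp_strip_all_tags: ' . wp_strip_all_tags( $commented ) . "\n";
echo 'comment via esc_html:          ' . esc_html( $commented ) . "\n";
```

Run it with `php` from the command line to see the three renderings side by side. One further point in favour of wp_strip_all_tags() for this output: esc_html() also encodes double and single quotes, so legitimate CSS string values (for example in a `content:` declaration) would be altered, whereas stripping tags leaves valid CSS untouched.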