Opened 13 months ago
Last modified 8 months ago
#62798 new defect (bug)
Twenty Seventeen: sanitize output of twentyseventeen_custom_colors_css()
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Bundled Theme | Keywords: | has-patch has-test-info |
| Focuses: | coding-standards | Cc: |
Description
Hello Team,
I have checked WordPress fork and found PHPCS Warning in functions.php file for "TwentySeventeen" theme.
i.e
All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found 'twentyseventeen_custom_colors_css'.
<style type="text/css" id="custom-theme-colors" <?php echo $customize_preview_data_hue; ?>> <?php echo twentyseventeen_custom_colors_css(); ?> </style>
Note: I have checked the core trac and found the similar issue. #62787
Thanks,
Change History (7)
This ticket was mentioned in PR #8108 on WordPress/wordpress-develop by @mdviralsampat.
13 months ago
#2
- Keywords has-patch added
Trac ticket: https://core.trac.wordpress.org/ticket/62798
This PR adds proper sanitization to the custom colors CSS output in the Twenty Seventeen theme. The twentyseventeen_custom_colors_css() function's output is filterable and currently outputs unsanitized content.
The PR wraps outputs with wp_strip_all_tags() to ensure only CSS is included, preventing potential injection of unwanted HTML through filters.
Thanks,
This ticket was mentioned in PR #8115 on WordPress/wordpress-develop by @mdviralsampat.
13 months ago
#3
Trac ticket: https://core.trac.wordpress.org/ticket/62798
This PR adds proper sanitization to the custom colors CSS output in the Twenty Seventeen theme. The twentyseventeen_custom_colors_css() function's output is filterable and currently outputs unsanitized content.
The PR wraps outputs with wp_strip_all_tags() to ensure only CSS is included, preventing potential injection of unwanted HTML through filters.
Thanks,
#4
@
8 months ago
Reproduction Report
Description
This report validates whether the issue can be reproduced.
Environment
- WordPress: 6.9-alpha-60093-src
- PHP: 8.2.28
- Server: nginx/1.27.5
- Database: mysqli (Server: 8.4.5 / Client: mysqlnd 8.2.28)
- Browser: Chrome 137.0.0.0
- OS: macOS
- Theme: Twenty Seventeen 3.9
- MU Plugins: None activated
- Plugins:
- Test Reports 1.2.0
Steps to Reproduce
- Activate the Twenty Seventeen theme.
- Add a filter in
functions.php:
add_filter( 'twentyseventeen_custom_colors_css', function( $css ) {
return $css . '<script>console.log("XSS");</script>';
} );
- Go to Appearance → Customize → Colors, adjust any custom color value (e.g., accent hue).
- You will see a popup with "XSS".
Actual Results
- ✅ Error condition occurs (reproduced).
Supplemental Artifacts
#5
follow-up:
↓ 6
@
8 months ago
Test Report
Description
This report validates whether the indicated patch works as expected.
Patch tested: https://github.com/WordPress/wordpress-develop/pull/8115.diff
Environment
- WordPress: 6.9-alpha-60093-src
- PHP: 8.2.28
- Server: nginx/1.27.5
- Database: mysqli (Server: 8.4.5 / Client: mysqlnd 8.2.28)
- Browser: Chrome 137.0.0.0
- OS: macOS
- Theme: Twenty Seventeen 3.9
- MU Plugins: None activated
- Plugins:
- Test Reports 1.2.0
Actual Results
- ✅ Issue resolved with patch.
#6
in reply to:
↑ 5
;
follow-up:
↓ 7
@
8 months ago
- Keywords has-test-info added; dev-feedback needs-testing removed
Replying to rishabhwp:
Test Report
@rishabhwp one little trick: There is a report called "Combined Bug Reproduction and Test Report", where you combine both reports, and it looks much better and all in one place (easier to read by future code reviewers). I recommend using this, here is an example
Hello Team,
I have added its PR, Please review it: PRhttps://github.com/WordPress/wordpress-develop/pull/8108
Thanks,