WordPress.org
Get WordPress

Make WordPress Core

Opened 14 hours ago

Last modified 11 hours ago

#64545 reopened defect (bug)

Style Engine: Harden add_declaration against being passed illegal values

Reported by: andrewserong's profile andrewserong Owned by: isabel_brison's profile isabel_brison
Milestone: 6.9.1 Priority: normal
Severity: normal Version: trunk
Component: Editor Keywords: gutenberg-merge has-patch has-unit-tests dev-feedback
Focuses: Cc:

Description

Currently the add_declaration method assumes that it has been passed a string, when it might not have been.

I noticed on a website that someone had malformed block markup that nested margin within the spacing.padding object for a block, instead of having margin be a sibling to padding. These sorts of issues should generally fail silently rather than throwing an error.

It turns out that block spacing is passed on by the layout block support to the Style Engine, where it assumes the properties and values are correct.

We can harden against these sorts of circumstances by ensuring that the Style Engine bails early if it isn't given a string when adding a declaration.

This has already been fixed in Gutenberg, and this ticket proposes including the fix in core. The Gutenberg PR is: https://github.com/WordPress/gutenberg/pull/74881

Change History (6)

This ticket was mentioned in PR #10779 on WordPress/wordpress-develop by @andrewserong.
14 hours ago #1

  • Keywords has-patch has-unit-tests added

This PR hardens add_declaration in the Style Engine when passed non-string values. The changes are already in Gutenberg over in: https://github.com/WordPress/gutenberg/pull/74881

Trac ticket: https://core.trac.wordpress.org/ticket/64545

#2 @andrewserong
14 hours ago

  • Type changed from enhancement to defect (bug)

#3 @isabel_brison
13 hours ago

  • Owner set to isabel_brison
  • Resolution set to fixed
  • Status changed from new to closed

In 61516:

Editor: guard against non-string values in style engine.

Checks that the value passed to add_declaration is a string to prevent fatal errors due to malformed block attributes.

Props andrewserong.
Fixes #64545.

#4 @isabel_brison
13 hours ago

  • Milestone changed from 7.0 to 6.9.1
  • Resolution fixed deleted
  • Status changed from closed to reopened

#5 @isabel_brison
13 hours ago

  • Keywords dev-feedback added

@jorbin @wildworks adding this bug to the milestone because it can cause fatal errors on the front end when block attributes are malformed. Thought it would be good to get it in! The patch is committed to trunk already but needs a double check from another committer to go into the release branch, right?

#6 @wildworks
11 hours ago

it can cause fatal errors on the front end when block attributes are malformed.

If I understand correctly, this bug has been there since 6.1 when the WP_Style_Engine_CSS_Declarations class was introduced, right?

https://github.com/WordPress/wordpress-develop/blob/6.1/src/wp-includes/style-engine/class-wp-style-engine-css-declarations.php#L58-L67

I don't have a strong opinion, but personally I don't think it's necessary to backport it to a minor release right now.

Note: See TracTickets for help on using tickets.