﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc	focuses
65608	Themes: Harden process_blocks_custom_css() against non-string input	hannahtinkler		"`WP_Theme_JSON::process_blocks_custom_css()` accepts a `$css` parameter typed as string in its docblock, but performs no runtime type check. If a non-string value reaches the function, the `explode()` call will produce a PHP fatal error (8.X) or warning (7.X).

This can happen because:
1. The `VALID_STYLES` schema marks CSS as null, which means `remove_keys_not_in_schema()` accepts any type for this key -  arrays and integers pass through schema sanitization unchanged.
2. The `wp_theme_json_data_*` filters allow plugins and themes to modify the theme JSON data at runtime. A callback that returns a non-string value for CSS (e.g. an array) will not be caught by the sanitization and will reach `process_blocks_custom_css()`.
3. The method was made `public static` in 7.0 (changeset 61678) for use by the `custom-css block` support, making it callable by external code.


The function already has an `empty()` guard at the top. Extending this to also return early on a non-string value keeps the fix local to the function and consistent with how it already handles unusable input.
"	enhancement	new	normal	Awaiting Review	Themes	trunk	normal		has-patch has-unit-tests close		
