Changeset 58474

Timestamp:

06/24/2024 03:02:41 PM (7 weeks ago)

Author:

audrasjb

Message:

Grouped Backports to the 6.5 branch.

• Editor: Fix Path Traversal issue on Windows in Template-Part Block.
• Editor: Sanitize Template Part HTML tag on save.
• HTML API: Run URL attributes through esc_url().

Merges [58470], [58471], [58472] and [58473] to the 6.5 branch.
Props xknown, peterwilsoncc, jorbin, bernhard-reiter, azaozz, dmsnell, gziolo.

Location:

branches/6.5/src/wp-includes

Files:

• blocks.php (modified) (4 diffs)
• formatting.php (modified) (2 diffs)
• functions.php (modified) (1 diff)
• html-api/class-wp-html-tag-processor.php (modified) (1 diff)

branches/6.5/src/wp-includes/blocks.php

@@ -1448 +1448 @@
  */
 function filter_block_kses( $block, $allowed_html, $allowed_protocols = array() ) {
-    $block['attrs'] = filter_block_kses_value( $block['attrs'], $allowed_html, $allowed_protocols );
+    $block['attrs'] = filter_block_kses_value( $block['attrs'], $allowed_html, $allowed_protocols );
 
     if ( is_array( $block['innerBlocks'] ) ) {
@@ -1464 +1464 @@
  *
  * @since 5.3.1
+
  *
  * @param string[]|string $value             The attribute value to filter.
@@ -1471 +1472 @@
  * @param string[]        $allowed_protocols Optional. Array of allowed URL protocols.
  *                                           Defaults to the result of wp_allowed_protocols().
+
  * @return string[]|string The filtered and sanitized result.
  */
-function filter_block_kses_value( $value, $allowed_html, $allowed_protocols = array() ) {
+function filter_block_kses_value( $value, $allowed_html, $allowed_protocols = array() ) {
     if ( is_array( $value ) ) {
         foreach ( $value as $key => $inner_value ) {
-            $filtered_key   = filter_block_kses_value( $key, $allowed_html, $allowed_protocols );
-            $filtered_value = filter_block_kses_value( $inner_value, $allowed_html, $allowed_protocols );
+            $filtered_key   = filter_block_kses_value( $key, $allowed_html, $allowed_protocols, $block_context );
+            $filtered_value = filter_block_kses_value( $inner_value, $allowed_html, $allowed_protocols, $block_context );
+
+            if ( isset( $block_context['blockName'] ) && 'core/template-part' === $block_context['blockName'] ) {
+                $filtered_value = filter_block_core_template_part_attributes( $filtered_value, $filtered_key, $allowed_html );
+            }
 
             if ( $filtered_key !== $key ) {
@@ -1490 +1496 @@
 
     return $value;
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 }
 

branches/6.5/src/wp-includes/formatting.php

@@ -4803 +4803 @@
  *
  * @since 2.5.0
+
  *
  * @param string $tag_name
@@ -4808 +4809 @@
  */
 function tag_escape( $tag_name ) {
-    $safe_tag = strtolower( preg_replace( '/[^a-zA-Z0-9_:]/', '', $tag_name ) );
+    $safe_tag = strtolower( preg_replace( '/[^a-zA-Z0-9_:]/', '', $tag_name ) );
     /**
      * Filters a string cleaned and escaped for output as an HTML tag.

branches/6.5/src/wp-includes/functions.php

@@ -6193 +6193 @@
     }
 
+
+
+
     // `../` on its own is not allowed:
     if ( '../' === $file ) {

branches/6.5/src/wp-includes/html-api/class-wp-html-tag-processor.php

@@ -2969 +2969 @@
             $updated_attribute = $name;
         } else {
-            $escaped_new_value = esc_attr( $value );
+            $comparable_name = strtolower( $name );
+
+            /*
+             * Escape URL attributes.
+             *
+             * @see https://html.spec.whatwg.org/#attributes-3
+             */
+            $escaped_new_value = in_array( $comparable_name, wp_kses_uri_attributes() ) ? esc_url( $value ) : esc_attr( $value );
             $updated_attribute = "{$name}=\"{$escaped_new_value}\"";
         }