From 9ad568e78a8ca73f8a4ad05a80f9fbea48ef92d8 Mon Sep 17 00:00:00 2001
From: Jorge Costa
Date: Mon, 17 Oct 2022 21:23:38 +0100
Subject: [PATCH] Add: Missing output escaping on some blocks. (#45045)
---
 packages/block-library/src/navigation/index.php | 2 +-
 packages/block-library/src/rss/index.php | 6 +++---
 packages/block-library/src/search/index.php | 10 +++++-----
 packages/widgets/src/blocks/legacy-widget/index.php | 2 +-
 packages/widgets/src/blocks/widget-group/index.php | 2 +-
 5 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/packages/block-library/src/navigation/index.php b/packages/block-library/src/navigation/index.php
index 33e1ebdbab56d..c3f6317eb2955 100644
--- a/packages/block-library/src/navigation/index.php
+++ b/packages/block-library/src/navigation/index.php
@@ -646,7 +646,7 @@ function render_block_core_navigation( $attributes, $content, $block ) {
 $toggle_aria_label_close,
 esc_attr( implode( ' ', $responsive_container_classes ) ),
 esc_attr( implode( ' ', $open_button_classes ) ),
- safecss_filter_attr( $colors['overlay_inline_styles'] ),
+ esc_attr( safecss_filter_attr( $colors['overlay_inline_styles'] ) ),
 __( 'Menu' ),
 $toggle_button_content,
 $toggle_close_button_content
diff --git a/packages/block-library/src/rss/index.php b/packages/block-library/src/rss/index.php
index 0edbc90490c31..e32155195af1d 100644
--- a/packages/block-library/src/rss/index.php
+++ b/packages/block-library/src/rss/index.php
@@ -20,7 +20,7 @@ function render_block_core_rss( $attributes ) {
 $rss = fetch_feed( $attributes['feedURL'] );
 if ( is_wp_error( $rss ) ) {
- return '
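Review bot: `__( 'Menu' )` on the context line directly after the changed one is still handed to the same sprintf() unescaped, while the commit now escapes the style slot beside it; WordPress treats translation strings as output that needs escaping too, and `esc_attr__()` / `esc_html__()` exist for exactly this. Which of the two applies depends on the format-string slot it fills, and that sprintf() call (with its format string) begins before this hunk, so it cannot be confirmed here: use `esc_attr__( 'Menu' )` if the slot is inside an attribute, `esc_html__( 'Menu' )` if it is element text. The same pattern appears in the rss hunk at line 20, where `__( 'RSS Error:' )` is concatenated into markup right next to the newly escaped `get_error_message()`; `esc_html__( 'RSS Error:' )` would match the fix made there. `$toggle_aria_label_close`, `$toggle_button_content` and `$toggle_close_button_content` are passed through as-is as well; whether they are escaped where they are built is outside this hunk.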
' . __( 'RSS Error:' ) . ' ' . $rss->get_error_message() . '
'; + return '
' . __( 'RSS Error:' ) . ' ' . esc_html( $rss->get_error_message() ) . '
';
 }
 if ( ! $rss->get_item_quantity() ) {
@@ -48,8 +48,8 @@ function render_block_core_rss( $attributes ) {
 if ( $date ) {
 $date = sprintf( ' ',
- date_i18n( get_option( 'c' ), $date ),
- date_i18n( get_option( 'date_format' ), $date )
+ esc_attr( date_i18n( get_option( 'c' ), $date ) ),
+ esc_attr( date_i18n( get_option( 'date_format' ), $date ) )
 );
 }
 }
diff --git a/packages/block-library/src/search/index.php b/packages/block-library/src/search/index.php
index 61b2cf2b06b51..26b6a7585ccc7 100644
--- a/packages/block-library/src/search/index.php
+++ b/packages/block-library/src/search/index.php
@@ -367,12 +367,12 @@ function styles_for_block_core_search( $attributes ) {
 // Add color styles.
 $has_text_color = ! empty( $attributes['style']['color']['text'] );
 if ( $has_text_color ) {
- $button_styles[] = sprintf( 'color: %s;', esc_attr( $attributes['style']['color']['text'] ) );
+ $button_styles[] = sprintf( 'color: %s;', $attributes['style']['color']['text'] );
 }
 $has_background_color = ! empty( $attributes['style']['color']['background'] );
 if ( $has_background_color ) {
- $button_styles[] = sprintf( 'background-color: %s;', esc_attr( $attributes['style']['color']['background'] ) );
+ $button_styles[] = sprintf( 'background-color: %s;', $attributes['style']['color']['background'] );
 }
 $has_custom_gradient = ! empty( $attributes['style']['color']['gradient'] );
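Review bot: The new `esc_attr( date_i18n( get_option( 'c' ), $date ) )` line escapes a value that looks wrong to begin with: `get_option( 'c' )` reads a WordPress option named "c", which presumably does not exist, so `date_i18n()` would receive `false` as its format instead of the ISO 8601 `'c'` format a `datetime` attribute needs (the second `date_i18n()` call, by contrast, correctly reads `get_option( 'date_format' )`). This predates the commit and is not what it set out to fix, but it sits on a line being rewritten, so it is the natural place to correct it: `esc_attr( date_i18n( 'c', $date ) ),`. The markup in the `sprintf()` format string appears stripped in this rendering of the hunk, so the slot order cannot be checked here.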
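Review bot: Dropping `esc_attr()` from the two `$button_styles[]` lines is only safe because the returned `style="%s"` strings are now wrapped in `esc_attr( safecss_filter_attr( ... ) )` in this file's second hunk (line 399); the two hunks must land together, and a later edit that builds a `style` attribute from `$button_styles` somewhere else would no longer get escaping for free. A short comment on the first changed line would keep that invariant visible: `// Raw value on purpose: the joined style string is passed through safecss_filter_attr() and esc_attr() when returned.` The `$has_custom_gradient` branch that starts on the last context line continues outside the hunk; if it still wraps its value in `esc_attr()` it should be brought in line with these two, since escaping is now applied once, at the return.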
@@ -399,9 +399,9 @@ function styles_for_block_core_search( $attributes ) {
 }
 return array(
- 'input' => ! empty( $input_styles ) ? sprintf( ' style="%s"', safecss_filter_attr( implode( ' ', $input_styles ) ) ) : '',
- 'button' => ! empty( $button_styles ) ? sprintf( ' style="%s"', safecss_filter_attr( implode( ' ', $button_styles ) ) ) : '',
- 'wrapper' => ! empty( $wrapper_styles ) ? sprintf( ' style="%s"', safecss_filter_attr( implode( ' ', $wrapper_styles ) ) ) : '',
+ 'input' => ! empty( $input_styles ) ? sprintf( ' style="%s"', esc_attr( safecss_filter_attr( implode( ' ', $input_styles ) ) ) ) : '',
+ 'button' => ! empty( $button_styles ) ? sprintf( ' style="%s"', esc_attr( safecss_filter_attr( implode( ' ', $button_styles ) ) ) ) : '',
+ 'wrapper' => ! empty( $wrapper_styles ) ? sprintf( ' style="%s"', esc_attr( safecss_filter_attr( implode( ' ', $wrapper_styles ) ) ) ) : '',
 'label' => ! empty( $label_styles ) ? sprintf( ' style="%s"', esc_attr( safecss_filter_attr( implode( ' ', $label_styles ) ) ) ) : '',
 );
 }
diff --git a/packages/widgets/src/blocks/legacy-widget/index.php b/packages/widgets/src/blocks/legacy-widget/index.php
index c3aa55fdfe241..94cfb9ba71ebf 100644
--- a/packages/widgets/src/blocks/legacy-widget/index.php
+++ b/packages/widgets/src/blocks/legacy-widget/index.php
@@ -34,7 +34,7 @@ function render_block_core_legacy_widget( $attributes ) {
 if ( isset( $attributes['instance']['encoded'], $attributes['instance']['hash'] ) ) {
 $serialized_instance = base64_decode( $attributes['instance']['encoded'] );
- if ( wp_hash( $serialized_instance ) !== $attributes['instance']['hash'] ) {
+ if ( ! hash_equals( wp_hash( $serialized_instance ), (string) $attributes['instance']['hash'] ) ) {
 return '';
 }
 $instance = unserialize( $serialized_instance );
diff --git a/packages/widgets/src/blocks/widget-group/index.php b/packages/widgets/src/blocks/widget-group/index.php
index 6cf6442346a30..8c8584b296d57 100644
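Review bot: The switch to `hash_equals()` in the legacy-widget hunk fixes the timing-unsafe `!==` comparison, but nothing on the changed line says why the check matters, and the very next context line is `unserialize( $serialized_instance )` on data that arrived in block attributes. The hash check is what makes that input trustworthy, so it deserves a comment, e.g. `// Integrity check before unserialize(): wp_hash() is keyed with the site salts, so only an instance this site serialized passes; hash_equals() keeps the comparison constant-time.` Consider also `base64_decode( $attributes['instance']['encoded'], true )` so malformed input fails the check early instead of having invalid characters silently dropped. The enclosing function continues outside the hunk.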
--- a/packages/widgets/src/blocks/widget-group/index.php
+++ b/packages/widgets/src/blocks/widget-group/index.php
@@ -28,7 +28,7 @@ function render_block_core_widget_group( $attributes, $content, $block ) {
 $html = '';
 if ( ! empty( $attributes['title'] ) ) {
- $html .= $before_title . $attributes['title'] . $after_title;
+ $html .= $before_title . esc_html( $attributes['title'] ) . $after_title;
 }
 $html .= '
';
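Review bot: `esc_html( $attributes['title'] )` is the right treatment for the block attribute, but `$before_title` and `$after_title` are concatenated raw on the same changed line and where they come from is not in the hunk (the function starts earlier). Presumably they are the theme's registered sidebar markup, which is trusted by design, but a one-line comment on the changed line would make that explicit for the next reader: `// $before_title / $after_title are theme-supplied sidebar markup; only the attribute needs escaping.` The `$html .= '` statement that closes the hunk is cut off in this rendering, so its markup cannot be reviewed here.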