Global Styles: unable to save block variations when KSES is active

[dsas]

Description

The KSES filters prevent changing block variation styles via the Global Styles sidebar in the site editor.

These filters are only registered when a user doesn't have the unfiltered_html capability (which is the case for multisite regular admins).

When these filters are active, any change to the block variation property is reverted back to its previous value.

Looking at the HTTP request to the global-styles endpoint, the PUT request includes the block variation changes but the response doesn't.

Step-by-step reproduction instructions

1. Activate latest Gutenberg on a multisite install, or test with a user not having the unfiltered_html capability, or enable the KSES filters with add_action( 'init', 'kses_init_filters' );
2. Go to Appearance > Editor
3. Open the Styles sidebar
4. Select "Blocks"
5. Select "Button"
6. Select the Outline style variation
7. Change a property away from the initial setting, e.g. set the background
8. Save the changes
9. ⚠️ Note how the changes are reverted

Screenshots, screen recording, code snippet

Screen.Recording.2023-08-08.at.15.26.58.mov

Environment info

GB plugin trunk

Please confirm that you have searched existing issues in the repo.

Yes

Please confirm that you have tested with all plugins deactivated except Gutenberg.

Yes

[dsas]

The kses filter at fault is gutenberg_filter_global_styles_post. It uses WP_Theme_JSON_Gutenberg::remove_insecure_properties to secure the value, however this function doesn't have any support for block variations.

WP_Theme_JSON_Gutenberg::remove_insecure_properties works by getting the style nodes from the input (in theme.json format) and computing the values from them, retaining the computed values. It doesn't know about block style variations so they don't get retained.

[dsas]

Here's a rough PoC which includes hooking init to trigger the bug, and ensuring that variations are not removed. variation-with-sanitisation.patch

[dsas]

@tellthemachines, @andrewserong 👋 looks like you initially worked on the variation style editor. This bug has been reported which shows that the variation styles are not saved on multisite installs. I've cobbled together a very rough patch which shows what roughly needs to be done. However I'm not familiar with this or the surrounding code (or theme.json really). Is this something you could take on? Or failing that guide me through?

[tellthemachines]

Thanks for reporting this @dsas ! That patch looks OK. Would you like to open a PR with it?

[andrewserong]

That patch looks OK. Would you like to open a PR with it?

+1 that looks like a good direction to me, too! Happy to help review once you've got a PR open 🙂