-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tag Processor: throw when supplied unacceptible attribute names. #44431
Conversation
d1fc120
to
8c7344d
Compare
The `WP_HTML_Tag_Processor` allows setting new HTML attributes with a given name and value. Previously this has allowed any string input for the attribute name, but we have to be careful not to print output that might break the HTML we're modifying. In this patch we're adding a check against the given attribute name and rejecting invalid or unacceptible names. WordPress here is more restrictive than HTML5.
8c7344d
to
c284114
Compare
|
I needed to manually set |
throw new Exception( 'Invalid attribute name' ); | ||
} | ||
|
||
return; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return new WP_Error perhaps?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we should return an object as devs won't check the return value anyway.
The special case in the debug mode looks like a reasonable approach. I'm curious whether there is any standardized way of logging those issues.
Maybe we could call _doing_it_wrong
. We use that in several places when registering blocks or similar stuff for the block editor, for example:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is the big point about this patch that I'm unsure of. my only goal is to quickly bail if someone submits the wrong attribute, as I don't think it's likely people will send user-input attribute names here. if they do do that then I don't want it to crash the full render.
I'll ask around and see if anyone else has experience with this kind of failure.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
my only goal is to quickly bail if someone submits the wrong attribute
Yes, think this is the best approach here. If a plugin allows user input for attribute names (very unlikely as usually these are not random), it will have to make sure the input is valid, or the attribute will be skipped.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm curious whether there is any standardized way of logging those issues.
Think there isn't one, unfortunately. Has been discussed few times afaik but a decision on how to implement it was not reached. Thinking it is time for this to be added to core. Perhaps another constant: WP_DEV_MODE
or similar, then be much bolder about throwing errors and exceptions (with backtrace?) and writing in logs.
Using WP_DEBUG
seems proper here imho. doing_it_wrong
doesn't seem as good because it is targeted more at developers that try to use some function/method improperly (when there are better ways).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@azaozz, great feedback! Thank you so much for clarifying where given options fit best.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! I left a few comments, but my only substantial point is about the test cases.
The tests verifying behaviors dependent on whether `WP_DEBUG` is set need to run in an isolated environment so that the constant's definition doesn't bleed into other tests. The isolated runner is very slow in comparison to the non-isolated runner so only those tests dependent on the constant are moved over.
I added some positive test cases in ff9da88. |
Part of #44410
What
The
WP_HTML_Tag_Processor
allows setting new HTML attributes with a given name and value. Previously this has allowed any string input for the attribute name, but we have to be careful not to print output that might break the HTML we're modifying.In this patch we're adding a check against the given attribute name and rejecting invalid or unacceptible names. WordPress here is more restrictive than HTML5.
Why?
We don't want to allow setting attributes whose names could break the HTML syntax or open new vulnerabilities in code that parses post content.
How?
Validate the given attribute name with a PCRE pattern that looks for unalloyed characters.
Testing Instructions
Please audit the code and review the new unit tests.
Review with an eye towards security.
cc: @azaozz