Categories block: Escape label #65540
Escape the label attribute before output inside the label HTML element, using esc_html().
Escape the label with wp_kses_post() instead of esc_html to allow some HTML tags and to be consistent with escaping other labels in other blocks.
Flaky tests detected in 904871f. 🔍 Workflow run URL: https://github.com/WordPress/gutenberg/actions/runs/10968820565
LGTM
* Categories block: Escape label Escape the label attribute before output inside the label HTML element, using esc_html(). * Categories: Switch escaping function Escape the label with wp_kses_post() instead of esc_html to allow some HTML tags and to be consistent with escaping other labels in other blocks. Co-authored-by: carolinan <poena@git.wordpress.org> Co-authored-by: cbravobernal <cbravobernal@git.wordpress.org>
I just cherry-picked this PR to the wp/6.7 branch to get it included in the next release: bcba55a
This reverts commit 8339b8a.
What?

This PR escapes the `label` block attribute in the categories block with `wp_kses_post()` before printing it inside the `<label>` HTML element. The PR addresses feedback left during code review of the package sync for WordPress 6.7.

Why?

For security reasons it is best practice to escape user-provided content late, before output.
`wp_kses_post()` is used to allow the HTML tags allowed in the RichText field, and to be consistent with the escaping of other similar labels in other blocks.

How?

This PR escapes the `label` block attribute with `wp_kses_post()` before printing it inside the `<label>` HTML element.

Testing Instructions

1. Add a categories block.
2. In the block settings sidebar, enable the options "Display as dropdown" and "Show label".
3. Enter a custom label text. Type some random HTML tags, then select parts of the text and enable a style setting such as bold, or use the dropdown option to add an inline image, etc.
4. In the editor, the label is entered inside a RichText field and escaped with the help of the esc-html package.
5. View the content of the label in the editor and on the front end and confirm that there are no issues that may be caused by double escaping. The style and inline image should continue to work on the front of the site.
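The following is an added example, not the Gutenberg categories block's own render code, illustrating the point of the PR and the double-escaping check in the testing instructions: the `label` attribute is escaped at output time with `wp_kses_post()`, which keeps the RichText markup (bold, an inline image) and strips disallowed markup, whereas `esc_html()` would encode the RichText tags into visible text. The helper names (`example_render_dropdown_label`, `example_compare_escaping`) and the sample label are assumptions constructed for the example. Inside WordPress the real `esc_html()`, `esc_attr()` and `wp_kses_post()` are used; the `function_exists()` stand-ins only exist so the script runs with plain `php` offline and are deliberately minimal, not equivalents of WordPress's implementations.

```php
<?php
// Added example, not the Gutenberg categories block's own render code.
// Shows why the PR escapes the `label` attribute late, at output time, with
// wp_kses_post(): RichText formatting (<strong>, an inline <img>) survives,
// disallowed markup is stripped, and esc_html() would instead turn the
// formatting into visible entity text.
//
// Assumption: inside WordPress (e.g. `wp eval-file example.php`) the real
// esc_html(), esc_attr() and wp_kses_post() are used. With plain `php`, the
// stand-ins below are defined instead; they are deliberately minimal and are
// NOT equivalent to WordPress's own implementations.

if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}

if ( ! function_exists( 'esc_attr' ) ) {
	function esc_attr( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
	}
}

if ( ! function_exists( 'wp_kses_post' ) ) {
	// Stand-in allowlist filter: keeps only the listed tags/attributes and only
	// http(s) or relative URLs in href/src. Tags that are not allowed are
	// removed while their text content is kept, which is what kses does too.
	function wp_kses_post( $html ) {
		$allowed = array(
			'strong' => array(),
			'em'     => array(),
			'a'      => array( 'href' ),
			'img'    => array( 'src', 'alt', 'class' ),
		);
		return preg_replace_callback(
			'#<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>#',
			function ( $m ) use ( $allowed ) {
				$tag = strtolower( $m[2] );
				if ( ! isset( $allowed[ $tag ] ) ) {
					return ''; // e.g. <script> is dropped (its text remains)
				}
				if ( '/' === $m[1] ) {
					return '</' . $tag . '>';
				}
				$kept = '';
				preg_match_all( '#([a-zA-Z-]+)\s*=\s*"([^"]*)"#', $m[3], $attrs, PREG_SET_ORDER );
				foreach ( $attrs as $attr ) {
					$name  = strtolower( $attr[1] );
					$value = $attr[2];
					if ( ! in_array( $name, $allowed[ $tag ], true ) ) {
						continue; // e.g. onerror="..." is dropped
					}
					if ( in_array( $name, array( 'href', 'src' ), true )
						&& ! preg_match( '#^(https?:)?/#i', $value ) ) {
						continue; // e.g. javascript: URLs are dropped
					}
					$kept .= ' ' . $name . '="' . htmlspecialchars( $value, ENT_QUOTES, 'UTF-8', false ) . '"';
				}
				return '<' . $tag . $kept . '>';
			},
			(string) $html
		);
	}
}

// Hypothetical render helper (name is an assumption): builds the dropdown's
// <label> the way the PR describes, escaping the attribute at output time.
function example_render_dropdown_label( array $attributes, string $select_id ) {
	$label = isset( $attributes['label'] ) && '' !== $attributes['label']
		? $attributes['label']
		: 'Categories';

	return sprintf(
		'<label for="%s" class="wp-block-categories__label">%s</label>',
		esc_attr( $select_id ), // attribute context: esc_attr()
		wp_kses_post( $label )  // element content carrying RichText markup: wp_kses_post()
	);
}

// The same label escaped both ways, for the "no double escaping" check.
function example_compare_escaping( string $label ) {
	return array(
		'esc_html'     => esc_html( $label ),
		'wp_kses_post' => wp_kses_post( $label ),
	);
}

// Constructed sample label: RichText bold and an inline image, plus markup a
// user could type by hand that must not reach the page.
$label = 'Browse <strong>topics</strong> '
	. '<img class="wp-image-7" src="/wp-content/uploads/icon.png" alt="" onerror="alert(1)"> '
	. '<script>alert(1)</script>';

foreach ( example_compare_escaping( $label ) as $fn => $out ) {
	echo str_pad( $fn, 13 ) . $out . "\n";
}
echo example_render_dropdown_label( array( 'label' => $label ), 'wp-block-categories-1' ) . "\n";
```

Run it with `php example.php` offline, or with `wp eval-file example.php` inside a WordPress install to exercise the real functions. The `esc_html` line shows the symptom the testing instructions ask you to rule out: `<strong>` and `<img>` become `&lt;strong&gt;` and `&lt;img ...&gt;` and would render as literal text in the label, while the `wp_kses_post` line keeps the bold and the image and drops the `onerror` attribute and the `<script>` tag (the script's text body stays as plain text, which kses also leaves in place). Note the two different contexts in the render helper: the `for` attribute is an attribute value and gets `esc_attr()`, the label body is element content that may legitimately contain RichText markup and gets `wp_kses_post()`; using `esc_html()` on the body is what produced the inconsistency the second commit fixes.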