
Categories block: Escape label #65540

Merged (2 commits), Sep 30, 2024

Conversation

carolinan (Contributor) commented Sep 21, 2024

What?

This PR escapes the label block attribute in the categories block with wp_kses_post() before printing it inside the <label> HTML element.
The PR addresses feedback left during code review of the package sync for WordPress 6.7.

Why?

For security reasons it is best practice to escape user-provided content late, before output.
wp_kses_post() is used to allow the HTML tags allowed in the RichText field, and to be consistent with the escaping of other similar labels in other blocks.

How?

This PR escapes the label block attribute with wp_kses_post() before printing it inside the <label> HTML element.

Testing Instructions

Add a categories block.
In the block settings sidebar, enable the options "Display as dropdown" and "Show label".
Enter a custom label text. Type some random HTML tags, then select parts of the text and enable a style setting such as bold, or use the dropdown option to add an inline image, etc.

In the editor, the label is entered inside a RichText field and escaped with the help of the esc-html package.
View the content of the label in the editor and on the front end and confirm that there are no issues that may be caused by double escaping. The style and inline image should continue to work on the front of the site.

Escape the label attribute before output inside the label HTML element, using esc_html().
Escape the label with wp_kses_post() instead of esc_html to allow some HTML tags and to be consistent with escaping other labels in other blocks.
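The late escaping described in the PR, as an added example; this is not the Categories block's own render code. It assumes WordPress is loaded (so wp_kses_post(), esc_html(), esc_attr() and __() exist), and the function name, attribute keys, CSS class and sample label are all assumptions made for illustration:

```php
<?php
/**
 * Added example, not the block's own render code. Assumes WordPress is loaded.
 * The function name, attribute keys, CSS class and sample label are assumptions.
 */

/**
 * Build the <label> markup for the categories dropdown from block attributes.
 *
 * @param array  $attributes Block attributes; 'label' holds RichText HTML saved by the editor.
 * @param string $select_id  The id of the <select> element the label targets.
 * @return string Escaped HTML, or an empty string when no label should be shown.
 */
function example_categories_dropdown_label( array $attributes, string $select_id ): string {
	if ( empty( $attributes['showLabel'] ) ) {
		return '';
	}

	// Assumed default text when the label attribute is missing or empty.
	$label = isset( $attributes['label'] ) && '' !== $attributes['label']
		? $attributes['label']
		: __( 'Categories' );

	// Escape late, at the point of output. wp_kses_post() keeps the inline tags
	// RichText can produce (<strong>, <em>, <img>, ...) and strips anything not
	// on the post allow-list, such as <script> elements or on* event handlers.
	// esc_html() would instead print "<strong>" literally, so the bold text and
	// inline image entered in the editor would break on the front end (the
	// double-escaping issue the testing instructions ask reviewers to check).
	return sprintf(
		'<label for="%1$s" class="wp-block-categories__label">%2$s</label>',
		esc_attr( $select_id ),
		wp_kses_post( $label )
	);
}

// Constructed sample input, shaped like a label entered in the RichText field.
$sample_attributes = array(
	'showLabel' => true,
	'label'     => 'Browse <strong>topics</strong> <img src="/icon.png" alt="" />',
);

// Prints the label with the <strong> and <img> tags preserved.
echo example_categories_dropdown_label( $sample_attributes, 'wp-block-categories-1' );
```

The `for` attribute is passed through esc_attr() rather than wp_kses_post() because it is an attribute value, not HTML content; each output context gets the escaping function that matches it.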
@carolinan carolinan added [Block] Categories Affects the Categories Block Backport to WP 6.7 Beta/RC Pull request that needs to be backported to the WordPress major release that's currently in beta [Type] Bug An existing feature does not function as intended labels Sep 21, 2024
@carolinan carolinan marked this pull request as ready for review September 21, 2024 02:25
github-actions bot commented Sep 21, 2024

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: carolinan <poena@git.wordpress.org>
Co-authored-by: cbravobernal <cbravobernal@git.wordpress.org>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

Flaky tests detected in 904871f.
Some tests passed with failed attempts. The failures may not be related to this commit but are still reported for visibility. See the documentation for more information.

🔍 Workflow run URL: https://github.com/WordPress/gutenberg/actions/runs/10968820565
📝 Reported issues:

cbravobernal (Contributor) left a comment

LGTM

@cbravobernal cbravobernal enabled auto-merge (squash) September 30, 2024 07:05
@cbravobernal cbravobernal merged commit 0ae80bc into trunk Sep 30, 2024
73 of 74 checks passed
@cbravobernal cbravobernal deleted the update/categories-escape-label branch September 30, 2024 07:07
@github-actions github-actions bot added this to the Gutenberg 19.4 milestone Sep 30, 2024
@github-actions github-actions bot removed the Backport to WP 6.7 Beta/RC Pull request that needs to be backported to the WordPress major release that's currently in beta label Sep 30, 2024
gutenbergplugin pushed a commit that referenced this pull request Sep 30, 2024
* Categories block: Escape label

Escape the label attribute before output inside the label HTML element, using esc_html().

* Categories: Switch escaping function

Escape the label with wp_kses_post() instead of esc_html to allow some HTML tags and to be consistent with escaping other labels in other blocks.

Co-authored-by: carolinan <poena@git.wordpress.org>
Co-authored-by: cbravobernal <cbravobernal@git.wordpress.org>
@github-actions github-actions bot added the Backported to WP Core Pull request that has been successfully merged into WP Core label Sep 30, 2024
I just cherry-picked this PR to the wp/6.7 branch to get it included in the next release: bcba55a

huubl pushed a commit to huubl/gutenberg that referenced this pull request Oct 2, 2024
huubl added a commit to huubl/gutenberg that referenced this pull request Oct 2, 2024