From 5683c462770a857a5244576010a97ea125e1e079 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov <sergeybiryukov.ru@gmail.com>
Date: Sun, 8 Nov 2020 09:52:10 +0000
Subject: [PATCH] Site Health: Validate the test result data format in JS
 before using it.

This will discard any invalid responses instead of causing fatal errors.

It also makes badges optional, on the same basis as actions are optional. They are expected, but there may be situations where they are not present.

Props Clorith, dogwithblog, kraftbj, whyisjake, SergeyBiryukov.
Fixes #50145.
Built from https://develop.svn.wordpress.org/trunk@49537


git-svn-id: http://core.svn.wordpress.org/trunk@49275 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-admin/js/site-health.js     | 59 ++++++++++++++++++++++++++++++++++
 wp-admin/js/site-health.min.js |  2 +-
 wp-admin/site-health.php       |  4 ++-
 wp-includes/version.php        |  2 +-
 4 files changed, 64 insertions(+), 3 deletions(-)

diff --git a/wp-admin/js/site-health.js b/wp-admin/js/site-health.js
index 3314f41e1e..d91b75e90a 100644
--- a/wp-admin/js/site-health.js
+++ b/wp-admin/js/site-health.js
@@ -65,6 +65,57 @@ jQuery( document ).ready( function( $ ) {
 		$( this ).attr( 'aria-expanded', ! goodIssuesWrapper.hasClass( 'hidden' ) );
 	} );
 
+	/**
+	 * Validates the Site Health test result format.
+	 *
+	 * @since 5.6.0
+	 *
+	 * @param {Object} issue
+	 *
+	 * @return {boolean}
+	 */
+	function validateIssueData( issue ) {
+		// Expected minimum format of a valid SiteHealth test response.
+		var minimumExpected = {
+				test: 'string',
+				label: 'string',
+				description: 'string'
+			},
+			passed = true,
+			key, value, subKey, subValue;
+
+		// If the issue passed is not an object, return a `false` state early.
+		if ( 'object' !== typeof( issue ) ) {
+			return false;
+		}
+
+		// Loop over expected data and match the data types.
+		for ( key in minimumExpected ) {
+			value = minimumExpected[ key ];
+
+			if ( 'object' === typeof( value ) ) {
+				for ( subKey in value ) {
+					subValue = value[ subKey ];
+
+					if ( 'undefined' === typeof( issue[ key ] ) ||
+						'undefined' === typeof( issue[ key ][ subKey ] ) ||
+						subValue !== typeof( issue[ key ][ subKey ] )
+					) {
+						passed = false;
+					}
+				}
+			} else {
+				if ( 'undefined' === typeof( issue[ key ] ) ||
+					value !== typeof( issue[ key ] )
+				) {
+					passed = false;
+				}
+			}
+		}
+
+		return passed;
+	}
+
 	/**
 	 * Appends a new issue to the issue list.
 	 *
@@ -78,6 +129,14 @@ jQuery( document ).ready( function( $ ) {
 			heading,
 			count;
 
+		/*
+		 * Validate the issue data format before using it.
+		 * If the output is invalid, discard it.
+		 */
+		if ( ! validateIssueData( issue ) ) {
+			return false;
+		}
+
 		SiteHealth.site_status.issues[ issue.status ]++;
 
 		count = SiteHealth.site_status.issues[ issue.status ];
diff --git a/wp-admin/js/site-health.min.js b/wp-admin/js/site-health.min.js
index 1333d7a01f..18295a79da 100644
--- a/wp-admin/js/site-health.min.js
+++ b/wp-admin/js/site-health.min.js
@@ -1,2 +1,2 @@
 /*! This file is auto-generated */
-jQuery(document).ready(function(h){var a,t,s,c=wp.i18n.__,n=wp.i18n._n,o=wp.i18n.sprintf,i=new ClipboardJS(".site-health-copy-buttons .copy-button"),d=h(".health-check-body.health-check-debug-tab").length,l=h("#health-check-accordion-block-wp-paths-sizes");function r(e){var t,s,a=wp.template("health-check-issue"),i=h("#health-check-issues-"+e.status);SiteHealth.site_status.issues[e.status]++,s=SiteHealth.site_status.issues[e.status],void 0===e.test&&(e.test=e.status+s),"critical"===e.status?t=o(n("%s critical issue","%s critical issues",s),'<span class="issue-count">'+s+"</span>"):"recommended"===e.status?t=o(n("%s recommended improvement","%s recommended improvements",s),'<span class="issue-count">'+s+"</span>"):"good"===e.status&&(t=o(n("%s item with no issues detected","%s items with no issues detected",s),'<span class="issue-count">'+s+"</span>")),t&&h(".site-health-issue-count-title",i).html(t),h(".issues","#health-check-issues-"+e.status).append(a(e))}function u(){var e,t,s=h(".site-health-progress"),a=s.closest(".site-health-progress-wrapper"),i=h(".site-health-progress-label",a),n=h(".site-health-progress svg #bar"),o=parseInt(SiteHealth.site_status.issues.good,0)+parseInt(SiteHealth.site_status.issues.recommended,0)+1.5*parseInt(SiteHealth.site_status.issues.critical,0),l=.5*parseInt(SiteHealth.site_status.issues.recommended,0)+1.5*parseInt(SiteHealth.site_status.issues.critical,0),r=100-Math.ceil(l/o*100);0!==o?(a.removeClass("loading"),e=n.attr("r"),r<0&&(r=0),100<r&&(r=100),t=(100-r)/100*(Math.PI*(2*e)),n.css({strokeDashoffset:t}),parseInt(SiteHealth.site_status.issues.critical,0)<1&&h("#health-check-issues-critical").addClass("hidden"),parseInt(SiteHealth.site_status.issues.recommended,0)<1&&h("#health-check-issues-recommended").addClass("hidden"),80<=r&&0===parseInt(SiteHealth.site_status.issues.critical,0)?(a.addClass("green").removeClass("orange"),i.text(c("Good")),wp.a11y.speak(c("All site health tests have finished running. Your site is looking good, and the results are now available on the page."))):(a.addClass("orange").removeClass("green"),i.text(c("Should be improved")),wp.a11y.speak(c("All site health tests have finished running. There are items that should be addressed, and the results are now available on the page."))),d||(h.post(ajaxurl,{action:"health-check-site-status-result",_wpnonce:SiteHealth.nonce.site_status_result,counts:SiteHealth.site_status.issues}),100===r&&(h(".site-status-all-clear").removeClass("hide"),h(".site-status-has-issues").addClass("hide")))):s.addClass("hidden")}function p(e,t){var s;s={status:"recommended",label:c("A test is unavailable"),badge:{color:"red",label:c("Unavailable")},description:"<p>"+e+"</p><p>"+t+"</p>",actions:""},r(wp.hooks.applyFilters("site_status_test_result",s))}i.on("success",function(e){var t=h(e.trigger),s=h(".success",t.closest("div"));e.clearSelection(),t.focus(),clearTimeout(a),s.removeClass("hidden"),a=setTimeout(function(){s.addClass("hidden"),i.clipboardAction.fakeElem&&i.clipboardAction.removeFake&&i.clipboardAction.removeFake()},3e3),wp.a11y.speak(c("Site information has been copied to your clipboard."))}),h(".health-check-accordion").on("click",".health-check-accordion-trigger",function(){"true"===h(this).attr("aria-expanded")?(h(this).attr("aria-expanded","false"),h("#"+h(this).attr("aria-controls")).attr("hidden",!0)):(h(this).attr("aria-expanded","true"),h("#"+h(this).attr("aria-controls")).attr("hidden",!1))}),h(".site-health-view-passed").on("click",function(){var e=h("#health-check-issues-good");e.toggleClass("hidden"),h(this).attr("aria-expanded",!e.hasClass("hidden"))}),"undefined"==typeof SiteHealth||d||(0===SiteHealth.site_status.direct.length&&0===SiteHealth.site_status.async.length?u():SiteHealth.site_status.issues={good:0,recommended:0,critical:0},0<SiteHealth.site_status.direct.length&&h.each(SiteHealth.site_status.direct,function(){r(this)}),0<SiteHealth.site_status.async.length?function t(){var s=!0;1<=SiteHealth.site_status.async.length&&h.each(SiteHealth.site_status.async,function(){var e={action:"health-check-"+this.test.replace("_","-"),_wpnonce:SiteHealth.nonce.site_status};return!!this.completed||(s=!1,this.completed=!0,void 0!==this.has_rest&&this.has_rest?wp.apiRequest({url:this.test,headers:this.headers}).done(function(e){r(wp.hooks.applyFilters("site_status_test_result",e))}).fail(function(e){var t;t=void 0!==e.responseJSON&&void 0!==e.responseJSON.message?e.responseJSON.message:c("No details available"),p(this.url,t)}).always(function(){t()}):h.post(ajaxurl,e).done(function(e){r(wp.hooks.applyFilters("site_status_test_result",e.data))}).fail(function(e){var t;t=void 0!==e.responseJSON&&void 0!==e.responseJSON.message?e.responseJSON.message:c("No details available"),p(this.url,t)}).always(function(){t()}),!1)}),s&&u()}():u()),d&&(l.length?(t=(new Date).getTime(),s=window.setTimeout(function(){wp.a11y.speak(c("Please wait..."))},3e3),wp.apiRequest({path:"/wp-site-health/v1/directory-sizes"}).done(function(e){!function(i){var e=h("button.button.copy-button"),a=e.attr("data-clipboard-text");h.each(i,function(e,t){var s=t.debug||t.size;void 0!==s&&(a=a.replace(e+": loading...",e+": "+s))}),e.attr("data-clipboard-text",a),l.find("td[class]").each(function(e,t){var s=h(t),a=s.attr("class");i.hasOwnProperty(a)&&i[a].size&&s.text(i[a].size)})}(e||{})}).always(function(){var e=(new Date).getTime()-t;h(".health-check-wp-paths-sizes.spinner").css("visibility","hidden"),u(),3e3<e?(e=6e3<e?0:6500-e,window.setTimeout(function(){wp.a11y.speak(c("All site health tests have finished running."))},e)):window.clearTimeout(s),h(document).trigger("site-health-info-dirsizes-done")})):u())});
\ No newline at end of file
+jQuery(document).ready(function(c){var a,t,s,h=wp.i18n.__,n=wp.i18n._n,o=wp.i18n.sprintf,i=new ClipboardJS(".site-health-copy-buttons .copy-button"),d=c(".health-check-body.health-check-debug-tab").length,r=c("#health-check-accordion-block-wp-paths-sizes");function l(e){var t,s,a=wp.template("health-check-issue"),i=c("#health-check-issues-"+e.status);if(!function(e){var t,s,a,i,n={test:"string",label:"string",description:"string"},o=!0;if("object"!=typeof e)return!1;for(t in n)if("object"==typeof(s=n[t]))for(a in s)i=s[a],void 0!==e[t]&&void 0!==e[t][a]&&i===typeof e[t][a]||(o=!1);else void 0!==e[t]&&s===typeof e[t]||(o=!1);return o}(e))return!1;SiteHealth.site_status.issues[e.status]++,s=SiteHealth.site_status.issues[e.status],void 0===e.test&&(e.test=e.status+s),"critical"===e.status?t=o(n("%s critical issue","%s critical issues",s),'<span class="issue-count">'+s+"</span>"):"recommended"===e.status?t=o(n("%s recommended improvement","%s recommended improvements",s),'<span class="issue-count">'+s+"</span>"):"good"===e.status&&(t=o(n("%s item with no issues detected","%s items with no issues detected",s),'<span class="issue-count">'+s+"</span>")),t&&c(".site-health-issue-count-title",i).html(t),c(".issues","#health-check-issues-"+e.status).append(a(e))}function u(){var e,t,s=c(".site-health-progress"),a=s.closest(".site-health-progress-wrapper"),i=c(".site-health-progress-label",a),n=c(".site-health-progress svg #bar"),o=parseInt(SiteHealth.site_status.issues.good,0)+parseInt(SiteHealth.site_status.issues.recommended,0)+1.5*parseInt(SiteHealth.site_status.issues.critical,0),r=.5*parseInt(SiteHealth.site_status.issues.recommended,0)+1.5*parseInt(SiteHealth.site_status.issues.critical,0),l=100-Math.ceil(r/o*100);0!==o?(a.removeClass("loading"),e=n.attr("r"),l<0&&(l=0),100<l&&(l=100),t=(100-l)/100*(Math.PI*(2*e)),n.css({strokeDashoffset:t}),parseInt(SiteHealth.site_status.issues.critical,0)<1&&c("#health-check-issues-critical").addClass("hidden"),parseInt(SiteHealth.site_status.issues.recommended,0)<1&&c("#health-check-issues-recommended").addClass("hidden"),80<=l&&0===parseInt(SiteHealth.site_status.issues.critical,0)?(a.addClass("green").removeClass("orange"),i.text(h("Good")),wp.a11y.speak(h("All site health tests have finished running. Your site is looking good, and the results are now available on the page."))):(a.addClass("orange").removeClass("green"),i.text(h("Should be improved")),wp.a11y.speak(h("All site health tests have finished running. There are items that should be addressed, and the results are now available on the page."))),d||(c.post(ajaxurl,{action:"health-check-site-status-result",_wpnonce:SiteHealth.nonce.site_status_result,counts:SiteHealth.site_status.issues}),100===l&&(c(".site-status-all-clear").removeClass("hide"),c(".site-status-has-issues").addClass("hide")))):s.addClass("hidden")}function p(e,t){var s;s={status:"recommended",label:h("A test is unavailable"),badge:{color:"red",label:h("Unavailable")},description:"<p>"+e+"</p><p>"+t+"</p>",actions:""},l(wp.hooks.applyFilters("site_status_test_result",s))}i.on("success",function(e){var t=c(e.trigger),s=c(".success",t.closest("div"));e.clearSelection(),t.focus(),clearTimeout(a),s.removeClass("hidden"),a=setTimeout(function(){s.addClass("hidden"),i.clipboardAction.fakeElem&&i.clipboardAction.removeFake&&i.clipboardAction.removeFake()},3e3),wp.a11y.speak(h("Site information has been copied to your clipboard."))}),c(".health-check-accordion").on("click",".health-check-accordion-trigger",function(){"true"===c(this).attr("aria-expanded")?(c(this).attr("aria-expanded","false"),c("#"+c(this).attr("aria-controls")).attr("hidden",!0)):(c(this).attr("aria-expanded","true"),c("#"+c(this).attr("aria-controls")).attr("hidden",!1))}),c(".site-health-view-passed").on("click",function(){var e=c("#health-check-issues-good");e.toggleClass("hidden"),c(this).attr("aria-expanded",!e.hasClass("hidden"))}),"undefined"==typeof SiteHealth||d||(0===SiteHealth.site_status.direct.length&&0===SiteHealth.site_status.async.length?u():SiteHealth.site_status.issues={good:0,recommended:0,critical:0},0<SiteHealth.site_status.direct.length&&c.each(SiteHealth.site_status.direct,function(){l(this)}),0<SiteHealth.site_status.async.length?function t(){var s=!0;1<=SiteHealth.site_status.async.length&&c.each(SiteHealth.site_status.async,function(){var e={action:"health-check-"+this.test.replace("_","-"),_wpnonce:SiteHealth.nonce.site_status};return!!this.completed||(s=!1,this.completed=!0,void 0!==this.has_rest&&this.has_rest?wp.apiRequest({url:this.test,headers:this.headers}).done(function(e){l(wp.hooks.applyFilters("site_status_test_result",e))}).fail(function(e){var t;t=void 0!==e.responseJSON&&void 0!==e.responseJSON.message?e.responseJSON.message:h("No details available"),p(this.url,t)}).always(function(){t()}):c.post(ajaxurl,e).done(function(e){l(wp.hooks.applyFilters("site_status_test_result",e.data))}).fail(function(e){var t;t=void 0!==e.responseJSON&&void 0!==e.responseJSON.message?e.responseJSON.message:h("No details available"),p(this.url,t)}).always(function(){t()}),!1)}),s&&u()}():u()),d&&(r.length?(t=(new Date).getTime(),s=window.setTimeout(function(){wp.a11y.speak(h("Please wait..."))},3e3),wp.apiRequest({path:"/wp-site-health/v1/directory-sizes"}).done(function(e){!function(i){var e=c("button.button.copy-button"),a=e.attr("data-clipboard-text");c.each(i,function(e,t){var s=t.debug||t.size;void 0!==s&&(a=a.replace(e+": loading...",e+": "+s))}),e.attr("data-clipboard-text",a),r.find("td[class]").each(function(e,t){var s=c(t),a=s.attr("class");i.hasOwnProperty(a)&&i[a].size&&s.text(i[a].size)})}(e||{})}).always(function(){var e=(new Date).getTime()-t;c(".health-check-wp-paths-sizes.spinner").css("visibility","hidden"),u(),3e3<e?(e=6e3<e?0:6500-e,window.setTimeout(function(){wp.a11y.speak(h("All site health tests have finished running."))},e)):window.clearTimeout(s),c(document).trigger("site-health-info-dirsizes-done")})):u())});
\ No newline at end of file
diff --git a/wp-admin/site-health.php b/wp-admin/site-health.php
index 376ec80411..b7cc728ef6 100644
--- a/wp-admin/site-health.php
+++ b/wp-admin/site-health.php
@@ -144,7 +144,9 @@ require_once ABSPATH . 'wp-admin/admin-header.php';
 	<h4 class="health-check-accordion-heading">
 		<button aria-expanded="false" class="health-check-accordion-trigger" aria-controls="health-check-accordion-block-{{ data.test }}" type="button">
 			<span class="title">{{ data.label }}</span>
-			<span class="badge {{ data.badge.color }}">{{ data.badge.label }}</span>
+			<# if ( data.badge ) { #>
+				<span class="badge {{ data.badge.color }}">{{ data.badge.label }}</span>
+			<# } #>
 			<span class="icon"></span>
 		</button>
 	</h4>
diff --git a/wp-includes/version.php b/wp-includes/version.php
index d72219dedf..8a3a8d781a 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -13,7 +13,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '5.6-beta3-49536';
+$wp_version = '5.6-beta3-49537';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.