WordPress-C
/
WordPress
mirror of https://github.com/WordPress/WordPress.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Editor: Prevent KSES stripping global layout style properties. 

Layout style properties are stored using indirect values, rather than direct CSS properties. 

Allow users without the `unfiltered_html` capability to modify global styles using the indirect block spacing properties `contentSize`, `wideSize`, and `blockGap`, using a mapping of the eventual CSS property to the indirect property stored in `theme.json`. The mapped CSS property is then used for CSS validation.

Props andrewserong, costdev, hellofromtonya, mamaduka, mmtr86.
Fixes #57321.



Built from https://develop.svn.wordpress.org/trunk@55345


git-svn-id: http://core.svn.wordpress.org/trunk@54878 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
Peter Wilson 2023-02-15 03:57:17 +00:00
parent fc49b0b92a
commit 5deb3698e5
2 changed files with 61 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
wp-includes/class-wp-theme-json.php
View File

@ -262,6 +262,35 @@ class WP_Theme_JSON {
'box-shadow' => array( 'shadow' ), 'box-shadow' => array( 'shadow' ),
); );
/**
* Indirect metadata for style properties that are not directly output.
*
* Each element maps from a CSS property name to an array of
* paths to the value in theme.json & block attributes.
*
* Indirect properties are not output directly by `compute_style_properties`,
* but are used elsewhere in the processing of global styles. The indirect
* property is used to validate whether or not a style value is allowed.
*
* @since 6.1.2
* @var array
*/
const INDIRECT_PROPERTIES_METADATA = array(
'gap' => array(
array( 'spacing', 'blockGap' ),
),
'column-gap' => array(
array( 'spacing', 'blockGap', 'left' ),
),
'row-gap' => array(
array( 'spacing', 'blockGap', 'top' ),
),
'max-width' => array(
array( 'layout', 'contentSize' ),
array( 'layout', 'wideSize' ),
),
);
/** /**
* Protected style properties. * Protected style properties.
* *
@ -2949,6 +2978,10 @@ class WP_Theme_JSON {
} }
} }
} }
// Ensure indirect properties not included in any `PRESETS_METADATA` value are allowed.
static::remove_indirect_properties( $input, $output );
return $output; return $output;
} }
@ -2977,6 +3010,10 @@ class WP_Theme_JSON {
} }
} }
} }
// Ensure indirect properties not handled by `compute_style_properties` are allowed.
static::remove_indirect_properties( $input, $output );
return $output; return $output;
} }
@ -2995,6 +3032,29 @@ class WP_Theme_JSON {
return ! empty( trim( $filtered ) ); return ! empty( trim( $filtered ) );
} }
/**
* Removes indirect properties from the given input node and
* sets in the given output node.
*
* @since 6.1.2
*
* @param array $input Node to process.
* @param array $output The processed node. Passed by reference.
*/
private static function remove_indirect_properties( $input, &$output ) {
foreach ( static::INDIRECT_PROPERTIES_METADATA as $property => $paths ) {
foreach ( $paths as $path ) {
$value = _wp_array_get( $input, $path );
if (
is_string( $value ) &&
static::is_safe_css_declaration( $property, $value )
) {
_wp_array_set( $output, $path, $value );
}
}
}
}
/** /**
* Returns the raw data. * Returns the raw data.
* *

2
wp-includes/version.php
View File

@ -16,7 +16,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '6.2-beta2-55344'; $wp_version = '6.2-beta2-55345';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.