
Categories block: Escape label #65540

Open: wants to merge 2 commits into base: trunk

Conversation

@carolinan (Contributor) commented Sep 21, 2024

What?

This PR escapes the label block attribute in the categories block with wp_kses_post() before printing it inside the <label> HTML element.
The PR addresses feedback left during code review of the package sync for WordPress 6.7.

Why?

For security reasons it is best practice to escape user-provided content late, before output.
wp_kses_post() is used to allow the HTML tags allowed in the RichText field, and to be consistent with the escaping of other similar labels in other blocks.

How?

This PR escapes the label block attribute with wp_kses_post() before printing it inside the <label> HTML element.

Testing Instructions

Add a categories block.
In the block settings sidebar, enable the options "Display as dropdown" and "Show label".
Enter a custom label text. Type some random HTML tags, then select parts of the text and enable a style setting such as bold, or use the dropdown option to add an inline image, etc.

In the editor, the label is entered inside a RichText field and escaped with the help of the esc-html package.
View the content of the label in the editor and front and confirm that there are no issues that may be caused by double escaping. The style and inline image should continue to work on the front of the site.

Escape the label attribute before output inside the label HTML element, using esc_html().
Escape the label with wp_kses_post() instead of esc_html to allow some HTML tags and to be consistent with escaping other labels in other blocks.
@carolinan added the labels [Block] Categories, Backport to WP 6.7 Beta/RC, and [Type] Bug on Sep 21, 2024
@carolinan carolinan marked this pull request as ready for review September 21, 2024 02:25
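The escaping change the PR describes, as an added example rather than the PR's or Gutenberg's own code: a render helper that emits the dropdown's `<label>` with `wp_kses_post()` applied at output time, run on a constructed label containing the kind of markup the testing instructions ask for. It assumes WordPress is loaded (the `wp-load.php` path, the helper name `render_categories_dropdown_label`, and the `wp-block-categories-1` id are assumptions); `wp_kses_post()`, `esc_html()` and `esc_attr()` are real WordPress functions.

```php
<?php
// Added example (not the PR's own code): render the categories block's dropdown
// label the way the PR describes, escaping late with wp_kses_post() at output time.
// Assumes WordPress is loaded so wp_kses_post(), esc_html() and esc_attr() exist;
// the wp-load.php path and the function/attribute names below are assumptions.
require_once __DIR__ . '/wp-load.php';

/**
 * Build the <label> for the categories dropdown from the block attributes.
 * The label comes from a RichText field, so it may legitimately contain
 * inline markup such as <strong> or <img>; wp_kses_post() keeps those and
 * drops anything outside the post-content allowlist (script tags, event
 * handler attributes, javascript: URLs).
 */
function render_categories_dropdown_label( array $attributes, string $select_id ): string {
    if ( empty( $attributes['showLabel'] ) ) {
        return '';
    }
    $label = isset( $attributes['label'] ) ? (string) $attributes['label'] : '';
    return '<label for="' . esc_attr( $select_id ) . '">' . wp_kses_post( $label ) . '</label>';
}

// Constructed sample attributes, as a tester would produce them with the editor's
// bold and inline-image controls plus some stray tags typed into the field.
$attributes = array(
    'displayAsDropdown' => true,
    'showLabel'         => true,
    'label'             => 'Browse <strong onclick="not_allowed()">categories</strong> '
                         . '<img src="https://example.com/icon.png" alt="icon"> '
                         . '<script>not_allowed()</script>',
);

// The PR's first commit used esc_html(): every tag is entity-encoded, so the
// visitor sees a literal "<strong>" in the text and the inline image never renders.
echo esc_html( $attributes['label'] ), PHP_EOL;

// The second commit switched to wp_kses_post(): <strong> and <img> survive,
// while the onclick attribute and the <script> tags are stripped.
echo render_categories_dropdown_label( $attributes, 'wp-block-categories-1' ), PHP_EOL;
```

Running both lines side by side is the quickest way to confirm there is no double escaping: the editor already stores the RichText content as HTML, so only one escaping pass (the one at output) should be visible on the front end.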
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: carolinan <[email protected]>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

Flaky tests detected in 904871f.
Some tests passed with failed attempts. The failures may not be related to this commit but are still reported for visibility. See the documentation for more information.

🔍 Workflow run URL: https://github.com/WordPress/gutenberg/actions/runs/10968820565