Make WordPress Core

Opened 4 years ago

Closed 4 weeks ago

#50461 closed defect (bug) (duplicate)

Sanitization breaking scripts in custom HTML block

Reported by: claudiulodro
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 5.4.2
Component: Formatting
Keywords:
Focuses:
Cc:

Description

In certain scenarios, some sort of (most likely regex-based) sanitization in core WordPress converts && elements into &#038;&#038; even when placed within a custom HTML block and using a user with unfiltered_html capabilities.

Here is a sample page content you can use to see the issue:

<!-- wp:html -->
<script>
This should work: &&
This doesn't: <= &&
> && After the "tag" is closed it works again
</script>
<!-- /wp:html -->

<!-- wp:html -->
<script>
// Sample script that could be mangled.
var foo = 1 <= 2;
if ( foo && true ) {
    alert('worked');
}
</script>
<!-- /wp:html -->

On the frontend, this will be output as:

<script>
This should work: &&
This doesn't: <= &#038;&#038;
> && After the "tag" is closed it works again
</script>

<script>
// Sample script that could be mangled.
var foo = 1 <= 2;
if ( foo &#038;&#038; true ) {
    alert('worked');
}
</script>

The reason I believe this is a regex issue is because only && characters after <= characters get converted to entities, and after a > character the conversion stops and && are output as normal. My theory is it's some sort of regex-based sanitization for html attributes, but I haven't been able to track down which one specifically.
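Added illustration, not code from the ticket or from WordPress core: a Python model of the mechanism the reporter's theory implies, chosen so that it reproduces the output shown above, plus a check that lists which inline scripts would be altered. The two regexes (a "tag" runs from "<" to the next ">" or to end of input; every bare "&" inside such a chunk becomes "&#038;") are assumptions of this model; they are a simplified form of the tag splitting and ampersand encoding that core performs in wptexturize()/wp_html_split(), which is stated from knowledge of core rather than from this ticket. The first two samples are the reporter's blocks; the remaining samples are constructed here.

```python
import re

# Model of the behaviour described in the ticket (added here; not WordPress code).
# Step 1: split the document at anything that looks like a tag. A "tag" runs from
#         '<' to the next '>' (or to the end of input if there is no '>').
# Step 2: inside every such chunk, encode '&' as '&#038;' unless it already looks
#         like an entity. Script bodies get no exemption, because step 1 cannot
#         tell that '<=' inside <script> is JavaScript rather than markup.
TAG_CHUNK = re.compile(r'(<[^>]*>?)')                                  # assumed split pattern
BARE_AMP = re.compile(r'&(?!#(?:\d+|x[a-f0-9]+);|[a-z1-4]{1,8};)', re.IGNORECASE)
SCRIPT_BODY = re.compile(r'<script\b[^>]*>(.*?)</script>', re.IGNORECASE | re.DOTALL)


def encode_amp_in_tag_chunks(html: str) -> str:
    """Return html with '&' -> '&#038;' applied inside every tag-like chunk."""
    parts = TAG_CHUNK.split(html)
    for i, chunk in enumerate(parts):
        # Only chunks that start with '<' count as tags; HTML comments are left alone.
        if chunk.startswith('<') and not chunk.startswith('<!--'):
            parts[i] = BARE_AMP.sub('&#038;', chunk)
    return ''.join(parts)


def mangled_scripts(html: str) -> list:
    """Indices of the <script> bodies in html that the encoding step would alter.

    A body is at risk when it contains a '<' with a bare '&' somewhere before the
    next '>' (which may be the '>' of the closing </script> tag).
    """
    before = SCRIPT_BODY.findall(html)
    after = SCRIPT_BODY.findall(encode_amp_in_tag_chunks(html))
    return [i for i, (b, a) in enumerate(zip(before, after)) if b != a]


# The reporter's two blocks from the ticket.
TICKET_SAMPLE_1 = (
    '<script>\n'
    'This should work: &&\n'
    "This doesn't: <= &&\n"
    '> && After the "tag" is closed it works again\n'
    '</script>'
)
TICKET_SAMPLE_2 = (
    '<script>\n'
    '// Sample script that could be mangled.\n'
    'var foo = 1 <= 2;\n'
    'if ( foo && true ) {\n'
    "    alert('worked');\n"
    '}\n'
    '</script>'
)
# Constructed samples: no '<' in the body, and a '>' that closes the fake tag before the '&&'.
SAFE_SAMPLE = '<script>if (a && b) { run(); }</script>'
RESCUED_SAMPLE = '<script>var lt = a < b; var gt = c > d && e;</script>'

if __name__ == '__main__':
    samples = [('ticket sample 1', TICKET_SAMPLE_1), ('ticket sample 2', TICKET_SAMPLE_2),
               ('safe', SAFE_SAMPLE), ('rescued by >', RESCUED_SAMPLE)]
    for name, sample in samples:
        print(f'--- {name} ---')
        print(encode_amp_in_tag_chunks(sample))
    print('mangled script indices:', mangled_scripts('\n'.join(s for _, s in samples)))
```

Running the block prints the reporter's two blocks exactly as the ticket shows them on the frontend, the `&&` after `<=` encoded and everything after the next `>` untouched, while the two constructed scripts survive. mangled_scripts() is the practical check: any inline script whose body has a `<` followed by a bare `&` before the next `>` will be rewritten, and the rewritten `&#038;&#038;` is a JavaScript syntax error, so the script fails silently in the browser. Because the transformation is an output-formatting step rather than a KSES step, the unfiltered_html capability makes no difference, which matches the reporter's observation.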

Change History (4)

#1 @claudiulodro
4 years ago

Note: the issue is probably not from the Gutenberg editor, as the custom HTML block is purely JS and the post content saves into the database correctly.

I reproduced the issue on a clean site running WP 5.4.2 with Twenty Twenty theme and no active plugins.

Last edited 4 years ago by claudiulodro

3 years ago

This ticket was mentioned in Slack in #core by peterwilsoncc.

#3 @peterwilsoncc
3 years ago

  • Component changed from Editor to Formatting

This was discussed in a triage session today.

This seems very similar to #34698 which involved the sanitization functions rather than the editor so I've moved this over to the formatting component.

#4 @sabernhardt
4 weeks ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

This was reported as early as #43785, so I'll close as a duplicate.
