Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

improve regex to not break HTML comments #6577

Open
wants to merge 1 commit into
base: trunk
Choose a base branch
from
Open

improve regex to not break HTML comments #6577

wants to merge 1 commit into from

Conversation

kkmuffme
Copy link

@kkmuffme kkmuffme commented May 19, 2024
edited
Loading

Trac ticket: https://core.trac.wordpress.org/ticket/61246

I also added tests for the original ticket that introduced the deprecated function https://core.trac.wordpress.org/ticket/4409, since there were none.

Additionally, the fix also improves the existing logic by combining the escaping logic for <> into a single regex (ensuring it cannot be partially broken by removing of a filter and can be relied upon in 100% of cases).

Furthermore, a side effect is that it fixes broken behavior that kses would leave the last single or double quote unescaped, while escaping everything else unnecessarily.
see xssAttacks.xml "Remote Stylesheet 3" it will unnecessarily escape the " but will leave the last " unescaped
This seems to be a general issue that the last ' or " won't be escaped, e.g. also in
jQuery('#abc').append('<iframe src="xyz.com"></iframe>');
you'll end up with
jQuery(&#039;#abc&#039;).append(&#039;');

which itself was unsafe as the '); delimits the string now and can probably somehow abused (not too familiar with that tbf, so feedback welcome)
@github-actions GitHub Actions
Copy link

Test using WordPress Playground

The changes in this pull request can previewed and tested using a WordPress Playground instance.

WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser.

Some things to be aware of

  • The Plugin and Theme Directories cannot be accessed within Playground.
  • All changes will be lost when closing a tab with a Playground instance.
  • All changes will be lost when refreshing the page.
  • A fresh instance is created each time the link below is clicked.
  • Every time this pull request is updated, a new ZIP file containing all changes is created. If changes are not reflected in the Playground instance,
    it's possible that the most recent build failed, or has not completed. Check the list of workflow runs to be sure.

For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation.

Test this pull request with WordPress Playground.
@kkmuffme kkmuffme force-pushed the wp_kses-balanced-gt-lt-regex branch 3 times, most recently from 1ba2fe0 to c7387de Compare May 19, 2024 09:40
@kkmuffme kkmuffme force-pushed the wp_kses-balanced-gt-lt-regex branch from c7387de to 42b81ea Compare May 19, 2024 13:07
jamieblomerus
jamieblomerus approved these changes May 19, 2024
View reviewed changes
Copy link

@jamieblomerus jamieblomerus left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

I have taken a look at this and it seems to generally achieve its purpose making sure commented out code remains commented out. Good job!

Yet, I think this PR may benefit from one more set of eyes as I am still quite a new Core contributor.
@kkmuffme kkmuffme marked this pull request as ready for review May 19, 2024 20:19
@github-actions GitHub Actions
Copy link

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

Core Committers: Use this line as a base for the props when committing in SVN:

Props kkmuffme, jamieblomerus.

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
2 participants
@kkmuffme @jamieblomerus