[wp-trac] [WordPress Trac] #50461: Sanitation breaking scripts in custom HTML block
WordPress Trac
noreply at wordpress.org
Tue Jun 23 23:32:48 UTC 2020
#50461: Sanitation breaking scripts in custom HTML block
--------------------------+-----------------------------
Reporter: claudiulodro | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Editor | Version: 5.4.2
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
In certain scenarios, some sort of (most likely regex-based) sanitization
in core WordPress converts `&&` elements into `&amp;&amp;` even when
placed within a custom HTML block and using a user with unfiltered_html
capabilities.
Here is a sample page content you can use to see the issue:
{{{
<!-- wp:html -->
<script>
This should work: &&
This doesn't: <= &&
> && After the "tag" is closed it works again
</script>
<!-- /wp:html -->
<!-- wp:html -->
<script>
// Sample script that could be mangled.
var foo = 1 <= 2;
if ( foo && true ) {
alert('worked');
}
</script>
<!-- /wp:html -->
}}}
On the frontend, this will be output as:
{{{
<script>
This should work: &&
This doesn't: <= &amp;&amp;
> && After the "tag" is closed it works again
</script>
<script>
// Sample script that could be mangled.
var foo = 1 <= 2;
if ( foo &amp;&amp; true ) {
alert('worked');
}
</script>
}}}
The reason I believe this is a regex issue is because only `&&` characters
after `<=` characters get converted to entities, and after a `>` character
the conversion stops and `&&` are output as normal. My theory is it's some
sort of regex-based sanitization for html attributes, but I haven't been
able to track down which one specifically.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50461>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
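The following is an added example, not code from the ticket or from WordPress core. It models the reporter's hypothesis with a constructed regex that treats every `<...>` span as a tag and entity-encodes `&` inside it, which reproduces the mangling pattern shown above (only `&&` after an unclosed `<=` is converted, and a later `>` ends the span). It then shows the same encoder skipping the raw-text contents of `<script>`/`<style>` elements, where `<` and `&` are not markup, plus a heuristic check a site owner can run over rendered output to spot the symptom. The function names, the `RAW_TEXT`/`TAG_SPAN` patterns and the check are all assumptions for illustration; the sample input is copied from the ticket's post content.

```python
import re

# Constructed sample: the ticket's two custom HTML blocks in their frontend form
# (wp:html block comments removed). Not WordPress code.
SAMPLE = """<script>
This should work: &&
This doesn't: <= &&
> && After the "tag" is closed it works again
</script>
<script>
// Sample script that could be mangled.
var foo = 1 <= 2;
if ( foo && true ) {
alert('worked');
}
</script>
"""

# Hypothetical model of the reporter's theory: anything from "<" to the next ">"
# is assumed to be a tag, and "&" inside such a span is encoded as an attribute
# would be. Inside <script>, "1 <= 2" opens a bogus "tag" that only closes at
# the next ">", so the "&&" after it gets converted.
TAG_SPAN = re.compile(r"<[^>]*>", re.DOTALL)


def naive_encode_amp_in_tags(html: str) -> str:
    """Entity-encode '&' in every '<...>' span, regardless of context."""
    return TAG_SPAN.sub(lambda m: m.group(0).replace("&", "&amp;"), html)


# Raw-text elements whose contents must not be parsed as markup at all.
RAW_TEXT = re.compile(
    r"(<(script|style)\b[^>]*>)(.*?)(</\2\s*>)", re.IGNORECASE | re.DOTALL
)


def encode_amp_in_tags_skipping_raw_text(html: str) -> str:
    """Same encoder, but <script>/<style> bodies are passed through untouched.

    The opening tag itself (which may carry attributes) is still encoded; only
    the raw-text body between the start and end tag is exempt.
    """
    out = []
    pos = 0
    for m in RAW_TEXT.finditer(html):
        out.append(naive_encode_amp_in_tags(html[pos:m.start()]))
        out.append(naive_encode_amp_in_tags(m.group(1)) + m.group(3) + m.group(4))
        pos = m.end()
    out.append(naive_encode_amp_in_tags(html[pos:]))
    return "".join(out)


SCRIPT_BODY = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.IGNORECASE | re.DOTALL)


def find_mangled_script_blocks(rendered_html: str) -> list:
    """Heuristic check over rendered page output: return the bodies of <script>
    elements that contain '&amp;'. A script that legitimately embeds '&amp;' in a
    string literal will also be flagged, so treat hits as candidates to review."""
    return [body for body in SCRIPT_BODY.findall(rendered_html) if "&amp;" in body]


if __name__ == "__main__":
    mangled = naive_encode_amp_in_tags(SAMPLE)
    print("naive encoder output:\n" + mangled)
    print("raw-text-aware encoder unchanged:", encode_amp_in_tags_skipping_raw_text(SAMPLE) == SAMPLE)
    print("script blocks flagged in naive output:", len(find_mangled_script_blocks(mangled)))
```

Running the block prints the naive encoder's output, which differs from the ticket's input exactly at the two `&&` that follow an unclosed `<=`, while the raw-text-aware variant leaves the sample untouched and still encodes `&` in ordinary attributes such as `href="?a=1&b=2"`.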