[wp-trac] [WordPress Trac] #50997: Block Editor showing blank in WordPress 5.5

WordPress Trac noreply at wordpress.org
Fri Jul 15 18:44:13 UTC 2022

#50997: Block Editor showing blank in WordPress 5.5
 Reporter:  david-woakes  |       Owner:  (none)
     Type:  defect (bug)  |      Status:  reopened
 Priority:  normal        |   Milestone:
Component:  Editor        |     Version:  5.5
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:
Changes (by jornfranke):

 * status:  closed => reopened
 * resolution:  invalid =>


 I still see it in the latest WP6 version.
 Please note that unsafe-eval is not only about eval, but also about
 Function() etc. (see here: https://developer.mozilla.org/en-

  You need to edit any post in the Block editor and in/related to the
 following scripts (or scripts these scripts are calling) - most of them
 are related to the use of Function():
 * /wp-includes/js/dist/data.min.js
 * /wp-includes/js/dist/core-data.min.js
 *  wp-includes/js/dist/reusable-blocks.min.js
 * wp-includes/js/dist/notices.min.js
 *  wp-includes/js/dist/keyboard-shortcuts.min.js
 * wp-includes/js/dist/rich-text.min.js
 * wp-includes/js/dist/viewport.min.js?
 *  wp-includes/js/dist/block-editor.min.js
 *  wp-includes/js/dist/preferences.min.js
 *  wp-includes/js/dist/editor.min.js
 * wp-includes/js/dist/edit-post.min.js
 *  wp-includes/js/dist/format-library.min.js
 *  wp-includes/js/dist/dom-ready.min.js
 * wp-content/themes/twentytwentyone/assets/js/editor.js
 * ... in fact many more (because they dont get called, I think all js
 files in dist are affected)

 See here for examples for problematic statements:
 * https://github.com/WordPress/WordPress/blob/master/wp-
 * https://github.com/WordPress/WordPress/blob/master/wp-
 * https://github.com/WordPress/WordPress/blob/master/wp-
 * https://github.com/WordPress/WordPress/blob/master/wp-
 * https://github.com/WordPress/WordPress/blob/master/wp-

 Note: those are just some examples, the files even contain much more
 instances of function (see https://developer.mozilla.org/en-

 Those are as said before mostly related to function() {} and thus they
 prevent setting a secure CSP on any WordPress instance.

 All this prevents to remove unsafe-eval from the CSPs and they introduce
 significant security risks.

 I do not know why WP does it this way, so I cannot estimate the efforts.
 However, the security benefits of having a safe CSP outweights this
 probably. Looking forward to test any fix to this.

Ticket URL: <https://core.trac.wordpress.org/ticket/50997#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list