[wp-trac] [WordPress Trac] #50997: Block Editor showing blank in WordPress 5.5
WordPress Trac
noreply at wordpress.org
Sat Jul 16 08:50:04 UTC 2022
#50997: Block Editor showing blank in WordPress 5.5
--------------------------+-----------------------
Reporter: david-woakes | Owner: (none)
Type: defect (bug) | Status: reopened
Priority: normal | Milestone:
Component: Editor | Version: 5.5
Severity: normal | Resolution:
Keywords: | Focuses:
--------------------------+-----------------------
Comment (by jornfranke):
Sorry, I meant of course the Function (capital F) object. Examples:
* https://github.com/WordPress/WordPress/blob/master/wp-includes/js/dist/data.js#L346
* https://github.com/WordPress/WordPress/blob/master/wp-includes/js/dist/block-editor.js
As you see it is the same as eval and thus bad.
It is also in a couple of other places, but luckily not in as many as
above.
Unfortunately, the concept of having a Function object as parameter is in
nearly all JS files mentioned above meaning it will be more work to update
it. For example (there are more):
* https://github.com/WordPress/WordPress/blob/master/wp-includes/js/dist/rich-text.js#L1061
* https://github.com/WordPress/WordPress/blob/master/wp-includes/js/dist/format-library.js#L786
* https://github.com/WordPress/WordPress/blob/master/wp-includes/js/dist/notices.js#L75
* https://github.com/WordPress/WordPress/blob/master/wp-includes/js/dist/notices.js#L176
However, from a security point of view it is a must, in my view.
While the use itself is insecure, we also cannot use CSPs to prevent
it from being used, by accident or on purpose, in plugins that may then
also introduce security problems.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50997#comment:9>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform