[wp-trac] [WordPress Trac] #61828: Global Styles: Refactor wp_add_inline_style() to use HTML API

WordPress Trac noreply at wordpress.org
Tue Aug 6 05:46:52 UTC 2024 

#61828: Global Styles: Refactor wp_add_inline_style() to use HTML API
---------------------------+-----------------------------
 Reporter:  ramonopoly     |      Owner:  (none)
     Type:  defect (bug)   |     Status:  new
 Priority:  normal         |  Milestone:  Awaiting Review
Component:  Script Loader  |    Version:  trunk
 Severity:  normal         |   Keywords:
  Focuses:  css            |
---------------------------+-----------------------------
 The current implementation of `wp_add_inline_style` strips matching
 `<style />` tags in the incoming data, and removes them, preserving the
 nested content.

 The function's `preg_replace` regex assumes balanced tags, e.g.,
 `<style>...content</style>`.

 It cannot however detect when incoming data contains a closing style tag
 `</style>`.

 The consequence is that the style tag generated by WordPress in
 `WP_Styles()` can be short circuited.

 Furthermore:

 - the `stripos` won't detect closing style tags with attributes (which is
 allowed)


 Example:


 {{{
 <?php

 function like_wp_add_inline_style( $data ) {
     if ( false !== stripos( $data, '</style>' ) ) {
         return trim( preg_replace( '#<style[^>]*>(.*)</style>#is', '$1',
 $data ) );
     }
     return 'yay';
 }

 //  ## Do what wp_add_inline_style expects:
 $result = like_wp_add_inline_style( ".captain {<style><p>Do it to me one
 more time...</p></style>}");

 /*
 Output in frontend:
 <style id='my-inline-css' type='text/css'>
 .captain {<p>Do it to me one more time...</p>}
 </style>
 */

 // -------------------------------------------------

 // ## Do what wp_add_inline_style doesn't expect:
 $result = like_wp_add_inline_style( ".captain {</style><p>Do it to me one
 more time...</p><style>}");


 /*
 Output in frontend:
 <style id='my-inline-css' type='text/css'>
 .captain {</style><p>Do it to me one more time...</p><style>}
 </style>
 */

 }}}

 `wp_add_inline_style` should be updated to escape closing style tags,
 except in the case of balanced tags, where it should match existing
 functionality.

 Props to @dmsnell, @peterwilsoncc and @costdev for helping diagnose and
 address this issue

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/61828>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list