Add: Missing output escaping on some blocks. (#45045)

jorgefilipecosta · michalczaplinski · commit 9ad568e78a8c · 2022-10-17T19:22:49.000-05:00
diff --git a/packages/block-library/src/navigation/index.php b/packages/block-library/src/navigation/index.php
@@ -646,7 +646,7 @@ function render_block_core_navigation( $attributes, $content, $block ) {
 		$toggle_aria_label_close,
 		esc_attr( implode( ' ', $responsive_container_classes ) ),
 		esc_attr( implode( ' ', $open_button_classes ) ),
-		safecss_filter_attr( $colors['overlay_inline_styles'] ),
+		esc_attr( safecss_filter_attr( $colors['overlay_inline_styles'] ) ),
 		__( 'Menu' ),
 		$toggle_button_content,
 		$toggle_close_button_content
diff --git a/packages/block-library/src/rss/index.php b/packages/block-library/src/rss/index.php
@@ -20,7 +20,7 @@ function render_block_core_rss( $attributes ) {
 	$rss = fetch_feed( $attributes['feedURL'] );
 
 	if ( is_wp_error( $rss ) ) {
-		return '<div class="components-placeholder"><div class="notice notice-error"><strong>' . __( 'RSS Error:' ) . '</strong> ' . $rss->get_error_message() . '</div></div>';
+		return '<div class="components-placeholder"><div class="notice notice-error"><strong>' . __( 'RSS Error:' ) . '</strong> ' . esc_html( $rss->get_error_message() ) . '</div></div>';
 	}
 
 	if ( ! $rss->get_item_quantity() ) {
@@ -48,8 +48,8 @@ function render_block_core_rss( $attributes ) {
 			if ( $date ) {
 				$date = sprintf(
 					'<time datetime="%1$s" class="wp-block-rss__item-publish-date">%2$s</time> ',
-					date_i18n( get_option( 'c' ), $date ),
-					date_i18n( get_option( 'date_format' ), $date )
+					esc_attr( date_i18n( get_option( 'c' ), $date ) ),
+					esc_attr( date_i18n( get_option( 'date_format' ), $date ) )
 				);
 			}
 		}
diff --git a/packages/block-library/src/search/index.php b/packages/block-library/src/search/index.php
@@ -367,12 +367,12 @@ function styles_for_block_core_search( $attributes ) {
 	// Add color styles.
 	$has_text_color = ! empty( $attributes['style']['color']['text'] );
 	if ( $has_text_color ) {
-		$button_styles[] = sprintf( 'color: %s;', esc_attr( $attributes['style']['color']['text'] ) );
+		$button_styles[] = sprintf( 'color: %s;', $attributes['style']['color']['text'] );
 	}
 
 	$has_background_color = ! empty( $attributes['style']['color']['background'] );
 	if ( $has_background_color ) {
-		$button_styles[] = sprintf( 'background-color: %s;', esc_attr( $attributes['style']['color']['background'] ) );
+		$button_styles[] = sprintf( 'background-color: %s;', $attributes['style']['color']['background'] );
 	}
 
 	$has_custom_gradient = ! empty( $attributes['style']['color']['gradient'] );
@@ -399,9 +399,9 @@ function styles_for_block_core_search( $attributes ) {
 	}
 
 	return array(
-		'input'   => ! empty( $input_styles ) ? sprintf( ' style="%s"', safecss_filter_attr( implode( ' ', $input_styles ) ) ) : '',
-		'button'  => ! empty( $button_styles ) ? sprintf( ' style="%s"', safecss_filter_attr( implode( ' ', $button_styles ) ) ) : '',
-		'wrapper' => ! empty( $wrapper_styles ) ? sprintf( ' style="%s"', safecss_filter_attr( implode( ' ', $wrapper_styles ) ) ) : '',
+		'input'   => ! empty( $input_styles ) ? sprintf( ' style="%s"', esc_attr( safecss_filter_attr( implode( ' ', $input_styles ) ) ) ) : '',
+		'button'  => ! empty( $button_styles ) ? sprintf( ' style="%s"', esc_attr( safecss_filter_attr( implode( ' ', $button_styles ) ) ) ) : '',
+		'wrapper' => ! empty( $wrapper_styles ) ? sprintf( ' style="%s"', esc_attr( safecss_filter_attr( implode( ' ', $wrapper_styles ) ) ) ) : '',
 		'label'   => ! empty( $label_styles ) ? sprintf( ' style="%s"', esc_attr( safecss_filter_attr( implode( ' ', $label_styles ) ) ) ) : '',
 	);
 }
diff --git a/packages/widgets/src/blocks/legacy-widget/index.php b/packages/widgets/src/blocks/legacy-widget/index.php
@@ -34,7 +34,7 @@ function render_block_core_legacy_widget( $attributes ) {
 
 	if ( isset( $attributes['instance']['encoded'], $attributes['instance']['hash'] ) ) {
 		$serialized_instance = base64_decode( $attributes['instance']['encoded'] );
-		if ( wp_hash( $serialized_instance ) !== $attributes['instance']['hash'] ) {
+		if ( ! hash_equals( wp_hash( $serialized_instance ), (string) $attributes['instance']['hash'] ) ) {
 			return '';
 		}
 		$instance = unserialize( $serialized_instance );
diff --git a/packages/widgets/src/blocks/widget-group/index.php b/packages/widgets/src/blocks/widget-group/index.php
@@ -28,7 +28,7 @@ function render_block_core_widget_group( $attributes, $content, $block ) {
 	$html = '';
 
 	if ( ! empty( $attributes['title'] ) ) {
-		$html .= $before_title . $attributes['title'] . $after_title;
+		$html .= $before_title . esc_html( $attributes['title'] ) . $after_title;
 	}
 
 	$html .= '<div class="wp-widget-group__inner-blocks">';

Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ function render_block_core_rss( $attributes ) {`
`20`	`20`	`$rss = fetch_feed( $attributes['feedURL'] );`
`21`	`21`
`22`	`22`	`if ( is_wp_error( $rss ) ) {`
`23`		`- return '<div class="components-placeholder"><div class="notice notice-error"><strong>' . __( 'RSS Error:' ) . '</strong> ' . $rss->get_error_message() . '</div></div>';`
	`23`	`+ return '<div class="components-placeholder"><div class="notice notice-error"><strong>' . __( 'RSS Error:' ) . '</strong> ' . esc_html( $rss->get_error_message() ) . '</div></div>';`
`24`	`24`	`}`
`25`	`25`
`26`	`26`	`if ( ! $rss->get_item_quantity() ) {`
`@@ -48,8 +48,8 @@ function render_block_core_rss( $attributes ) {`
`48`	`48`	`if ( $date ) {`
`49`	`49`	`$date = sprintf(`
`50`	`50`	`'<time datetime="%1$s" class="wp-block-rss__item-publish-date">%2$s</time> ',`
`51`		`- date_i18n( get_option( 'c' ), $date ),`
`52`		`- date_i18n( get_option( 'date_format' ), $date )`
	`51`	`+ esc_attr( date_i18n( get_option( 'c' ), $date ) ),`
	`52`	`+ esc_attr( date_i18n( get_option( 'date_format' ), $date ) )`
`53`	`53`	`);`
`54`	`54`	`}`
`55`	`55`	`}`
Original file line number	Diff line number	Diff line change
`@@ -367,12 +367,12 @@ function styles_for_block_core_search( $attributes ) {`
`367`	`367`	`// Add color styles.`
`368`	`368`	`$has_text_color = ! empty( $attributes['style']['color']['text'] );`
`369`	`369`	`if ( $has_text_color ) {`
`370`		`- $button_styles[] = sprintf( 'color: %s;', esc_attr( $attributes['style']['color']['text'] ) );`
	`370`	`+ $button_styles[] = sprintf( 'color: %s;', $attributes['style']['color']['text'] );`
`371`	`371`	`}`
`372`	`372`
`373`	`373`	`$has_background_color = ! empty( $attributes['style']['color']['background'] );`
`374`	`374`	`if ( $has_background_color ) {`
`375`		`- $button_styles[] = sprintf( 'background-color: %s;', esc_attr( $attributes['style']['color']['background'] ) );`
	`375`	`+ $button_styles[] = sprintf( 'background-color: %s;', $attributes['style']['color']['background'] );`
`376`	`376`	`}`
`377`	`377`
`378`	`378`	`$has_custom_gradient = ! empty( $attributes['style']['color']['gradient'] );`
`@@ -399,9 +399,9 @@ function styles_for_block_core_search( $attributes ) {`
`399`	`399`	`}`
`400`	`400`
`401`	`401`	`return array(`
`402`		`- 'input' => ! empty( $input_styles ) ? sprintf( ' style="%s"', safecss_filter_attr( implode( ' ', $input_styles ) ) ) : '',`
`403`		`- 'button' => ! empty( $button_styles ) ? sprintf( ' style="%s"', safecss_filter_attr( implode( ' ', $button_styles ) ) ) : '',`
`404`		`- 'wrapper' => ! empty( $wrapper_styles ) ? sprintf( ' style="%s"', safecss_filter_attr( implode( ' ', $wrapper_styles ) ) ) : '',`
	`402`	`+ 'input' => ! empty( $input_styles ) ? sprintf( ' style="%s"', esc_attr( safecss_filter_attr( implode( ' ', $input_styles ) ) ) ) : '',`
	`403`	`+ 'button' => ! empty( $button_styles ) ? sprintf( ' style="%s"', esc_attr( safecss_filter_attr( implode( ' ', $button_styles ) ) ) ) : '',`
	`404`	`+ 'wrapper' => ! empty( $wrapper_styles ) ? sprintf( ' style="%s"', esc_attr( safecss_filter_attr( implode( ' ', $wrapper_styles ) ) ) ) : '',`
`405`	`405`	`'label' => ! empty( $label_styles ) ? sprintf( ' style="%s"', esc_attr( safecss_filter_attr( implode( ' ', $label_styles ) ) ) ) : '',`
`406`	`406`	`);`
`407`	`407`	`}`
Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ function render_block_core_legacy_widget( $attributes ) {`
`34`	`34`
`35`	`35`	`if ( isset( $attributes['instance']['encoded'], $attributes['instance']['hash'] ) ) {`
`36`	`36`	`$serialized_instance = base64_decode( $attributes['instance']['encoded'] );`
`37`		`- if ( wp_hash( $serialized_instance ) !== $attributes['instance']['hash'] ) {`
	`37`	`+ if ( ! hash_equals( wp_hash( $serialized_instance ), (string) $attributes['instance']['hash'] ) ) {`
`38`	`38`	`return '';`
`39`	`39`	`}`
`40`	`40`	`$instance = unserialize( $serialized_instance );`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ function render_block_core_widget_group( $attributes, $content, $block ) {`
`28`	`28`	`$html = '';`
`29`	`29`
`30`	`30`	`if ( ! empty( $attributes['title'] ) ) {`
`31`		`- $html .= $before_title . $attributes['title'] . $after_title;`
	`31`	`+ $html .= $before_title . esc_html( $attributes['title'] ) . $after_title;`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`$html .= '<div class="wp-widget-group__inner-blocks">';`