Skip to content

Ensure block editor preloading middleware JSON is correctly escaped #8145

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
sirreal wants to merge 14 commits into from
Closed

Ensure block editor preloading middleware JSON is correctly escaped #8145

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
0230b1d
Add test with assertEqualHTML
sirreal Jun 11, 2025
97d3098
Update or fix tests
sirreal May 30, 2025
7e5d18a
Clean up test function name and documentation
sirreal Jun 11, 2025
af03c20
Revert test/data provider rename
sirreal Jun 11, 2025
38dfe96
Simplify test
sirreal Jun 11, 2025
5bf2ebf
Fix issue with other site urls in tests
sirreal Jun 11, 2025
5f10fb6
Fix json encode that may break enclosing script tag
sirreal Jan 17, 2025
e5b04e4
Always use JSON_HEX_TAG | JSON_UNESCAPED_SLASHES flags
sirreal Jun 11, 2025
554080b
Revert "Always use JSON_HEX_TAG | JSON_UNESCAPED_SLASHES flags"
sirreal Jul 16, 2025
3f4f86d
Revert "Fix json encode that may break enclosing script tag"
sirreal Jul 16, 2025
495e938
Reapply "Fix json encode that may break enclosing script tag"
sirreal Jul 16, 2025
f060cd4
Reapply "Always use JSON_HEX_TAG | JSON_UNESCAPED_SLASHES flags"
sirreal Jul 16, 2025
3927310
Fix typo and improve test description
sirreal Aug 19, 2025
1b41f43
Fix test
sirreal Aug 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/wp-includes/block-editor.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -766,7 +766,7 @@ function block_editor_rest_api_preload( array $preload_paths, $block_editor_cont
'wp-api-fetch',
sprintf(
'wp.apiFetch.use( wp.apiFetch.createPreloadingMiddleware( %s ) );',
wp_json_encode( $preload_data )
wp_json_encode( $preload_data, JSON_HEX_TAG | JSON_UNESCAPED_SLASHES )
),
'after'
);
Expand Down
62 changes: 54 additions & 8 deletions tests/phpunit/tests/blocks/editor.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@
* @group blocks
*/
class Tests_Blocks_Editor extends WP_UnitTestCase {

/**
* Sets up each test method.
*/
Expand Down Expand Up @@ -631,8 +630,8 @@ function filter_add_preload_paths( $preload_paths, WP_Block_Editor_Context $cont

$after = implode( '', wp_scripts()->registered['wp-api-fetch']->extra['after'] );
$this->assertStringContainsString( 'wp.apiFetch.createPreloadingMiddleware', $after );
$this->assertStringContainsString( '"\/wp\/v2\/blocks"', $after );
$this->assertStringContainsString( '"\/wp\/v2\/types"', $after );
$this->assertStringContainsString( '"/wp/v2/blocks"', $after );
$this->assertStringContainsString( '"/wp/v2/types"', $after );
}

/**
Expand Down Expand Up @@ -697,28 +696,75 @@ public function data_block_editor_rest_api_preload_adds_missing_leading_slash()
return array(
'a string without a slash' => array(
'preload_paths' => array( 'wp/v2/blocks' ),
'expected' => '\/wp\/v2\/blocks',
'expected' => '/wp/v2/blocks',
),
'a string with a slash' => array(
'preload_paths' => array( '/wp/v2/blocks' ),
'expected' => '\/wp\/v2\/blocks',
'expected' => '/wp/v2/blocks',
),
'a string starting with a question mark' => array(
'preload_paths' => array( '?context=edit' ),
'expected' => '/?context=edit',
),
'an array with a string without a slash' => array(
'preload_paths' => array( array( 'wp/v2/blocks', 'OPTIONS' ) ),
'expected' => '\/wp\/v2\/blocks',
'expected' => '/wp/v2/blocks',
),
'an array with a string with a slash' => array(
'preload_paths' => array( array( '/wp/v2/blocks', 'OPTIONS' ) ),
'expected' => '\/wp\/v2\/blocks',
'expected' => '/wp/v2/blocks',
),
'an array with a string starting with a question mark' => array(
'preload_paths' => array( array( '?context=edit', 'OPTIONS' ) ),
'expected' => '\/?context=edit',
'expected' => '/?context=edit',
),
);
}

/**
* @ticket 62797
*
* @covers ::block_editor_rest_api_preload
*
* Some valid JSON-encoded data is dangerous to embed in HTML without appropriate
* escaping. This test includes an example of data that would prevent the enclosing
* `<script></script>` tag from closing on its apparent closer and remain open.
*/
public function test_ensure_preload_data_script_tag_closes() {
add_theme_support( 'html5', array( 'script' ) );
register_rest_route(
'test/v0',
'test-62797',
array(
'methods' => 'GET',
'callback' => function () {
return 'Unclosed comment and a script open tag <!--<script>';
},
'permission_callback' => '__return_true',
)
);

// Prevent a bunch of noisy or unstable data from being included in the test output.
wp_scripts()->registered['wp-api-fetch']->ver = 'test';
wp_scripts()->registered['wp-api-fetch']->extra['after'] = array();

block_editor_rest_api_preload(
array( '/test/v0/test-62797' ),
new WP_Block_Editor_Context()
);

ob_start();
wp_scripts()->do_item( 'wp-api-fetch' );
$output = ob_get_clean();

$baseurl = site_url();
$expected = <<<HTML
<script src="{$baseurl}/wp-includes/js/dist/api-fetch.min.js?ver=test" id="wp-api-fetch-js"></script>
<script id="wp-api-fetch-js-after">
wp.apiFetch.use( wp.apiFetch.createPreloadingMiddleware( {"/test/v0/test-62797":{"body":["Unclosed comment and a script open tag \\u003C!--\\u003Cscript\\u003E"],"headers":{"Allow":"GET"}}} ) );
</script>

HTML;
$this->assertEqualHTML( $expected, $output );
}
}
Loading