Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tag Processor: throw when supplied unacceptible attribute names. #44431

Merged
merged 7 commits into from
Sep 30, 2022

Conversation

dmsnell
Copy link
Member

@dmsnell dmsnell commented Sep 23, 2022

Part of #44410

What

The WP_HTML_Tag_Processor allows setting new HTML attributes with a given name and value. Previously this has allowed any string input for the attribute name, but we have to be careful not to print output that might break the HTML we're modifying.

In this patch we're adding a check against the given attribute name and rejecting invalid or unacceptible names. WordPress here is more restrictive than HTML5.

Why?

We don't want to allow setting attributes whose names could break the HTML syntax or open new vulnerabilities in code that parses post content.

How?

Validate the given attribute name with a PCRE pattern that looks for unalloyed characters.

Testing Instructions

Please audit the code and review the new unit tests.
Review with an eye towards security.

cc: @azaozz

@dmsnell dmsnell force-pushed the update/tag-processor-validate-attribute-names branch 2 times, most recently from d1fc120 to 8c7344d Compare September 23, 2022 23:01
The `WP_HTML_Tag_Processor` allows setting new HTML attributes with
a given name and value. Previously this has allowed any string input
for the attribute name, but we have to be careful not to print output
that might break the HTML we're modifying.

In this patch we're adding a check against the given attribute name
and rejecting invalid or unacceptible names. WordPress here is more
restrictive than HTML5.
@dmsnell dmsnell force-pushed the update/tag-processor-validate-attribute-names branch from 8c7344d to c284114 Compare September 23, 2022 23:04
@dmsnell dmsnell mentioned this pull request Sep 23, 2022
26 tasks
@adamziel
Copy link
Contributor

adamziel commented Sep 24, 2022

Would you please add a docstring link to the docs section where these characters are specified? It was there, I just missed it!

@adamziel
Copy link
Contributor

adamziel commented Sep 26, 2022

I needed to manually set WP_DEBUG to true to make the tests pass as the exception is only thrown conditionally.

throw new Exception( 'Invalid attribute name' );
}

return;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

return new WP_Error perhaps?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we should return an object as devs won't check the return value anyway.

The special case in the debug mode looks like a reasonable approach. I'm curious whether there is any standardized way of logging those issues.

Maybe we could call _doing_it_wrong. We use that in several places when registering blocks or similar stuff for the block editor, for example:

https://github.com/WordPress/wordpress-develop/blob/2b1febd20d77898eb81439a688ea5597da00172a/src/wp-includes/class-wp-block-type-registry.php#L55L62

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is the big point about this patch that I'm unsure of. my only goal is to quickly bail if someone submits the wrong attribute, as I don't think it's likely people will send user-input attribute names here. if they do do that then I don't want it to crash the full render.

I'll ask around and see if anyone else has experience with this kind of failure.

Copy link
Contributor

@azaozz azaozz Sep 26, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

my only goal is to quickly bail if someone submits the wrong attribute

Yes, think this is the best approach here. If a plugin allows user input for attribute names (very unlikely as usually these are not random), it will have to make sure the input is valid, or the attribute will be skipped.

Copy link
Contributor

@azaozz azaozz Sep 26, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm curious whether there is any standardized way of logging those issues.

Think there isn't one, unfortunately. Has been discussed few times afaik but a decision on how to implement it was not reached. Thinking it is time for this to be added to core. Perhaps another constant: WP_DEV_MODE or similar, then be much bolder about throwing errors and exceptions (with backtrace?) and writing in logs.

Using WP_DEBUG seems proper here imho. doing_it_wrong doesn't seem as good because it is targeted more at developers that try to use some function/method improperly (when there are better ways).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@azaozz, great feedback! Thank you so much for clarifying where given options fit best.

Copy link
Contributor

@adamziel adamziel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! I left a few comments, but my only substantial point is about the test cases.

dmsnell and others added 4 commits September 26, 2022 14:48
The tests verifying behaviors dependent on whether `WP_DEBUG` is
set need to run in an isolated environment so that the constant's
definition doesn't bleed into other tests. The isolated runner is
very slow in comparison to the non-isolated runner so only those
tests dependent on the constant are moved over.
@adamziel
Copy link
Contributor

I added some positive test cases in ff9da88.

@dmsnell dmsnell merged commit 1ab25e5 into trunk Sep 30, 2022
@dmsnell dmsnell deleted the update/tag-processor-validate-attribute-names branch September 30, 2022 20:09
@github-actions github-actions bot added this to the Gutenberg 14.3 milestone Sep 30, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants