From 34119e2c95be8b2084d92b1fbdfe3ac15ac8e27a Mon Sep 17 00:00:00 2001
From: Peter Wilson
Date: Tue, 13 Jul 2021 05:59:01 +0000
Subject: [PATCH] Widgets: Validate HTML before saving block widgets.

Props talldanwp, noisysocks, kevin940726, peterwilsoncc.
Built from https://develop.svn.wordpress.org/trunk@51414

git-svn-id: http://core.svn.wordpress.org/trunk@51025 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/class-wp-customize-widgets.php | 7 +++++++
 wp-includes/version.php | 2 +-
 wp-includes/widgets/class-wp-widget-block.php | 9 +++++++--
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/wp-includes/class-wp-customize-widgets.php b/wp-includes/class-wp-customize-widgets.php
index c1ed9c8e90..d5cae766b9 100644
--- a/wp-includes/class-wp-customize-widgets.php
+++ b/wp-includes/class-wp-customize-widgets.php
@@ -1419,6 +1419,13 @@ final class WP_Customize_Widgets {
 if ( isset( $value['raw_instance'] ) && $id_base && wp_use_widgets_block_editor() ) {
 $widget_object = $wp_widget_factory->get_widget_object( $id_base );
 if ( ! empty( $widget_object->widget_options['show_instance_in_rest'] ) ) {
+ if ( 'block' === $id_base && ! current_user_can( 'unfiltered_html' ) ) {
+ // The content of the 'block' widget is not filtered on the
+ // fly while editing. Filter the content here to prevent
+ // vulnerabilities.
+ $value['raw_instance']['content'] = wp_kses_post( $value['raw_instance']['content'] );
+ }
+
 return $value['raw_instance'];
 }
 }
diff --git a/wp-includes/version.php b/wp-includes/version.php
index af46fd94f1..33754d11b2 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -13,7 +13,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '5.9-alpha-51413';
+$wp_version = '5.9-alpha-51414';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
diff --git a/wp-includes/widgets/class-wp-widget-block.php b/wp-includes/widgets/class-wp-widget-block.php
index 8d322ef4e7..bf63359e21 100644
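Review bot: The new guard in the customize-widgets hunk filters `$value['raw_instance']['content']` without confirming the key exists, so a raw_instance payload that omits `content` passes null to `wp_kses_post()` and comes back with `content` created as an empty string; extending the condition to `if ( 'block' === $id_base && isset( $value['raw_instance']['content'] ) && ! current_user_can( 'unfiltered_html' ) ) {` keeps the sanitizer a no-op for such payloads. The comment would help a future reader more by naming the risk rather than saying "vulnerabilities", for example `// Users without unfiltered_html must not be able to persist arbitrary HTML through the block widget; apply the same wp_kses_post() filtering WP_Widget_Block::update() applies on save.`. Hard-coding `'block' === $id_base` ties this check to one widget id, so any other widget that later exposes raw instance content would bypass it silently; delegating the decision to the widget object would keep the two save paths from drifting. The enclosing method begins and ends outside the hunk.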
--- a/wp-includes/widgets/class-wp-widget-block.php
+++ b/wp-includes/widgets/class-wp-widget-block.php
@@ -178,8 +178,13 @@ class WP_Widget_Block extends WP_Widget {
 * @return array Settings to save or bool false to cancel saving.
 */
 public function update( $new_instance, $old_instance ) {
- $instance = array_merge( $this->default_instance, $old_instance );
- $instance['content'] = $new_instance['content'];
+ $instance = array_merge( $this->default_instance, $old_instance );
+
+ if ( current_user_can( 'unfiltered_html' ) ) {
+ $instance['content'] = $new_instance['content'];
+ } else {
+ $instance['content'] = wp_kses_post( $new_instance['content'] );
+ }
 return $instance;
 }
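Review bot: Both branches of the new `if`/`else` read `$new_instance['content']` unguarded, so a submission that omits the key raises an undefined-index warning and, on the filtered branch, hands null to `wp_kses_post()`; reading it once via `$content = isset( $new_instance['content'] ) ? $new_instance['content'] : '';` and assigning from `$content` in both branches avoids that. The capability check plus `wp_kses_post()` call duplicates the logic this same commit adds to `WP_Customize_Widgets`, which invites the two save paths to diverge on a later change; a single helper on `WP_Widget_Block` that both call would keep them aligned. The `@return` docblock starts outside the hunk and would benefit from a sentence stating that `content` is passed through `wp_kses_post()` when the current user lacks `unfiltered_html`, since callers comparing stored content to what was submitted will otherwise be surprised.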