From a20cb28d147b7090175c10a5f6ed6fdc49f347d2 Mon Sep 17 00:00:00 2001 From: Weston Ruter Date: Fri, 29 Sep 2023 19:47:21 +0000 Subject: [PATCH] Script Loader: Harden removal of script tag wrappers. * Add `wp_remove_surrounding_empty_script_tags()` to more precisely remove script tag wrappers and warn when doing it wrong. * Add clarifying comments for XML escaping logic in `wp_get_inline_script_tag()`. * Leverage `WP_HTML_Tag_Processor` in `test_remove_frameless_preview_messenger_channel`. * Reuse `assertEqualMarkup` in `test_blocking_dependent_with_delayed_dependency`. * Normalize whitespace in `parse_markup_fragment` for `assertEqualMarkup`. Follow-up to [56687]. Props dmsnell, westonruter, flixos90. See #58664. Built from https://develop.svn.wordpress.org/trunk@56748 git-svn-id: http://core.svn.wordpress.org/trunk@56260 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/class-wp-customize-manager.php | 8 +- wp-includes/functions.php | 2 +- wp-includes/script-loader.php | 86 ++++++++++++++++++- wp-includes/theme-templates.php | 2 +- wp-includes/theme.php | 2 +- wp-includes/version.php | 2 +- .../widgets/class-wp-widget-archives.php | 2 +- .../widgets/class-wp-widget-categories.php | 2 +- wp-login.php | 10 +-- 9 files changed, 99 insertions(+), 17 deletions(-) diff --git a/wp-includes/class-wp-customize-manager.php b/wp-includes/class-wp-customize-manager.php index aebcfeb892..c1cf81f142 100644 --- a/wp-includes/class-wp-customize-manager.php +++ b/wp-includes/class-wp-customize-manager.php @@ -474,7 +474,7 @@ final class WP_Customize_Manager { } )( wp.customize, ); ', '' ), '', ob_get_clean() ) ); + $message .= wp_get_inline_script_tag( wp_remove_surrounding_empty_script_tags( ob_get_clean() ) ); } wp_die( $message ); @@ -2109,7 +2109,7 @@ final class WP_Customize_Manager { } )(); ', '' ), '', ob_get_clean() ) ); + wp_print_inline_script_tag( wp_remove_surrounding_empty_script_tags( ob_get_clean() ) ); } /** @@ -2230,7 +2230,7 @@ final class WP_Customize_Manager { })( _wpCustomizeSettings.values ); ', '' ), '', ob_get_clean() ) ); + wp_print_inline_script_tag( wp_remove_surrounding_empty_script_tags( ob_get_clean() ) ); } /** @@ -5019,7 +5019,7 @@ final class WP_Customize_Manager { ?> ', '' ), '', ob_get_clean() ) ); + wp_print_inline_script_tag( wp_remove_surrounding_empty_script_tags( ob_get_clean() ) ); } /** diff --git a/wp-includes/functions.php b/wp-includes/functions.php index d7c0a9bbdf..d070c1695a 100644 --- a/wp-includes/functions.php +++ b/wp-includes/functions.php @@ -7619,7 +7619,7 @@ function wp_post_preview_js() { }()); ', '' ), '', ob_get_clean() ) ); + wp_print_inline_script_tag( wp_remove_surrounding_empty_script_tags( ob_get_clean() ) ); } /** diff --git a/wp-includes/script-loader.php b/wp-includes/script-loader.php index 4f17461752..1527c69819 100644 --- a/wp-includes/script-loader.php +++ b/wp-includes/script-loader.php @@ -2853,9 +2853,43 @@ function wp_get_inline_script_tag( $javascript, $attributes = array() ) { ); } - // Ensure markup is XHTML compatible if not HTML5. + /* + * XHTML extracts the contents of the SCRIPT element and then the XML parser + * decodes character references and other syntax elements. This can lead to + * misinterpretation of the script contents or invalid XHTML documents. + * + * Wrapping the contents in a CDATA section instructs the XML parser not to + * transform the contents of the SCRIPT element before passing them to the + * JavaScript engine. + * + * Example: + * + * + * + * In an HTML document this would print "…" to the console, + * but in an XHTML document it would print "…" to the console. + * + * + * + * In an HTML document this would print "An image is in HTML", + * but it's an invalid XHTML document because it interprets the `` + * as an empty tag missing its closing `/`. + * + * @see https://www.w3.org/TR/xhtml1/#h-4.8 + */ if ( ! $is_html5 ) { - $javascript = str_replace( ']]>', ']]]]>', $javascript ); // Escape any existing CDATA section. + /* + * If the string `]]>` exists within the JavaScript it would break + * out of any wrapping CDATA section added here, so to start, it's + * necessary to escape that sequence which requires splitting the + * content into two CDATA sections wherever it's found. + * + * Note: it's only necessary to escape the closing `]]>` because + * an additional `', ']]]]>', $javascript ); + + // Wrap the entire escaped script inside a CDATA section. $javascript = sprintf( "/* */", $javascript ); } @@ -3299,3 +3333,51 @@ function wp_add_editor_classic_theme_styles( $editor_settings ) { return $editor_settings; } + +/** + * Removes leading and trailing _empty_ script tags. + * + * This is a helper meant to be used for literal script tag construction + * within `wp_get_inline_script_tag()` or `wp_print_inline_script_tag()`. + * It removes the literal values of "" from + * around an inline script after trimming whitespace. Typlically this + * is used in conjunction with output buffering, where `ob_get_clean()` + * is passed as the `$contents` argument. + * + * Example: + * + * // Strips exact literal empty SCRIPT tags. + * $js = '; + * 'sayHello();' === wp_remove_surrounding_empty_script_tags( $js ); + * + * // Otherwise if anything is different it warns in the JS console. + * $js = ''; + * 'console.error( ... )' === wp_remove_surrounding_empty_script_tags( $js ); + * + * @private + * @since 6.4.0 + * + * @see wp_print_inline_script_tag() + * @see wp_get_inline_script_tag() + * + * @param string $contents Script body with manually created SCRIPT tag literals. + * @return string Script body without surrounding script tag literals, or + * original contents if both exact literals aren't present. + */ +function wp_remove_surrounding_empty_script_tags( $contents ) { + $contents = trim( $contents ); + $opener = ''; + + if ( + strlen( $contents ) > strlen( $opener ) + strlen( $closer ) && + strtoupper( substr( $contents, 0, strlen( $opener ) ) ) === $opener && + strtoupper( substr( $contents, -strlen( $closer ) ) ) === $closer + ) { + return substr( $contents, strlen( $opener ), -strlen( $closer ) ); + } else { + $error_message = __( 'Expected string to start with script tag (without attributes) and end with script tag, with optional whitespace.' ); + _doing_it_wrong( __FUNCTION__, $error_message, '6.4' ); + return sprintf( 'console.error(%s)', wp_json_encode( __( 'Function wp_remove_surrounding_empty_script_tags() used incorrectly in PHP.' ) . ' ' . $error_message ) ); + } +} diff --git a/wp-includes/theme-templates.php b/wp-includes/theme-templates.php index 8f0ee9a69f..cc4b19ecce 100644 --- a/wp-includes/theme-templates.php +++ b/wp-includes/theme-templates.php @@ -205,7 +205,7 @@ function the_block_template_skip_link() { }() ); ', '' ), '', ob_get_clean() ); + $skip_link_script = wp_remove_surrounding_empty_script_tags( ob_get_clean() ); $script_handle = 'wp-block-template-skip-link'; wp_register_script( $script_handle, false ); wp_add_inline_script( $script_handle, $skip_link_script ); diff --git a/wp-includes/theme.php b/wp-includes/theme.php index 087d563352..1eccd460b1 100644 --- a/wp-includes/theme.php +++ b/wp-includes/theme.php @@ -3800,7 +3800,7 @@ function wp_customize_support_script() { }()); ', '' ), '', ob_get_clean() ) ); + wp_print_inline_script_tag( wp_remove_surrounding_empty_script_tags( ob_get_clean() ) ); } /** diff --git a/wp-includes/version.php b/wp-includes/version.php index cc38f4f2b6..f20a44fb47 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -16,7 +16,7 @@ * * @global string $wp_version */ -$wp_version = '6.4-beta1-56747'; +$wp_version = '6.4-beta1-56748'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. diff --git a/wp-includes/widgets/class-wp-widget-archives.php b/wp-includes/widgets/class-wp-widget-archives.php index 21d3a7b672..7457244833 100644 --- a/wp-includes/widgets/class-wp-widget-archives.php +++ b/wp-includes/widgets/class-wp-widget-archives.php @@ -120,7 +120,7 @@ class WP_Widget_Archives extends WP_Widget { })(); ', '' ), '', ob_get_clean() ) ); + wp_print_inline_script_tag( wp_remove_surrounding_empty_script_tags( ob_get_clean() ) ); } else { $format = current_theme_supports( 'html5', 'navigation-widgets' ) ? 'html5' : 'xhtml'; diff --git a/wp-includes/widgets/class-wp-widget-categories.php b/wp-includes/widgets/class-wp-widget-categories.php index e00ce7f960..b79881e752 100644 --- a/wp-includes/widgets/class-wp-widget-categories.php +++ b/wp-includes/widgets/class-wp-widget-categories.php @@ -108,7 +108,7 @@ class WP_Widget_Categories extends WP_Widget { ', '' ), '', ob_get_clean() ) ); + wp_print_inline_script_tag( wp_remove_surrounding_empty_script_tags( ob_get_clean() ) ); } else { $format = current_theme_supports( 'html5', 'navigation-widgets' ) ? 'html5' : 'xhtml'; diff --git a/wp-login.php b/wp-login.php index 80887f0420..f03eea3636 100644 --- a/wp-login.php +++ b/wp-login.php @@ -105,7 +105,7 @@ function login_header( $title = 'Log In', $message = '', $wp_error = null ) { ?> ', '' ), '', ob_get_clean() ) ); + wp_print_inline_script_tag( wp_remove_surrounding_empty_script_tags( ob_get_clean() ) ); } /** @@ -419,12 +419,12 @@ function login_footer( $input_id = '' ) { if ( ! empty( $input_id ) ) { ob_start(); ?> - ', '' ), '', ob_get_clean() ) ); + wp_print_inline_script_tag( wp_remove_surrounding_empty_script_tags( ob_get_clean() ) ); } /** @@ -1362,7 +1362,7 @@ switch ( $action ) { ?> ', '' ), '', ob_get_clean() ) ); + wp_print_inline_script_tag( wp_remove_surrounding_empty_script_tags( ob_get_clean() ) ); } ?> @@ -1627,7 +1627,7 @@ switch ( $action ) { }()); ', '' ), '', ob_get_clean() ) ); + wp_print_inline_script_tag( wp_remove_surrounding_empty_script_tags( ob_get_clean() ) ); } login_footer();