Merge branch 'trunk' of https://github.com/WordPress/wordpress-develop into trac-48456-codemirror-v5-upgrade

Author: westonruter

src/wp-admin/includes/class-wp-comments-list-table.php

@@ -155,6 +155,7 @@ public function prepare_items() {
 			'number'                    => $number,
 			'post_id'                   => $post_id,
 			'type'                      => $comment_type,
+			'type__not_in'              => array( 'note' ),
 			'orderby'                   => $orderby,
 			'order'                     => $order,
 			'post_type'                 => $post_type,

src/wp-admin/includes/class-wp-list-table.php

@@ -80,14 +80,14 @@ class WP_List_Table {
 	protected $_column_headers;
 
 	/**
-	 * {@internal Missing Summary}
+	 * List of private properties made readable for backward compatibility.
 	 *
 	 * @var array
 	 */
 	protected $compat_fields = array( '_args', '_pagination_args', 'screen', '_actions', '_pagination' );
 
 	/**
-	 * {@internal Missing Summary}
+	 * List of private/protected methods made readable for backward compatibility.
 	 *
 	 * @var array
 	 */
@@ -280,7 +280,7 @@ public function __call( $name, $arguments ) {
 	}
 
 	/**
-	 * Checks the current user's permissions
+	 * Checks the current user's permissions.
 	 *
 	 * @since 3.1.0
 	 * @abstract

src/wp-includes/customize/class-wp-customize-custom-css-setting.php

@@ -153,6 +153,11 @@ public function value() {
 	 * @since 4.7.0
 	 * @since 4.9.0 Checking for balanced characters has been moved client-side via linting in code editor.
 	 * @since 5.9.0 Renamed `$css` to `$value` for PHP 8 named parameter support.
+	 * @since 7.0.0 Only restricts contents which risk prematurely closing the STYLE element,
+	 *              either through a STYLE end tag or a prefix of one which might become a
+	 *              full end tag when combined with the contents of other styles.
+	 *
+	 * @see WP_REST_Global_Styles_Controller::validate_custom_css()
 	 *
 	 * @param string $value CSS to validate.
 	 * @return true|WP_Error True if the input was validated, otherwise WP_Error.
@@ -163,8 +168,73 @@ public function validate( $value ) {
 
 		$validity = new WP_Error();
 
-		if ( preg_match( '#</?\w+#', $css ) ) {
-			$validity->add( 'illegal_markup', __( 'Markup is not allowed in CSS.' ) );
+		$length = strlen( $css );
+		for (
+			$at = strcspn( $css, '<' );
+			$at < $length;
+			$at += strcspn( $css, '<', ++$at )
+		) {
+			$remaining_strlen = $length - $at;
+			/**
+			 * Custom CSS text is expected to render inside an HTML STYLE element.
+			 * A STYLE closing tag must not appear within the CSS text because it
+			 * would close the element prematurely.
+			 *
+			 * The text must also *not* end with a partial closing tag (e.g., `<`,
+			 * `</`, … `</style`) because subsequent styles which are concatenated
+			 * could complete it, forming a valid `</style>` tag.
+			 *
+			 * Example:
+			 *
+			 *     $style_a = 'p { font-weight: bold; </sty';
+			 *     $style_b = 'le> gotcha!';
+			 *     $combined = "{$style_a}{$style_b}";
+			 *
+			 *     $style_a = 'p { font-weight: bold; </style';
+			 *     $style_b = 'p > b { color: red; }';
+			 *     $combined = "{$style_a}\n{$style_b}";
+			 *
+			 * Note how in the second example, both of the style contents are benign
+			 * when analyzed on their own. The first style was likely the result of
+			 * improper truncation, while the second is perfectly sound. It was only
+			 * through concatenation that these two styles combined to form content
+			 * that would have broken out of the containing STYLE element, thus
+			 * corrupting the page and potentially introducing security issues.
+			 *
+			 * @see https://html.spec.whatwg.org/multipage/parsing.html#rawtext-end-tag-name-state
+			 */
+			$possible_style_close_tag = 0 === substr_compare(
+				$css,
+				'</style',
+				$at,
+				min( 7, $remaining_strlen ),
+				true
+			);
+			if ( $possible_style_close_tag ) {
+				if ( $remaining_strlen < 8 ) {
+					$validity->add(
+						'illegal_markup',
+						sprintf(
+							/* translators: %s is the CSS that was provided. */
+							__( 'The CSS must not end in "%s".' ),
+							esc_html( substr( $css, $at ) )
+						)
+					);
+					break;
+				}
+
+				if ( 1 === strspn( $css, " \t\f\r\n/>", $at + 7, 1 ) ) {
+					$validity->add(
+						'illegal_markup',
+						sprintf(
+							/* translators: %s is the CSS that was provided. */
+							__( 'The CSS must not contain "%s".' ),
+							esc_html( substr( $css, $at, 8 ) )
+						)
+					);
+					break;
+				}
+			}
 		}
 
 		if ( ! $validity->has_errors() ) {

src/wp-includes/rest-api/endpoints/class-wp-rest-global-styles-controller.php

@@ -674,6 +674,8 @@ public function get_theme_items( $request ) {
 	 *              either through a STYLE end tag or a prefix of one which might become a
 	 *              full end tag when combined with the contents of other styles.
 	 *
+	 * @see WP_Customize_Custom_CSS_Setting::validate()
+	 *
 	 * @param string $css CSS to validate.
 	 * @return true|WP_Error True if the input was validated, otherwise WP_Error.
 	 */
@@ -707,7 +709,7 @@ protected function validate_custom_css( $css ) {
 			 * Note how in the second example, both of the style contents are benign
 			 * when analyzed on their own. The first style was likely the result of
 			 * improper truncation, while the second is perfectly sound. It was only
-			 * through concatenation that these two scripts combined to form content
+			 * through concatenation that these two styles combined to form content
 			 * that would have broken out of the containing STYLE element, thus
 			 * corrupting the page and potentially introducing security issues.
 			 *

tests/phpunit/tests/admin/wpCommentsListTable.php

@@ -218,30 +218,61 @@ public function test_get_views_should_return_views_by_default() {
 	 * Verify that the comments table never shows the note comment_type.
 	 *
 	 * @ticket 64198
+	 * @ticket 64474
+	 *
+	 * @dataProvider data_comment_type
+	 *
+	 * @param string $comment_type The comment_type parameter value to test.
 	 */
-	public function test_comments_list_table_does_not_show_note_comment_type() {
-		$post_id    = self::factory()->post->create();
-		$note_id    = self::factory()->comment->create(
+	public function test_comments_list_table_does_not_show_note_comment_type( string $comment_type ) {
+		$post_id = self::factory()->post->create();
+		self::factory()->comment->create(
 			array(
 				'comment_post_ID'  => $post_id,
 				'comment_content'  => 'This is a note.',
 				'comment_type'     => 'note',
 				'comment_approved' => '1',
+				'comment_date'     => '2024-01-01 10:00:00',
+				'comment_date_gmt' => '2024-01-01 10:00:00',
 			)
 		);
-		$comment_id = self::factory()->comment->create(
+		$regular_comment_id       = self::factory()->comment->create(
 			array(
 				'comment_post_ID'  => $post_id,
 				'comment_content'  => 'This is a regular comment.',
 				'comment_type'     => '',
 				'comment_approved' => '1',
+				'comment_date'     => '2024-01-01 11:00:00',
+				'comment_date_gmt' => '2024-01-01 11:00:00',
+			)
+		);
+		$pingback_comment_id      = self::factory()->comment->create(
+			array(
+				'comment_post_ID'  => $post_id,
+				'comment_content'  => 'This is a pingback comment.',
+				'comment_type'     => '',
+				'comment_approved' => '1',
+				'comment_date'     => '2024-01-01 12:00:00',
+				'comment_date_gmt' => '2024-01-01 12:00:00',
 			)
 		);
-		// Request the note comment type.
-		$_REQUEST['comment_type'] = 'note';
+		$_REQUEST['comment_type'] = $comment_type;
 		$this->table->prepare_items();
 		$items = $this->table->items;
-		$this->assertCount( 1, $items );
-		$this->assertEquals( $comment_id, $items[0]->comment_ID );
+		$this->assertCount( 2, $items );
+		$this->assertEquals( $pingback_comment_id, $items[0]->comment_ID );
+		$this->assertEquals( $regular_comment_id, $items[1]->comment_ID );
+	}
+
+	/**
+	 * Data provider for test_comments_list_table_does_not_show_note_comment_type().
+	 *
+	 * @return array<string, string[]>
+	 */
+	public function data_comment_type(): array {
+		return array(
+			'note type explicitly requested' => array( 'note' ),
+			'all type requested'             => array( 'all' ),
+		);
 	}
 }

tests/phpunit/tests/customize/custom-css-setting.php

@@ -374,6 +374,31 @@ public function filter_update_custom_css_data( $data, $args ) {
 		return $data;
 	}
 
+	/**
+	 * Ensure that dangerous STYLE tag contents do not break HTML output.
+	 *
+	 * @ticket 64418
+	 * @covers ::wp_update_custom_css_post
+	 * @covers ::wp_custom_css_cb
+	 */
+	public function test_wp_custom_css_cb_escapes_dangerous_html() {
+		wp_update_custom_css_post(
+			'*::before { content: "</style><script>alert(1)</script>"; }',
+			array(
+				'stylesheet' => $this->setting->stylesheet,
+			)
+		);
+		$output   = get_echo( 'wp_custom_css_cb' );
+		$expected =
+			<<<'HTML'
+			<style id="wp-custom-css">
+			*::before { content: "\3c\2fstyle><script>alert(1)</script>"; }
+			</style>
+
+			HTML;
+		$this->assertEqualHTML( $expected, $output );
+	}
+
 	/**
 	 * Tests that validation errors are caught appropriately.
 	 *
@@ -382,8 +407,7 @@ public function filter_update_custom_css_data( $data, $args ) {
 	 *
 	 * @covers WP_Customize_Custom_CSS_Setting::validate
 	 */
-	public function test_validate() {
-
+	public function test_validate_basic_css() {
 		// Empty CSS throws no errors.
 		$result = $this->setting->validate( '' );
 		$this->assertTrue( $result );
@@ -393,9 +417,84 @@ public function test_validate() {
 		$result    = $this->setting->validate( $basic_css );
 		$this->assertTrue( $result );
 
-		// Check for markup.
+		// Check for illegal closing STYLE tag.
 		$unclosed_comment = $basic_css . '</style>';
 		$result           = $this->setting->validate( $unclosed_comment );
 		$this->assertArrayHasKey( 'illegal_markup', $result->errors );
 	}
+
+	/**
+	 * @ticket 64418
+	 * @covers WP_Customize_Custom_CSS_Setting::validate
+	 */
+	public function test_validate_accepts_css_property_at_rule() {
+		$css =
+			<<<'CSS'
+			@property --animate {
+				syntax: "<custom-ident>";
+				inherits: true;
+				initial-value: false;
+			}
+			CSS;
+		$this->assertTrue( $this->setting->validate( $css ) );
+	}
+
+	/**
+	 * @ticket 64418
+	 * @covers ::wp_update_custom_css_post
+	 * @covers ::wp_custom_css_cb
+	 */
+	public function test_save_and_print_property_at_rule() {
+		$css =
+			<<<'CSS'
+			@property --animate {
+				syntax: "<custom-ident>";
+				inherits: true;
+				initial-value: false;
+			}
+			CSS;
+		wp_update_custom_css_post( $css, array( 'stylesheet' => $this->setting->stylesheet ) );
+		$output   = get_echo( 'wp_custom_css_cb' );
+		$expected = "<style id='wp-custom-css'>\n{$css}\n</style>\n";
+		$this->assertEqualHTML( $expected, $output );
+	}
+
+	/**
+	 * @dataProvider data_custom_css_disallowed
+	 *
+	 * @ticket 64418
+	 * @covers WP_Customize_Custom_CSS_Setting::validate
+	 */
+	public function test_validate_prevents( $css, $expected_error_message ) {
+		$result = $this->setting->validate( $css );
+		$this->assertWPError( $result );
+		$this->assertSame( $expected_error_message, $result->get_error_message() );
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array<string, string[]>
+	 */
+	public static function data_custom_css_disallowed(): array {
+		return array(
+			'style close tag'            => array( 'css…</style>…css', 'The CSS must not contain "&lt;/style&gt;".' ),
+			'style close tag upper case' => array( '</STYLE>', 'The CSS must not contain "&lt;/STYLE&gt;".' ),
+			'style close tag mixed case' => array( '</sTyLe>', 'The CSS must not contain "&lt;/sTyLe&gt;".' ),
+			'style close tag in comment' => array( '/*</style>*/', 'The CSS must not contain "&lt;/style&gt;".' ),
+			'style close tag (/)'        => array( '</style/', 'The CSS must not contain "&lt;/style/".' ),
+			'style close tag (\t)'       => array( "</style\t", "The CSS must not contain \"&lt;/style\t\"." ),
+			'style close tag (\f)'       => array( "</style\f", "The CSS must not contain \"&lt;/style\f\"." ),
+			'style close tag (\r)'       => array( "</style\r", "The CSS must not contain \"&lt;/style\r\"." ),
+			'style close tag (\n)'       => array( "</style\n", "The CSS must not contain \"&lt;/style\n\"." ),
+			'style close tag (" ")'      => array( '</style ', 'The CSS must not contain "&lt;/style ".' ),
+			'truncated "<"'              => array( '<', 'The CSS must not end in "&lt;".' ),
+			'truncated "</"'             => array( '</', 'The CSS must not end in "&lt;/".' ),
+			'truncated "</s"'            => array( '</s', 'The CSS must not end in "&lt;/s".' ),
+			'truncated "</ST"'           => array( '</ST', 'The CSS must not end in "&lt;/ST".' ),
+			'truncated "</sty"'          => array( '</sty', 'The CSS must not end in "&lt;/sty".' ),
+			'truncated "</STYL"'         => array( '</STYL', 'The CSS must not end in "&lt;/STYL".' ),
+			'truncated "</stYle"'        => array( '</stYle', 'The CSS must not end in "&lt;/stYle".' ),
+		);
+	}
 }

tests/phpunit/tests/dependencies/scripts.php

@@ -1878,22 +1878,6 @@ public function test_concatenate_with_blocking_script_before_and_after_script_wi
 		$this->assertEqualHTML( $expected, $print_scripts, '<body>', 'Scripts are being incorrectly concatenated when a main script is registered as deferred after other blocking scripts are registered. Deferred scripts should not be part of the script concat loader query string. ' );
 	}
 
-	/**
-	 * @ticket 42804
-	 */
-	public function test_wp_enqueue_script_with_html5_support_does_not_contain_type_attribute() {
-		global $wp_version;
-
-		$GLOBALS['wp_scripts']                  = new WP_Scripts();
-		$GLOBALS['wp_scripts']->default_version = get_bloginfo( 'version' );
-
-		wp_enqueue_script( 'empty-deps-no-version', 'example.com' );
-
-		$expected = "<script src='http://example.com?ver={$wp_version}' id='empty-deps-no-version-js'></script>\n";
-
-		$this->assertEqualHTML( $expected, get_echo( 'wp_print_scripts' ) );
-	}
-
 	/**
 	 * Test the different protocol references in wp_enqueue_script
 	 *

tests/phpunit/tests/dependencies/wpLocalizeScript.php

@@ -46,8 +46,6 @@ public function test_wp_localize_script_works_before_enqueue_script() {
 	 * @covers ::wp_localize_script
 	 */
 	public function test_wp_localize_script_outputs_safe_json() {
-		add_theme_support( 'html5', array( 'script' ) );
-
 		$path     = '/test.js';
 		$base_url = site_url( $path );