From c9f2113224159c747b61be332a79cbd4b8bd62bc Mon Sep 17 00:00:00 2001
From: Kelly Dwan
Date: Tue, 29 Mar 2022 16:34:46 -0400
Subject: [PATCH 1/2] Decode greater-than angle brackets in CSS

---
 .../jetpack-tweaks/css-sanitization.php | 14 +++++
 .../tests/test-jetpack-css-sanitization.php | 55 +++++++++++++++++++
 2 files changed, 69 insertions(+)
 create mode 100644 public_html/wp-content/mu-plugins/tests/test-jetpack-css-sanitization.php

diff --git a/public_html/wp-content/mu-plugins/jetpack-tweaks/css-sanitization.php b/public_html/wp-content/mu-plugins/jetpack-tweaks/css-sanitization.php
index 9e4b26a3ef..583c224d10 100644
--- a/public_html/wp-content/mu-plugins/jetpack-tweaks/css-sanitization.php
+++ b/public_html/wp-content/mu-plugins/jetpack-tweaks/css-sanitization.php
@@ -12,6 +12,7 @@
 add_action( 'admin_notices', __NAMESPACE__ . '\notify_import_rules_stripped' );
 add_action( 'csstidy_optimize_subvalue', __NAMESPACE__ . '\sanitize_csstidy_subvalues' );
 add_action( 'safecss_parse_pre', __NAMESPACE__ . '\update_csstidy_safelist', 0 );
+add_filter( 'wp_get_custom_css', __NAMESPACE__ . '\filter_custom_css' );
 
 /**
 * Sanitize CSS saved through the Core/Jetpack editor inside the Customizer
@@ -222,3 +223,16 @@ function update_csstidy_safelist() {
 $GLOBALS['csstidy']['all_properties'] = array_merge( $GLOBALS['csstidy']['all_properties'], $properties_for_csstidy );
 }
 }
+
+/**
+ * Replace encoded > in CSS with a > so that CSS rules are valid.
+ *
+ * Remove this once the root issue is fixed in https://github.com/Automattic/jetpack/issues/21603.
+ *
+ * @param string $css CSS pulled in from the Custom CSS post type.
+ *
+ * @return string
+ */
+function filter_custom_css( $css ) {
+ return str_replace( '>', '>', $css );
+}
diff --git a/public_html/wp-content/mu-plugins/tests/test-jetpack-css-sanitization.php b/public_html/wp-content/mu-plugins/tests/test-jetpack-css-sanitization.php
new file mode 100644
index 0000000000..eff503446e
--- /dev/null
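Review bot: The decode in filter_custom_css is position-blind — str_replace rewrites every greater-than entity in the stored CSS, including one inside a quoted value such as `content: "&gt;"` or a comment, not only the ones produced for child combinators, so an entity an author wrote on purpose is changed as well; whether that case matters for this site cannot be told from the hunk. The property that makes this filter safe is that it restores only `>` and leaves whatever the sanitizer did to `<` untouched, since a bare less-than is what would let markup reappear in the style block the CSS is presumably echoed into; that should be stated in the docblock so a later "also decode the less-than entity" edit is recognised as a sanitization change, e.g. ` * Only the greater-than entity is restored; the less-than entity is deliberately left as stored, because a bare < is what could reintroduce markup in the output.` In this rendering both the docblock line and the first str_replace argument already show a bare `>`, so the entity has been decoded by whatever produced the page and the committed source presumably carries the entity itself. A `string $css` parameter with a `: string` return type would also pin the contract, provided no other callback on the same filter can hand it a non-string value.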
+++ b/public_html/wp-content/mu-plugins/tests/test-jetpack-css-sanitization.php
@@ -0,0 +1,55 @@
+ p {
+ color: lightcoral;
+}
+CSS;
+
+ $post = wp_update_custom_css_post( $input );
+ $this->assertNotWPError( $post );
+
+ $output = wp_get_custom_css();
+ $this->assertEquals( $input, $output );
+ }
+
+ /**
+ * Test that HTML code is correcly stripped.
+ */
+ public function test_html_not_allowed() {
+ $input = << p {
+ color: lightcoral;
+}
+CSS;
+
+ $post = wp_update_custom_css_post( $input );
+ $this->assertNotWPError( $post );
+
+ $output = wp_get_custom_css();
+ $this->assertNotEquals( $input, $output );
+ }
+}
From 0e8ec726802e333c90beabe781fa8b624fc4478f Mon Sep 17 00:00:00 2001
From: Kelly Dwan
Date: Tue, 29 Mar 2022 19:06:03 -0400
Subject: [PATCH 2/2] Update test to check against all selector characters

---
 .../tests/test-jetpack-css-sanitization.php | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/public_html/wp-content/mu-plugins/tests/test-jetpack-css-sanitization.php b/public_html/wp-content/mu-plugins/tests/test-jetpack-css-sanitization.php
index eff503446e..2b506bae48 100644
--- a/public_html/wp-content/mu-plugins/tests/test-jetpack-css-sanitization.php
+++ b/public_html/wp-content/mu-plugins/tests/test-jetpack-css-sanitization.php
@@ -18,12 +18,21 @@ class Test_Jetpack_CSS_Sanitization extends WP_UnitTestCase {
 /**
- * Test that the angle bracket is not encoded.
+ * Test that no selector characters are encoded.
 */
- public function test_gt_not_encoded() {
+ public function test_selectors_not_encoded() {
 $input = << p {
+.class > p,
+p ~ span,
+h2 + p,
+col || td,
+.pseudo:visited,
+.pseudo::before,
+[title],
+a[href="https://example.org"],
+a[title*='an example'],
+span[data-emoji~=πŸˆβ€β¬›]
+span[attr$="ν•œκΈ€"] {
 color: lightcoral;
 }
 CSS;
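Review bot: test_html_not_allowed only asserts `assertNotEquals( $input, $output )`, which is satisfied by any change to the stored CSS — CSSTidy reformatting, whitespace normalisation, or the new entity decode itself — so it does not actually prove that the markup in the heredoc was removed. Assert the absence of the tag instead, e.g. `$this->assertStringNotContainsString( '<', $output );` (or the specific tag the heredoc contains), and keep the NotEquals only as a secondary check. The start of this hunk is not recoverable in this rendering: the file header, the class declaration and both heredoc openers were lost together with the angle brackets, so the exact input of each test cannot be confirmed from here. The docblock typo `correcly` should read `correctly`.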