[ CTA ] エスケープ処置&テスト調整 #1167
Merged
[ CTA ] エスケープ処置&テスト調整 #1167
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kurudrive
commented
Feb 6, 2025
| @@ -478,9 +478,6 @@ public static function render_cta_content( $id ) { | |||
| // リセットしないと$postが改変されたままでコメント欄が表示されなくなるなどの弊害が発生する. | |||
| wp_reset_postdata(); | |||
|
|
|||
| // wp_kses_post でエスケープすると outerブロックが出力するstyle属性を無効化されるので使わないように. | |||
| // 出力時にエスケープしたいが、wp_kses_post だと style属性が無効化される / wp_kses でも allow_html で opacity を許可しても無視・削除される。 | |||
| // 結局本文欄はどのみち HTML ブロックで <script>alert(0)</script> 入れられ標準でXSSは実行可能なので、ここでは処理していない。 | |||
| return self::safe_kses_post( do_blocks( do_shortcode( $content ) ) ); | |||
Comment on lines
+775
to
+777
| $tags['style'] = array( | ||
| 'type' => true, | ||
| ); |
Comment on lines
+301
to
+319
| array( | ||
| 'name' => 'class and style', | ||
| 'input' => '<div class="class-name" style="margin-bottom:3rem">CTA</div>', | ||
| 'expected' => '<div class="class-name" style="margin-bottom:3rem">CTA</div>', | ||
| ), | ||
| array( | ||
| 'name' => 'allow style tag', | ||
| 'input' => '<div>CTA</div><style>.target-class { background-image: url(http://localhost:8888/image.jpg);}</style>', | ||
| 'expected' => '<div>CTA</div><style>.target-class { background-image: url(http://localhost:8888/image.jpg);}</style>', | ||
| ), | ||
| array( | ||
| 'name' => 'allow style tag with media query', | ||
| 'input' => '<div>CTA</div><style>@media screen and (max-width: 575.98px) {.target-class { | ||
| background-image: url(http://localhost:8888/image.jpg); | ||
| background-position: 50% 50%!important;}}</style>', | ||
| 'expected' => '<div>CTA</div><style>@media screen and (max-width: 575.98px) {.target-class { | ||
| background-image: url(http://localhost:8888/image.jpg); | ||
| background-position: 50% 50%!important;}}</style>', | ||
| ), |
There was a problem hiding this comment.
@mtdkei クラス名、スタイルの直書き、styleタグがエスケープされてしまわないかのテスト追加
| ); | ||
|
|
||
| foreach ( $test_cases as $case ) { | ||
| $actual = Vk_Call_To_Action::safe_kses_post( $case['input'] ); | ||
| $this->assertEquals( $case['expected'], $actual ); | ||
| $this->assertEquals( $case['expected'], $actual, $case['name'] ); |
There was a problem hiding this comment.
@mtdkei テストがコケた時にコケた場所がわかりやすいようにテスト項目名追加
|
@kurudrive |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
チケットへのリンク / 変更の理由(元のissueがあればリンクを貼り付ければOK)
@mtdkei 軽くコメントだけ確認しておいてくださいー。