Add: Global styles user content escaping.

This commit adds global styles user content escaping. In addition, it ports the logic on the Gutenberg plugin implemented on WordPress/gutenberg#28061 to the core. The logic tries to follow what was done for standard post content. See #54336. Props oandregal. git-svn-id: https://develop.svn.wordpress.org/trunk@52052 602fd350-edb4-49c9-b593-d223f7449a82
WordPress · Nov 8, 2021 · 872b818 · 872b818
1 parent 5ca3347
commit 872b818
Showing 1 changed file with 29 additions and 0 deletions.
diff --git a/src/wp-includes/kses.php b/src/wp-includes/kses.php
@@ -2081,6 +2081,31 @@ function wp_filter_post_kses( $data ) {
 	return addslashes( wp_kses( stripslashes( $data ), 'post' ) );
 }
 
+/**
+ * Sanitizes global styles user content removing unsafe rules.
+ *
+ * @param string $data Post content to filter.
+ * @return string Filtered post content with unsafe rules removed.
+ */
+function wp_filter_global_styles_post( $data ) {
+	$decoded_data        = json_decode( wp_unslash( $data ), true );
+	$json_decoding_error = json_last_error();
+	if (
+		JSON_ERROR_NONE === $json_decoding_error &&
+		is_array( $decoded_data ) &&
+		isset( $decoded_data['isGlobalStylesUserThemeJSON'] ) &&
+		$decoded_data['isGlobalStylesUserThemeJSON']
+	) {
+		unset( $decoded_data['isGlobalStylesUserThemeJSON'] );
+
+		$data_to_encode = WP_Theme_JSON::remove_insecure_properties( $decoded_data );
+
+		$data_to_encode['isGlobalStylesUserThemeJSON'] = true;
+		return wp_slash( wp_json_encode( $data_to_encode ) );
+	}
+	return $data;
+}
+
 /**
  * Sanitizes content for allowed HTML tags for post content.
  *
@@ -2151,8 +2176,10 @@ function kses_init_filters() {
 
 	// Post filtering.
 	add_filter( 'content_save_pre', 'wp_filter_post_kses' );
+	add_filter( 'content_save_pre', 'wp_filter_global_styles_post' );
 	add_filter( 'excerpt_save_pre', 'wp_filter_post_kses' );
 	add_filter( 'content_filtered_save_pre', 'wp_filter_post_kses' );
+	add_filter( 'content_filtered_save_pre', 'wp_filter_global_styles_post' );
 }
 
 /**
@@ -2177,8 +2204,10 @@ function kses_remove_filters() {
 
 	// Post filtering.
 	remove_filter( 'content_save_pre', 'wp_filter_post_kses' );
+	remove_filter( 'content_save_pre', 'wp_filter_global_styles_post' );
 	remove_filter( 'excerpt_save_pre', 'wp_filter_post_kses' );
 	remove_filter( 'content_filtered_save_pre', 'wp_filter_post_kses' );
+	remove_filter( 'content_filtered_save_pre', 'wp_filter_global_styles_post' );
 }
 
 /**