Theme: Harden WP_Theme_JSON methods against CSS injection #10715
Conversation
|
Hi @Jaysinh146! 👋 Thank you for your contribution to WordPress! 💖 It looks like this is your first pull request to No one monitors this repository for new pull requests. Pull requests must be attached to a Trac ticket to be considered for inclusion in WordPress Core. To attach a pull request to a Trac ticket, please include the ticket's full URL in your pull request description. Pull requests are never merged on GitHub. The WordPress codebase continues to be managed through the SVN repository that this GitHub repository mirrors. Please feel free to open pull requests to work on any contribution you are making. More information about how GitHub pull requests can be used to contribute to WordPress can be found in the Core Handbook. Please include automated tests. Including tests in your pull request is one way to help your patch be considered faster. To learn about WordPress' test suites, visit the Automated Testing page in the handbook. If you have not had a chance, please review the Contribute with Code page in the WordPress Core Handbook. The Developer Hub also documents the various coding standards that are followed:
Thank you, |
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Unlinked AccountsThe following contributors have not linked their GitHub and WordPress.org accounts: @patankararyan7@gmail.com. Contributors, please read how to link your accounts to ensure your work is properly credited in WordPress releases. Core Committers: Use this line as a base for the props when committing in SVN: To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
Jaysinh146
force-pushed
the
fix/62224-harden-theme-json-methods
branch
from
6abfc93 to
99f9dbf
Compare
Test using WordPress PlaygroundThe changes in this pull request can previewed and tested using a WordPress Playground instance. WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser. Some things to be aware of
For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation. |
Jaysinh146
force-pushed
the
fix/62224-harden-theme-json-methods
branch
from
0d77d02 to
a209fbd
Compare
Adds comprehensive sanitization to WP_Theme_JSON::compute_theme_vars()
and WP_Theme_JSON::to_ruleset() to treat theme.json as user-supplied content.
Security improvements:
- Sanitizes CSS variable names (alphanumeric + hyphens only)
- Sanitizes CSS selectors to prevent selector injection
- Sanitizes CSS property names and values
- Quote-aware parsing preserves legitimate CSS syntax
- Blocks CSS structure characters (;, {, }) outside quotes
- Blocks dangerous URL protocols (javascript:, data:, vbscript:)
- Blocks CSS at-rules (@import, @charset, @namespace)
- Blocks legacy browser attacks (expression, behavior, -moz-binding)
- Enforces length limits to prevent DoS attacks
New sanitization methods in WP_Theme_JSON:
- sanitize_css_selector() - Validates CSS selectors
- sanitize_css_property_name() - Validates property names
- sanitize_css_property_value() - Validates property values
Test coverage:
- tests/phpunit/tests/theme/wpThemeJsonComputeThemeVars.php (23 tests)
- tests/phpunit/tests/theme/wpThemeJsonToRuleset.php (27 tests)
- Total: 50 test methods, all passing
Props: villu164
Fixes #62224
Jaysinh146
force-pushed
the
fix/62224-harden-theme-json-methods
branch
from
0aeec2a to
859bda2
Compare
|
@mukeshpanchal27 Thank you for the review! I've updated the Regarding the 174 PHPUnit Test "Failures"These test runs are showing 17 pre-existing WordPress Core test failures across 174 different PHP/database environment combinations. The same 17 tests fail in every environment - these are not caused by this PR. Test Results Breakdown:
Example Pre-existing Failure:This test requires PHP 8.1+ but runs on PHP 8.0 in some test matrices - unrelated to theme.json security hardening. All Quality Checks Passing:
The 174 "failing" check items are simply the same 17 failing tests repeated across all PHP/database combinations (PHP 7.4-8.5 × MariaDB/MySQL variants × single/multisite). Our changes introduce zero new test failures and zero regressions. Ready for final review and merge. ✓ |
westonruter
left a comment
westonruter
left a comment
There was a problem hiding this comment.
I noticed several areas where str_contains() is being replaced with strpos(). This should be undone. WordPress includes polyfills for str_contains() for older PHP versions.
- Revert strpos() back to str_contains() (WordPress has polyfills) - Restore deleted @SInCE 5.8.0 tag - Fix duplicate @SInCE entries - Addresses review feedback from @westonruter
Jaysinh146
force-pushed
the
fix/62224-harden-theme-json-methods
branch
from
4c302d2 to
231229c
Compare
|
@westonruter Thank you for the thorough review! You're absolutely right - I apologize for those changes. I'm reverting all the str_contains() to strpos() replacements (WordPress has polyfills, so the modern function should be used) and restoring the deleted @SInCE tags. Will push the fixes shortly. |
…er westonruter review
Jaysinh146
force-pushed
the
fix/62224-harden-theme-json-methods
branch
from
b00ccd6 to
461c91b
Compare
|
@westonruter All changes reverted as requested. |
3 participants
Adds comprehensive sanitization to WP_Theme_JSON::compute_theme_vars() and WP_Theme_JSON::to_ruleset() to treat theme.json as user-supplied content.
Security improvements:
New sanitization methods in WP_Theme_JSON:
Test coverage:
Props: villu164
Fixes #62224
Trac ticket: https://core.trac.wordpress.org/ticket/62224
This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.