Use correct wp_kses arguments in inline-save error paths#943
Merged
Use correct wp_kses arguments in inline-save error paths#943
Conversation
Three inline-save AJAX handlers (custom-status, editorial-metadata and user-groups) built their "could not update" error message with sprintf and then passed it through wp_kses() with the wrong second argument. Two sites passed the string 'strong', which wp_kses treats as a context name via wp_kses_allowed_html(); the third passed nothing at all, which produces a TypeError on PHP 8 because $allowed_html is a required parameter. The latter turns a benign error path into a fatal. Each call now passes an explicit array( 'strong' => array() ), so only the intended bold wrapper survives. The user-supplied term name that is interpolated into the message is run through esc_html() first, so a name containing HTML cannot break out of the wrapper even if the translated string is ever tampered with. This is the same belt-and- braces shape used for the adjacent wp_die error paths in the same handlers.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Three inline-save AJAX handlers — for custom statuses, editorial metadata terms and user groups — built their "could not update" error message with
sprintfand then ran it throughwp_kses()with the wrong second argument. Two of them passed the string'strong', whichwp_kses_allowed_html()does not recognise as a context and so silently collapses to the small default inline-tag allowlist. The third passed nothing at all, which produces aTypeErroron PHP 8 because$allowed_htmlis a required parameter; reaching the error branch on a modern install thus turns a benign "term could not be updated" path into a fatal.Each site now passes an explicit
array( 'strong' => array() )so only the intended bold wrapper survives kses, and the user-supplied term name interpolated into the message is first run throughesc_html(). The belt-and-braces shape matches the otherwp_die()error paths in the same handlers — even if a translation file is ever tampered with, the inserted name cannot break out of the wrapper.No behaviour change on a happy path: the message still renders the same for the administrator who hits it. The PHP 8 fatal is the only user-visible difference, and that was already latent in
editorial-metadata.phpbefore this PR.Test plan
composer test:integration— existing tests continue to passhandle_ajax_inline_save_term(e.g. by temporarily makingupdate_editorial_metadata_termreturn aWP_Error); confirm the response is a formatted error rather than aTypeError