wordpress-develop
Theme: Harden WP_Theme_JSON methods against CSS injection
Adds comprehensive sanitization to WP_Theme_JSON::compute_theme_vars() and WP_Theme_JSON::to_ruleset() to treat theme.json as user-supplied content.
Security improvements:
- Sanitizes CSS variable names (alphanumeric + hyphens only)
- Sanitizes CSS selectors to prevent selector injection
- Sanitizes CSS property names and values
- Quote-aware parsing preserves legitimate CSS syntax
- Blocks CSS structure characters (;, {, }) outside quotes
- Blocks dangerous URL protocols (javascript:, data:, vbscript:)
- Blocks CSS at-rules (@import, @charset, @namespace)
- Blocks legacy browser attacks (expression, behavior, -moz-binding)
- Enforces length limits to prevent DoS attacks
New sanitization methods in WP_Theme_JSON:
- sanitize_css_selector() - Validates CSS selectors
- sanitize_css_property_name() - Validates property names
- sanitize_css_property_value() - Validates property values
Test coverage:
- tests/phpunit/tests/theme/wpThemeJsonComputeThemeVars.php (23 tests)
- tests/phpunit/tests/theme/wpThemeJsonToRuleset.php (27 tests)
- Total: 50 test methods, all passing
Props: villu164
Fixes #62224
Trac ticket: https://core.trac.wordpress.org/ticket/62224
This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.
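The quote-aware value check listed in the description above, sketched as an added example that is not code from this pull request or from WordPress core. The function name `example_sanitize_css_value()` and the 1000-byte limit are hypothetical; the PR's own `sanitize_css_property_value()` may behave differently.

```php
<?php
// Added example, not WordPress core code. The function name and limit are hypothetical.
function example_sanitize_css_value( string $value, int $max_length = 1000 ): string {
	if ( '' === $value || strlen( $value ) > $max_length ) {
		return ''; // Empty or over the (assumed) length limit.
	}
	$quote    = null; // Open quote character, or null when outside a string.
	$unquoted = '';   // Text outside quoted strings, for the keyword checks.
	for ( $i = 0, $n = strlen( $value ); $i < $n; $i++ ) {
		$char = $value[ $i ];
		if ( null !== $quote ) {
			if ( '\\' === $char ) {
				$i++; // Skip the escaped character so \" does not close the string.
			} elseif ( $char === $quote ) {
				$quote = null;
			}
			continue;
		}
		if ( '"' === $char || "'" === $char ) {
			$quote = $char;
			continue;
		}
		// Outside quotes these characters end the declaration or the rule.
		if ( ';' === $char || '{' === $char || '}' === $char ) {
			return '';
		}
		$unquoted .= $char;
	}
	if ( null !== $quote ) {
		return ''; // Unterminated string.
	}
	// Protocols are checked over the whole value because url("...") quotes them.
	foreach ( array( 'javascript:', 'data:', 'vbscript:' ) as $protocol ) {
		if ( false !== stripos( $value, $protocol ) ) {
			return '';
		}
	}
	// At-rules and legacy constructs only matter outside quoted strings.
	foreach ( array( '@import', '@charset', '@namespace', 'expression', 'behavior', '-moz-binding' ) as $token ) {
		if ( false !== stripos( $unquoted, $token ) ) {
			return '';
		}
	}
	return $value;
}
// Constructed sample inputs.
foreach ( array( '"a;b" 1px', 'red; } body { color: blue', 'url("javascript:void(0)")' ) as $sample ) {
	printf( "%-28s => %s\n", $sample, '' === example_sanitize_css_value( $sample ) ? 'rejected' : 'kept' );
}
```

The first sample is kept because its semicolon sits inside a quoted string; the other two are rejected. This sketch does not decode CSS escape sequences or strip comments, which a production check has to normalize before matching.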