Changeset 61903

Timestamp:

03/10/2026 04:40:01 PM (3 days ago)

Author:

desrosj

Message:

Grouped backports for the 6.6 branch.

• XML-RPC: Switch to wp_safe_remote() when fetching a pingback URL.
• HTML API: Prevent WP_HTML_Tag_Processor instances being unserialized and add some extra logic for validating pattern and template file paths.
• KSES: Optimize PCRE pattern detecting numeric character references.
• Customize: Improve escaping approach used for nav menu attributes.
• Media: Ensure the attachment parent is accessible to the user before showing a link to it in the media manager.
• Interactivity API: Skip binding event handler attributes. The corresponding data-wp-on-- attribute should be used instead.
• Administration: Ensure client-side templates are only detected when they're correctly associated with a script tag.
• Filesystem API: Don't attempt to extract invalid files from a zip when using the PclZip library.
• Comments: Don't attempt to create a note if the user cannot edit the target post.
• Media: Disable XML entity substitution in getID3.

Merges [61879-61890] to the 6.6 branch.

Props johnbillion, xknown, dmsnell, jorbin, peterwilson, adamsilverstein, desrosj, luisherranz, ocean90, westonruter, jonsurrell, aurdasjb.

Location:

branches/6.6

Files:

• . (modified) (1 prop)
• src/js/_enqueues/wp/util.js (modified) (1 diff)
• src/wp-admin/includes/class-walker-nav-menu-checklist.php (modified) (1 diff)
• src/wp-admin/includes/class-walker-nav-menu-edit.php (modified) (4 diffs)
• src/wp-admin/includes/file.php (modified) (1 diff)
• src/wp-includes/ID3/getid3.lib.php (modified) (1 diff)
• src/wp-includes/class-wp-block-patterns-registry.php (modified) (2 diffs)
• src/wp-includes/class-wp-http-ixr-client.php (modified) (1 diff)
• src/wp-includes/html-api/class-wp-html-tag-processor.php (modified) (1 diff)
• src/wp-includes/interactivity-api/class-wp-interactivity-api.php (modified) (1 diff)
• src/wp-includes/kses.php (modified) (1 diff)
• src/wp-includes/media.php (modified) (1 diff)
• src/wp-includes/nav-menu.php (modified) (1 diff)
• src/wp-includes/template-loader.php (modified) (1 diff)
• tests/phpunit/tests/post/nav-menu.php (modified) (2 diffs)

branches/6.6/src/js/_enqueues/wp/util.js

@@ -37 +37 @@
 
         return function ( data ) {
-            if ( ! document.getElementById( 'tmpl-' + id ) ) {
+            var el = document.querySelector( 'script#tmpl-' + id );
+            if ( ! el ) {
                 throw new Error( 'Template not found: ' + '#tmpl-' + id );
             }
-            compiled = compiled || _.template( $( '#tmpl-' + id ).html(),  options );
+            compiled = compiled || _.template( $( el ).html(), options );
             return compiled( data );
         };

branches/6.6/src/wp-admin/includes/class-walker-nav-menu-checklist.php

@@ -117 +117 @@
         $output .= '<input type="hidden" class="menu-item-parent-id" name="menu-item[' . $possible_object_id . '][menu-item-parent-id]" value="' . esc_attr( $menu_item->menu_item_parent ) . '" />';
         $output .= '<input type="hidden" class="menu-item-type" name="menu-item[' . $possible_object_id . '][menu-item-type]" value="' . esc_attr( $menu_item->type ) . '" />';
-        $output .= '<input type="hidden" class="menu-item-title" name="menu-item[' . $possible_object_id . '][menu-item-title]" value="' . esc_attr( $menu_item->title ) . '" />';
+        $output .= '<input type="hidden" class="menu-item-title" name="menu-item[' . $possible_object_id . '][menu-item-title]" value="' . htmlspecialchars( $menu_item->title, ENT_QUOTES ) . '" />';
         $output .= '<input type="hidden" class="menu-item-url" name="menu-item[' . $possible_object_id . '][menu-item-url]" value="' . esc_attr( $menu_item->url ) . '" />';
         $output .= '<input type="hidden" class="menu-item-target" name="menu-item[' . $possible_object_id . '][menu-item-target]" value="' . esc_attr( $menu_item->target ) . '" />';
-        $output .= '<input type="hidden" class="menu-item-attr-title" name="menu-item[' . $possible_object_id . '][menu-item-attr-title]" value="' . esc_attr( $menu_item->attr_title ) . '" />';
-        $output .= '<input type="hidden" class="menu-item-classes" name="menu-item[' . $possible_object_id . '][menu-item-classes]" value="' . esc_attr( implode( ' ', $menu_item->classes ) ) . '" />';
-        $output .= '<input type="hidden" class="menu-item-xfn" name="menu-item[' . $possible_object_id . '][menu-item-xfn]" value="' . esc_attr( $menu_item->xfn ) . '" />';
+        $output .= '<input type="hidden" class="menu-item-attr-title" name="menu-item[' . $possible_object_id . '][menu-item-attr-title]" value="' . htmlspecialchars( $menu_item->attr_title, ENT_QUOTES ) . '" />';
+        $output .= '<input type="hidden" class="menu-item-classes" name="menu-item[' . $possible_object_id . '][menu-item-classes]" value="' . htmlspecialchars( implode( ' ', $menu_item->classes ), ENT_QUOTES ) . '" />';
+        $output .= '<input type="hidden" class="menu-item-xfn" name="menu-item[' . $possible_object_id . '][menu-item-xfn]" value="' . htmlspecialchars( $menu_item->xfn, ENT_QUOTES ) . '" />';
     }
 }

branches/6.6/src/wp-admin/includes/class-walker-nav-menu-edit.php

@@ -204 +204 @@
                     <label for="edit-menu-item-title-<?php echo $item_id; ?>">
                         <?php _e( 'Navigation Label' ); ?><br />
-                        <input type="text" id="edit-menu-item-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-title" name="menu-item-title[<?php echo $item_id; ?>]" value="<?php echo esc_attr( $menu_item->title ); ?>" />
+                        <input type="text" id="edit-menu-item-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-title" name="menu-item-title[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( $menu_item->title, ENT_QUOTES ); ?>" />
                     </label>
                 </p>
@@ -210 +210 @@
                     <label for="edit-menu-item-attr-title-<?php echo $item_id; ?>">
                         <?php _e( 'Title Attribute' ); ?><br />
-                        <input type="text" id="edit-menu-item-attr-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-attr-title" name="menu-item-attr-title[<?php echo $item_id; ?>]" value="<?php echo esc_attr( $menu_item->post_excerpt ); ?>" />
+                        <input type="text" id="edit-menu-item-attr-title-<?php echo $item_id; ?>" class="widefat edit-menu-item-attr-title" name="menu-item-attr-title[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( $menu_item->post_excerpt, ENT_QUOTES ); ?>" />
                     </label>
                 </p>
@@ -222 +222 @@
                     <label for="edit-menu-item-classes-<?php echo $item_id; ?>">
                         <?php _e( 'CSS Classes (optional)' ); ?><br />
-                        <input type="text" id="edit-menu-item-classes-<?php echo $item_id; ?>" class="widefat code edit-menu-item-classes" name="menu-item-classes[<?php echo $item_id; ?>]" value="<?php echo esc_attr( implode( ' ', $menu_item->classes ) ); ?>" />
+                        <input type="text" id="edit-menu-item-classes-<?php echo $item_id; ?>" class="widefat code edit-menu-item-classes" name="menu-item-classes[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( implode( ' ', $menu_item->classes ), ENT_QUOTES ); ?>" />
                     </label>
                 </p>
@@ -228 +228 @@
                     <label for="edit-menu-item-xfn-<?php echo $item_id; ?>">
                         <?php _e( 'Link Relationship (XFN)' ); ?><br />
-                        <input type="text" id="edit-menu-item-xfn-<?php echo $item_id; ?>" class="widefat code edit-menu-item-xfn" name="menu-item-xfn[<?php echo $item_id; ?>]" value="<?php echo esc_attr( $menu_item->xfn ); ?>" />
+                        <input type="text" id="edit-menu-item-xfn-<?php echo $item_id; ?>" class="widefat code edit-menu-item-xfn" name="menu-item-xfn[<?php echo $item_id; ?>]" value="<?php echo htmlspecialchars( $menu_item->xfn, ENT_QUOTES ); ?>" />
                     </label>
                 </p>

branches/6.6/src/wp-admin/includes/file.php

@@ -1908 +1908 @@
         }
 
+        // Don't extract invalid files:
+        if ( 0 !== validate_file( $file['filename'] ) ) {
+            continue;
+        }
+
         $uncompressed_size += $file['size'];
 

branches/6.6/src/wp-includes/ID3/getid3.lib.php

@@ -14 +14 @@
 if(!defined('GETID3_LIBXML_OPTIONS') && defined('LIBXML_VERSION')) {
     if(LIBXML_VERSION >= 20621) {
-        define('GETID3_LIBXML_OPTIONS', LIBXML_NOENT | LIBXML_NONET | LIBXML_NOWARNING | LIBXML_COMPACT);
+        define('GETID3_LIBXML_OPTIONS', LIBXML_NONET | LIBXML_NOWARNING | LIBXML_COMPACT);
     } else {
-        define('GETID3_LIBXML_OPTIONS', LIBXML_NOENT | LIBXML_NONET | LIBXML_NOWARNING);
+        define('GETID3_LIBXML_OPTIONS', LIBXML_NONET | LIBXML_NOWARNING);
     }
 }

branches/6.6/src/wp-includes/class-wp-block-patterns-registry.php

@@ -199 +199 @@
             $patterns = &$this->registered_patterns;
         }
-        if ( ! isset( $patterns[ $pattern_name ]['content'] ) && isset( $patterns[ $pattern_name ]['filePath'] ) ) {
+
+        $pattern_path = realpath( $patterns[ $pattern_name ]['filePath'] ?? '' );
+        if (
+            ! isset( $patterns[ $pattern_name ]['content'] ) &&
+            is_string( $pattern_path ) &&
+            ( str_ends_with( $pattern_path, '.php' ) || str_ends_with( $pattern_path, '.html' ) ) &&
+            is_file( $pattern_path ) &&
+            is_readable( $pattern_path )
+        ) {
             ob_start();
             include $patterns[ $pattern_name ]['filePath'];
@@ -205 +213 @@
             unset( $patterns[ $pattern_name ]['filePath'] );
         }
+
         return $patterns[ $pattern_name ]['content'];
     }

branches/6.6/src/wp-includes/class-wp-http-ixr-client.php

@@ -90 +90 @@
         }
 
-        $response = wp_remote_post( $url, $args );
+        $response = wp_safe_remote_post( $url, $args );
 
         if ( is_wp_error( $response ) ) {

branches/6.6/src/wp-includes/html-api/class-wp-html-tag-processor.php

@@ -3563 +3563 @@
      */
     const COMMENT_AS_INVALID_HTML = 'COMMENT_AS_INVALID_HTML';
+
+    /**
+     * Wakeup magic method.
+     *
+     * @since 6.9.2
+     */
+    public function __wakeup() {
+        throw new \LogicException( __CLASS__ . ' should never be unserialized' );
+    }
 }

branches/6.6/src/wp-includes/interactivity-api/class-wp-interactivity-api.php

@@ -790 +790 @@
                 }
 
+                // Skip if the bound attribute is an event handler.
+                if ( str_starts_with( $bound_attribute, 'on' ) ) {
+                    _doing_it_wrong(
+                        __METHOD__,
+                        sprintf(
+                            /* translators: %s: The directive, e.g. data-wp-on--click. */
+                            __( 'Binding event handler attributes is not supported. Please use "%s" instead.' ),
+                            esc_attr( 'data-wp-on--' . substr( $bound_attribute, 2 ) )
+                        ),
+                        'x.y.z'
+                    );
+                    continue;
+                }
+
                 $attribute_value = $p->get_attribute( $attribute_name );
                 $result          = $this->evaluate( $attribute_value );

branches/6.6/src/wp-includes/kses.php

@@ -1963 +1963 @@
         $content = preg_replace_callback( '/&([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $content );
     }
-    $content = preg_replace_callback( '/&#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $content );
-    $content = preg_replace_callback( '/&#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $content );
+    $content = preg_replace_callback( '/&#(0*[1-9][0-9]{0,6});/', 'wp_kses_normalize_entities2', $content );
+    $content = preg_replace_callback( '/&#[Xx](0*[1-9A-Fa-f][0-9A-Fa-f]{0,5});/', 'wp_kses_normalize_entities3', $content );
 
     return $content;

branches/6.6/src/wp-includes/media.php

@@ -4381 +4381 @@
     if ( $attachment->post_parent ) {
         $post_parent = get_post( $attachment->post_parent );
-        if ( $post_parent ) {
+        if ( $post_parent && current_user_can( 'read_post', $attachment->post_parent ) ) {
             $response['uploadedToTitle'] = $post_parent->post_title ? $post_parent->post_title : __( '(no title)' );
             $response['uploadedToLink']  = get_edit_post_link( $attachment->post_parent, 'raw' );

branches/6.6/src/wp-includes/nav-menu.php

@@ -507 +507 @@
         }
 
-        if ( wp_unslash( $args['menu-item-title'] ) === wp_specialchars_decode( $original_title ) ) {
+        if ( wp_unslash( $args['menu-item-title'] ) === $original_title ) {
             $args['menu-item-title'] = '';
         }

branches/6.6/src/wp-includes/template-loader.php

@@ -103 +103 @@
      */
     $template = apply_filters( 'template_include', $template );
-    if ( $template ) {
+    $template = is_string( $template ) ? realpath( $template ) : null;
+    if (
+        is_string( $template ) &&
+        ( str_ends_with( $template, '.php' ) || str_ends_with( $template, '.html' ) ) &&
+        is_file( $template ) &&
+        is_readable( $template )
+    ) {
         include $template;
     } elseif ( current_user_can( 'switch_themes' ) ) {

branches/6.6/tests/phpunit/tests/post/nav-menu.php

@@ -1189 +1189 @@
         );
 
+        $this->assertSame( 'Test Cat - "Pre-Slashed" Cat Name & >', $category->name );
+
         $category_item_id = wp_update_nav_menu_item(
             $this->menu_id,
@@ -1197 +1199 @@
                 'menu-item-object-id' => $category->term_id,
                 'menu-item-status'    => 'publish',
-                /*
-                 * Interestingly enough, if we use `$cat->name` for the menu item title,
-                 * we won't be able to replicate the bug because it's in htmlentities form.
-                 */
-                'menu-item-title'     => $category_name,
+                'menu-item-title'     => $category->name,
             )
         );