From 7296e5c3659cfb1e0e7d2026aee2e254ea796452 Mon Sep 17 00:00:00 2001
From: Dean Sas
Date: Tue, 15 Aug 2023 14:16:01 +0100
Subject: [PATCH 1/2] Preserve block style variations when securing theme

Valid and safe block style variations were being removed by `WP_Theme_JSON::remove_insecure_properties` when securing the theme.json. When this was a problem varied depending upon site configuration, but out-of-the-box it was a problem for administrators on multi-site installs. This change adds explicit processing of variations in `remove_insecure_properties` so that they won't get removed.
---
 src/wp-includes/class-wp-theme-json.php | 14 ++++
 tests/phpunit/tests/theme/wpThemeJson.php | 79 +++++++++++++++++++++++
 2 files changed, 93 insertions(+)

diff --git a/src/wp-includes/class-wp-theme-json.php b/src/wp-includes/class-wp-theme-json.php
index dc297fa9b9578..9271781ada455 100644
--- a/src/wp-includes/class-wp-theme-json.php
+++ b/src/wp-includes/class-wp-theme-json.php
@@ -2879,6 +2879,20 @@ public static function remove_insecure_properties( $theme_json ) {
 if ( ! empty( $output ) ) {
 _wp_array_set( $sanitized, $metadata['path'], $output );
 }
+
+ if ( isset( $metadata['variations'] ) ) {
+ foreach ( $metadata['variations'] as $variation ) {
+ $variation_input = _wp_array_get( $theme_json, $variation['path'], array() );
+ if ( empty( $variation_input ) ) {
+ continue;
+ }
+
+ $variation_output = static::remove_insecure_styles( $variation_input );
+ if ( ! empty( $variation_output ) ) {
+ _wp_array_set( $sanitized, $variation['path'], $variation_output );
+ }
+ }
+ }
 }
 
 $setting_nodes = static::get_setting_nodes( $theme_json );
diff --git a/tests/phpunit/tests/theme/wpThemeJson.php b/tests/phpunit/tests/theme/wpThemeJson.php
index 3388272a0b8e6..ae0f47624ed23 100644
--- a/tests/phpunit/tests/theme/wpThemeJson.php
+++ b/tests/phpunit/tests/theme/wpThemeJson.php
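Review bot: The new variations branch at the end of the style-node loop in `remove_insecure_properties` has no comment, although it is the one place where variation styles from the input `$theme_json` are copied back into `$sanitized`. I would add above `if ( isset( $metadata['variations'] ) ) {` a line such as `// Variation nodes are filtered on their own through remove_insecure_styles(); only the properties that survive are copied into $sanitized.` Judging from the visible lines, anything inside a variation that `remove_insecure_styles()` does not return is dropped, which fails closed; if that is intended (for example for nested nodes inside a variation), the comment should say so once confirmed. The enclosing `foreach` over the style nodes and the function itself start and end outside the hunk.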
@@ -3869,6 +3869,85 @@ public function data_get_styles_for_block_with_style_variations() {
 );
 }
 
+ public function test_block_style_variations() {
+ wp_set_current_user( static::$administrator_id );
+
+ $expected = array(
+ 'version' => WP_Theme_JSON::LATEST_SCHEMA,
+ 'styles' => array(
+ 'blocks' => array(
+ 'core/button' => array(
+ 'color' => array(
+ 'background' => 'blue',
+ ),
+ 'variations' => array(
+ 'outline' => array(
+ 'color' => array(
+ 'background' => 'purple',
+ ),
+ ),
+ ),
+ ),
+ ),
+ ),
+ );
+
+ $actual = WP_Theme_JSON::remove_insecure_properties( $expected );
+
+ $this->assertSameSetsWithIndex( $expected, $actual );
+ }
+
+ public function test_block_style_variations_with_invalid_properties() {
+ wp_set_current_user( static::$administrator_id );
+
+ $partially_invalid_variation = array(
+ 'version' => WP_Theme_JSON::LATEST_SCHEMA,
+ 'styles' => array(
+ 'blocks' => array(
+ 'core/button' => array(
+ 'color' => array(
+ 'background' => 'blue',
+ ),
+ 'variations' => array(
+ 'outline' => array(
+ 'color' => array(
+ 'background' => 'purple',
+ ),
+ 'invalid' => array(
+ 'value' => 'should be stripped',
+ ),
+ ),
+ ),
+ ),
+ ),
+ ),
+ );
+
+ $expected = array(
+ 'version' => WP_Theme_JSON::LATEST_SCHEMA,
+ 'styles' => array(
+ 'blocks' => array(
+ 'core/button' => array(
+ 'color' => array(
+ 'background' => 'blue',
+ ),
+ 'variations' => array(
+ 'outline' => array(
+ 'color' => array(
+ 'background' => 'purple',
+ ),
+ ),
+ ),
+ ),
+ ),
+ ),
+ );
+
+ $actual = WP_Theme_JSON::remove_insecure_properties( $partially_invalid_variation );
+
+ $this->assertSameSetsWithIndex( $expected, $actual );
+ }
+
 /**
 * @ticket 56611
 * @ticket 58548
From 2be5e378cef0ec4b31269f7a54fd375fecbaea5e Mon Sep 17 00:00:00 2001
From: Dean Sas
Date: Wed, 16 Aug 2023 16:31:26 +0100
Subject: [PATCH 2/2] Add @since

---
 src/wp-includes/class-wp-theme-json.php | 1 +
 1 file changed, 1 insertion(+)
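Review bot: `test_block_style_variations_with_invalid_properties` only shows that an unknown key (`'invalid'`) is removed from a variation; neither new test gives a known property such as `color.background` a value that the sanitizer is expected to reject, which is the case the function under test exists for. A third test with such a value in the `outline` variation would pin that the new branch filters values rather than copying them through. If that value is the variation's only property, the hunk in `remove_insecure_properties` suggests the variation is left out entirely, so the assertion could be `$this->assertArrayNotHasKey( 'variations', $actual['styles']['blocks']['core/button'] );`. Both new methods also lack the `@ticket` docblock that the neighbouring test at the end of the hunk carries.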
diff --git a/src/wp-includes/class-wp-theme-json.php b/src/wp-includes/class-wp-theme-json.php
index 9271781ada455..cd9fb9bd182ca 100644
--- a/src/wp-includes/class-wp-theme-json.php
+++ b/src/wp-includes/class-wp-theme-json.php
@@ -2821,6 +2821,7 @@ protected static function filter_slugs( $node, $slugs ) {
 * Removes insecure data from theme.json.
 *
 * @since 5.9.0
+ * @since 6.3.1 Preserves global styles block variations when securing styles.
 *
 * @param array $theme_json Structure to sanitize.
 * @return array Sanitized structure.