-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HTML API: Guard against non-string attribute values. #55368
base: trunk
Are you sure you want to change the base?
Conversation
Because there are three ways for an attribute in HTML to exist, the HTML API reports three kinds of values for `get_attribute()` calls: - `null` means that no attribute exists of the given name - `true` means that the attribute exists but there is no value, e.g. '<input checked>'. - a string value means that the attribute exists and has a value, e.g. '<img src="test">'. When operating on the value returned by `get_attribute()` then it's important to ensure that it's a string value before treating it as one. A call to `empty()` is not enough because a boolean attribute, being `true`, does not return `false` for `empty()`. In this patch blocks that read and then use attribute values as strings have been updated in order to guard against cases where the attribute might not be the string the code expects.
This pull request has changed or added PHP files. Please confirm whether these changes need to be synced to WordPress Core, and therefore featured in the next release of WordPress. If so, it is recommended to create a new Trac ticket and submit a pull request to the WordPress Core Github repository soon after this pull request is merged. If you're unsure, you can always ask for help in the #core-editor channel in WordPress Slack. Thank you! ❤️ View changed files❔ lib/experimental/interactivity-api/directive-processing.php ❔ lib/experimental/interactivity-api/directives/wp-bind.php ❔ lib/experimental/interactivity-api/directives/wp-class.php ❔ lib/experimental/interactivity-api/directives/wp-context.php ❔ lib/experimental/interactivity-api/directives/wp-style.php ❔ lib/experimental/interactivity-api/directives/wp-text.php |
Flaky tests detected in 79a58a1. 🔍 Workflow run URL: https://github.com/WordPress/gutenberg/actions/runs/6521295210
|
Is this still a work in progress? While reviewing it, I noticed that I didn't fix this problem completely: I'll do another PR to address that. Once that one is merged, you can rebase this into |
@luisherranz I don't remember intentionally setting it to draft. thank you. it needs review, especially since I'm not fully aware of all the nuances of the code I'm changing here. |
Ok, thanks Dennis. If it's ok, I'm going to wait until we merge this PR, and then resolve the conflicts here and review it 🙂 |
What?
For existing uses of the HTML API, guards against treating possibly-non-string attribute values as strings. This existing use exposes a risk of crashing.
Why?
Crashing is bad 😄
Also this is part of ongoing efforts to establish proper example usage of the HTML API throughout all of Core.
How?
Because there are three ways for an attribute in HTML to exist, the HTML API reports three kinds of values for
get_attribute()
calls:null
means that no attribute exists of the given nametrue
means that the attribute exists but there is no value, e.g.<input checked>
.<img src="test">
.When operating on the value returned by
get_attribute()
then it's important to ensure that it's a string value before treating it as one. A call toempty()
is not enough because a boolean attribute, beingtrue
, does not returnfalse
forempty()
.In this patch, blocks that read and then use attribute values as strings have been updated in order to guard against cases where the attribute might not be the string the code expects.
Testing Instructions
There should be no functional or visual changes in this patch except where previously a site may have encountered unexpected HTML attribute values.
E.g. For the cover block, this is how it renders with no
style
attribute on the tag.By manually adding
style
without a value, it's possible to trigger the bug.This leads to an unwanted
style
attribute in the page render, becausetrue
was coerced to a string.With this patch applied these cases should all disappear.