WordPress.org
Get WordPress

Make WordPress Core

Opened 2 weeks ago

Last modified 2 weeks ago

#64848 new defect (bug)

WP_Theme_JSON: Prevent implicit coercion in to_ruleset

Reported by: ramonopoly's profile ramonopoly Owned by:
Milestone: 7.1 Priority: normal
Severity: minor Version: 5.8
Component: Themes Keywords: has-patch gutenberg-merge has-unit-tests
Focuses: Cc:

Description

WP_Theme_JSON::to_ruleset used string concatenation ($element['name'] . ': ' . $element['value'] . ';'), so PHP implicitly coerced non-string values (e.g. booleans → '1'/'', arrays → 'Array'). That could emit invalid or misleading CSS.

I caught this while debugging the test_get_styles_with_appearance_tools() test, which was outputting values like gap: 1 where 1 was the result of coercing a bool.

The bool was the block support value, not a gap value.

Change History (4)

This ticket was mentioned in PR #11236 on WordPress/wordpress-develop by @ramonopoly.
2 weeks ago #1

Brings over changes from:

to_ruleset used string concatenation ($element['name'] . ': ' . $element['value'] . ';'), so PHP implicitly coerced non-string values (e.g. booleans → '1'/'', arrays → 'Array'). That could emit invalid or misleading CSS.

At the same time, pass a style theme.json path in test_get_styles_with_appearance_tools() to simulate a style node. Before it was settings.

## The fix

  • Cast numeric values to string explicitly.
  • Skip declarations whose value is not a string or number (booleans, arrays, objects).

## Testing

Tests should pass!

Trac ticket: https://core.trac.wordpress.org/ticket/64848

## Use of AI Tools

Diagnostics

@isabel_brison commented on PR #11236:
2 weeks ago #2

This LGTM but if we're aiming for 7.1 we'll have to wait until the 7.0 release branch is created at RC1 to commit it to trunk.

@isabel_brison commented on PR #11236:
2 weeks ago #3

Also, PHP tests seem to be complaining about your use of setAccessible()

There was 1 error:

1) Tests_Theme_wpThemeJson::test_to_ruleset_skips_non_scalar_values_and_casts_numerics
Method ReflectionMethod::setAccessible() is deprecated since 8.5, as it has no effect since PHP 8.1

/var/www/tests/phpunit/tests/theme/wpThemeJson.php:7066
/var/www/vendor/bin/phpunit:122

@ramonopoly commented on PR #11236:
2 weeks ago #4

PHP tests seem to be complaining about your use of setAccessible()

Argh, < 8.5 wants it, > 8.5 hates it. 🤣

This LGTM but if we're aiming for 7.1 we'll have to wait until the 7.0 release branch is created at RC1 to commit it to trunk.

Thanks for the heads up. I'll leave it brewing until then.

Note: See TracTickets for help on using tickets.