WP_Theme_JSON_Gutenberg: preserve valid non-preset settings when KSES filters are active #73452
Conversation
andrewserong
left a comment
andrewserong
left a comment
There was a problem hiding this comment.
Nice, I like this approach and it gives room for adding additional settings further down the track. While there are other boolean values we could add, this addresses the issue with the lightbox which is that there is a user-facing feature that folks should be able to interact with, that currently doesn't work when KSES filters are active.
Whereas for other boolean settings like appearanceTools or useRootPAddingAwareAlignments, there isn't a UI for them, so it isn't as critical that we (yet) support them. But that could be something to look at further down the track.
For now, I'm in favour of going with this approach.
Arguably, it could be possible to extend the VALID_SETTINGS to include types instead of null as a value... but I like the approach you've gone with here of keeping them separate, which ensures that VALID_SETTINGS remains fairly simple, too.
I see this PR is still a draft (and that the Github action is complaining that there isn't a corresponding core PR), but IMO this is a good fix, so I'll give it the ✅ and it's working nicely for me in testing.
| // Validate the type. | ||
| $is_valid_type = false; | ||
| switch ( $type ) { | ||
| case 'boolean': | ||
| $is_valid_type = is_bool( $value ); | ||
| break; | ||
| } |
There was a problem hiding this comment.
I like this — it gives room for eventually adding settings that might be string values that need a particular kind of validation, too.
phpunit/class-wp-theme-json-test.php
Outdated
| public function test_safe_settings_paths_should_exist_in_valid_settings() { | ||
| // Verify all paths in SAFE_SETTINGS exist in VALID_SETTINGS. |
There was a problem hiding this comment.
Oh, nice, thanks for adding this in! I like that this ensures that SAFE_SETTINGS is always a subset of VALID_SETTINGS 👍
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message. To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
andrewserong
added
the
[Type] Bug
ramonjd
added
the
[Feature] Themes
|
Thanks for the speedy and thorough review, @andrewserong
I nearly went down that track, but baulked as I didn't want to cause more bugs given the way I wonder if |
Good question. I see that none of the other |
|
Flaky tests detected in 459384c. 🔍 Workflow run URL: https://github.com/WordPress/gutenberg/actions/runs/19608681254
|
mmtr
left a comment
mmtr
left a comment
There was a problem hiding this comment.
Thank you! This does solve the issue on my tests 🙂
ramonjd
force-pushed
the
try/theme-json-allow-valid-settings
branch
2 times, most recently
from
67e0fb1 to
59f898d
Compare
|
@t-hamano is this a candidate for RC as well? |
@ramonjd If I understand correctly, this issue has been around for quite some time, right? If so, it might be better to wait to ship to the core and aim for a more complete fix for the 7.0 release. |
Ah okay, I only heard about this bug last week, but you're right. Thanks for tip. |
| if ( is_array( $schema[ $key ] ) ) { | ||
| if ( ! is_array( $value ) ) { | ||
| unset( $tree[ $key ] ); | ||
| } elseif ( wp_is_numeric_array( $value ) ) { |
There was a problem hiding this comment.
The changes in WordPress/wordpress-develop@d1fafd8 were never backported to Gutenberg.
Just doing this for janitorial purposes and to make sure it doesn't affect these changes (it doesn't).
Removes the custom `WP_Theme_JSON::is_assoc()` method again in favor of the existing `wp_is_numeric_array()` helper function. Props mmaattiiaass, costdev, swissspidy, spacedmonkey. Fixes #60360. git-svn-id: https://develop.svn.wordpress.org/trunk@57751 602fd350-edb4-49c9-b593-d223f7449a82
…n valid settings while excluding presets and indirect properties. Update unit tests to verify preservation of valid block and top-level settings.
…mplementing O(1) lookups for preset and indirect property paths, improving performance during valid settings preservation.
… coalescing operator for improved readability.
… settings and enhance preserve_valid_settings method to validate and preserve safe settings. Add unit test to ensure safe settings are retained during property removal.
…FE_SETTINGS exist within VALID_SETTINGS, ensuring integrity of safe settings during validation.
…cumentation to streamline comments and focus on functionality.
…emoving the now redundant implementation and ensuring safe settings are preserved through direct validation, enhancing code clarity.
… internal use only, and update unit test to ensure removal of unsafe settings during validation.
…gs in the sanitize method, ensuring only valid boolean values are preserved. Update unit tests to verify behavior for boolean and non-boolean values in settings.
…ition to enhance code cleanliness.
ramonjd
force-pushed
the
try/theme-json-allow-valid-settings
branch
from
7c74bd1 to
a461b75
Compare
|
I think this is good to go. I've moved the type validation to the We can slowly add more settings as the need arises. I'll merge into Gutenberg, and if stable, then do the same for Core. |
Sounds good, and André gave us some good ideas for how we can support more validation types in the future, too 👍 |
Fixes: #73157
Problem
When KSES filters are active (via
add_action( 'init', 'kses_init_filters' )), valid non-preset settings in Global Styles are being incorrectly filtered out. Specifically:lightbox.enabledandlightbox.allowEditingfor Image blocksThe issue occurs because
remove_insecure_settings()only preserved:PRESETS_METADATA)INDIRECT_PROPERTIES_METADATA)All other valid settings were being stripped, even though they're defined in
VALID_SETTINGSand are safe scalar values or arrays.Solution
Extended
VALID_SETTINGSto also do type validation (as well as schema key validation) for the lightbox settings only (for now).The idea is that
VALID_SETTINGSvalues will act as type validation for further valid settings.Testing Instructions
Manual Testing
Enable KSES filters:
Add this to your theme's
functions.phpor a plugin.Test Image Block Lightbox Settings:
Test Other Valid Settings:
Automated Testing
Run the PHPUnit tests: