Add: Global styles user content escaping #1821
Closed
This PR adds global styles user content escaping, porting the logic we had in the Gutenberg plugin (implemented in WordPress/gutenberg#28061) to core.
The logic tries to follow what was done for normal post content.
Testing
With an admin user with the unfiltered HTML capability, I tested that I was able to store unsafe content in global styles by storing an SVG as a background using the gradient property:
I reloaded the post editor and frontend and verified an SVG was being used as background.
I removed the unfiltered HTML capability from the admin by adding the following code in a file that is executed everywhere on WordPress.
I issued the same request:
I verified the text color style was applied but the unsafe gradient rule was discarded.
I re-added the unfiltered_html capability by adding the following code in a file that is executed everywhere on WordPress:
Questions:
Why use this mechanism instead of filtering and escaping the content on the endpoints?
There are other situations where a user may write a global styles CPT without using the endpoint, for example during a site import. A user without the unfiltered_html capability may import a website, and in that case it makes sense to import the styles; if there is unsafe content in the styles we want to remove it. We may have other situations that we are not even aware of, so trying to replicate what happens for HTML seems like a good option.
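The escaping strategy described above, as an added illustration that is not code from this PR or from WordPress core: the styles tree is walked key by key, every CSS value is run through a filter, and unsafe values (such as a `url()` pointing at a `data:` SVG) are dropped while safe ones (the text color) are kept. The `$user_can_unfiltered_html` flag is an assumed stand-in for `current_user_can( 'unfiltered_html' )`, and `gs_is_safe_css_value()` is a deliberately simplified stand-in for the kses CSS filtering core uses for post content.

```php
<?php
// Added example, not the PR's code. A minimal CSS value filter: rejects anything
// that could smuggle markup or script into a stylesheet, and only allows url()
// with http(s) targets, so a data: URI carrying an inline SVG is refused.
function gs_is_safe_css_value( string $value ): bool {
    if ( preg_match( '/[<>;{}\\\\]|expression\s*\(|javascript:|behavior\s*:/i', $value ) ) {
        return false;
    }
    if ( preg_match_all( '/url\(\s*[\'"]?([^\'")]*)[\'"]?\s*\)/i', $value, $m ) ) {
        foreach ( $m[1] as $target ) {
            if ( ! preg_match( '#^https?://#i', trim( $target ) ) ) {
                return false;
            }
        }
    }
    return true;
}

// Walks a theme.json-style styles tree. Mirrors post content handling: a user with
// unfiltered_html bypasses filtering entirely; everyone else gets unsafe values removed.
// $user_can_unfiltered_html is an assumed placeholder for current_user_can( 'unfiltered_html' ).
function gs_remove_insecure_styles( array $styles, bool $user_can_unfiltered_html ): array {
    if ( $user_can_unfiltered_html ) {
        return $styles;
    }
    $clean = array();
    foreach ( $styles as $key => $value ) {
        if ( is_array( $value ) ) {
            $sub = gs_remove_insecure_styles( $value, false );
            if ( ! empty( $sub ) ) {
                $clean[ $key ] = $sub; // keep the branch only if something safe survived
            }
        } elseif ( is_string( $value ) && gs_is_safe_css_value( $value ) ) {
            $clean[ $key ] = $value;
        }
        // Unsafe strings and non-string scalars are discarded.
    }
    return $clean;
}

// Constructed sample mirroring the testing section: a text color plus an SVG background
// submitted through the gradient property.
$submitted = array(
    'styles' => array(
        'color' => array(
            'text'     => '#ff0000',
            'gradient' => 'url("data:image/svg+xml;utf8,<svg></svg>")',
        ),
    ),
);
// Without unfiltered_html the gradient rule is dropped and only the text color remains.
var_export( gs_remove_insecure_styles( $submitted, false ) );
```

Because an import path can write the CPT without going through the REST endpoint, the filtering belongs on the stored data rather than on the endpoint alone, which is the point made in the answer above.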