Multiple denylist patterns are not applied to CDATA validation #4319
Labels: Bug (Something isn't working), Changelogged (Whether the issue/PR has been added to release notes.), CSS, P2 (Low priority), Validation, WS:Core (Work stream for Plugin core)

Comments
This was referenced Apr 8, 2020

This is being fixed as part of #4548.

OK, thanks!

westonruter added the Changelogged label (Whether the issue/PR has been added to release notes.) on Jul 17, 2020
Bug Description

It turns out that CDATA can have multiple `blacklisted_cdata_regex` constraints, for example:

However, the Python spec parser is only capturing one:

amp-wp/includes/sanitizers/class-amp-allowed-tags-generated.php, lines 15398 to 15403 in b059e63

And the sanitizer is only expecting one:

amp-wp/includes/sanitizers/class-amp-tag-and-attribute-sanitizer.php, lines 902 to 918 in b059e63

This means at present CSS selectors that contain `i-amphtml-*` will not get caught by the sanitizer, even though they are invalid. Related: #771.

We need to fix how the spec is parsed for `blacklisted_cdata_regex`. We should also check to see if this same thing is happening for other properties. At first I thought `blacklisted_value_regex` would be a candidate, but it seems to already be changed to concatenate all denied patterns into a single regex.

Expected Behaviour

Multiple `blacklisted_cdata_regex` constraints should be captured and applied during sanitization/validation.
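The following is an added illustration of the failure mode this issue describes, not code from the amp-wp project or its Python spec parser. It uses a constructed protoascii-style spec fragment with two assumed `blacklisted_cdata_regex` entries (an HTML-comment pattern and an `i-amphtml-` prefix pattern) and contrasts a parser that keeps every repeated entry with one that collapses the repeated field to a single rule, then runs both rule sets over sample `<style amp-custom>` CDATA. Which entry the real parser kept is not stated in the issue; the single-entry variant keeping the first match is an assumption made for the demonstration.

```python
import re

# Constructed fragment in the style of the AMP validator spec (protoascii
# text format). The two denylist entries are assumptions for illustration,
# not copied from the real validator spec.
SPEC_FRAGMENT = r'''
tags: {
  tag_name: "STYLE"
  spec_name: "style amp-custom"
  cdata: {
    blacklisted_cdata_regex: {
      regex: "<!--"
      error_message: "html comments"
    }
    blacklisted_cdata_regex: {
      regex: "(^|\\W)i-amphtml-"
      error_message: "CSS i-amphtml- name prefix"
    }
  }
}
'''

# Matches one blacklisted_cdata_regex { regex: "..." error_message: "..." }
# block. The regex capture allows backslash escapes inside the quoted string.
RULE_RE = re.compile(
    r'blacklisted_cdata_regex:\s*\{\s*'
    r'regex:\s*"((?:[^"\\]|\\.)*)"\s*'
    r'error_message:\s*"([^"]*)"\s*\}',
    re.S,
)


def _unescape(proto_string):
    """Undo the protoascii escaping of backslashes so the regex compiles."""
    return proto_string.replace('\\\\', '\\')


def parse_denylist(spec_text):
    """Correct behaviour: keep every blacklisted_cdata_regex entry,
    because it is a repeated field in the spec."""
    return [
        {'regex': _unescape(m.group(1)), 'error_message': m.group(2)}
        for m in RULE_RE.finditer(spec_text)
    ]


def parse_denylist_single(spec_text):
    """Models the reported bug: the parser stops after one entry, so the
    repeated field collapses to a single rule. Keeping the first entry is an
    assumption; the issue does not say which one the real parser retained."""
    m = RULE_RE.search(spec_text)
    if m is None:
        return []
    return [{'regex': _unescape(m.group(1)), 'error_message': m.group(2)}]


def find_cdata_violations(cdata, rules):
    """Apply every denylist rule to the CDATA; return the error messages hit."""
    return [r['error_message'] for r in rules if re.search(r['regex'], cdata)]


# Constructed CDATA samples standing in for <style amp-custom> contents.
CSS_WITH_INTERNAL_CLASS = ".i-amphtml-layout-size-defined { display: none }"
CSS_WITH_COMMENT = "<!-- legacy comment --> p { margin: 0 }"
CSS_CLEAN = "body { color: #333 }"

if __name__ == '__main__':
    all_rules = parse_denylist(SPEC_FRAGMENT)
    one_rule = parse_denylist_single(SPEC_FRAGMENT)
    print('rules captured (all entries):', len(all_rules))
    print('rules captured (single entry):', len(one_rule))
    for css in (CSS_WITH_INTERNAL_CLASS, CSS_WITH_COMMENT, CSS_CLEAN):
        print(repr(css))
        print('  all rules    ->', find_cdata_violations(css, all_rules))
        print('  single rule  ->', find_cdata_violations(css, one_rule))
```

With both rules applied, the `.i-amphtml-layout-size-defined` selector is reported under "CSS i-amphtml- name prefix"; with only the first entry retained, the same CDATA passes untouched, which is exactly the gap the issue reports. The same shape applies to any other repeated denylist field: the parser has to emit a list and the sanitizer has to loop over it, rather than either side assuming a single pattern.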