
Playlist: Use wp_kses for safer tag stripping#76093

Open
scruffian wants to merge 1 commit into trunk from scruffian/fix-tag-sanitization

Conversation

@scruffian (Contributor)

What?

Replaces wp_strip_all_tags() with wp_kses() + wp_specialchars_decode() for sanitizing track metadata (title, artist, album, ariaLabel) in the playlist block's PHP render function.

Why?

This addresses a review comment from @tyxla on PR #75203:

Note that this may strip additional HTML entities like < or > - do we really want that?

wp_strip_all_tags() internally uses PHP's strip_tags(), which treats any < character as the start of an HTML tag. This means content like "I <3 Music" would have <3 Music stripped entirely, resulting in just "I ". While unusual for track titles, this is unnecessarily aggressive sanitization.

How?

The new approach:

  1. wp_kses( $text, array() ) - Strips all HTML tags but properly distinguishes between real HTML tags (like <br>, <script>) and non-tag content containing </>. Non-tag < is encoded as &lt; rather than being stripped.
  2. wp_specialchars_decode() - Decodes the HTML entities back to plain characters, since the data goes into JSON via wp_interactivity_state() and doesn't need HTML encoding.

This preserves the security properties (stripping actual HTML tags) while being more accurate about what constitutes a tag.

Testing Instructions

  1. Create a playlist block with tracks
  2. Manually edit a track title to contain < or > characters (e.g., "I <3 Music")
  3. View the post on the frontend
  4. Verify the track title displays correctly with the < character preserved

🤖 Generated with Claude Code
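To check the claims above against a real WordPress install, here is an added comparison script (not part of this PR or the Gutenberg code base). It assumes WordPress is loaded, e.g. by running it with WP-CLI as `wp eval-file compare-track-sanitizers.php` (the file name is hypothetical); the inputs are constructed, and the "expected" column is the behaviour the PR description claims for the new approach.

```php
<?php
// Added example: compares the old and new track-metadata sanitizers described in this PR.
// Requires WordPress functions wp_strip_all_tags(), wp_kses() and wp_specialchars_decode().

// Old behaviour: wp_strip_all_tags() is strip_tags()-based, so any "<" starts a "tag".
function playlist_sanitize_old( $text ) {
	return wp_strip_all_tags( $text );
}

// New behaviour from the PR: wp_kses() with no allowed elements removes real tags,
// then wp_specialchars_decode() turns the entities back into plain characters,
// because the value is JSON-encoded via wp_interactivity_state() and needs no HTML encoding.
function playlist_sanitize_new( $text ) {
	return wp_specialchars_decode( wp_kses( $text, array() ) );
}

// Constructed inputs mapped to the output the PR description says the new code should produce.
$cases = array(
	'I <3 Music'                     => 'I <3 Music',    // non-tag "<" is preserved (testing step 4)
	'Intro <br> Outro'               => 'Intro  Outro',  // a real tag is removed, surrounding text kept
	'<script>alert(1)</script>Track' => 'alert(1)Track', // tag removed; text content kept, never emitted as markup
	'Rock &amp; Roll'                => 'Rock & Roll',   // entity decoded before the JSON step
);

// Print old vs. new output side by side so a reviewer can spot any divergence from the PR's claims.
foreach ( $cases as $input => $expected ) {
	$old    = playlist_sanitize_old( $input );
	$new    = playlist_sanitize_new( $input );
	$status = ( $new === $expected ) ? 'OK  ' : 'DIFF';
	printf(
		"%s input=%s old=%s new=%s expected=%s\n",
		$status,
		json_encode( $input ),
		json_encode( $old ),
		json_encode( $new ),
		json_encode( $expected )
	);
}
```

A `DIFF` line on the first case would mean wp_kses() in the installed WordPress version still removes a non-tag `<` sequence, which is exactly what the reviewer should confirm before merging.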

Replace wp_strip_all_tags() with wp_kses() + wp_specialchars_decode()
for sanitizing track metadata (title, artist, album, ariaLabel).

wp_strip_all_tags() internally uses strip_tags(), which treats any `<`
as the start of an HTML tag. This means content like "I <3 Music" would
incorrectly have "<3 Music" stripped, resulting in just "I ".

The new approach uses wp_kses( $text, array() ) which properly
distinguishes real HTML tags from non-tag content containing `<`/`>`,
followed by wp_specialchars_decode() to convert entities back to plain
text since the data is JSON-encoded via wp_interactivity_state().

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@scruffian scruffian added [Type] Bug An existing feature does not function as intended [Block] Playlist labels Mar 3, 2026
@github-actions github-actions bot added the [Package] Block library /packages/block-library label Mar 3, 2026
@github-actions

github-actions bot commented Mar 3, 2026

Flaky tests detected in f4bc725.
Some tests passed with failed attempts. The failures may not be related to this commit but are still reported for visibility. See the documentation for more information.

🔍 Workflow run URL: https://github.com/WordPress/gutenberg/actions/runs/22631443077
📝 Reported issues:
