Changeset 60708

Timestamp:

09/04/2025 06:30:56 PM (6 weeks ago)

Author:

jonsurrell

Message:

Editor: Use Unicode escape encoding for "\" characters in block attributes.

Corrects an issue with block attribute encoding where JSON strings ending in the \ character would be misencoded and cause block attributes to be lost.

Client-side block serialization was updated with matching logic in ​https://github.com/WordPress/gutenberg/commit/10453ab3a4e665b8403a0cb466dba64689b4b491.

Developed in ​https://github.com/WordPress/wordpress-develop/pull/9558.

Props jonsurrell, westonruter, mamaduka, dmsnell, shailu25.
Fixes #63917.

Location:

trunk

Files:

• src/wp-includes/blocks.php (modified) (1 diff)
• tests/phpunit/tests/blocks/serialize.php (modified) (3 diffs)

trunk/src/wp-includes/blocks.php

@@ -1613 +1613 @@
 function serialize_block_attributes( $block_attributes ) {
     $encoded_attributes = wp_json_encode( $block_attributes, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE );
-    $encoded_attributes = preg_replace( '/--/', '\\u002d\\u002d', $encoded_attributes );
-    $encoded_attributes = preg_replace( '/</', '\\u003c', $encoded_attributes );
-    $encoded_attributes = preg_replace( '/>/', '\\u003e', $encoded_attributes );
-    $encoded_attributes = preg_replace( '/&/', '\\u0026', $encoded_attributes );
-    // Regex: /\\"/
-    $encoded_attributes = preg_replace( '/\\\\"/', '\\u0022', $encoded_attributes );
-
-    return $encoded_attributes;
+
+    return strtr(
+        $encoded_attributes,
+        array(
+            '\\\\' => '\\u005c',
+            '--'   => '\\u002d\\u002d',
+            '<'    => '\\u003c',
+            '>'    => '\\u003e',
+            '&'    => '\\u0026',
+            '\\"'  => '\\u0022',
+        )
+    );
 }
 

trunk/tests/phpunit/tests/blocks/serialize.php

@@ -11 +11 @@
  */
 class Tests_Blocks_Serialize extends WP_UnitTestCase {
+    /**
+     * Ensure there are no issues with special character encoding.
+     *
+     * @ticket 63917
+     */
+    public function test_attribute_encoding() {
+        $block = array(
+            'blockName'    => 'test',
+            'attrs'        => array(
+                'lt'         => '<',
+                'gt'         => '>',
+                'amp'        => '&',
+                'bs'         => '\\',
+                'quot'       => '"',
+                'bs-bs-quot' => '\\\\"',
+            ),
+            'innerBlocks'  => array(),
+            'innerHTML'    => '',
+            'innerContent' => array(),
+        );
+
+        $expected = '<!-- wp:test {"lt":"\\u003c","gt":"\\u003e","amp":"\\u0026","bs":"\\u005c","quot":"\\u0022","bs-bs-quot":"\\u005c\\u005c\\u0022"} /-->';
+        $this->assertSame( $expected, serialize_block( $block ) );
+    }
 
     /**
@@ -16 +40 @@
      *
      * @param string $original Original block markup.
+     *
+     * @ticket 63917
      */
     public function test_serialize_identity_from_parsed( $original ) {
@@ -25 +51 @@
     }
 
-    public function data_serialize_identity_from_parsed() {
+    public static function data_serialize_identity_from_parsed(): array {
         return array(
-            // Void block.
-            array( '<!-- wp:void /-->' ),
-
-            // Freeform content ($block_name = null).
-            array( 'Example.' ),
-
-            // Block with content.
-            array( '<!-- wp:content -->Example.<!-- /wp:content -->' ),
-
-            // Block with attributes.
-            array( '<!-- wp:attributes {"key":"value"} /-->' ),
-
-            // Block with inner blocks.
-            array( "<!-- wp:outer --><!-- wp:inner {\"key\":\"value\"} -->Example.<!-- /wp:inner -->\n\nExample.\n\n<!-- wp:void /--><!-- /wp:outer -->" ),
-
-            // Block with attribute values that may conflict with HTML comment.
-            array( '<!-- wp:attributes {"key":"\\u002d\\u002d\\u003c\\u003e\\u0026\\u0022"} /-->' ),
-
-            // Block with attribute values that should not be escaped.
-            array( '<!-- wp:attributes {"key":"€1.00 / 3 for €2.00"} /-->' ),
+            'Void block'                                  =>
+                array( '<!-- wp:void /-->' ),
+
+            'Freeform content ($block_name = null)'       =>
+                array( 'Example.' ),
+
+            'Block with content'                          =>
+                array( '<!-- wp:content -->Example.<!-- /wp:content -->' ),
+
+            'Block with attributes'                       =>
+                array( '<!-- wp:attributes {"key":"value"} /-->' ),
+
+            'Block with inner blocks'                     =>
+                array( "<!-- wp:outer --><!-- wp:inner {\"key\":\"value\"} -->Example.<!-- /wp:inner -->\n\nExample.\n\n<!-- wp:void /--><!-- /wp:outer -->" ),
+
+            'Block with attribute values that may conflict with HTML comment' =>
+                array( '<!-- wp:attributes {"key":"\\u002d\\u002d\\u003c\\u003e\\u0026\\u0022"} /-->' ),
+
+            'Block with attribute values that should not be escaped' =>
+                array( '<!-- wp:attributes {"key":"€1.00 / 3 for €2.00"} /-->' ),
+
+            'Backslashes in attributes, Gutenberg #16508' =>
+                array( '<!-- wp:attributes {"bs":"\\u005c","bsQuote":"\\u005c\\u0022","bsQuoteBs":"\\u005c\\u0022\\u005c"} /-->' ),
+
+            'Tricky backslashes'                          =>
+                array( '<!-- wp:attributes {"bsbsQbsbsbsQ":"\\u005c\\u005c\\u0022\\u005c\\u005c\\u005c\\u005c\\u0022"} /-->' ),
+        );
+    }
+
+    /**
+     * The serialization was adjusted to use unicode escapes sequences for escaped `\` and `"`
+     * characters inside JSON strings.
+     *
+     * Ensure that the previous escape form can be parsed compatibly and serialized back to
+     * the new form.
+     *
+     * @see https://github.com/WordPress/wordpress-develop/pull/9558
+     * @see https://github.com/WordPress/gutenberg/pull/71291
+     *
+     * @ticket 63917
+     *
+     * @dataProvider data_serialize_compatible_forms
+     *
+     * @param string $before Previous serialization form.
+     * @param string $after  New serialization form.
+     */
+    public function test_older_serialization_is_compatible( string $before, string $after ) {
+        $this->assertNotSame( $before, $after, 'The same serialization should not be provided for before and after.' );
+        $blocks = parse_blocks( $before );
+        $actual = serialize_blocks( $blocks );
+        $this->assertSame( $after, $actual );
+    }
+
+    public static function data_serialize_compatible_forms(): array {
+        return array(
+            'Special characters' => array(
+                '<!-- wp:attributes {"lt":"\\u003c","gt":"\\u003e","amp":"\\u0026","bs":"\\\\","quot":"\\u0022"} /-->',
+                '<!-- wp:attributes {"lt":"\\u003c","gt":"\\u003e","amp":"\\u0026","bs":"\\u005c","quot":"\\u0022"} /-->',
+            ),
+
+            'Backslashes'        => array(
+                '<!-- wp:attributes {"bs":"\\\\","bsQuote":"\\\\\\u0022","bsQuoteBs":"\\\\\\u0022\\\\"} /-->',
+                '<!-- wp:attributes {"bs":"\\u005c","bsQuote":"\\u005c\\u0022","bsQuoteBs":"\\u005c\\u0022\\u005c"} /-->',
+            ),
         );
     }