Change the URL query string for more safety (#51312)
okmttdhr authored Jun 8, 2023
1 parent 3cef94b commit bdf728b
Showing 6 changed files with 19 additions and 15 deletions.
8 changes: 4 additions & 4 deletions lib/compat/wordpress-6.3/theme-previews.php
Expand Up @@ -17,7 +17,7 @@ function gutenberg_get_theme_preview_path( $current_stylesheet = null ) {
return $current_stylesheet;
}

$preview_stylesheet = ! empty( $_GET['theme_preview'] ) ? $_GET['theme_preview'] : null;
$preview_stylesheet = ! empty( $_GET['gutenberg_theme_preview'] ) ? $_GET['gutenberg_theme_preview'] : null;
$wp_theme = wp_get_theme( $preview_stylesheet );
if ( ! is_wp_error( $wp_theme->errors() ) ) {
if ( current_filter() === 'template' ) {
Expand Down Expand Up @@ -45,7 +45,7 @@ function gutenberg_attach_theme_preview_middleware() {
'wp-api-fetch',
sprintf(
'wp.apiFetch.use( wp.apiFetch.createThemePreviewMiddleware( %s ) );',
wp_json_encode( sanitize_text_field( $_GET['theme_preview'] ) )
wp_json_encode( sanitize_text_field( $_GET['gutenberg_theme_preview'] ) )
),
'after'
);
Expand Down Expand Up @@ -88,7 +88,7 @@ function addLivePreviewButton() {
livePreviewButton.setAttribute('class', 'button button-primary');
livePreviewButton.setAttribute(
'href',
`/wp-admin/site-editor.php?theme_preview=${themePath}&return=themes.php`
`/wp-admin/site-editor.php?gutenberg_theme_preview=${themePath}&return=themes.php`
);
livePreviewButton.innerHTML = '<?php echo esc_html_e( 'Live Preview' ); ?>';
themeInfo.querySelector('.theme-actions').appendChild(livePreviewButton);
Expand Down Expand Up @@ -118,7 +118,7 @@ function block_theme_activate_nonce() {
/**
* Attaches filters to enable theme previews in the Site Editor.
*/
if ( ! empty( $_GET['theme_preview'] ) ) {
if ( ! empty( $_GET['gutenberg_theme_preview'] ) ) {
add_filter( 'stylesheet', 'gutenberg_get_theme_preview_path' );
add_filter( 'template', 'gutenberg_get_theme_preview_path' );
add_filter( 'init', 'gutenberg_attach_theme_preview_middleware' );
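Review bot: In gutenberg_get_theme_preview_path the value read from `$_GET['gutenberg_theme_preview']` is handed straight to `wp_get_theme()`, while the same request value is passed through `sanitize_text_field()` before `wp_json_encode()` in gutenberg_attach_theme_preview_middleware; reading it once as `$preview_stylesheet = ! empty( $_GET['gutenberg_theme_preview'] ) ? sanitize_text_field( $_GET['gutenberg_theme_preview'] ) : null;` keeps the two paths consistent, with the existing `is_wp_error( $wp_theme->errors() )` check still rejecting unknown stylesheets. The commit only renames the parameter, so whatever capability check gates the preview path lies before this hunk and could not be confirmed here. In addLivePreviewButton the href interpolates `${themePath}` directly into the query string; `encodeURIComponent( themePath )` would keep a slug with reserved characters from breaking the URL. Both functions in these hunks begin outside the hunk.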
10 changes: 5 additions & 5 deletions packages/api-fetch/src/middlewares/theme-preview.js
Expand Up @@ -4,7 +4,7 @@
import { addQueryArgs, hasQueryArg } from '@wordpress/url';

/**
* This appends a `theme_preview` parameter to the REST API request URL if
* This appends a `gutenberg_theme_preview` parameter to the REST API request URL if
* the admin URL contains a `theme` GET parameter.
*
* @param {Record<string, any>} themePath
Expand All @@ -13,19 +13,19 @@ import { addQueryArgs, hasQueryArg } from '@wordpress/url';
const createThemePreviewMiddleware = ( themePath ) => ( options, next ) => {
if (
typeof options.url === 'string' &&
! hasQueryArg( options.url, 'theme_preview' )
! hasQueryArg( options.url, 'gutenberg_theme_preview' )
) {
options.url = addQueryArgs( options.url, {
theme_preview: themePath,
gutenberg_theme_preview: themePath,
} );
}

if (
typeof options.path === 'string' &&
! hasQueryArg( options.path, 'theme_preview' )
! hasQueryArg( options.path, 'gutenberg_theme_preview' )
) {
options.path = addQueryArgs( options.path, {
theme_preview: themePath,
gutenberg_theme_preview: themePath,
} );
}

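Review bot: The JSDoc above createThemePreviewMiddleware is now stale: it still says the parameter is appended when the admin URL "contains a `theme` GET parameter", and it types `themePath` as `{Record<string, any>}` although the value is used as a single query-arg value at `gutenberg_theme_preview: themePath`. Suggest `@param {string} themePath Stylesheet of the theme being previewed, forwarded as the gutenberg_theme_preview query arg.` and naming `gutenberg_theme_preview` in the first sentence as well. The middleware also rewrites `options.url` and `options.path` on the caller's object in place; whether other middlewares in this package rely on that convention is not visible here. The function's return and the rest of the JSDoc fall outside the hunk.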
2 changes: 1 addition & 1 deletion packages/edit-site/src/components/routes/link.js
Expand Up @@ -37,7 +37,7 @@ export function useLink( params = {}, state, shouldReplace = false ) {
if ( isPreviewingTheme() ) {
params = {
...params,
theme_preview: currentlyPreviewingTheme(),
gutenberg_theme_preview: currentlyPreviewingTheme(),
};
}

Original file line number Diff line number Diff line change
Expand Up @@ -100,7 +100,7 @@ function NavigationMenuEditor( { navigationMenu } ) {
postType: attributes.type,
postId: attributes.id,
...( isPreviewingTheme() && {
theme_preview: currentlyPreviewingTheme(),
gutenberg_theme_preview: currentlyPreviewingTheme(),
} ),
} );
}
Expand All @@ -109,7 +109,7 @@ function NavigationMenuEditor( { navigationMenu } ) {
postType: 'page',
postId: attributes.id,
...( isPreviewingTheme() && {
theme_preview: currentlyPreviewingTheme(),
gutenberg_theme_preview: currentlyPreviewingTheme(),
} ),
} );
}
7 changes: 5 additions & 2 deletions packages/edit-site/src/utils/is-previewing-theme.js
Expand Up @@ -4,12 +4,15 @@
import { getQueryArg } from '@wordpress/url';

export function isPreviewingTheme() {
return getQueryArg( window.location.href, 'theme_preview' ) !== undefined;
return (
getQueryArg( window.location.href, 'gutenberg_theme_preview' ) !==
undefined
);
}

export function currentlyPreviewingTheme() {
if ( isPreviewingTheme() ) {
return getQueryArg( window.location.href, 'theme_preview' );
return getQueryArg( window.location.href, 'gutenberg_theme_preview' );
}
return null;
}
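Review bot: The literal `'gutenberg_theme_preview'` now appears in both exported functions here and again in link.js, use-activate-theme.js and the NavigationMenuEditor hunk of this commit, so the next rename must touch every site by hand. A module-level `export const THEME_PREVIEW_QUERY_ARG = 'gutenberg_theme_preview';` used in both `getQueryArg` calls and imported by the other edit-site call sites would keep them from drifting. `currentlyPreviewingTheme` also parses `window.location.href` twice, once inside `isPreviewingTheme`; `return getQueryArg( window.location.href, THEME_PREVIEW_QUERY_ARG ) ?? null;` yields the same result provided getQueryArg returns `undefined` for an absent arg, which the `!== undefined` test above suggests. Neither export carries a JSDoc block; a `@return {boolean}` and `@return {string|null}` line would document the contract.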
3 changes: 2 additions & 1 deletion packages/edit-site/src/utils/use-activate-theme.js
Expand Up @@ -31,7 +31,8 @@ export function useActivateTheme() {
'&_wpnonce=' +
window.BLOCK_THEME_ACTIVATE_NONCE;
await window.fetch( activationURL );
const { theme_preview: themePreview, ...params } = location.params;
const { gutenberg_theme_preview: themePreview, ...params } =
location.params;
history.replace( params );
}
};
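Review bot: The new destructuring that strips `gutenberg_theme_preview` from `location.params` runs regardless of what `window.fetch( activationURL )` returned, since the awaited response is never inspected; if activation fails (an expired nonce, for example) the preview parameter is still dropped and `history.replace( params )` leaves the editor looking as though the previewed theme were active. Checking the response first, `const response = await window.fetch( activationURL ); if ( ! response.ok ) { throw new Error( 'Theme activation failed' ); }`, keeps the URL in preview mode on failure. The `themePreview` binding exists only to drop the key and is otherwise unused, which the lint configuration may flag. The enclosing async handler starts outside the hunk.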

1 comment on commit bdf728b

@github-actions


Flaky tests detected in bdf728b.
Some tests passed with failed attempts. The failures may not be related to this commit but are still reported for visibility. See the documentation for more information.

🔍 Workflow run URL: https://github.com/WordPress/gutenberg/actions/runs/5208199086
📝 Reported issues:
