WP_Theme_JSON::remove_insecure_properties( array $theme_json ): array

Removes insecure data from theme.json.

Contents

Parameters

$theme_json array Required
Structure to sanitize.

Top ↑

Return

array Sanitized structure.

Top ↑

Source

File: wp-includes/class-wp-theme-json.php. View all references 

public static function remove_insecure_properties( $theme_json ) {
	$sanitized = array();

	$theme_json = WP_Theme_JSON_Schema::migrate( $theme_json );

	$valid_block_names   = array_keys( static::get_blocks_metadata() );
	$valid_element_names = array_keys( static::ELEMENTS );
	$valid_variations    = array();
	foreach ( self::get_blocks_metadata() as $block_name => $block_meta ) {
		if ( ! isset( $block_meta['styleVariations'] ) ) {
			continue;
		}
		$valid_variations[ $block_name ] = array_keys( $block_meta['styleVariations'] );
	}

	$theme_json = static::sanitize( $theme_json, $valid_block_names, $valid_element_names, $valid_variations );

	$blocks_metadata = static::get_blocks_metadata();
	$style_nodes     = static::get_style_nodes( $theme_json, $blocks_metadata );

	foreach ( $style_nodes as $metadata ) {
		$input = _wp_array_get( $theme_json, $metadata['path'], array() );
		if ( empty( $input ) ) {
			continue;
		}

		// The global styles custom CSS is not sanitized, but can only be edited by users with 'edit_css' capability.
		if ( isset( $input['css'] ) && current_user_can( 'edit_css' ) ) {
			$output = $input;
		} else {
			$output = static::remove_insecure_styles( $input );
		}

		/*
		 * Get a reference to element name from path.
		 * $metadata['path'] = array( 'styles', 'elements', 'link' );
		 */
		$current_element = $metadata['path'][ count( $metadata['path'] ) - 1 ];

		/*
		 * $output is stripped of pseudo selectors. Re-add and process them
		 * or insecure styles here.
		 *
		 * TODO: Replace array_key_exists() with isset() check once WordPress drops
		 * support for PHP 5.6. See https://core.trac.wordpress.org/ticket/57067.
		 */
		if ( array_key_exists( $current_element, static::VALID_ELEMENT_PSEUDO_SELECTORS ) ) {
			foreach ( static::VALID_ELEMENT_PSEUDO_SELECTORS[ $current_element ] as $pseudo_selector ) {
				if ( isset( $input[ $pseudo_selector ] ) ) {
					$output[ $pseudo_selector ] = static::remove_insecure_styles( $input[ $pseudo_selector ] );
				}
			}
		}

		if ( ! empty( $output ) ) {
			_wp_array_set( $sanitized, $metadata['path'], $output );
		}
	}

	$setting_nodes = static::get_setting_nodes( $theme_json );
	foreach ( $setting_nodes as $metadata ) {
		$input = _wp_array_get( $theme_json, $metadata['path'], array() );
		if ( empty( $input ) ) {
			continue;
		}

		$output = static::remove_insecure_settings( $input );
		if ( ! empty( $output ) ) {
			_wp_array_set( $sanitized, $metadata['path'], $output );
		}
	}

	if ( empty( $sanitized['styles'] ) ) {
		unset( $theme_json['styles'] );
	} else {
		$theme_json['styles'] = $sanitized['styles'];
	}

	if ( empty( $sanitized['settings'] ) ) {
		unset( $theme_json['settings'] );
	} else {
		$theme_json['settings'] = $sanitized['settings'];
	}

	return $theme_json;
}

View on Trac View on GitHub

Top ↑

Top ↑

Uses

Uses
Uses Description
WP_Theme_JSON_Schema::migrate() wp-includes/class-wp-theme-json-schema.php

Function that migrates a given theme.json structure to the last version.
_wp_array_set() wp-includes/functions.php

Sets an array in depth based on a path of keys.
WP_Theme_JSON::get_blocks_metadata() wp-includes/class-wp-theme-json.php

Returns the metadata for each block.
_wp_array_get() wp-includes/functions.php

Accesses an array in depth based on a path of keys.
current_user_can() wp-includes/capabilities.php

Returns whether the current user has the specified capability.
Show 1 more use Hide more uses

Top ↑

Changelog

Changelog
Version Description
5.9.0 Introduced.

Top ↑

User Contributed Notes

You must log in before being able to contribute a note or feedback.