validate postId in the site-editor.php #7188
Conversation
|
The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the Core Committers: Use this line as a base for the props when committing in SVN: To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook. |
Test using WordPress PlaygroundThe changes in this pull request can previewed and tested using a WordPress Playground instance. WordPress Playground is an experimental project that creates a full WordPress instance entirely within the browser. Some things to be aware of
For more details about these limitations and more, check out the Limitations page in the WordPress Playground documentation. |
mi5t4n
force-pushed
the
fix/61796
branch
2 times, most recently
from
01c46f2 to
d01e1e6
Compare
Added validation for the `postId` parameter in `site-editor.php` to ensure that the post exists before proceeding. If the post ID is invalid or the post does not exist, the script will now terminate with an error message, preventing potential errors or unintended behavior.
There was a problem hiding this comment.
I've added a couple of notes inline.
While testing I noticed that going to wp-admin/site-editor.php?postType=page&canvas=edit ignores the postType parameter and loads the Blog Home template.
It suggests that further validation of the user input via the URL is required
|
Though it's probably beyond the scope of the original ticket, I see a lot of duplication of Wondering if we could have something like a default Could probably move the early bails a bit higher in the file as well, to save some unnecessary code running when it's not needed? Just based off a brief look, unless I am missing something, I don't see anything between lines 76 and 118 that is in any way dependent on any of the code running above. |
|
would be nice to have an error message for various post statuses as in #7215 |
Co-authored-by: Peter Wilson <[email protected]>
Co-authored-by: Peter Wilson <[email protected]>
…quest. Co-authored-by: Peter Wilson <[email protected]>
…ary code does not run.
|
@dream-encode @peterwilsoncc Thank you for the suggestions. I have made the changes. |
Additional reuse of `$post_type_param` and to avoid a potential PHP error if the value is not set. Co-authored-by: Peter Wilson <[email protected]>
|
Before 6.6.0, it redirected to Why My concern is two-fold:
I'm wondering: Could a lighter approach might be a better user experience? "lighter" meaning -> retain the previous behavior to keep the user in the Site Editor, while also displaying a message to inform the user why their requested page did not show. @dream-encode @peterwilsoncc What do you think? |
|
@hellofromtonya How about passing Untested: wp_die(
__( 'Invalid page ID.' ),
'',
array(
'link_url' => admin_url( 'site-editor.php' ),
'link_text' => 'Return to site editor'
)
);I think hitting these error messages will require some degree of messing around with the URLs so it's safe to assume a certain amount of advanced user knowledge. |
| break; | ||
|
|
||
| case 'wp_template': | ||
| $block_template = get_block_template( $_GET['postId'] ); |
There was a problem hiding this comment.
Noting that $_GET['postId'] isn't sanitized here or in the next case.
That works in my testing. It mitigates one of my concerns:
Let's adding that to each of the new |
src/wp-admin/site-editor.php
Outdated
| $post = get_post( (int) $_GET['postId'] ); | ||
|
|
||
| if ( null === $post || 'page' !== get_post_type( $post ) ) { | ||
| wp_die( __( 'Invalid page ID.' ) ); |
There was a problem hiding this comment.
To help with the user's experience, please add the following as suggested by @peterwilsoncc :
| wp_die( __( 'Invalid page ID.' ) ); | |
| wp_die( | |
| __( 'Invalid page ID.' ), | |
| '', | |
| array( | |
| 'link_url' => admin_url( 'site-editor.php' ), | |
| 'link_text' => 'Return to site editor', | |
| ) | |
| ); | |
src/wp-admin/site-editor.php
Outdated
| $post = get_post( (int) $_GET['postId'] ); | ||
|
|
||
| if ( null === $post || 'wp_block' !== get_post_type( $post ) ) { | ||
| wp_die( __( 'Invalid pattern ID.' ) ); |
There was a problem hiding this comment.
Same here, but maybe should link to the Patterns page.
src/wp-admin/site-editor.php
Outdated
| $block_template = get_block_template( $_GET['postId'] ); | ||
|
|
||
| if ( null === $block_template ) { | ||
| wp_die( __( 'Invalid template ID.' ) ); |
There was a problem hiding this comment.
Same here, but maybe should link to the Templates page.
src/wp-admin/site-editor.php
Outdated
| $block_template = get_block_template( $_GET['postId'], 'wp_template_part' ); | ||
|
|
||
| if ( null === $block_template ) { | ||
| wp_die( __( 'Invalid template part ID.' ) ); |
There was a problem hiding this comment.
Same here, but maybe should link to the Templates page.
… part does not exist.
|
@costdev @hellofromtonya Thanks a lot for the feedback. I have implemented the requested changes. |
|
Hi @mi5t4n, thanks for the ping! My contributions to WordPress Core are currently on hold. I am therefore unable to perform a follow-up review at this time. Please drop a comment on the ticket to ask if other contributors are able to perform a follow-up review. |
Added validation for the
postIdparameter insite-editor.phpto ensure that the post exists before proceeding. If the post ID is invalid or the post does not exist, the script will now terminate with an error message, preventing potential errors or unintended behavior.Trac ticket: https://core.trac.wordpress.org/ticket/61796
This Pull Request is for code review only. Please keep all other discussion in the Trac ticket. Do not merge this Pull Request. See GitHub Pull Requests for Code Review in the Core Handbook for more details.