Codeinwp / otter-blocks

Create beautiful and attracting posts, pages, and landing pages with Gutenberg Blocks and Template Library by Otter.
https://wordpress.org/plugins/otter-blocks/
GNU General Public License v3.0

Improve Posts block output sanitization #2176

Closed Soare-Robert-Daniel closed 2 months ago

Soare-Robert-Daniel commented 2 months ago

Closes https://github.com/Codeinwp/otter-internals/issues/165

Summary

Added better sanitation function for titleTag attribute.

Test instructions

  1. Create a new post.
  2. Use Code Editor instead of Visual Editor.
  3. Paste the code below into the page and check whether the alert fires when you hover the mouse over the title. If the alert fires, the issue was not fixed.
<!-- wp:themeisle-blocks/posts-grid {"id":"wp-block-themeisle-blocks-posts-grid-dce24f89","template":["title","category","meta","description"],"titleTag":"h1 onmouseover=alert(123)","className":""} /-->

On the page, you should see this HTML output:

Screenshot 2024-04-15 at 11 14 00

This means sanitation succeeded, and somebody tried to create an XSS attack from a compromised account.


Checklist before the final review
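The test case above passes a value such as `h1 onmouseover=alert(123)` as the `titleTag` attribute, so the fix has to reject anything that is not a bare tag name rather than try to strip attributes out of it. The following is an added illustration of that allow-list approach, written for this page and not taken from the Otter code base: the function names, the allow-list, the default tag, the CSS class and the sample inputs are assumptions; `esc_html()` is WordPress's escaping function, with a minimal stand-in so the file also runs outside WordPress.

```php
<?php
// Added example (not Otter's own code): allow-list sanitization of a block's
// "titleTag" attribute. Names, allow-list and sample inputs are assumptions.

/**
 * Return a safe HTML tag name for the post title wrapper.
 *
 * The whole string is compared against a fixed list of tag names, so a value
 * that smuggles attributes along ("h1 onmouseover=alert(123)") never matches
 * and falls back to the default instead of being partially cleaned.
 */
function example_sanitize_title_tag( $tag, $default = 'h5' ) {
	$allowed = array( 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'div', 'span' );

	if ( ! is_string( $tag ) ) {
		return $default;
	}

	$tag = strtolower( trim( $tag ) );

	// Strict comparison: exact match only, no type juggling.
	return in_array( $tag, $allowed, true ) ? $tag : $default;
}

// Stand-in for WordPress's esc_html() so the example runs stand-alone.
if ( ! function_exists( 'esc_html' ) ) {
	function esc_html( $text ) {
		return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
	}
}

/**
 * Build the title markup: sanitized tag name, escaped title text.
 * (Assumed helper and class name for this illustration.)
 */
function example_render_title( $title, $title_tag ) {
	$tag = example_sanitize_title_tag( $title_tag );
	return sprintf( '<%1$s class="example-post-title">%2$s</%1$s>', $tag, esc_html( $title ) );
}

// Constructed inputs mirroring the PR's test case plus a few edge cases.
$cases = array(
	'h1 onmouseover=alert(123)', // attribute injection attempt: falls back to h5
	'H2',                        // legitimate tag, normalised to lower case
	'<script>',                  // not a plain tag name: falls back to h5
	null,                        // non-string attribute value: falls back to h5
);

foreach ( $cases as $case ) {
	echo example_render_title( 'Hello <world>', $case ), PHP_EOL;
}
```

Run with `php example.php`: the first, third and fourth cases render as `<h5 class="example-post-title">Hello &lt;world&gt;</h5>`, the second as an `<h2>`. The point is that the tag name is never built from the untrusted string; it is only ever chosen from the list, which is what makes hovering the title harmless regardless of what the block JSON contains.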

pirate-bot commented 2 months ago

Bundle Size Diff

Package Old Size New Size Diff
Animations 239.1 KB 239.1 KB 0 B (0.00%)
Blocks 1.5 MB 1.5 MB 61 B (0.00%)
CSS 93.17 KB 93.17 KB 0 B (0.00%)
Dashboard 201.53 KB 201.53 KB 0 B (0.00%)
Onboarding 154.18 KB 154.18 KB 0 B (0.00%)
Export Import 90.95 KB 90.95 KB 0 B (0.00%)
Pro 355.91 KB 355.91 KB 0 B (0.00%)
pirate-bot commented 2 months ago

Plugin build for 0c514e641a1f3bd85e3e41488a08d20420c4f217 is ready :bellhop_bell:!

pirate-bot commented 2 months ago

E2E Tests

Playwright Test Status:

Performance Results serverResponse: 215.8, firstPaint: 542.9, domContentLoaded: 1532.2, loaded: 1532.7, firstContentfulPaint: 3548.2, firstBlock: 5454.2, type: 12.19, minType: 10.37, maxType: 13.61, typeContainer: 7.96, minTypeContainer: 6.87, maxTypeContainer: 10.82, focus: 40.85, minFocus: 34.34, maxFocus: 45.96, inserterOpen: 30.34, minInserterOpen: 25.69, maxInserterOpen: 44.96, inserterSearch: 6.53, minInserterSearch: 6.12, maxInserterSearch: 7.34, inserterHover: 3.24, minInserterHover: 2.72, maxInserterHover: 4.53, listViewOpen: 151.67, minListViewOpen: 133.72, maxListViewOpen: 188.45
pirate-bot commented 2 months ago

:tada: This PR is included in version 2.6.10 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: