From ce2c261c5bf0b8c09738cb2891cfcfa4ceb5d5db Mon Sep 17 00:00:00 2001
From: ArkaPrabhaChowdhury
Date: Thu, 28 May 2026 21:25:30 +0530
Subject: [PATCH 1/4] Administration: Escape custom background page output
---
 .../includes/class-custom-background.php | 26 +++---
 .../phpunit/tests/admin/customBackground.php | 88 +++++++++++++++++++
 2 files changed, 101 insertions(+), 13 deletions(-)
 create mode 100644 tests/phpunit/tests/admin/customBackground.php
diff --git a/src/wp-admin/includes/class-custom-background.php b/src/wp-admin/includes/class-custom-background.php
index e42a38f4eb689..4d100a1414075 100644
--- a/src/wp-admin/includes/class-custom-background.php
+++ b/src/wp-admin/includes/class-custom-background.php
@@ -247,7 +247,7 @@ public function admin_page() {
 $message = sprintf(
 /* translators: %s: URL to background image configuration in Customizer. */
 __( 'You can now manage and live-preview Custom Backgrounds in the Customizer.' ),
- admin_url( 'customize.php?autofocus[control]=background_image' )
+ esc_url( admin_url( 'customize.php?autofocus[control]=background_image' ) )
 );
 wp_admin_notice(
 $message,
@@ -308,7 +308,7 @@ public function admin_page() {
 . " background-attachment: $background_attachment;";
 }
 ?>
-
+

@@ -431,8 +431,8 @@ public function admin_page() { ); ?> - -
+ +
@@ -440,7 +440,7 @@ public function admin_page() {
@@ -451,8 +451,8 @@ public function admin_page() { - -
+ +
@@ -472,8 +472,8 @@ public function admin_page() { - -
+ +
@@ -487,10 +487,10 @@ public function admin_page() { -> + data-default-color="#">
diff --git a/tests/phpunit/tests/admin/customBackground.php b/tests/phpunit/tests/admin/customBackground.php new file mode 100644 index 0000000000000..804c21773fc39 --- /dev/null +++ b/tests/phpunit/tests/admin/customBackground.php 
@@ -0,0 +1,88 @@
+user->create(
+ array(
+ 'role' => 'administrator',
+ )
+ );
+ }
+
+ public function set_up() {
+ parent::set_up();
+
+ wp_set_current_user( self::$admin_id );
+ set_current_screen( 'appearance_page_custom-background' );
+
+ remove_theme_support( 'custom-background' );
+ add_theme_support(
+ 'custom-background',
+ array(
+ 'default-position-x' => 'left',
+ 'default-position-y' => 'top',
+ 'default-size' => 'auto',
+ 'default-repeat' => 'repeat',
+ 'default-attachment' => 'scroll',
+ )
+ );
+ }
+
+ public function tear_down() {
+ remove_filter( 'theme_mod_background_position_x', array( $this, 'filter_background_position_x' ) );
+ remove_theme_mod( 'background_image' );
+ remove_theme_mod( 'background_image_thumb' );
+ remove_theme_support( 'custom-background' );
+ set_current_screen();
+ wp_set_current_user( 0 );
+
+ parent::tear_down();
+ }
+
+ /**
+ * @ticket 57268
+ */
+ public function test_admin_page_escapes_background_styles() {
+ set_theme_mod( 'background_image', 'https://example.org/background.jpg' );
+ set_theme_mod( 'background_image_thumb', 'https://example.org/background.jpg' );
+ set_theme_mod( 'background_size', 'cover' );
+ set_theme_mod( 'background_repeat', 'repeat' );
+ set_theme_mod( 'background_attachment', 'scroll' );
+
+ add_filter( 'theme_mod_background_position_x', array( $this, 'filter_background_position_x' ) );
+
+ $custom_background = new Custom_Background();
+
+ ob_start();
+ $custom_background->admin_page();
+ $output = ob_get_clean();
+
+ $dom = new DOMDocument();
+
+ libxml_use_internal_errors( true );
+ $dom->loadHTML( '' . $output . '' );
+ libxml_clear_errors();
+
+ $image = $dom->getElementById( 'custom-background-image' );
+
+ $this->assertInstanceOf( DOMElement::class, $image );
+ $this->assertFalse( $image->hasAttribute( 'onmouseover' ) );
+ }
+
+ public function filter_background_position_x() {
+ return 'left" onmouseover="alert(1)';
+ }
+}
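Review bot: `libxml_use_internal_errors( true )` in test_admin_page_escapes_background_styles() is never switched back, so libxml's error-collection mode leaks into every test that runs later in the same process; capture and restore the prior setting with `$previous = libxml_use_internal_errors( true );` before `loadHTML()` and `libxml_use_internal_errors( $previous );` right after `libxml_clear_errors();`. The only behavioral assertion is that no `onmouseover` attribute exists on `#custom-background-image`, which would also pass if the position value were dropped from the markup altogether; adding `$this->assertStringContainsString( 'onmouseover', $image->getAttribute( 'style' ) );` pins the test to "escaped, not omitted", assuming the production change (the hunk at line 308, not readable in this rendering) keeps the value inside the style attribute. Only `background_position_x` is exercised even though the context at line 308 shows `$background_attachment` interpolated into the same style string and set_up() declares defaults for position-y, size, repeat and attachment, so a data provider that applies the same injected value to each of those theme mods would cover the sibling interpolations. The opening of this file (the class declaration and the start of `wpSetUpBeforeClass()`) is not visible in this hunk.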
From f3c725610e08f160e024de77a730ee8e7a8441b4 Mon Sep 17 00:00:00 2001
From: ArkaPrabhaChowdhury
Date: Fri, 29 May 2026 14:14:28 +0530
Subject: [PATCH 2/4] Administration: Fix custom background PHPCS formatting
---
 src/wp-admin/includes/class-custom-background.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/wp-admin/includes/class-custom-background.php b/src/wp-admin/includes/class-custom-background.php
index 4d100a1414075..2d3d9357c30fc 100644
--- a/src/wp-admin/includes/class-custom-background.php
+++ b/src/wp-admin/includes/class-custom-background.php
@@ -490,7 +490,8 @@ public function admin_page() {
 $default_color = get_theme_support( 'custom-background', 'default-color' );
 }
 ?>
- data-default-color="#">
+ + data-default-color="#">
From 852276e2b2089697a2e69d0a8468117804d05580 Mon Sep 17 00:00:00 2001
From: ArkaPrabhaChowdhury
Date: Fri, 29 May 2026 14:20:51 +0530
Subject: [PATCH 3/4] Build/Test Tools: Skip DB check during local env config creation
---
 tools/local-env/scripts/install.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/local-env/scripts/install.js b/tools/local-env/scripts/install.js
index 038ecc3a67d5e..cba7f1169e3ad 100644
--- a/tools/local-env/scripts/install.js
+++ b/tools/local-env/scripts/install.js
@@ -9,8 +9,8 @@ const local_env_utils = require( './utils' );
 dotenvExpand.expand( dotenv.config() );
-// Create wp-config.php.
-wp_cli( `config create --dbname=wordpress_develop --dbuser=root --dbpass=password --dbhost=mysql --force --config-file="wp-config.php"` );
+// Create wp-config.php without waiting on the database to accept connections.
+wp_cli( `config create --dbname=wordpress_develop --dbuser=root --dbpass=password --dbhost=mysql --skip-check --force --config-file="wp-config.php"` );
 // Add the debug settings to wp-config.php.
 // Windows requires this to be done as an additional step, rather than using the --extra-php option in the previous step.
From aa83e7aadf38a703957ec369be7fc4cfb8ceb7d7 Mon Sep 17 00:00:00 2001
From: ArkaPrabhaChowdhury
Date: Fri, 29 May 2026 14:30:42 +0530
Subject: [PATCH 4/4] Revert "Build/Test Tools: Skip DB check during local env config creation"
This reverts commit 852276e2b2089697a2e69d0a8468117804d05580.
---
 tools/local-env/scripts/install.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/local-env/scripts/install.js b/tools/local-env/scripts/install.js
index cba7f1169e3ad..038ecc3a67d5e 100644
--- a/tools/local-env/scripts/install.js
+++ b/tools/local-env/scripts/install.js
@@ -9,8 +9,8 @@ const local_env_utils = require( './utils' );
 dotenvExpand.expand( dotenv.config() );
-// Create wp-config.php without waiting on the database to accept connections.
-wp_cli( `config create --dbname=wordpress_develop --dbuser=root --dbpass=password --dbhost=mysql --skip-check --force --config-file="wp-config.php"` );
+// Create wp-config.php.
+wp_cli( `config create --dbname=wordpress_develop --dbuser=root --dbpass=password --dbhost=mysql --force --config-file="wp-config.php"` );
 // Add the debug settings to wp-config.php.
 // Windows requires this to be done as an additional step, rather than using the --extra-php option in the previous step.