Strip PHP execution tags from pattern body content #851
Merged
Pull request overview
This PR hardens exported block pattern/template .php files by stripping PHP execution tags from user-supplied body content before it’s interpolated into generated pattern files, closing the “body field” injection vector (complementing prior docblock sanitization work from #817).
Changes:
- Add `CBT_Theme_Patterns::strip_php_tags()` and apply it to `wp_block` pattern bodies before heredoc construction.
- Apply the same sanitization at the start of `CBT_Theme_Templates::prepare_template_for_export()` (before trusted localization PHP injection).
- Add a dedicated PHPUnit test suite covering open-tag variants and template export behavior.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| tests/test-theme-patterns.php | Adds unit tests covering PHP tag stripping in pattern/template export pipelines and on-disk output. |
| includes/create-theme/theme-templates.php | Sanitizes raw template content early in the export pipeline to prevent body injection while preserving trusted localization markers. |
| includes/create-theme/theme-patterns.php | Introduces `strip_php_tags()` and uses it when building exported pattern file bodies from `wp_block` content. |
scruffian reviewed Jun 16, 2026
Co-authored-by: Ben Dwyer <ben@scruffian.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
The previous `<?xml` carve-out caused fatal parse errors on hosts with short_open_tag=1: the exported `.php` pattern file would treat `<?xml` as a short PHP open tag, parsing `xml version="1.0"...` as PHP code. Block patterns are HTML/block markup and have no legitimate use for an XML declaration, so it is stripped along with the other open tags.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Two follow-ups to Copilot suggestions:
- e05bc1f ("Update docblock") dropped the closing `*/` of the strip_php_tags() docblock, so PHP swallowed the function declaration as part of an unterminated comment and tests fatally errored with "Call to undefined method CBT_Theme_Patterns::strip_php_tags()".
- Applies scruffian/Copilot suggestion to drop the unused $post stdClass stub in test_strip_php_tags_handles_non_string_input — $real_post is the variable the test actually exercises.
add_patterns_to_theme() doesn't only write the pattern file. Via replace_local_pattern_references() it also touches existing template files and calls clear_user_templates_customizations() / clear_user_template_parts_customizations() which delete user-template posts from the DB. Those side effects on the active theme could contaminate subsequent tests in the suite. Wrap the end-to-end test in create_blank_theme() / uninstall_theme() so all writes and DB mutations happen inside a throwaway theme that gets fully torn down at the end. Helpers mirror the ones in Test_Create_Block_Theme_Fonts.
Strip PHP open tags from user-supplied pattern body content before it's interpolated into exported `.php` pattern files. Builds on #817, which closed the docblock-breakout vector in the title/categories/slug fields. This PR closes the equivalent vector in the body field.

To test, ensure these tests pass: