Block Editor: Update packages with latest fixes for 5.8 RC2

Includes the following fixes: - Query Block: Type validation of `WP_Query` parameters. Props ntsekouras, stevehenty, peterwilsoncc, desrosj. Fixes #53397. git-svn-id: https://develop.svn.wordpress.org/trunk@51362 602fd350-edb4-49c9-b593-d223f7449a82
2026-06-28 22:30:04 +00:00 · 2021-07-06 23:55:44 +00:00
parent 380f6976d5
commit b1f0971ee3
5 changed files with 72 additions and 40 deletions
--- a/package-lock.json
+++ b/package-lock.json
@@ -3259,9 +3259,9 @@
 			}
 		},
 		"@wordpress/block-directory": {
-			"version": "2.1.15",
-			"resolved": "https://registry.npmjs.org/@wordpress/block-directory/-/block-directory-2.1.15.tgz",
-			"integrity": "sha512-qIYuPyxJZIN9xk9+CL27bDUHKZXtuB5EWZjwom8ACBg/xKfb2ffun38Oz+B1tIO9rrk3QRP5QNWZmZu5z5YzNA==",
+			"version": "2.1.16",
+			"resolved": "https://registry.npmjs.org/@wordpress/block-directory/-/block-directory-2.1.16.tgz",
+			"integrity": "sha512-Rbtzf6RM+c/G5z8uujKdPxvd8SKggJSQROR1cb1bUqIKuHN1CwZ8sUO+bba0sQts7eJGwIXcQqgM4DqopShVVw==",
 			"requires": {
 				"@babel/runtime": "^7.13.10",
 				"@wordpress/a11y": "^3.1.1",
@@ -3273,7 +3273,7 @@
 				"@wordpress/core-data": "^3.1.9",
 				"@wordpress/data": "^5.1.3",
 				"@wordpress/data-controls": "^2.1.3",
-				"@wordpress/edit-post": "^4.1.15",
+				"@wordpress/edit-post": "^4.1.16",
 				"@wordpress/editor": "^10.1.12",
 				"@wordpress/element": "^3.1.1",
 				"@wordpress/hooks": "^3.1.1",
@@ -3332,9 +3332,9 @@
 			}
 		},
 		"@wordpress/block-library": {
-			"version": "3.2.13",
-			"resolved": "https://registry.npmjs.org/@wordpress/block-library/-/block-library-3.2.13.tgz",
-			"integrity": "sha512-yNIocJc/hvqSKn1Xq9Pge28OZ0rOm99crsQQiv/BdDdBW/h8GKNhqd4g/4LrbX2XUrw+X5Z7QsRPQaivhqcdWw==",
+			"version": "3.2.14",
+			"resolved": "https://registry.npmjs.org/@wordpress/block-library/-/block-library-3.2.14.tgz",
+			"integrity": "sha512-MBQJm07U5fxQgnEw09HV1zXbtM1qQ9yc4l3Tsxbl65v4rWyx3p/5BhuWhkO45bWx9+6ynLeQu1Hjxsqbax6zww==",
 			"requires": {
 				"@babel/runtime": "^7.13.10",
 				"@wordpress/a11y": "^3.1.1",
@@ -3512,14 +3512,14 @@
 			}
 		},
 		"@wordpress/customize-widgets": {
-			"version": "1.0.14",
-			"resolved": "https://registry.npmjs.org/@wordpress/customize-widgets/-/customize-widgets-1.0.14.tgz",
-			"integrity": "sha512-ESKa6VE3lYi7UhpQgjXw/Ty4gA5vKW6+Ojn5wVlQUWwiSh4vcVnz6nSbAADkILWW/F7VyqYzN4znZag0D3ooAA==",
+			"version": "1.0.15",
+			"resolved": "https://registry.npmjs.org/@wordpress/customize-widgets/-/customize-widgets-1.0.15.tgz",
+			"integrity": "sha512-8cn7cShujx2sJc/eWfB7LcMrG50KyFEyH/M5DlW2v23Rxh/hmcYyhqREFC0EaFPapUT5bYS9MYUnAFxQOmNlJA==",
 			"requires": {
 				"@babel/runtime": "^7.11.2",
 				"@wordpress/a11y": "^3.1.1",
 				"@wordpress/block-editor": "^6.1.9",
-				"@wordpress/block-library": "^3.2.13",
+				"@wordpress/block-library": "^3.2.14",
 				"@wordpress/blocks": "^9.1.5",
 				"@wordpress/components": "^14.1.6",
 				"@wordpress/compose": "^4.1.3",
@@ -3649,15 +3649,15 @@
 			}
 		},
 		"@wordpress/edit-post": {
-			"version": "4.1.15",
-			"resolved": "https://registry.npmjs.org/@wordpress/edit-post/-/edit-post-4.1.15.tgz",
-			"integrity": "sha512-AIy9z9uI8gdu3mupgip41ccuYiBXhj0Ssu2uWAvjvwcNQZR1aDc3cTK0YRDO8qwinF/ykiduSMPdmHtH8QwFsA==",
+			"version": "4.1.16",
+			"resolved": "https://registry.npmjs.org/@wordpress/edit-post/-/edit-post-4.1.16.tgz",
+			"integrity": "sha512-M2dhp6UVXdPS0axuqDLid9irT2y2cKoik7rRxRErD5mhqs+yBFAka0e2oJXeU/mWa2YUxh6WcuRP5ufxhzBbzw==",
 			"requires": {
 				"@babel/runtime": "^7.13.10",
 				"@wordpress/a11y": "^3.1.1",
 				"@wordpress/api-fetch": "^5.1.1",
 				"@wordpress/block-editor": "^6.1.9",
-				"@wordpress/block-library": "^3.2.13",
+				"@wordpress/block-library": "^3.2.14",
 				"@wordpress/blocks": "^9.1.5",
 				"@wordpress/components": "^14.1.6",
 				"@wordpress/compose": "^4.1.3",
@@ -3695,15 +3695,15 @@
 			}
 		},
 		"@wordpress/edit-widgets": {
-			"version": "2.1.15",
-			"resolved": "https://registry.npmjs.org/@wordpress/edit-widgets/-/edit-widgets-2.1.15.tgz",
-			"integrity": "sha512-5tmg4HJBhmtathIyro1xbHAU4F4numbjQ2pEksRFJTFZoEPvesgyRVIogt7/rVajI4QokCgV/R/7b6laE1VwMw==",
+			"version": "2.1.16",
+			"resolved": "https://registry.npmjs.org/@wordpress/edit-widgets/-/edit-widgets-2.1.16.tgz",
+			"integrity": "sha512-F+1hKhKFjMO5ZKLSU4bmnrC0bpgwX/qtlQsRshHSveyV6ZL2eMJZPE+BXN+x9JaM4VN2l2aGrlmo0wyhj6I37A==",
 			"requires": {
 				"@babel/runtime": "^7.13.10",
 				"@wordpress/a11y": "^3.1.1",
 				"@wordpress/api-fetch": "^5.1.1",
 				"@wordpress/block-editor": "^6.1.9",
-				"@wordpress/block-library": "^3.2.13",
+				"@wordpress/block-library": "^3.2.14",
 				"@wordpress/blocks": "^9.1.5",
 				"@wordpress/components": "^14.1.6",
 				"@wordpress/compose": "^4.1.3",
--- a/package.json
+++ b/package.json
@@ -82,23 +82,23 @@
 		"@wordpress/api-fetch": "5.1.1",
 		"@wordpress/autop": "3.1.1",
 		"@wordpress/blob": "3.1.1",
-		"@wordpress/block-directory": "2.1.15",
+		"@wordpress/block-directory": "2.1.16",
 		"@wordpress/block-editor": "6.1.9",
-		"@wordpress/block-library": "3.2.13",
+		"@wordpress/block-library": "3.2.14",
 		"@wordpress/block-serialization-default-parser": "4.1.1",
 		"@wordpress/blocks": "9.1.5",
 		"@wordpress/components": "14.1.6",
 		"@wordpress/compose": "4.1.3",
 		"@wordpress/core-data": "3.1.9",
-		"@wordpress/customize-widgets": "1.0.14",
+		"@wordpress/customize-widgets": "1.0.15",
 		"@wordpress/data": "5.1.3",
 		"@wordpress/data-controls": "2.1.3",
 		"@wordpress/date": "4.1.1",
 		"@wordpress/deprecated": "3.1.1",
 		"@wordpress/dom": "3.1.2",
 		"@wordpress/dom-ready": "3.1.1",
-		"@wordpress/edit-post": "4.1.15",
-		"@wordpress/edit-widgets": "2.1.15",
+		"@wordpress/edit-post": "4.1.16",
+		"@wordpress/edit-widgets": "2.1.16",
 		"@wordpress/editor": "10.1.12",
 		"@wordpress/element": "3.1.1",
 		"@wordpress/escape-html": "2.1.1",
--- a/src/wp-includes/assets/script-loader-packages.php
+++ b/src/wp-includes/assets/script-loader-packages.php
--- a/src/wp-includes/blocks.php
+++ b/src/wp-includes/blocks.php
@@ -1057,8 +1057,11 @@ function build_query_vars_from_query_block( $block, $page ) {
 	);

 	if ( isset( $block->context['query'] ) ) {
-		if ( isset( $block->context['query']['postType'] ) ) {
-			$query['post_type'] = $block->context['query']['postType'];
+		if ( ! empty( $block->context['query']['postType'] ) ) {
+			$post_type_param = $block->context['query']['postType'];
+			if ( is_post_type_viewable( $post_type_param ) ) {
+				$query['post_type'] = $post_type_param;
+			}
 		}
 		if ( isset( $block->context['query']['sticky'] ) && ! empty( $block->context['query']['sticky'] ) ) {
 			$sticky = get_option( 'sticky_posts' );
@@ -1068,29 +1071,54 @@ function build_query_vars_from_query_block( $block, $page ) {
 				$query['post__not_in'] = array_merge( $query['post__not_in'], $sticky );
 			}
 		}
-		if ( isset( $block->context['query']['exclude'] ) ) {
-			$query['post__not_in'] = array_merge( $query['post__not_in'], $block->context['query']['exclude'] );
+		if ( ! empty( $block->context['query']['exclude'] ) ) {
+			$excluded_post_ids     = array_map( 'intval', $block->context['query']['exclude'] );
+			$excluded_post_ids     = array_filter( $excluded_post_ids );
+			$query['post__not_in'] = array_merge( $query['post__not_in'], $excluded_post_ids );
 		}
-		if ( isset( $block->context['query']['perPage'] ) ) {
-			$query['offset']         = ( $block->context['query']['perPage'] * ( $page - 1 ) ) + $block->context['query']['offset'];
-			$query['posts_per_page'] = $block->context['query']['perPage'];
+		if (
+			isset( $block->context['query']['perPage'] ) &&
+			is_numeric( $block->context['query']['perPage'] )
+		) {
+			$per_page = absint( $block->context['query']['perPage'] );
+			$offset   = 0;
+
+			if (
+				isset( $block->context['query']['offset'] ) &&
+				is_numeric( $block->context['query']['offset'] )
+			) {
+				$offset = absint( $block->context['query']['offset'] );
+			}
+
+			$query['offset']         = ( $per_page * ( $page - 1 ) ) + $offset;
+			$query['posts_per_page'] = $per_page;
 		}
-		if ( isset( $block->context['query']['categoryIds'] ) ) {
-			$query['category__in'] = $block->context['query']['categoryIds'];
+		if ( ! empty( $block->context['query']['categoryIds'] ) ) {
+			$term_ids              = array_map( 'intval', $block->context['query']['categoryIds'] );
+			$term_ids              = array_filter( $term_ids );
+			$query['category__in'] = $term_ids;
 		}
-		if ( isset( $block->context['query']['tagIds'] ) ) {
-			$query['tag__in'] = $block->context['query']['tagIds'];
+		if ( ! empty( $block->context['query']['tagIds'] ) ) {
+			$term_ids         = array_map( 'intval', $block->context['query']['tagIds'] );
+			$term_ids         = array_filter( $term_ids );
+			$query['tag__in'] = $term_ids;
 		}
-		if ( isset( $block->context['query']['order'] ) ) {
+		if (
+			isset( $block->context['query']['order'] ) &&
+				in_array( strtoupper( $block->context['query']['order'] ), array( 'ASC', 'DESC' ), true )
+		) {
 			$query['order'] = strtoupper( $block->context['query']['order'] );
 		}
 		if ( isset( $block->context['query']['orderBy'] ) ) {
 			$query['orderby'] = $block->context['query']['orderBy'];
 		}
-		if ( isset( $block->context['query']['author'] ) ) {
-			$query['author'] = $block->context['query']['author'];
+		if (
+			isset( $block->context['query']['author'] ) &&
+			(int) $block->context['query']['author'] > 0
+		) {
+			$query['author'] = (int) $block->context['query']['author'];
 		}
-		if ( isset( $block->context['query']['search'] ) ) {
+		if ( ! empty( $block->context['query']['search'] ) ) {
 			$query['s'] = $block->context['query']['search'];
 		}
 	}
--- a/src/wp-includes/blocks/post-terms.php
+++ b/src/wp-includes/blocks/post-terms.php
@@ -18,6 +18,10 @@ function render_block_core_post_terms( $attributes, $content, $block ) {
 		return '';
 	}

+	if ( ! is_taxonomy_viewable( $attributes['term'] ) ) {
+		return '';
+	}
+
 	$post_terms = get_the_terms( $block->context['postId'], $attributes['term'] );
 	if ( is_wp_error( $post_terms ) ) {
 		return '';