Harden emoji KSES to only allow local emoji images

- Add Emoji::get_kses_allowed_html() with strict validation:
  - Requires class="emoji" attribute
  - Validates src URL points to local emoji uploads directory
  - Requires standard emoji dimensions (20x20)
- Update Interactions::allowed_comment_html() to use strict KSES
- Update Comment::unescape_emoji() to use strict KSES
- Only replace emoji shortcodes when local import succeeds
- Add activitypub_pre_import_emoji filter for test mocking
- Non-emoji img tags are now stripped from incoming content

Author: obenland

includes/class-attachments.php

@@ -183,6 +183,21 @@ public static function import_emoji( $emoji_url, $updated = null ) {
 			return false;
 		}
 
+		/**
+		 * Filters the result of emoji import before processing.
+		 *
+		 * Allows short-circuiting the emoji import, useful for testing.
+		 *
+		 * @param string|false|null $result    The import result. Return a URL string to short-circuit,
+		 *                                     false to indicate failure, or null to proceed normally.
+		 * @param string            $emoji_url The remote emoji URL being imported.
+		 * @param string|null       $updated   The remote emoji's updated timestamp.
+		 */
+		$pre_import = \apply_filters( 'activitypub_pre_import_emoji', null, $emoji_url, $updated );
+		if ( null !== $pre_import ) {
+			return $pre_import;
+		}
+
 		// Check if already cached.
 		$cached_url = self::get_emoji_url( $emoji_url );
 		if ( $cached_url ) {

includes/class-comment.php

@@ -881,11 +881,15 @@ public static function render_emoji( $author, $comment_id ) {
 	 * @return string The comment author name with emoji images unescaped.
 	 */
 	public static function unescape_emoji( $author ) {
-		// Only unescape if there are emoji images present.
-		if ( false !== strpos( $author, 'class="emoji"' ) ) {
-			$author = \html_entity_decode( $author, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
+		// Only attempt to unescape if there are emoji images present in the escaped string.
+		if ( false === \strpos( $author, 'class="emoji"' ) ) {
+			return $author;
 		}
 
-		return $author;
+		// Decode entities so we can selectively restore emoji <img> tags.
+		$decoded = \html_entity_decode( $author, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
+
+		// Use strict KSES validation to only allow valid emoji img tags.
+		return \wp_kses( $decoded, Emoji::get_kses_allowed_html() );
 	}
 }

includes/class-emoji.php

@@ -12,6 +12,61 @@
  */
 class Emoji {
 
+	/**
+	 * Get the allowed HTML structure for emoji img tags.
+	 *
+	 * Uses WordPress KSES features (WP 5.9+) to strictly validate emoji images:
+	 * - Requires class="emoji"
+	 * - Validates src URL points to local emoji directory
+	 * - Requires standard emoji dimensions
+	 *
+	 * @return array The allowed HTML structure for use with wp_kses.
+	 */
+	public static function get_kses_allowed_html() {
+		return array(
+			'img' => array(
+				'class'     => array(
+					'required' => true,
+					'values'   => array( 'emoji' ),
+				),
+				'src'       => array(
+					'required'       => true,
+					'value_callback' => array( self::class, 'validate_emoji_src' ),
+				),
+				'alt'       => array( 'required' => true ),
+				'title'     => array( 'required' => true ),
+				'height'    => array(
+					'required' => true,
+					'values'   => array( '20' ),
+				),
+				'width'     => array(
+					'required' => true,
+					'values'   => array( '20' ),
+				),
+				'draggable' => array(
+					'required' => true,
+					'values'   => array( 'false' ),
+				),
+			),
+		);
+	}
+
+	/**
+	 * Validate emoji src attribute for wp_kses.
+	 *
+	 * Only allows emoji URLs from local uploads directory.
+	 *
+	 * @param string $value The src attribute value.
+	 *
+	 * @return bool True if the src is valid, false otherwise.
+	 */
+	public static function validate_emoji_src( $value ) {
+		$upload_dir = \wp_upload_dir();
+		$emoji_base = $upload_dir['baseurl'] . Attachments::$emoji_dir;
+
+		return \str_starts_with( $value, $emoji_base );
+	}
+
 	/**
 	 * Prepare comment data with emoji handling.
 	 *
@@ -94,8 +149,11 @@ public static function replace_custom_emoji( $text, $activity ) {
 
 		foreach ( $emoji_data as $emoji ) {
 			$local_url = Attachments::import_emoji( $emoji['url'], $emoji['updated'] ?? null );
-			$emoji_url = $local_url ? $local_url : $emoji['url'];
-			$text      = self::replace_emoji_in_text( $text, $emoji['name'], $emoji_url );
+
+			// Only replace if the emoji was successfully uploaded locally.
+			if ( $local_url ) {
+				$text = self::replace_emoji_in_text( $text, $emoji['name'], $local_url );
+			}
 		}
 
 		return $text;

includes/collection/class-interactions.php

@@ -313,17 +313,10 @@ public static function allowed_comment_html( $allowed_tags, $context = '' ) {
 			$allowed_tags['p'] = array();
 		}
 
-		// Add `img` for custom emoji support.
+		// Add `img` for custom emoji support with strict validation.
+		$emoji_html = Emoji::get_kses_allowed_html();
 		if ( ! array_key_exists( 'img', $allowed_tags ) ) {
-			$allowed_tags['img'] = array(
-				'src'       => true,
-				'alt'       => true,
-				'title'     => true,
-				'class'     => true,
-				'width'     => true,
-				'height'    => true,
-				'draggable' => true,
-			);
+			$allowed_tags['img'] = $emoji_html['img'];
 		}
 
 		return $allowed_tags;

tests/phpunit/tests/includes/class-test-emoji.php

@@ -16,6 +16,44 @@
  */
 class Test_Emoji extends \WP_UnitTestCase {
 
+	/**
+	 * Set up each test.
+	 */
+	public function set_up() {
+		parent::set_up();
+
+		// Mock emoji imports to return a local URL.
+		\add_filter( 'activitypub_pre_import_emoji', array( $this, 'mock_emoji_import' ), 10, 2 );
+	}
+
+	/**
+	 * Tear down each test.
+	 */
+	public function tear_down() {
+		\remove_filter( 'activitypub_pre_import_emoji', array( $this, 'mock_emoji_import' ), 10 );
+
+		parent::tear_down();
+	}
+
+	/**
+	 * Mock emoji import to return a local URL.
+	 *
+	 * @param string|false|null $result    The import result.
+	 * @param string            $emoji_url The remote emoji URL.
+	 *
+	 * @return string Mocked local URL based on the remote URL.
+	 */
+	public function mock_emoji_import( $result, $emoji_url ) {
+		// Only mock emoji URLs from example.com.
+		if ( false === \strpos( $emoji_url, 'example.com/emoji/' ) ) {
+			return $result;
+		}
+
+		// Return a mock local URL that preserves the filename.
+		$filename = \basename( $emoji_url );
+		return 'http://example.org/wp-content/uploads/activitypub/emoji/example.com/' . $filename;
+	}
+
 	/**
 	 * Test replacing multiple emoji in a string.
 	 *

tests/phpunit/tests/includes/collection/class-test-interactions.php

@@ -236,14 +236,14 @@ public function test_handle_create_rich() {
 		$rich_comment_id = Interactions::add_comment( $this->create_test_rich_object() );
 		$rich_comment    = get_comment( $rich_comment_id, ARRAY_A );
 
-		// img tags are allowed for emoji support.
-		$this->assertEquals( 'Hello<br />example<p>example</p><img src="https://example.com/image.jpg" alt="" />', $rich_comment['comment_content'] );
+		// Non-emoji img tags are stripped. Only local emoji images with class="emoji" are allowed.
+		$this->assertEquals( 'Hello<br />example<p>example</p>', $rich_comment['comment_content'] );
 
 		$rich_comment_array = array(
 			'comment_post_ID'      => self::$post_id,
 			'comment_author'       => 'Example User',
 			'comment_author_url'   => self::$user_url,
-			'comment_content'      => 'Hello<br />example<p>example</p><img src="https://example.com/image.jpg" alt="" />',
+			'comment_content'      => 'Hello<br />example<p>example</p>',
 			'comment_type'         => 'comment',
 			'comment_author_email' => '',
 			'comment_parent'       => 0,