Fix decode_range() slow path leaking invalid UTF-8 bytes by Copilot · Pull Request #231 · WordPress/php-toolkit

Copilot · 2026-04-08T16:12:38Z

In decode_range(), the slow path (triggered by \, \r, \f, or \x00) skipped wp_scrub_utf8() on normal text segments and on decode_escape_at() output — inconsistent with the fast path. This means invalid UTF-8 bytes adjacent to backslash escapes would pass through unscrubb ed.

Fix

Normal segments (slow path): wrap substr(...) with wp_scrub_utf8(), matching the fast path
Escape output: wrap decode_escape_at() return value with wp_scrub_utf8() — its "anything else" path can return raw invalid bytes when the escaped character is itself an invalid byte sequence

Tests

Two regression tests added to CSSProcessorTest:

// Invalid byte in normal segment before a hex escape — slow path triggered by
// the backslash, but 0xF1 sits in the preceding segment that was not scrubbed.
$css = ".test\xF1\\41name";
// Expected ident value: "test\u{FFFD}Aname"

// Invalid byte as the escaped character itself — decode_escape_at() returns
// the raw byte, which must be scrubbed at the call site.
$css = ".a\\\xF1b";
// Expected ident value: "a\u{FFFD}b"

…ression tests Agent-Logs-Url: https://github.com/WordPress/php-toolkit/sessions/dfb66115-27c5-4e30-8fce-1e7e013da2fb Co-authored-by: adamziel <205419+adamziel@users.noreply.github.com>

Copilot · 2026-04-08T16:46:05Z

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

https://api.github.com/repos/PHPCSStandards/PHP_CodeSniffer/zipball/8da41e9a9fe4cc14d23cf7fcef3b80476f54e511
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/lhouf9 /usr/bin/composer install --quiet (http block)
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/oLikmP /usr/bin/composer install (http block)
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ENGYkI /usr/bin/composer install --no-interaction r.git com-PHPCSStandargit (http block)
https://api.github.com/repos/PHPCSStandards/composer-installer/zipball/e9cf5e4bbf7eeaf9ef5db34938942602838fc2b1
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/lhouf9 /usr/bin/composer install --quiet (http block)
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/oLikmP /usr/bin/composer install (http block)
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ENGYkI /usr/bin/composer install --no-interaction r.git com-PHPCSStandargit (http block)
https://api.github.com/repos/PHPCompatibility/PHPCompatibility/zipball/9fb324479acf6f39452e0655d2429cc0d3914243
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/lhouf9 /usr/bin/composer install --quiet (http block)
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/oLikmP /usr/bin/composer install (http block)
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ENGYkI /usr/bin/composer install --no-interaction r.git com-PHPCSStandargit (http block)
https://api.github.com/repos/doctrine/instantiator/zipball/0daa7cfba7b009aa3c95ae585322fb596a4ca2ae
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/lhouf9 /usr/bin/composer install --quiet (http block)
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/oLikmP /usr/bin/composer install (http block)
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ENGYkI /usr/bin/composer install --no-interaction r.git com-PHPCSStandargit (http block)
https://api.github.com/repos/myclabs/DeepCopy/zipball/07d290f0c47959fd5eed98c95ee5602db07e0b6a
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/lhouf9 /usr/bin/composer install --quiet (http block)
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/oLikmP /usr/bin/composer install (http block)
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ENGYkI /usr/bin/composer install --no-interaction r.git com-PHPCSStandargit (http block)
https://api.github.com/repos/phar-io/manifest/zipball/65f90285728eae4eae313b8b6ba11b2f5436038e
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/lhouf9 /usr/bin/composer install --quiet (http block)
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/oLikmP /usr/bin/composer install (http block)
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ENGYkI /usr/bin/composer install --no-interaction r.git com-PHPCSStandargit (http block)
https://api.github.com/repos/phar-io/version/zipball/4f7fd7836c6f332bb2933569e566a0d6c4cbed74
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/lhouf9 /usr/bin/composer install --quiet (http block)
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/oLikmP /usr/bin/composer install (http block)
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ENGYkI /usr/bin/composer install --no-interaction r.git com-PHPCSStandargit (http block)
https://api.github.com/repos/phpstan/phpstan/zipball/fcf8b71aeab4e1a1131d1783cef97b23a51b87a9
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/lhouf9 /usr/bin/composer install --quiet (http block)
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/oLikmP /usr/bin/composer install (http block)
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/ENGYkI /usr/bin/composer install --no-interaction r.git com-PHPCSStandargit (http block)
https://api.github.com/repos/sebastianbergmann/code-unit-reverse-lookup/zipball/ac91f01ccec49fb77bdc6fd1e548bc70f7faa3e5
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/lhouf9 /usr/bin/composer install --quiet (http block)
https://api.github.com/repos/sebastianbergmann/complexity/zipball/25f207c40d62b8b7aa32f5ab026c53561964053a
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/lhouf9 /usr/bin/composer install --quiet (http block)
https://api.github.com/repos/sebastianbergmann/environment/zipball/830c43a844f1f8d5b7a1f6d6076b784454d8b7ed
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/lhouf9 /usr/bin/composer install --quiet (http block)
https://api.github.com/repos/sebastianbergmann/php-code-coverage/zipball/0448d60087a382392a1b2a1abe434466e03dcc87
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/lhouf9 /usr/bin/composer install --quiet (http block)
https://api.github.com/repos/sebastianbergmann/php-file-iterator/zipball/38b24367e1b340aa78b96d7cab042942d917bb84
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/lhouf9 /usr/bin/composer install --quiet (http block)
https://api.github.com/repos/sebastianbergmann/php-text-template/zipball/5da5f67fc95621df9ff4c4e5a84d6a8a2acf7c28
- Triggering command: /usr/bin/php8.3 /usr/bin/php8.3 -n -c /tmp/lhouf9 /usr/bin/composer install --quiet (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Agent-Logs-Url: https://github.com/WordPress/php-toolkit/sessions/892f6cca-d936-43dc-9f63-27739478ddbd Co-authored-by: sirreal <841763+sirreal@users.noreply.github.com>

sirreal · 2026-04-08T19:31:23Z

Superseded by #229.

Initial plan

305870e

Copilot AI assigned Copilot and adamziel Apr 8, 2026

Copilot AI mentioned this pull request Apr 8, 2026

CSS: Improve $string_escapes documentation clarity #227

Open

Copilot started work on behalf of adamziel April 8, 2026 16:12 View session

Fix decode_range() slow path to scrub invalid UTF-8 bytes and add reg…

ca7f55f

…ression tests Agent-Logs-Url: https://github.com/WordPress/php-toolkit/sessions/dfb66115-27c5-4e30-8fce-1e7e013da2fb Co-authored-by: adamziel <205419+adamziel@users.noreply.github.com>

Copilot AI changed the title ~~[WIP] [WIP] Address feedback: Add fix and test for special string escapes in CSS~~ Fix decode_range() slow path leaking invalid UTF-8 bytes Apr 8, 2026

Copilot AI requested a review from adamziel April 8, 2026 16:46

Copilot finished work on behalf of adamziel April 8, 2026 16:46

sirreal mentioned this pull request Apr 8, 2026

CSS: Fix inconsistent UTF-8 scrubbing in decode_string_or_url slow path #229

Open

sirreal closed this Apr 8, 2026

sirreal deleted the copilot/sub-pr-227 branch April 8, 2026 19:31

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix decode_range() slow path leaking invalid UTF-8 bytes#231

Fix decode_range() slow path leaking invalid UTF-8 bytes#231
Copilot wants to merge 2 commits intofix/css-string-token-backslash-newline-misparsefrom
copilot/sub-pr-227

Copilot AI commented Apr 8, 2026 •

edited

Loading

Uh oh!

Copilot AI commented Apr 8, 2026

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

sirreal commented Apr 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

Copilot AI commented Apr 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Fix

Tests

Uh oh!

Copilot AI commented Apr 8, 2026

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

sirreal commented Apr 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Copilot AI commented Apr 8, 2026 •

edited

Loading