vhad/wordpress-develop
1
0
Fork 0
mirror of https://github.com/gosticks/wordpress-develop.git synced 2026-06-28 22:30:04 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

REST API: Respect unfiltered_html for HTML post fields.

Browse Source 
This necessitates a change to our slashing code as well. Ah slashing, the cause of, and solution to, all of life's problems.

Props jnylen0.
Fixes #38609.


git-svn-id: https://develop.svn.wordpress.org/trunk@39155 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Ryan McCue
2016-11-08 05:54:22 +00:00
parent f6e433b250
commit 074d204c12
4 changed files with 498 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

255
tests/phpunit/tests/rest-api/rest-attachments-controller.php
View File

@@ -10,12 +10,18 @@
* @group restapi
*/
class WP_Test_REST_Attachments_Controller extends WP_Test_REST_Post_Type_Controller_Testcase {
protected static $superadmin_id;
protected static $editor_id;
protected static $author_id;
protected static $contributor_id;
protected static $uploader_id;
public static function wpSetUpBeforeClass( $factory ) {
self::$superadmin_id = $factory->user->create( array(
'role' => 'administrator',
'user_login' => 'superadmin',
) );
self::$editor_id = $factory->user->create( array(
'role' => 'editor',
) );
@@ -28,6 +34,10 @@ class WP_Test_REST_Attachments_Controller extends WP_Test_REST_Post_Type_Control
self::$uploader_id = $factory->user->create( array(
'role' => 'uploader',
) );
if ( is_multisite() ) {
update_site_option( 'site_admins', array( 'superadmin' ) );
}
}
public static function wpTearDownAfterClass() {
@@ -53,7 +63,6 @@ class WP_Test_REST_Attachments_Controller extends WP_Test_REST_Post_Type_Control
$orig_file2 = DIR_TESTDATA . '/images/codeispoetry.png';
$this->test_file2 = '/tmp/codeispoetry.png';
copy( $orig_file2, $this->test_file2 );
}
public function test_register_routes() {
@@ -723,6 +732,250 @@ class WP_Test_REST_Attachments_Controller extends WP_Test_REST_Post_Type_Control
$this->assertErrorResponse( 'rest_invalid_param', $response, 400 );
}
public function verify_attachment_roundtrip( $input = array(), $expected_output = array() ) {
// Create the post
$request = new WP_REST_Request( 'POST', '/wp/v2/media' );
$request->set_header( 'Content-Type', 'image/jpeg' );
$request->set_header( 'Content-Disposition', 'attachment; filename=canola.jpg' );
$request->set_body( file_get_contents( $this->test_file ) );
foreach ( $input as $name => $value ) {
$request->set_param( $name, $value );
}
$response = $this->server->dispatch( $request );
$this->assertEquals( 201, $response->get_status() );
$actual_output = $response->get_data();
// Remove <p class="attachment"> from rendered description
// see https://core.trac.wordpress.org/ticket/38679
$content = $actual_output['description']['rendered'];
$content = explode( "\n", trim( $content ) );
if ( preg_match( '/^<p class="attachment">/', $content[0] ) ) {
$content = implode( "\n", array_slice( $content, 1 ) );
$actual_output['description']['rendered'] = $content;
}
// Compare expected API output to actual API output
$this->assertEquals( $expected_output['title']['raw'] , $actual_output['title']['raw'] );
$this->assertEquals( $expected_output['title']['rendered'] , trim( $actual_output['title']['rendered'] ) );
$this->assertEquals( $expected_output['description']['raw'] , $actual_output['description']['raw'] );
$this->assertEquals( $expected_output['description']['rendered'], trim( $actual_output['description']['rendered'] ) );
$this->assertEquals( $expected_output['caption']['raw'] , $actual_output['caption']['raw'] );
$this->assertEquals( $expected_output['caption']['rendered'] , trim( $actual_output['caption']['rendered'] ) );
// Compare expected API output to WP internal values
$post = get_post( $actual_output['id'] );
$this->assertEquals( $expected_output['title']['raw'], $post->post_title );
$this->assertEquals( $expected_output['description']['raw'], $post->post_content );
$this->assertEquals( $expected_output['caption']['raw'], $post->post_excerpt );
// Update the post
$request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/media/%d', $actual_output['id'] ) );
foreach ( $input as $name => $value ) {
$request->set_param( $name, $value );
}
$response = $this->server->dispatch( $request );
$this->assertEquals( 200, $response->get_status() );
$actual_output = $response->get_data();
// Remove <p class="attachment"> from rendered description
// see https://core.trac.wordpress.org/ticket/38679
$content = $actual_output['description']['rendered'];
$content = explode( "\n", trim( $content ) );
if ( preg_match( '/^<p class="attachment">/', $content[0] ) ) {
$content = implode( "\n", array_slice( $content, 1 ) );
$actual_output['description']['rendered'] = $content;
}
// Compare expected API output to actual API output
$this->assertEquals( $expected_output['title']['raw'] , $actual_output['title']['raw'] );
$this->assertEquals( $expected_output['title']['rendered'] , trim( $actual_output['title']['rendered'] ) );
$this->assertEquals( $expected_output['description']['raw'] , $actual_output['description']['raw'] );
$this->assertEquals( $expected_output['description']['rendered'], trim( $actual_output['description']['rendered'] ) );
$this->assertEquals( $expected_output['caption']['raw'] , $actual_output['caption']['raw'] );
$this->assertEquals( $expected_output['caption']['rendered'] , trim( $actual_output['caption']['rendered'] ) );
// Compare expected API output to WP internal values
$post = get_post( $actual_output['id'] );
$this->assertEquals( $expected_output['title']['raw'] , $post->post_title );
$this->assertEquals( $expected_output['description']['raw'], $post->post_content );
$this->assertEquals( $expected_output['caption']['raw'], $post->post_excerpt );
}
public static function attachment_roundtrip_provider() {
return array(
array(
// Raw values.
array(
'title' => '\o/ ¯\_(ツ)_/¯ 🚢',
'description' => '\o/ ¯\_(ツ)_/¯ 🚢',
'caption' => '\o/ ¯\_(ツ)_/¯ 🚢',
),
// Expected returned values.
array(
'title' => array(
'raw' => '\o/ ¯\_(ツ)_/¯ 🚢',
'rendered' => '\o/ ¯\_(ツ)_/¯ 🚢',
),
'description' => array(
'raw' => '\o/ ¯\_(ツ)_/¯ 🚢',
'rendered' => '<p>\o/ ¯\_(ツ)_/¯ 🚢</p>',
),
'caption' => array(
'raw' => '\o/ ¯\_(ツ)_/¯ 🚢',
'rendered' => '<p>\o/ ¯\_(ツ)_/¯ 🚢</p>',
),
)
),
array(
// Raw values.
array(
'title' => '\\\&\\\ &amp; &invalid; < &lt; &amp;lt;',
'description' => '\\\&\\\ &amp; &invalid; < &lt; &amp;lt;',
'caption' => '\\\&\\\ &amp; &invalid; < &lt; &amp;lt;',
),
// Expected returned values.
array(
'title' => array(
'raw' => '\\\&amp;\\\ &amp; &amp;invalid; &lt; &lt; &amp;lt;',
'rendered' => '\\\&amp;\\\ &amp; &amp;invalid; &lt; &lt; &amp;lt;',
),
'description' => array(
'raw' => '\\\&amp;\\\ &amp; &amp;invalid; &lt; &lt; &amp;lt;',
'rendered' => '<p>\\\&amp;\\\ &amp; &amp;invalid; &lt; &lt; &amp;lt;</p>',
),
'caption' => array(
'raw' => '\\\&amp;\\\ &amp; &amp;invalid; &lt; &lt; &amp;lt;',
'rendered' => '<p>\\\&amp;\\\ &amp; &amp;invalid; &lt; &lt; &amp;lt;</p>',
),
),
),
array(
// Raw values.
array(
'title' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
'description' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
'caption' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
),
// Expected returned values.
array(
'title' => array(
'raw' => 'div <strong>strong</strong> oh noes',
'rendered' => 'div <strong>strong</strong> oh noes',
),
'description' => array(
'raw' => '<div>div</div> <strong>strong</strong> oh noes',
'rendered' => "<div>div</div>\n<p> <strong>strong</strong> oh noes</p>",
),
'caption' => array(
'raw' => '<div>div</div> <strong>strong</strong> oh noes',
'rendered' => "<div>div</div>\n<p> <strong>strong</strong> oh noes</p>",
),
)
),
array(
// Raw values.
array(
'title' => '<a href="#" target="_blank" data-unfiltered=true>link</a>',
'description' => '<a href="#" target="_blank" data-unfiltered=true>link</a>',
'caption' => '<a href="#" target="_blank" data-unfiltered=true>link</a>',
),
// Expected returned values.
array(
'title' => array(
'raw' => '<a href="#">link</a>',
'rendered' => '<a href="#">link</a>',
),
'description' => array(
'raw' => '<a href="#" target="_blank">link</a>',
'rendered' => '<p><a href="#" target="_blank">link</a></p>',
),
'caption' => array(
'raw' => '<a href="#" target="_blank">link</a>',
'rendered' => '<p><a href="#" target="_blank">link</a></p>',
),
)
),
);
}
/**
* @dataProvider attachment_roundtrip_provider
*/
public function test_post_roundtrip_as_author( $raw, $expected ) {
wp_set_current_user( self::$author_id );
$this->assertFalse( current_user_can( 'unfiltered_html' ) );
$this->verify_attachment_roundtrip( $raw, $expected );
}
public function test_attachment_roundtrip_as_editor_unfiltered_html() {
wp_set_current_user( self::$editor_id );
if ( is_multisite() ) {
$this->assertFalse( current_user_can( 'unfiltered_html' ) );
$this->verify_attachment_roundtrip( array(
'title' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
'description' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
'caption' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
), array(
'title' => array(
'raw' => 'div <strong>strong</strong> oh noes',
'rendered' => 'div <strong>strong</strong> oh noes',
),
'description' => array(
'raw' => '<div>div</div> <strong>strong</strong> oh noes',
'rendered' => "<div>div</div>\n<p> <strong>strong</strong> oh noes</p>",
),
'caption' => array(
'raw' => '<div>div</div> <strong>strong</strong> oh noes',
'rendered' => "<div>div</div>\n<p> <strong>strong</strong> oh noes</p>",
),
) );
} else {
$this->assertTrue( current_user_can( 'unfiltered_html' ) );
$this->verify_attachment_roundtrip( array(
'title' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
'description' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
'caption' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
), array(
'title' => array(
'raw' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
'rendered' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
),
'description' => array(
'raw' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
'rendered' => "<div>div</div>\n<p> <strong>strong</strong> <script>oh noes</script></p>",
),
'caption' => array(
'raw' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
'rendered' => "<div>div</div>\n<p> <strong>strong</strong> <script>oh noes</script></p>",
),
) );
}
}
public function test_attachment_roundtrip_as_superadmin_unfiltered_html() {
wp_set_current_user( self::$superadmin_id );
$this->assertTrue( current_user_can( 'unfiltered_html' ) );
$this->verify_attachment_roundtrip( array(
'title' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
'description' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
'caption' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
), array(
'title' => array(
'raw' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
'rendered' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
),
'description' => array(
'raw' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
'rendered' => "<div>div</div>\n<p> <strong>strong</strong> <script>oh noes</script></p>",
),
'caption' => array(
'raw' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
'rendered' => "<div>div</div>\n<p> <strong>strong</strong> <script>oh noes</script></p>",
),
) );
}
public function test_delete_item() {
wp_set_current_user( self::$editor_id );
$attachment_id = $this->factory->attachment->create_object( $this->test_file, 0, array(