From 1aa7dda52430abf8d3078f9d8860d7271ecdc4fd Mon Sep 17 00:00:00 2001
From: Konstantin Kovshenin
Date: Sun, 6 Dec 2015 20:28:26 +0000
Subject: [PATCH] Allow usage of angle brackets in a site title or tagline.
The whole string is escaped with `esc_html()` anyway, so we don't need to `wp_kses_post()`. This is a better experience for users who want to use angle brackets in their site title or description. Does not allow any HTML, adds unit tests. props BandonRandon, pauldewouters. fixes #27942.
git-svn-id: https://develop.svn.wordpress.org/trunk@35788 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/formatting.php | 1 -
 tests/phpunit/tests/formatting/BlogInfo.php | 39 +++++++++++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/src/wp-includes/formatting.php b/src/wp-includes/formatting.php
index e0b45fd0a3..2fa1c523a0 100644
--- a/src/wp-includes/formatting.php
+++ b/src/wp-includes/formatting.php
@@ -3706,7 +3706,6 @@ function sanitize_option( $option, $value ) {
 if ( is_wp_error( $value ) ) {
 $error = $value->get_error_message();
 } else {
- $value = wp_kses_post( $value );
 $value = esc_html( $value );
 }
 break;
diff --git a/tests/phpunit/tests/formatting/BlogInfo.php b/tests/phpunit/tests/formatting/BlogInfo.php
index 9611bc635b..4f7febb5a5 100644
--- a/tests/phpunit/tests/formatting/BlogInfo.php
+++ b/tests/phpunit/tests/formatting/BlogInfo.php
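Review bot: With the `wp_kses_post()` line gone, `esc_html()` in the `else` branch is the only transformation applied to the submitted title or tagline before it is stored, and nothing in the hunk records that the option is persisted already HTML-escaped, so a later reader may think kses was dropped by mistake or that `esc_html()` is optional. A one-line comment would pin that invariant, e.g. `// Stored HTML-escaped: esc_html() neutralises every tag, so kses is redundant here; display-time esc_html() does not double-encode existing entities.` Because the stored entities are only correct for HTML body text, any consumer that emits the option in an attribute, JavaScript or plain-text context still needs its own context-appropriate escaping rather than relying on this save-time step. `sanitize_option()` starts and continues outside the hunk, so what `$value` holds before the `is_wp_error()` check is not visible here.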
@@ -31,4 +31,43 @@ class Tests_Formatting_BlogInfo extends WP_UnitTestCase {
 array( 'pt_PT_ao1990', 'pt-PT-ao1990' ),
 );
 }
+
+ /**
+ * @ticket 27942
+ */
+ function test_bloginfo_sanitize_option() {
+ $old_values = array(
+ 'blogname' => get_option( 'blogname' ),
+ 'blogdescription' => get_option( 'blogdescription' ),
+ );
+
+ $values = array(
+ 'foo' => 'foo',
+ 'foo' => '<em>foo</em>',
+ '' => '<script>foo</script>',
+ '<foo>' => '<foo>',
+ ' '<foo',
+ );
+
+ foreach ( $values as $value => $expected ) {
+ $sanitized_value = sanitize_option( 'blogname', $value );
+ update_option( 'blogname', $sanitized_value );
+
+ $this->assertEquals( $expected, $sanitized_value );
+ $this->assertEquals( $expected, get_bloginfo( 'name' ) );
+ $this->assertEquals( $expected, get_bloginfo( 'name', 'display' ) );
+
+ $sanitized_value = sanitize_option( 'blogdescription', $value );
+ update_option( 'blogdescription', $sanitized_value );
+
+ $this->assertEquals( $expected, $sanitized_value );
+ $this->assertEquals( $expected, get_bloginfo( 'description' ) );
+ $this->assertEquals( $expected, get_bloginfo( 'description', 'display' ) );
+ }
+
+ // Restore old values.
+ foreach ( $old_values as $option_name => $value ) {
+ update_option( $option_name, $value );
+ }
+ }
 }
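Review bot: As rendered, the `$values` map in `test_bloginfo_sanitize_option()` keys `'foo'` twice and also has an empty-string key, so in PHP the later `'foo'` entry silently overwrites the earlier one and the `<em>` and `<script>` inputs would never reach `sanitize_option()`; this may well be an artefact of entity decoding in this view, but it is worth confirming the committed keys are the distinct raw inputs with their escaped forms as values, since that is the whole point of the regression test. `assertEquals()` compares loosely, and for an escaping test the exact string is what matters, so `$this->assertSame( $expected, $sanitized_value );` would be the stricter form for all six assertions. The manual restore loop at the end is skipped whenever an assertion fails, leaving `blogname` and `blogdescription` altered for later tests unless the base test case rolls the database back; if it does not, moving the restore into `tearDown()` would make it unconditional.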