vhad/wordpress-develop
1
0
Fork 0
mirror of https://github.com/gosticks/wordpress-develop.git synced 2026-04-04 12:44:31 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Widgets: Validate HTML before saving block widgets.

Browse Source 
Props talldanwp, noisysocks, kevin940726, peterwilsoncc.


git-svn-id: https://develop.svn.wordpress.org/trunk@51414 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Peter Wilson
2021-07-13 05:57:04 +00:00
parent 7447f866f7
commit 4d616c6665
2 changed files with 14 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/wp-includes/class-wp-customize-widgets.php
View File

@@ -1419,6 +1419,13 @@ final class WP_Customize_Widgets {
if ( isset( $value['raw_instance'] ) && $id_base && wp_use_widgets_block_editor() ) {
$widget_object = $wp_widget_factory->get_widget_object( $id_base );
if ( ! empty( $widget_object->widget_options['show_instance_in_rest'] ) ) {
if ( 'block' === $id_base && ! current_user_can( 'unfiltered_html' ) ) {
// The content of the 'block' widget is not filtered on the
// fly while editing. Filter the content here to prevent
// vulnerabilities.
$value['raw_instance']['content'] = wp_kses_post( $value['raw_instance']['content'] );
}
return $value['raw_instance'];
}
}