Theme Customizer: Properly escape customize settings when sending values to JS. Add WP_Customize_Setting->js_value(). fixes #20687, see #19910.

git-svn-id: https://develop.svn.wordpress.org/trunk@20809 602fd350-edb4-49c9-b593-d223f7449a82
2026-06-28 14:20:15 +00:00 · 2012-05-16 20:59:02 +00:00
parent c992db3d22
commit 621e3c1fc6
3 changed files with 18 additions and 2 deletions
--- a/wp-includes/class-wp-customize-setting.php
+++ b/wp-includes/class-wp-customize-setting.php
@@ -230,6 +230,22 @@ class WP_Customize_Setting {
 		return $this->multidimensional_get( $values, $this->id_data[ 'keys' ], $this->default );
 	}

+	/**
+	 * Escape the parameter's value for use in JavaScript.
+	 *
+	 * @since 3.4.0
+	 *
+	 * @return mixed The requested escaped value.
+	 */
+	public function js_value() {
+		$value = $this->value();
+
+		if ( is_string( $value ) )
+			return html_entity_decode( $value, ENT_QUOTES, 'UTF-8');
+
+		return $value;
+	}
+
 	/**
 	 * Check if the theme supports the setting and check user capabilities.
 	 *