From c957e2573e7911c772ec85eb9f339ee34a9fd470 Mon Sep 17 00:00:00 2001 From: Jake Spurlock Date: Wed, 4 Sep 2019 17:11:22 +0000 Subject: [PATCH] Update wp.a11y.speak() to sanitize HTML before display. Props iandunn, adamsilverstein, sstoqnov, peterwilsoncc git-svn-id: https://develop.svn.wordpress.org/trunk@45979 602fd350-edb4-49c9-b593-d223f7449a82 --- src/js/_enqueues/admin/post.js | 4 +++- src/js/_enqueues/wp/a11y.js | 4 ++-- src/js/_enqueues/wp/customize/nav-menus.js | 2 +- src/js/_enqueues/wp/sanitize.js | 20 +++++++++++++++----- src/js/_enqueues/wp/updates.js | 3 ++- src/wp-includes/script-loader.php | 10 ++++++---- tests/phpunit/tests/dependencies/scripts.php | 2 +- tests/qunit/index.html | 1 + 8 files changed, 31 insertions(+), 15 deletions(-) diff --git a/src/js/_enqueues/admin/post.js b/src/js/_enqueues/admin/post.js index 3168fec886..ec1a0d718a 100644 --- a/src/js/_enqueues/admin/post.js +++ b/src/js/_enqueues/admin/post.js @@ -795,7 +795,9 @@ jQuery(document).ready( function($) { } // Update "Status:" to currently selected status. - $('#post-status-display').html($('option:selected', postStatus).text()); + $('#post-status-display').text( + wp.sanitize.stripTagsAndEncodeText( $('option:selected', postStatus).text() ) // Remove any potential tags from post status text. + ); // Show or hide the "Save Draft" button. if ( $('option:selected', postStatus).val() == 'private' || $('option:selected', postStatus).val() == 'publish' ) { diff --git a/src/js/_enqueues/wp/a11y.js b/src/js/_enqueues/wp/a11y.js index 503c62142b..648b629d37 100644 --- a/src/js/_enqueues/wp/a11y.js +++ b/src/js/_enqueues/wp/a11y.js @@ -27,8 +27,8 @@ window.wp = window.wp || {}; // Clear previous messages to allow repeated strings being read out. clear(); - // Ensure only text is sent to screen readers. - message = $( '

' ).html( message ).text(); + // Remove HTML tags, ensuring only text is sent to screen readers. + message = wp.sanitize.stripTagsAndEncodeText( message ); /* * Safari 10+VoiceOver don't announce repeated, identical strings. We use diff --git a/src/js/_enqueues/wp/customize/nav-menus.js b/src/js/_enqueues/wp/customize/nav-menus.js index 69067706b3..19962019a7 100644 --- a/src/js/_enqueues/wp/customize/nav-menus.js +++ b/src/js/_enqueues/wp/customize/nav-menus.js @@ -3456,7 +3456,7 @@ */ function displayNavMenuName( name ) { name = name || ''; - name = $( '

' ).text( name ).html(); // Emulate esc_html() which is used in wp-admin/nav-menus.php. + name = wp.sanitize.stripTagsAndEncodeText( name ); // Remove any potential tags from name. name = $.trim( name ); return name || api.Menus.data.l10n.unnamed; } diff --git a/src/js/_enqueues/wp/sanitize.js b/src/js/_enqueues/wp/sanitize.js index 76b587ba74..6082b1912d 100644 --- a/src/js/_enqueues/wp/sanitize.js +++ b/src/js/_enqueues/wp/sanitize.js @@ -23,10 +23,20 @@ stripTags: function( text ) { text = text || ''; - return text - .replace( /|$)/g, '' ) - .replace( /<(script|style)[^>]*>[\s\S]*?(<\/\1>|$)/ig, '' ) - .replace( /<\/?[a-z][\s\S]*?(>|$)/ig, '' ); + // Do the replacement. + var _text = text + .replace( /|$)/g, '' ) + .replace( /<(script|style)[^>]*>[\s\S]*?(<\/\1>|$)/ig, '' ) + .replace( /<\/?[a-z][\s\S]*?(>|$)/ig, '' ); + + // If the initial text is not equal to the modified text, + // do the search-replace again, until there is nothing to be replaced. + if ( _text !== text ) { + return wp.sanitize.stripTags( _text ); + } + + // Return the text with stripped tags. + return _text; }, /** @@ -41,7 +51,7 @@ textarea = document.createElement( 'textarea' ); try { - textarea.innerHTML = _text; + textarea.textContent = _text; _text = wp.sanitize.stripTags( textarea.value ); } catch ( er ) {} diff --git a/src/js/_enqueues/wp/updates.js b/src/js/_enqueues/wp/updates.js index dfc4547ecb..367bdf0284 100644 --- a/src/js/_enqueues/wp/updates.js +++ b/src/js/_enqueues/wp/updates.js @@ -262,7 +262,8 @@ if ( 'undefined' !== typeof response.debug && window.console && window.console.log ) { _.map( response.debug, function( message ) { - window.console.log( $( '

' ).html( message ).text() ); + // Remove all HTML tags and write a message to the console. + window.console.log( wp.sanitize.stripTagsAndEncodeText( message ) ); } ); } }; diff --git a/src/wp-includes/script-loader.php b/src/wp-includes/script-loader.php index 7a30e73efd..1ec63c5178 100644 --- a/src/wp-includes/script-loader.php +++ b/src/wp-includes/script-loader.php @@ -880,7 +880,9 @@ function wp_default_scripts( &$scripts ) { ) ); - $scripts->add( 'wp-a11y', "/wp-includes/js/wp-a11y$suffix.js", array( 'jquery' ), false, 1 ); + $scripts->add( 'wp-sanitize', "/wp-includes/js/wp-sanitize$suffix.js", array(), false, 1 ); + + $scripts->add( 'wp-a11y', "/wp-includes/js/wp-a11y$suffix.js", array( 'jquery', 'wp-sanitize' ), false, 1 ); $scripts->add( 'sack', "/wp-includes/js/tw-sack$suffix.js", array(), '1.6.1', 1 ); @@ -1487,7 +1489,7 @@ function wp_default_scripts( &$scripts ) { $scripts->add( 'customize-widgets', "/wp-admin/js/customize-widgets$suffix.js", array( 'jquery', 'jquery-ui-sortable', 'jquery-ui-droppable', 'wp-backbone', 'customize-controls' ), false, 1 ); $scripts->add( 'customize-preview-widgets', "/wp-includes/js/customize-preview-widgets$suffix.js", array( 'jquery', 'wp-util', 'customize-preview', 'customize-selective-refresh' ), false, 1 ); - $scripts->add( 'customize-nav-menus', "/wp-admin/js/customize-nav-menus$suffix.js", array( 'jquery', 'wp-backbone', 'customize-controls', 'accordion', 'nav-menu' ), false, 1 ); + $scripts->add( 'customize-nav-menus', "/wp-admin/js/customize-nav-menus$suffix.js", array( 'jquery', 'wp-backbone', 'customize-controls', 'accordion', 'nav-menu', 'wp-sanitize' ), false, 1 ); $scripts->add( 'customize-preview-nav-menus', "/wp-includes/js/customize-preview-nav-menus$suffix.js", array( 'jquery', 'wp-util', 'customize-preview', 'customize-selective-refresh' ), false, 1 ); $scripts->add( 'wp-custom-header', "/wp-includes/js/wp-custom-header$suffix.js", array( 'wp-a11y' ), false, 1 ); @@ -1572,7 +1574,7 @@ function wp_default_scripts( &$scripts ) { ) ); - $scripts->add( 'post', "/wp-admin/js/post$suffix.js", array( 'suggest', 'wp-lists', 'postbox', 'tags-box', 'underscore', 'word-count', 'wp-a11y' ), false, 1 ); + $scripts->add( 'post', "/wp-admin/js/post$suffix.js", array( 'suggest', 'wp-lists', 'postbox', 'tags-box', 'underscore', 'word-count', 'wp-a11y', 'wp-sanitize' ), false, 1 ); did_action( 'init' ) && $scripts->localize( 'post', 'postL10n', @@ -1700,7 +1702,7 @@ function wp_default_scripts( &$scripts ) { ) ); - $scripts->add( 'updates', "/wp-admin/js/updates$suffix.js", array( 'jquery', 'wp-util', 'wp-a11y' ), false, 1 ); + $scripts->add( 'updates', "/wp-admin/js/updates$suffix.js", array( 'jquery', 'wp-util', 'wp-a11y', 'wp-sanitize' ), false, 1 ); did_action( 'init' ) && $scripts->localize( 'updates', '_wpUpdatesSettings', diff --git a/tests/phpunit/tests/dependencies/scripts.php b/tests/phpunit/tests/dependencies/scripts.php index b1dda73d97..f0638a7176 100644 --- a/tests/phpunit/tests/dependencies/scripts.php +++ b/tests/phpunit/tests/dependencies/scripts.php @@ -692,7 +692,7 @@ JS; $wp_scripts->do_concat = true; $ver = get_bloginfo( 'version' ); - $expected = "\n"; + $expected = "\n"; $expected .= "\n"; $expected .= "\n"; $expected .= "\n"; diff --git a/tests/qunit/index.html b/tests/qunit/index.html index 1d9e688915..2f2ad59b39 100644 --- a/tests/qunit/index.html +++ b/tests/qunit/index.html @@ -76,6 +76,7 @@ ++