Customize: Prevent dropping backslashes from input on general settings and settings for nav menus and some widgets.
Ensures that intentional backslashes (e.g. "\o/") can be used in:
* Site title
* Site description
* Nav menu name
* Custom Menu widget title
* Tag Cloud widget title
* Text widget body, when the user lacks `unfiltered_html`
The latter three are also fixed on the widgets admin page. Fixes #35898. git-svn-id: https://develop.svn.wordpress.org/trunk@36622 602fd350-edb4-49c9-b593-d223f7449a82
@@ -496,7 +496,6 @@ class WP_Customize_Setting {
|
||||
* @return string|array|null Null if an input isn't valid, otherwise the sanitized value.
|
||||
*/
|
||||
public function sanitize( $value ) {
|
||||
$value = wp_unslash( $value );
|
||||
|
||||
/**
|
||||
* Filter a Customize setting value in un-slashed form.
|
||||
|
||||
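Review bot: With the un-slash step gone from `sanitize()`, the method's contract silently shifts to "callers pass already un-slashed data", but nothing in the docblock says so; the `@param` tag for `$value` sits just above this hunk and should carry it, e.g. `* @param string|array $value The value to sanitize. Expected to be un-slashed already.` The filter doc that follows ("Filter a Customize setting value in un-slashed form") stays true only under that assumption, so presumably the manager un-slashes post values before they reach here — worth confirming, because a caller that still hands over raw slashed POST data would now persist literal backslashes. The body of `sanitize()` continues outside the hunk.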
@@ -513,14 +513,14 @@ class WP_Customize_Nav_Menu_Setting extends WP_Customize_Setting {
|
||||
$menu_data['menu-name'] = $value['name'];
|
||||
|
||||
$menu_id = $is_placeholder ? 0 : $this->term_id;
|
||||
$r = wp_update_nav_menu_object( $menu_id, $menu_data );
|
||||
$r = wp_update_nav_menu_object( $menu_id, wp_slash( $menu_data ) );
|
||||
$original_name = $menu_data['menu-name'];
|
||||
$name_conflict_suffix = 1;
|
||||
while ( is_wp_error( $r ) && 'menu_exists' === $r->get_error_code() ) {
|
||||
$name_conflict_suffix += 1;
|
||||
/* translators: 1: original menu name, 2: duplicate count */
|
||||
$menu_data['menu-name'] = sprintf( __( '%1$s (%2$d)' ), $original_name, $name_conflict_suffix );
|
||||
$r = wp_update_nav_menu_object( $menu_id, $menu_data );
|
||||
$r = wp_update_nav_menu_object( $menu_id, wp_slash( $menu_data ) );
|
||||
}
|
||||
|
||||
if ( is_wp_error( $r ) ) {
|
||||
|
||||
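Review bot: The two `wp_slash( $menu_data )` calls have no comment saying why slashing is needed here, and the reason is non-obvious since the rest of the Customizer works un-slashed; a one-liner above the first call would stop a future cleanup from removing it again, e.g. `// wp_update_nav_menu_object() expects pre-slashed data; $menu_data was built from the un-slashed setting value, so slash it on every call.` Re-slashing inside the loop is correct as written, because `$menu_data['menu-name']` is rebuilt from the un-slashed `$original_name` on each iteration. The enclosing method starts and ends outside the hunk.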
@@ -196,12 +196,15 @@ function is_nav_menu_item( $menu_item_id = 0 ) {
|
||||
/**
|
||||
* Creates a navigation menu.
|
||||
*
|
||||
* Note that <code>$menu_name</code> is expected to be pre-slashed.
|
||||
*
|
||||
* @since 3.0.0
|
||||
*
|
||||
* @param string $menu_name Menu name.
|
||||
* @return int|WP_Error Menu ID on success, WP_Error object on failure.
|
||||
*/
|
||||
function wp_create_nav_menu( $menu_name ) {
|
||||
// expected_slashed ($menu_name)
|
||||
return wp_update_nav_menu_object( 0, array( 'menu-name' => $menu_name ) );
|
||||
}
|
||||
|
||||
@@ -252,6 +255,8 @@ function wp_delete_nav_menu( $menu ) {
|
||||
/**
|
||||
* Save the properties of a menu or create a new menu with those properties.
|
||||
*
|
||||
* Note that <code>$menu_data</code> is expected to be pre-slashed.
|
||||
*
|
||||
* @since 3.0.0
|
||||
*
|
||||
* @param int $menu_id The ID of the menu or "0" to create a new menu.
|
||||
@@ -259,6 +264,7 @@ function wp_delete_nav_menu( $menu ) {
|
||||
* @return int|WP_Error Menu ID on success, WP_Error object on failure.
|
||||
*/
|
||||
function wp_update_nav_menu_object( $menu_id = 0, $menu_data = array() ) {
|
||||
// expected_slashed ($menu_data)
|
||||
$menu_id = (int) $menu_id;
|
||||
|
||||
$_menu = wp_get_nav_menu_object( $menu_id );
|
||||
|
||||
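Review bot: The new "expected to be pre-slashed" note lives only in free-text prose in the two docblocks, while the `@param` tags still describe the arguments as plain values; generated docs and IDE tooltips show the tags first, so the tag should repeat it, e.g. `* @param string $menu_name Menu name. Expected to be pre-slashed.` for `wp_create_nav_menu()`, and likewise for `$menu_data` on `wp_update_nav_menu_object()` (that `@param` tag falls outside the hunk). The inline `// expected_slashed (...)` markers are consistent with each other, which is good. The body of `wp_update_nav_menu_object()` continues past the hunk.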
@@ -92,7 +92,7 @@
|
||||
public function update( $new_instance, $old_instance ) {
|
||||
$instance = array();
|
||||
if ( ! empty( $new_instance['title'] ) ) {
|
||||
$instance['title'] = sanitize_text_field( stripslashes( $new_instance['title'] ) );
|
||||
$instance['title'] = sanitize_text_field( $new_instance['title'] );
|
||||
}
|
||||
if ( ! empty( $new_instance['nav_menu'] ) ) {
|
||||
$instance['nav_menu'] = (int) $new_instance['nav_menu'];
|
||||
|
||||
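Review bot: The rewritten title line now relies on `$new_instance` arriving un-slashed, but nothing in `update()` states that contract, so the next reader may reintroduce `stripslashes()` to "fix" escaped quotes; a short comment at the top of the method would pin it, e.g. `// $new_instance is expected un-slashed; stripping slashes here would drop intentional backslashes.` The description says the widgets admin page is fixed in the same commit, so presumably both that path and the Customizer un-slash before calling `update()` — worth confirming against the caller. The same remark applies to the Tag Cloud and Text widget hunks below.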
@@ -98,7 +98,7 @@ class WP_Widget_Tag_Cloud extends WP_Widget {
|
||||
*/
|
||||
public function update( $new_instance, $old_instance ) {
|
||||
$instance = array();
|
||||
$instance['title'] = sanitize_text_field( stripslashes( $new_instance['title'] ) );
|
||||
$instance['title'] = sanitize_text_field( $new_instance['title'] );
|
||||
$instance['taxonomy'] = stripslashes($new_instance['taxonomy']);
|
||||
return $instance;
|
||||
}
|
||||
|
||||
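Review bot: One line below the changed title assignment, `$instance['taxonomy'] = stripslashes($new_instance['taxonomy']);` still strips slashes, so the method now treats two fields of the same input array inconsistently — one as un-slashed, one as slashed. If `$new_instance` is un-slashed (the premise of the title change), the taxonomy line should follow, `$instance['taxonomy'] = $new_instance['taxonomy'];`, and since the value names a taxonomy rather than free text, validating it against registered taxonomies with `taxonomy_exists()` before storing would be a stronger check than any slash handling. Whether a stray backslash in a taxonomy name is reachable in practice I cannot tell from here.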
@@ -80,10 +80,11 @@ class WP_Widget_Text extends WP_Widget {
|
||||
public function update( $new_instance, $old_instance ) {
|
||||
$instance = $old_instance;
|
||||
$instance['title'] = sanitize_text_field( $new_instance['title'] );
|
||||
if ( current_user_can('unfiltered_html') )
|
||||
$instance['text'] = $new_instance['text'];
|
||||
else
|
||||
$instance['text'] = wp_kses_post( stripslashes( $new_instance['text'] ) );
|
||||
if ( current_user_can( 'unfiltered_html' ) ) {
|
||||
$instance['text'] = $new_instance['text'];
|
||||
} else {
|
||||
$instance['text'] = wp_kses_post( $new_instance['text'] );
|
||||
}
|
||||
$instance['filter'] = ! empty( $new_instance['filter'] );
|
||||
return $instance;
|
||||
}
|
||||
|
||||
@@ -114,8 +114,8 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
|
||||
function test_construct_placeholder() {
|
||||
do_action( 'customize_register', $this->wp_customize );
|
||||
$default = array(
|
||||
'name' => 'Lorem',
|
||||
'description' => 'ipsum',
|
||||
'name' => 'Lorem \\o/',
|
||||
'description' => 'ipsum \\o/',
|
||||
'parent' => 123,
|
||||
);
|
||||
$setting = new WP_Customize_Nav_Menu_Setting( $this->wp_customize, 'nav_menu[-5]', compact( 'default' ) );
|
||||
@@ -131,14 +131,14 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
|
||||
function test_value() {
|
||||
do_action( 'customize_register', $this->wp_customize );
|
||||
|
||||
$menu_name = 'Test 123';
|
||||
$parent_menu_id = wp_create_nav_menu( "Parent $menu_name" );
|
||||
$description = 'Hello my world.';
|
||||
$menu_id = wp_update_nav_menu_object( 0, array(
|
||||
$menu_name = 'Test 123 \\o/';
|
||||
$parent_menu_id = wp_create_nav_menu( wp_slash( "Parent $menu_name" ) );
|
||||
$description = 'Hello my world \\o/.';
|
||||
$menu_id = wp_update_nav_menu_object( 0, wp_slash( array(
|
||||
'menu-name' => $menu_name,
|
||||
'parent' => $parent_menu_id,
|
||||
'description' => $description,
|
||||
) );
|
||||
) ) );
|
||||
|
||||
$setting_id = "nav_menu[$menu_id]";
|
||||
$setting = new WP_Customize_Nav_Menu_Setting( $this->wp_customize, $setting_id );
|
||||
@@ -153,7 +153,7 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
|
||||
$this->assertEquals( $parent_menu_id, $value['parent'] );
|
||||
|
||||
$new_menu_name = 'Foo';
|
||||
wp_update_nav_menu_object( $menu_id, array( 'menu-name' => $new_menu_name ) );
|
||||
wp_update_nav_menu_object( $menu_id, wp_slash( array( 'menu-name' => $new_menu_name ) ) );
|
||||
$updated_value = $setting->value();
|
||||
$this->assertEquals( $new_menu_name, $updated_value['name'] );
|
||||
}
|
||||
@@ -166,11 +166,11 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
|
||||
function test_preview_updated() {
|
||||
do_action( 'customize_register', $this->wp_customize );
|
||||
|
||||
$menu_id = wp_update_nav_menu_object( 0, array(
|
||||
'menu-name' => 'Name 1',
|
||||
'description' => 'Description 1',
|
||||
$menu_id = wp_update_nav_menu_object( 0, wp_slash( array(
|
||||
'menu-name' => 'Name 1 \\o/',
|
||||
'description' => 'Description 1 \\o/',
|
||||
'parent' => 0,
|
||||
) );
|
||||
) ) );
|
||||
$setting_id = "nav_menu[$menu_id]";
|
||||
$setting = new WP_Customize_Nav_Menu_Setting( $this->wp_customize, $setting_id );
|
||||
|
||||
@@ -178,16 +178,16 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
|
||||
$this->assertNotContains( $menu_id, $nav_menu_options['auto_add'] );
|
||||
|
||||
$post_value = array(
|
||||
'name' => 'Name 2',
|
||||
'description' => 'Description 2',
|
||||
'name' => 'Name 2 \\o/',
|
||||
'description' => 'Description 2 \\o/',
|
||||
'parent' => 1,
|
||||
'auto_add' => true,
|
||||
);
|
||||
$this->wp_customize->set_post_value( $setting_id, $post_value );
|
||||
|
||||
$value = $setting->value();
|
||||
$this->assertEquals( 'Name 1', $value['name'] );
|
||||
$this->assertEquals( 'Description 1', $value['description'] );
|
||||
$this->assertEquals( 'Name 1 \\o/', $value['name'] );
|
||||
$this->assertEquals( 'Description 1 \\o/', $value['description'] );
|
||||
$this->assertEquals( 0, $value['parent'] );
|
||||
|
||||
$term = (array) wp_get_nav_menu_object( $menu_id );
|
||||
@@ -199,8 +199,8 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
|
||||
|
||||
$setting->preview();
|
||||
$value = $setting->value();
|
||||
$this->assertEquals( 'Name 2', $value['name'] );
|
||||
$this->assertEquals( 'Description 2', $value['description'] );
|
||||
$this->assertEquals( 'Name 2 \\o/', $value['name'] );
|
||||
$this->assertEquals( 'Description 2 \\o/', $value['description'] );
|
||||
$this->assertEquals( 1, $value['parent'] );
|
||||
$term = (array) wp_get_nav_menu_object( $menu_id );
|
||||
$this->assertEqualSets( $value, wp_array_slice_assoc( $term, array_keys( $value ) ) );
|
||||
@@ -217,7 +217,7 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
|
||||
$i = array_search( $menu_id, $menus_ids );
|
||||
$this->assertInternalType( 'int', $i, 'Update-previewed menu does not appear in wp_get_nav_menus()' );
|
||||
$filtered_menu = $menus[ $i ];
|
||||
$this->assertEquals( 'Name 2', $filtered_menu->name );
|
||||
$this->assertEquals( 'Name 2 \\o/', $filtered_menu->name );
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -230,8 +230,8 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
|
||||
|
||||
$menu_id = -123;
|
||||
$post_value = array(
|
||||
'name' => 'New Menu Name 1',
|
||||
'description' => 'New Menu Description 1',
|
||||
'name' => 'New Menu Name 1 \\o/',
|
||||
'description' => 'New Menu Description 1 \\o/',
|
||||
'parent' => 0,
|
||||
'auto_add' => false,
|
||||
);
|
||||
@@ -262,7 +262,7 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
|
||||
$i = array_search( $menu_id, $menus_ids );
|
||||
$this->assertInternalType( 'int', $i, 'Insert-previewed menu was not injected into wp_get_nav_menus()' );
|
||||
$filtered_menu = $menus[ $i ];
|
||||
$this->assertEquals( 'New Menu Name 1', $filtered_menu->name );
|
||||
$this->assertEquals( 'New Menu Name 1 \\o/', $filtered_menu->name );
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -273,11 +273,11 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
|
||||
function test_preview_deleted() {
|
||||
do_action( 'customize_register', $this->wp_customize );
|
||||
|
||||
$menu_id = wp_update_nav_menu_object( 0, array(
|
||||
'menu-name' => 'Name 1',
|
||||
'description' => 'Description 1',
|
||||
$menu_id = wp_update_nav_menu_object( 0, wp_slash( array(
|
||||
'menu-name' => 'Name 1 \\o/',
|
||||
'description' => 'Description 1 \\o/',
|
||||
'parent' => 0,
|
||||
) );
|
||||
) ) );
|
||||
$setting_id = "nav_menu[$menu_id]";
|
||||
$setting = new WP_Customize_Nav_Menu_Setting( $this->wp_customize, $setting_id );
|
||||
$nav_menu_options = $this->get_nav_menu_items_option();
|
||||
@@ -312,15 +312,15 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
|
||||
$this->assertNull( $setting->sanitize( 123 ) );
|
||||
|
||||
$value = array(
|
||||
'name' => ' Hello <b>world</b> ',
|
||||
'description' => "New\nline",
|
||||
'name' => ' Hello \\o/ <b>world</b> ',
|
||||
'description' => "New\nline \\o/",
|
||||
'parent' => -12,
|
||||
'auto_add' => true,
|
||||
'extra' => 'ignored',
|
||||
);
|
||||
$sanitized = $setting->sanitize( $value );
|
||||
$this->assertEquals( 'Hello <b>world</b>', $sanitized['name'] );
|
||||
$this->assertEquals( 'New line', $sanitized['description'] );
|
||||
$this->assertEquals( 'Hello \\o/ <b>world</b>', $sanitized['name'] );
|
||||
$this->assertEquals( 'New line \\o/', $sanitized['description'] );
|
||||
$this->assertEquals( 0, $sanitized['parent'] );
|
||||
$this->assertEquals( true, $sanitized['auto_add'] );
|
||||
$this->assertEqualSets( array( 'name', 'description', 'parent', 'auto_add' ), array_keys( $sanitized ) );
|
||||
@@ -338,11 +338,11 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
|
||||
function test_save_updated() {
|
||||
do_action( 'customize_register', $this->wp_customize );
|
||||
|
||||
$menu_id = wp_update_nav_menu_object( 0, array(
|
||||
'menu-name' => 'Name 1',
|
||||
'description' => 'Description 1',
|
||||
$menu_id = wp_update_nav_menu_object( 0, wp_slash( array(
|
||||
'menu-name' => 'Name 1 \\o/',
|
||||
'description' => 'Description 1 \\o/',
|
||||
'parent' => 0,
|
||||
) );
|
||||
) ) );
|
||||
$nav_menu_options = $this->get_nav_menu_items_option();
|
||||
$nav_menu_options['auto_add'][] = $menu_id;
|
||||
update_option( 'nav_menu_options', $nav_menu_options );
|
||||
@@ -352,8 +352,8 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
|
||||
|
||||
$auto_add = false;
|
||||
$new_value = array(
|
||||
'name' => 'Name 2',
|
||||
'description' => 'Description 2',
|
||||
'name' => 'Name 2 \\o/',
|
||||
'description' => 'Description 2 \\o/',
|
||||
'parent' => 1,
|
||||
'auto_add' => $auto_add,
|
||||
);
|
||||
@@ -400,8 +400,8 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
|
||||
|
||||
$menu_id = -123;
|
||||
$post_value = array(
|
||||
'name' => 'New Menu Name 1',
|
||||
'description' => 'New Menu Description 1',
|
||||
'name' => 'New Menu Name 1 \\o/',
|
||||
'description' => 'New Menu Description 1 \\o/',
|
||||
'parent' => 0,
|
||||
'auto_add' => true,
|
||||
);
|
||||
@@ -448,7 +448,7 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
|
||||
do_action( 'customize_register', $this->wp_customize );
|
||||
|
||||
$menu_name = 'Foo';
|
||||
wp_update_nav_menu_object( 0, array( 'menu-name' => $menu_name ) );
|
||||
wp_update_nav_menu_object( 0, wp_slash( array( 'menu-name' => $menu_name ) ) );
|
||||
|
||||
$menu_id = -123;
|
||||
$setting_id = "nav_menu[$menu_id]";
|
||||
@@ -472,8 +472,8 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
|
||||
function test_save_deleted() {
|
||||
do_action( 'customize_register', $this->wp_customize );
|
||||
|
||||
$menu_name = 'Lorem Ipsum';
|
||||
$menu_id = wp_create_nav_menu( $menu_name );
|
||||
$menu_name = 'Lorem Ipsum \\o/';
|
||||
$menu_id = wp_create_nav_menu( wp_slash( $menu_name ) );
|
||||
$setting_id = "nav_menu[$menu_id]";
|
||||
$setting = new WP_Customize_Nav_Menu_Setting( $this->wp_customize, $setting_id );
|
||||
$nav_menu_options = $this->get_nav_menu_items_option();
|
||||
@@ -506,5 +506,4 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
|
||||
$nav_menu_options = $this->get_nav_menu_items_option();
|
||||
$this->assertNotContains( $menu_id, $nav_menu_options['auto_add'] );
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
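Review bot: In `test_value()` the update path gains `wp_slash()` at the call on the changed line, but the value it updates with is the unchanged `$new_menu_name = 'Foo';`, which contains no backslash, so that branch is not actually exercised for the bug being fixed; `$new_menu_name = 'Foo \\o/';` would make the subsequent `assertEquals` meaningful. The same applies to the hunk starting at `@@ -448,7`, where `$menu_name = 'Foo';` is left unchanged while its `wp_update_nav_menu_object()` call is now slashed. The other hunks in this file do carry a backslash in both the input and the expected value, which is the right shape.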
@@ -67,14 +67,14 @@ class Tests_WP_Customize_Setting extends WP_UnitTestCase {
|
||||
}
|
||||
|
||||
public $post_data_overrides = array(
|
||||
'unset_option_overridden' => 'unset_option_post_override_value',
|
||||
'unset_theme_mod_overridden' => 'unset_theme_mod_post_override_value',
|
||||
'set_option_overridden' => 'set_option_post_override_value',
|
||||
'set_theme_mod_overridden' => 'set_theme_mod_post_override_value',
|
||||
'unset_option_multi_overridden[foo]' => 'unset_option_multi_overridden[foo]_post_override_value',
|
||||
'unset_theme_mod_multi_overridden[foo]' => 'unset_theme_mod_multi_overridden[foo]_post_override_value',
|
||||
'set_option_multi_overridden[foo]' => 'set_option_multi_overridden[foo]_post_override_value',
|
||||
'set_theme_mod_multi_overridden[foo]' => 'set_theme_mod_multi_overridden[foo]_post_override_value',
|
||||
'unset_option_overridden' => 'unset_option_post_override_value\\o/',
|
||||
'unset_theme_mod_overridden' => 'unset_theme_mod_post_override_value\\o/',
|
||||
'set_option_overridden' => 'set_option_post_override_value\\o/',
|
||||
'set_theme_mod_overridden' => 'set_theme_mod_post_override_value\\o/',
|
||||
'unset_option_multi_overridden[foo]' => 'unset_option_multi_overridden[foo]_post_override_value\\o/',
|
||||
'unset_theme_mod_multi_overridden[foo]' => 'unset_theme_mod_multi_overridden[foo]_post_override_value\\o/',
|
||||
'set_option_multi_overridden[foo]' => 'set_option_multi_overridden[foo]_post_override_value\\o/',
|
||||
'set_theme_mod_multi_overridden[foo]' => 'set_theme_mod_multi_overridden[foo]_post_override_value\\o/',
|
||||
);
|
||||
|
||||
public $standard_type_configs = array(
|
||||
@@ -299,8 +299,8 @@ class Tests_WP_Customize_Setting extends WP_UnitTestCase {
|
||||
function test_preview_custom_type() {
|
||||
$type = 'custom_type';
|
||||
$post_data_overrides = array(
|
||||
"unset_{$type}_with_post_value" => "unset_{$type}_without_post_value",
|
||||
"set_{$type}_with_post_value" => "set_{$type}_without_post_value",
|
||||
"unset_{$type}_with_post_value" => "unset_{$type}_without_post_value\\o/",
|
||||
"set_{$type}_with_post_value" => "set_{$type}_without_post_value\\o/",
|
||||
);
|
||||
$_POST['customized'] = wp_slash( wp_json_encode( $post_data_overrides ) );
|
||||
|
||||
@@ -417,7 +417,7 @@ class Tests_WP_Customize_Setting extends WP_UnitTestCase {
|
||||
$this->assertTrue( 0 === did_action( 'customize_save_foo' ) );
|
||||
|
||||
// Try setting post value without user as admin.
|
||||
$this->manager->set_post_value( $setting->id, 'hello world' );
|
||||
$this->manager->set_post_value( $setting->id, 'hello world \\o/' );
|
||||
$this->assertFalse( $setting->save() );
|
||||
$this->assertTrue( 0 === did_action( 'customize_update_custom' ) );
|
||||
$this->assertTrue( 0 === did_action( 'customize_save_foo' ) );
|
||||
@@ -437,7 +437,7 @@ class Tests_WP_Customize_Setting extends WP_UnitTestCase {
|
||||
* @param WP_Customize_Setting $setting
|
||||
*/
|
||||
function handle_customize_update_custom_foo_action( $value, $setting = null ) {
|
||||
$this->assertEquals( 'hello world', $value );
|
||||
$this->assertEquals( 'hello world \\o/', $value );
|
||||
$this->assertInstanceOf( 'WP_Customize_Setting', $setting );
|
||||
}
|
||||
|
||||
|
||||
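Review bot: The literal `'hello world \\o/'` is now duplicated between the `set_post_value()` call in the test body and the `assertEquals` inside `handle_customize_update_custom_foo_action()`, and the two must stay in lockstep for the assertion to mean anything; a class constant such as `const CUSTOM_FOO_VALUE = 'hello world \\o/';` used at both sites would keep them from drifting. This is a style point only — the values match as committed.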