diff --git a/src/wp-includes/class-wp-customize-setting.php b/src/wp-includes/class-wp-customize-setting.php
index 7fe88e8333..4593729886 100644
--- a/src/wp-includes/class-wp-customize-setting.php
+++ b/src/wp-includes/class-wp-customize-setting.php
@@ -496,7 +496,6 @@ class WP_Customize_Setting {
* @return string|array|null Null if an input isn't valid, otherwise the sanitized value.
*/
public function sanitize( $value ) {
- $value = wp_unslash( $value );
/**
* Filter a Customize setting value in un-slashed form.
diff --git a/src/wp-includes/customize/class-wp-customize-nav-menu-setting.php b/src/wp-includes/customize/class-wp-customize-nav-menu-setting.php
index 5562a8df52..8d6436c68c 100644
--- a/src/wp-includes/customize/class-wp-customize-nav-menu-setting.php
+++ b/src/wp-includes/customize/class-wp-customize-nav-menu-setting.php
@@ -513,14 +513,14 @@ class WP_Customize_Nav_Menu_Setting extends WP_Customize_Setting {
$menu_data['menu-name'] = $value['name'];
$menu_id = $is_placeholder ? 0 : $this->term_id;
- $r = wp_update_nav_menu_object( $menu_id, $menu_data );
+ $r = wp_update_nav_menu_object( $menu_id, wp_slash( $menu_data ) );
$original_name = $menu_data['menu-name'];
$name_conflict_suffix = 1;
while ( is_wp_error( $r ) && 'menu_exists' === $r->get_error_code() ) {
$name_conflict_suffix += 1;
/* translators: 1: original menu name, 2: duplicate count */
$menu_data['menu-name'] = sprintf( __( '%1$s (%2$d)' ), $original_name, $name_conflict_suffix );
- $r = wp_update_nav_menu_object( $menu_id, $menu_data );
+ $r = wp_update_nav_menu_object( $menu_id, wp_slash( $menu_data ) );
}
if ( is_wp_error( $r ) ) {
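Review bot: Both `wp_update_nav_menu_object()` calls in this hunk now slash at the call boundary while `$menu_data` and `$original_name` stay unslashed locally, but nothing in the code says that this split is deliberate. A later edit that slashes `$menu_data` once before the loop, or drops the `wp_slash()` inside the `while`, would silently change how backslashes in a conflicting name are stored. I would add a one-line comment above the first call, for example `// wp_update_nav_menu_object() expects slashed data; $menu_data itself is kept unslashed.` The enclosing method starts and ends outside this hunk.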
diff --git a/src/wp-includes/nav-menu.php b/src/wp-includes/nav-menu.php
index 3b878f762b..9627d27edb 100644
--- a/src/wp-includes/nav-menu.php
+++ b/src/wp-includes/nav-menu.php
@@ -196,12 +196,15 @@ function is_nav_menu_item( $menu_item_id = 0 ) {
/**
* Creates a navigation menu.
*
+ * Note that $menu_name is expected to be pre-slashed.
+ *
* @since 3.0.0
*
* @param string $menu_name Menu name.
* @return int|WP_Error Menu ID on success, WP_Error object on failure.
*/
function wp_create_nav_menu( $menu_name ) {
+ // expected_slashed ($menu_name)
return wp_update_nav_menu_object( 0, array( 'menu-name' => $menu_name ) );
}
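Review bot: The slashing contract is stated only in a free-text sentence and an inline `// expected_slashed` marker, while the `@param` line still reads just "Menu name.", which is the line most callers and generated docs will see. I would put the expectation there, e.g. `@param string $menu_name Menu name, expected slashed.` The same applies to `$menu_data` in the two `wp_update_nav_menu_object()` hunks that follow. Its `@param` line falls between those hunks and is not visible here. Since the commit wraps arguments in `wp_slash()` at every updated call site, a caller that passes raw data would presumably lose backslashes, so the docs should make the requirement hard to miss.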
@@ -252,6 +255,8 @@ function wp_delete_nav_menu( $menu ) {
/**
* Save the properties of a menu or create a new menu with those properties.
*
+ * Note that $menu_data is expected to be pre-slashed.
+ *
* @since 3.0.0
*
* @param int $menu_id The ID of the menu or "0" to create a new menu.
@@ -259,6 +264,7 @@ function wp_delete_nav_menu( $menu ) {
* @return int|WP_Error Menu ID on success, WP_Error object on failure.
*/
function wp_update_nav_menu_object( $menu_id = 0, $menu_data = array() ) {
+ // expected_slashed ($menu_data)
$menu_id = (int) $menu_id;
$_menu = wp_get_nav_menu_object( $menu_id );
diff --git a/src/wp-includes/widgets/class-wp-nav-menu-widget.php b/src/wp-includes/widgets/class-wp-nav-menu-widget.php
index 22ec861076..d6ac26c948 100644
--- a/src/wp-includes/widgets/class-wp-nav-menu-widget.php
+++ b/src/wp-includes/widgets/class-wp-nav-menu-widget.php
@@ -92,7 +92,7 @@
public function update( $new_instance, $old_instance ) {
$instance = array();
if ( ! empty( $new_instance['title'] ) ) {
- $instance['title'] = sanitize_text_field( stripslashes( $new_instance['title'] ) );
+ $instance['title'] = sanitize_text_field( $new_instance['title'] );
}
if ( ! empty( $new_instance['nav_menu'] ) ) {
$instance['nav_menu'] = (int) $new_instance['nav_menu'];
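Review bot: With `stripslashes()` removed, `update()` now depends on its caller handing over an already-unslashed `$new_instance`, and that precondition is not documented anywhere in the visible hunk. The same change is made in the tag cloud and text widget hunks. In the text widget the value goes straight into `wp_kses_post()`, which expects unslashed input, so a code path that still passes slashed request data would be filtered and stored with the slashes intact. I would state the contract in each method's docblock, e.g. `@param array $new_instance New settings for this instance, expected unslashed.` The docblocks themselves lie outside these hunks.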
diff --git a/src/wp-includes/widgets/class-wp-widget-tag-cloud.php b/src/wp-includes/widgets/class-wp-widget-tag-cloud.php
index 99f7af6ea1..4115c79387 100644
--- a/src/wp-includes/widgets/class-wp-widget-tag-cloud.php
+++ b/src/wp-includes/widgets/class-wp-widget-tag-cloud.php
@@ -98,7 +98,7 @@ class WP_Widget_Tag_Cloud extends WP_Widget {
*/
public function update( $new_instance, $old_instance ) {
$instance = array();
- $instance['title'] = sanitize_text_field( stripslashes( $new_instance['title'] ) );
+ $instance['title'] = sanitize_text_field( $new_instance['title'] );
$instance['taxonomy'] = stripslashes($new_instance['taxonomy']);
return $instance;
}
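Review bot: The title no longer goes through `stripslashes()`, but the next line still does `stripslashes($new_instance['taxonomy'])`, so one method now treats its input as both unslashed and slashed. If `$new_instance` arrives unslashed, as the title change assumes, the remaining call is at best redundant and would strip a legitimate backslash. The taxonomy value is also stored without any validation. I would make the line consistent and constrain the value, e.g. `$instance['taxonomy'] = sanitize_key( $new_instance['taxonomy'] );`, optionally falling back to a default when `taxonomy_exists()` is false.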
diff --git a/src/wp-includes/widgets/class-wp-widget-text.php b/src/wp-includes/widgets/class-wp-widget-text.php
index 96cf642908..5a1a056a54 100644
--- a/src/wp-includes/widgets/class-wp-widget-text.php
+++ b/src/wp-includes/widgets/class-wp-widget-text.php
@@ -80,10 +80,11 @@ class WP_Widget_Text extends WP_Widget {
public function update( $new_instance, $old_instance ) {
$instance = $old_instance;
$instance['title'] = sanitize_text_field( $new_instance['title'] );
- if ( current_user_can('unfiltered_html') )
- $instance['text'] = $new_instance['text'];
- else
- $instance['text'] = wp_kses_post( stripslashes( $new_instance['text'] ) );
+ if ( current_user_can( 'unfiltered_html' ) ) {
+ $instance['text'] = $new_instance['text'];
+ } else {
+ $instance['text'] = wp_kses_post( $new_instance['text'] );
+ }
$instance['filter'] = ! empty( $new_instance['filter'] );
return $instance;
}
diff --git a/tests/phpunit/tests/customize/nav-menu-setting.php b/tests/phpunit/tests/customize/nav-menu-setting.php
index a3438c9932..81e3e74960 100644
--- a/tests/phpunit/tests/customize/nav-menu-setting.php
+++ b/tests/phpunit/tests/customize/nav-menu-setting.php
@@ -114,8 +114,8 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
function test_construct_placeholder() {
do_action( 'customize_register', $this->wp_customize );
$default = array(
- 'name' => 'Lorem',
- 'description' => 'ipsum',
+ 'name' => 'Lorem \\o/',
+ 'description' => 'ipsum \\o/',
'parent' => 123,
);
$setting = new WP_Customize_Nav_Menu_Setting( $this->wp_customize, 'nav_menu[-5]', compact( 'default' ) );
@@ -131,14 +131,14 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
function test_value() {
do_action( 'customize_register', $this->wp_customize );
- $menu_name = 'Test 123';
- $parent_menu_id = wp_create_nav_menu( "Parent $menu_name" );
- $description = 'Hello my world.';
- $menu_id = wp_update_nav_menu_object( 0, array(
+ $menu_name = 'Test 123 \\o/';
+ $parent_menu_id = wp_create_nav_menu( wp_slash( "Parent $menu_name" ) );
+ $description = 'Hello my world \\o/.';
+ $menu_id = wp_update_nav_menu_object( 0, wp_slash( array(
'menu-name' => $menu_name,
'parent' => $parent_menu_id,
'description' => $description,
- ) );
+ ) ) );
$setting_id = "nav_menu[$menu_id]";
$setting = new WP_Customize_Nav_Menu_Setting( $this->wp_customize, $setting_id );
@@ -153,7 +153,7 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
$this->assertEquals( $parent_menu_id, $value['parent'] );
$new_menu_name = 'Foo';
- wp_update_nav_menu_object( $menu_id, array( 'menu-name' => $new_menu_name ) );
+ wp_update_nav_menu_object( $menu_id, wp_slash( array( 'menu-name' => $new_menu_name ) ) );
$updated_value = $setting->value();
$this->assertEquals( $new_menu_name, $updated_value['name'] );
}
@@ -166,11 +166,11 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
function test_preview_updated() {
do_action( 'customize_register', $this->wp_customize );
- $menu_id = wp_update_nav_menu_object( 0, array(
- 'menu-name' => 'Name 1',
- 'description' => 'Description 1',
+ $menu_id = wp_update_nav_menu_object( 0, wp_slash( array(
+ 'menu-name' => 'Name 1 \\o/',
+ 'description' => 'Description 1 \\o/',
'parent' => 0,
- ) );
+ ) ) );
$setting_id = "nav_menu[$menu_id]";
$setting = new WP_Customize_Nav_Menu_Setting( $this->wp_customize, $setting_id );
@@ -178,16 +178,16 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
$this->assertNotContains( $menu_id, $nav_menu_options['auto_add'] );
$post_value = array(
- 'name' => 'Name 2',
- 'description' => 'Description 2',
+ 'name' => 'Name 2 \\o/',
+ 'description' => 'Description 2 \\o/',
'parent' => 1,
'auto_add' => true,
);
$this->wp_customize->set_post_value( $setting_id, $post_value );
$value = $setting->value();
- $this->assertEquals( 'Name 1', $value['name'] );
- $this->assertEquals( 'Description 1', $value['description'] );
+ $this->assertEquals( 'Name 1 \\o/', $value['name'] );
+ $this->assertEquals( 'Description 1 \\o/', $value['description'] );
$this->assertEquals( 0, $value['parent'] );
$term = (array) wp_get_nav_menu_object( $menu_id );
@@ -199,8 +199,8 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
$setting->preview();
$value = $setting->value();
- $this->assertEquals( 'Name 2', $value['name'] );
- $this->assertEquals( 'Description 2', $value['description'] );
+ $this->assertEquals( 'Name 2 \\o/', $value['name'] );
+ $this->assertEquals( 'Description 2 \\o/', $value['description'] );
$this->assertEquals( 1, $value['parent'] );
$term = (array) wp_get_nav_menu_object( $menu_id );
$this->assertEqualSets( $value, wp_array_slice_assoc( $term, array_keys( $value ) ) );
@@ -217,7 +217,7 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
$i = array_search( $menu_id, $menus_ids );
$this->assertInternalType( 'int', $i, 'Update-previewed menu does not appear in wp_get_nav_menus()' );
$filtered_menu = $menus[ $i ];
- $this->assertEquals( 'Name 2', $filtered_menu->name );
+ $this->assertEquals( 'Name 2 \\o/', $filtered_menu->name );
}
/**
@@ -230,8 +230,8 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
$menu_id = -123;
$post_value = array(
- 'name' => 'New Menu Name 1',
- 'description' => 'New Menu Description 1',
+ 'name' => 'New Menu Name 1 \\o/',
+ 'description' => 'New Menu Description 1 \\o/',
'parent' => 0,
'auto_add' => false,
);
@@ -262,7 +262,7 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
$i = array_search( $menu_id, $menus_ids );
$this->assertInternalType( 'int', $i, 'Insert-previewed menu was not injected into wp_get_nav_menus()' );
$filtered_menu = $menus[ $i ];
- $this->assertEquals( 'New Menu Name 1', $filtered_menu->name );
+ $this->assertEquals( 'New Menu Name 1 \\o/', $filtered_menu->name );
}
/**
@@ -273,11 +273,11 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
function test_preview_deleted() {
do_action( 'customize_register', $this->wp_customize );
- $menu_id = wp_update_nav_menu_object( 0, array(
- 'menu-name' => 'Name 1',
- 'description' => 'Description 1',
+ $menu_id = wp_update_nav_menu_object( 0, wp_slash( array(
+ 'menu-name' => 'Name 1 \\o/',
+ 'description' => 'Description 1 \\o/',
'parent' => 0,
- ) );
+ ) ) );
$setting_id = "nav_menu[$menu_id]";
$setting = new WP_Customize_Nav_Menu_Setting( $this->wp_customize, $setting_id );
$nav_menu_options = $this->get_nav_menu_items_option();
@@ -312,15 +312,15 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
$this->assertNull( $setting->sanitize( 123 ) );
$value = array(
- 'name' => ' Hello world ',
- 'description' => "New\nline",
+ 'name' => ' Hello \\o/ world ',
+ 'description' => "New\nline \\o/",
'parent' => -12,
'auto_add' => true,
'extra' => 'ignored',
);
$sanitized = $setting->sanitize( $value );
- $this->assertEquals( 'Hello <b>world</b>', $sanitized['name'] );
- $this->assertEquals( 'New line', $sanitized['description'] );
+ $this->assertEquals( 'Hello \\o/ <b>world</b>', $sanitized['name'] );
+ $this->assertEquals( 'New line \\o/', $sanitized['description'] );
$this->assertEquals( 0, $sanitized['parent'] );
$this->assertEquals( true, $sanitized['auto_add'] );
$this->assertEqualSets( array( 'name', 'description', 'parent', 'auto_add' ), array_keys( $sanitized ) );
@@ -338,11 +338,11 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
function test_save_updated() {
do_action( 'customize_register', $this->wp_customize );
- $menu_id = wp_update_nav_menu_object( 0, array(
- 'menu-name' => 'Name 1',
- 'description' => 'Description 1',
+ $menu_id = wp_update_nav_menu_object( 0, wp_slash( array(
+ 'menu-name' => 'Name 1 \\o/',
+ 'description' => 'Description 1 \\o/',
'parent' => 0,
- ) );
+ ) ) );
$nav_menu_options = $this->get_nav_menu_items_option();
$nav_menu_options['auto_add'][] = $menu_id;
update_option( 'nav_menu_options', $nav_menu_options );
@@ -352,8 +352,8 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
$auto_add = false;
$new_value = array(
- 'name' => 'Name 2',
- 'description' => 'Description 2',
+ 'name' => 'Name 2 \\o/',
+ 'description' => 'Description 2 \\o/',
'parent' => 1,
'auto_add' => $auto_add,
);
@@ -400,8 +400,8 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
$menu_id = -123;
$post_value = array(
- 'name' => 'New Menu Name 1',
- 'description' => 'New Menu Description 1',
+ 'name' => 'New Menu Name 1 \\o/',
+ 'description' => 'New Menu Description 1 \\o/',
'parent' => 0,
'auto_add' => true,
);
@@ -448,7 +448,7 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
do_action( 'customize_register', $this->wp_customize );
$menu_name = 'Foo';
- wp_update_nav_menu_object( 0, array( 'menu-name' => $menu_name ) );
+ wp_update_nav_menu_object( 0, wp_slash( array( 'menu-name' => $menu_name ) ) );
$menu_id = -123;
$setting_id = "nav_menu[$menu_id]";
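Review bot: This test still uses the plain name `'Foo'`, so the path where a placeholder menu collides with an existing name, which looks like what this test sets up, is never exercised with a backslash. That is the path where the setting class re-slashes `$menu_data` on every loop iteration, the place a double-slash or lost-slash regression is most likely. I would change the fixture to `$menu_name = 'Foo \\o/';` as the other tests in this file do, and adjust the expected-name assertions further down. Those assertions are outside this hunk, so I cannot confirm their exact form.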
@@ -472,8 +472,8 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
function test_save_deleted() {
do_action( 'customize_register', $this->wp_customize );
- $menu_name = 'Lorem Ipsum';
- $menu_id = wp_create_nav_menu( $menu_name );
+ $menu_name = 'Lorem Ipsum \\o/';
+ $menu_id = wp_create_nav_menu( wp_slash( $menu_name ) );
$setting_id = "nav_menu[$menu_id]";
$setting = new WP_Customize_Nav_Menu_Setting( $this->wp_customize, $setting_id );
$nav_menu_options = $this->get_nav_menu_items_option();
@@ -506,5 +506,4 @@ class Test_WP_Customize_Nav_Menu_Setting extends WP_UnitTestCase {
$nav_menu_options = $this->get_nav_menu_items_option();
$this->assertNotContains( $menu_id, $nav_menu_options['auto_add'] );
}
-
}
diff --git a/tests/phpunit/tests/customize/setting.php b/tests/phpunit/tests/customize/setting.php
index 6d46f3be56..380d2d6e6a 100644
--- a/tests/phpunit/tests/customize/setting.php
+++ b/tests/phpunit/tests/customize/setting.php
@@ -67,14 +67,14 @@ class Tests_WP_Customize_Setting extends WP_UnitTestCase {
}
public $post_data_overrides = array(
- 'unset_option_overridden' => 'unset_option_post_override_value',
- 'unset_theme_mod_overridden' => 'unset_theme_mod_post_override_value',
- 'set_option_overridden' => 'set_option_post_override_value',
- 'set_theme_mod_overridden' => 'set_theme_mod_post_override_value',
- 'unset_option_multi_overridden[foo]' => 'unset_option_multi_overridden[foo]_post_override_value',
- 'unset_theme_mod_multi_overridden[foo]' => 'unset_theme_mod_multi_overridden[foo]_post_override_value',
- 'set_option_multi_overridden[foo]' => 'set_option_multi_overridden[foo]_post_override_value',
- 'set_theme_mod_multi_overridden[foo]' => 'set_theme_mod_multi_overridden[foo]_post_override_value',
+ 'unset_option_overridden' => 'unset_option_post_override_value\\o/',
+ 'unset_theme_mod_overridden' => 'unset_theme_mod_post_override_value\\o/',
+ 'set_option_overridden' => 'set_option_post_override_value\\o/',
+ 'set_theme_mod_overridden' => 'set_theme_mod_post_override_value\\o/',
+ 'unset_option_multi_overridden[foo]' => 'unset_option_multi_overridden[foo]_post_override_value\\o/',
+ 'unset_theme_mod_multi_overridden[foo]' => 'unset_theme_mod_multi_overridden[foo]_post_override_value\\o/',
+ 'set_option_multi_overridden[foo]' => 'set_option_multi_overridden[foo]_post_override_value\\o/',
+ 'set_theme_mod_multi_overridden[foo]' => 'set_theme_mod_multi_overridden[foo]_post_override_value\\o/',
);
public $standard_type_configs = array(
@@ -299,8 +299,8 @@ class Tests_WP_Customize_Setting extends WP_UnitTestCase {
function test_preview_custom_type() {
$type = 'custom_type';
$post_data_overrides = array(
- "unset_{$type}_with_post_value" => "unset_{$type}_without_post_value",
- "set_{$type}_with_post_value" => "set_{$type}_without_post_value",
+ "unset_{$type}_with_post_value" => "unset_{$type}_without_post_value\\o/",
+ "set_{$type}_with_post_value" => "set_{$type}_without_post_value\\o/",
);
$_POST['customized'] = wp_slash( wp_json_encode( $post_data_overrides ) );
@@ -417,7 +417,7 @@ class Tests_WP_Customize_Setting extends WP_UnitTestCase {
$this->assertTrue( 0 === did_action( 'customize_save_foo' ) );
// Try setting post value without user as admin.
- $this->manager->set_post_value( $setting->id, 'hello world' );
+ $this->manager->set_post_value( $setting->id, 'hello world \\o/' );
$this->assertFalse( $setting->save() );
$this->assertTrue( 0 === did_action( 'customize_update_custom' ) );
$this->assertTrue( 0 === did_action( 'customize_save_foo' ) );
@@ -437,7 +437,7 @@ class Tests_WP_Customize_Setting extends WP_UnitTestCase {
* @param WP_Customize_Setting $setting
*/
function handle_customize_update_custom_foo_action( $value, $setting = null ) {
- $this->assertEquals( 'hello world', $value );
+ $this->assertEquals( 'hello world \\o/', $value );
$this->assertInstanceOf( 'WP_Customize_Setting', $setting );
}