Widgets: Use wp_sidebar_description() to retrieve a sidebar’s description.

This switches `WP_REST_Sidebars_Controller` to use `wp_sidebar_description()` for retrieving the `description` of a given sidebar instead of referencing the value in the `$wp_registered_sidebars` global variable directly. `wp_sidebar_description()` uses `wp_kses()` to only allow the default list of `$allowed_tags` to be present in a sidebar’s `description`. Props timothyblynjacobs, desrosj. Fixes #53646. git-svn-id: https://develop.svn.wordpress.org/trunk@51408 602fd350-edb4-49c9-b593-d223f7449a82
2026-06-28 14:20:15 +00:00 · 2021-07-12 19:02:53 +00:00
parent bb389cda94
commit daea174b3f
2 changed files with 52 additions and 1 deletions
--- a/src/wp-includes/rest-api/endpoints/class-wp-rest-sidebars-controller.php
+++ b/src/wp-includes/rest-api/endpoints/class-wp-rest-sidebars-controller.php
@@ -281,7 +281,7 @@ class WP_REST_Sidebars_Controller extends WP_REST_Controller {

 			$sidebar['status']        = 'active';
 			$sidebar['name']          = isset( $registered_sidebar['name'] ) ? $registered_sidebar['name'] : '';
-			$sidebar['description']   = isset( $registered_sidebar['description'] ) ? $registered_sidebar['description'] : '';
+			$sidebar['description']   = isset( $registered_sidebar['description'] ) ? wp_sidebar_description( $id ) : '';
 			$sidebar['class']         = isset( $registered_sidebar['class'] ) ? $registered_sidebar['class'] : '';
 			$sidebar['before_widget'] = isset( $registered_sidebar['before_widget'] ) ? $registered_sidebar['before_widget'] : '';
 			$sidebar['after_widget']  = isset( $registered_sidebar['after_widget'] ) ? $registered_sidebar['after_widget'] : '';
--- a/tests/phpunit/tests/rest-api/rest-sidebars-controller.php
+++ b/tests/phpunit/tests/rest-api/rest-sidebars-controller.php
@@ -312,6 +312,57 @@ class WP_Test_REST_Sidebars_Controller extends WP_Test_REST_Controller_Testcase
 		);
 	}

+	/**
+	 * @ticket 53646
+	 */
+	public function test_get_items_when_descriptions_have_markup() {
+		register_sidebar(
+			array(
+				'name'          => 'New Sidebar',
+				'id'            => 'new-sidebar',
+				'description'   => '<iframe></iframe>This is a <b>description</b> with some <a href="#">markup</a>.<script></script>',
+				'before_widget' => '',
+				'after_widget'  => '',
+				'before_title'  => '',
+				'after_title'   => '',
+			)
+		);
+
+		$request  = new WP_REST_Request( 'GET', '/wp/v2/sidebars' );
+		$response = rest_get_server()->dispatch( $request );
+		$data     = $response->get_data();
+		$data     = $this->remove_links( $data );
+		$this->assertSame(
+			array(
+				array(
+					'id'            => 'wp_inactive_widgets',
+					'name'          => 'Inactive widgets',
+					'description'   => '',
+					'class'         => '',
+					'before_widget' => '',
+					'after_widget'  => '',
+					'before_title'  => '',
+					'after_title'   => '',
+					'status'        => 'inactive',
+					'widgets'       => array(),
+				),
+				array(
+					'id'            => 'new-sidebar',
+					'name'          => 'New Sidebar',
+					'description'   => 'This is a <b>description</b> with some <a href="#">markup</a>.',
+					'class'         => '',
+					'before_widget' => '',
+					'after_widget'  => '',
+					'before_title'  => '',
+					'after_title'   => '',
+					'status'        => 'active',
+					'widgets'       => array(),
+				),
+			),
+			$data
+		);
+	}
+
 	/**
 	 * @ticket 41683
 	 */