From e27098f5bd8e5d94ce1f83c5e72a54d768164333 Mon Sep 17 00:00:00 2001 From: Weston Ruter Date: Sat, 10 Dec 2016 06:59:24 +0000 Subject: [PATCH] Customize: Trim whitespace for URLs supplied for `external_header_video` to prevent `esc_url_raw()` from making them invalid. Props tyxla. See #38172. Fixes #39125. git-svn-id: https://develop.svn.wordpress.org/trunk@39560 602fd350-edb4-49c9-b593-d223f7449a82 --- .../class-wp-customize-manager.php | 14 ++++++++++- tests/phpunit/tests/customize/manager.php | 25 +++++++++++++++++++ 2 files changed, 38 insertions(+), 1 deletion(-) diff --git a/src/wp-includes/class-wp-customize-manager.php b/src/wp-includes/class-wp-customize-manager.php index 5b68a76943..4ac25232ff 100644 --- a/src/wp-includes/class-wp-customize-manager.php +++ b/src/wp-includes/class-wp-customize-manager.php @@ -3896,7 +3896,7 @@ final class WP_Customize_Manager { $this->add_setting( 'external_header_video', array( 'theme_supports' => array( 'custom-header', 'video' ), 'transport' => 'postMessage', - 'sanitize_callback' => 'esc_url_raw', + 'sanitize_callback' => array( $this, '_sanitize_external_header_video' ), 'validate_callback' => array( $this, '_validate_external_header_video' ), ) ); @@ -4318,6 +4318,18 @@ final class WP_Customize_Manager { return $validity; } + /** + * Callback for sanitizing the external_header_video value. + * + * @since 4.7.1 + * + * @param string $value URL. + * @return string Sanitized URL. + */ + public function _sanitize_external_header_video( $value ) { + return esc_url_raw( trim( $value ) ); + } + /** * Callback for rendering the custom logo, used in the custom_logo partial. * diff --git a/tests/phpunit/tests/customize/manager.php b/tests/phpunit/tests/customize/manager.php index 39f304f04e..2ead05ea08 100644 --- a/tests/phpunit/tests/customize/manager.php +++ b/tests/phpunit/tests/customize/manager.php 
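Review bot: `_sanitize_external_header_video()` calls `trim( $value )` on an untyped parameter, and a non-string value (the setting value appears to come from client-submitted JSON, as far as I can tell from the surrounding code) makes `trim()` emit a warning and return null on PHP 5/7 and throw a TypeError on PHP 8+, so the sanitizer should reject non-strings before trimming: `if ( ! is_string( $value ) ) { return ''; }` ahead of the existing `return esc_url_raw( trim( $value ) );`. Separately, `trim()`'s default character mask is `" \t\n\r\0\x0B"`, which does not include form feed, so any whitespace outside that set still reaches `esc_url_raw()` and relies on its character filtering; if that is intended, a comment such as `// trim() strips the default whitespace set; anything else is left to esc_url_raw().` would make the division of responsibility explicit. The enclosing class WP_Customize_Manager starts and ends outside the hunk.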
@@ -2580,6 +2580,31 @@ class Tests_WP_Customize_Manager extends WP_UnitTestCase { $result = $this->manager->panels(); $this->assertEquals( $panels_sorted, array_keys( $result ) ); } + + /** + * Verify sanitization of external header video URL will trim the whitespaces in the beginning and end of the URL. + * + * @ticket 39125 + */ + function test_sanitize_external_header_video_trim() { + $this->manager->register_controls(); + $setting = $this->manager->get_setting( 'external_header_video' ); + $video_url = 'https://www.youtube.com/watch?v=KiS8rZBeIO0'; + + $whitespaces = array( + ' ', // space + "\t", // horizontal tab + "\n", // line feed + "\r", // carriage return, + "\f", // form feed, + "\v", // vertical tab + ); + + foreach ( $whitespaces as $whitespace ) { + $sanitized = $setting->sanitize( $whitespace . $video_url . $whitespace ); + $this->assertEquals( $video_url, $sanitized ); + } + } } require_once ABSPATH . WPINC . '/class-wp-customize-setting.php';
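Review bot: The `"\f"` entry in `$whitespaces` passes for a different reason than the test name claims: PHP's `trim()` default mask is `" \t\n\r\0\x0B"` and does not include form feed (0x0C), so that value survives `trim()` and is removed only by the character filtering inside `esc_url_raw()`. Either the sanitizer should pass an explicit mask if form feed is meant to be trimmed, or the docblock should describe what is actually verified, e.g. `* Verify sanitization of the external header video URL strips leading/trailing whitespace (via trim() plus esc_url_raw() filtering).` The trailing commas in the `// carriage return,` and `// form feed,` comments read as typos. The class Tests_WP_Customize_Manager begins outside the hunk.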