Allow usage of angle brackets in a site title or tagline.

The whole string is escaped with `esc_html()` anyway, so we don't need to `wp_kses_post()`. This is a better experience for users who want to use angle brackets in their site title or description. Does not allow any HTML, adds unit tests. props BandonRandon, pauldewouters. fixes #27942. git-svn-id: https://develop.svn.wordpress.org/trunk@35788 602fd350-edb4-49c9-b593-d223f7449a82
2015-12-06 20:28:26 +00:00 · 2015-12-06 20:28:26 +00:00 · 1aa7dda524
parent 800971f2fd
commit 1aa7dda524
2 changed files with 39 additions and 1 deletions
--- a/src/wp-includes/formatting.php
+++ b/src/wp-includes/formatting.php
@ -3706,7 +3706,6 @@ function sanitize_option( $option, $value ) {
 			if ( is_wp_error( $value ) ) {
 				$error = $value->get_error_message();
 			} else {
-				$value = wp_kses_post( $value );
 				$value = esc_html( $value );
 			}
 			break;
--- a/tests/phpunit/tests/formatting/BlogInfo.php
+++ b/tests/phpunit/tests/formatting/BlogInfo.php
@ -31,4 +31,43 @@ class Tests_Formatting_BlogInfo extends WP_UnitTestCase {
 			array( 'pt_PT_ao1990', 'pt-PT-ao1990' ),
 		);
 	}
+
+	/**
+	 * @ticket 27942
+	 */
+	function test_bloginfo_sanitize_option() {
+		$old_values = array(
+			'blogname'        => get_option( 'blogname' ),
+			'blogdescription' => get_option( 'blogdescription' ),
+		);
+
+		$values = array(
+			'foo'                  => 'foo',
+			'<em>foo</em>'         => '&lt;em&gt;foo&lt;/em&gt;',
+			'<script>foo</script>' => '&lt;script&gt;foo&lt;/script&gt;',
+			'&lt;foo&gt;'          => '&lt;foo&gt;',
+			'<foo'                 => '&lt;foo',
+		);
+
+		foreach ( $values as $value => $expected ) {
+			$sanitized_value = sanitize_option( 'blogname', $value );
+			update_option( 'blogname', $sanitized_value );
+
+			$this->assertEquals( $expected, $sanitized_value );
+			$this->assertEquals( $expected, get_bloginfo( 'name' ) );
+			$this->assertEquals( $expected, get_bloginfo( 'name', 'display' ) );
+
+			$sanitized_value = sanitize_option( 'blogdescription', $value );
+			update_option( 'blogdescription', $sanitized_value );
+
+			$this->assertEquals( $expected, $sanitized_value );
+			$this->assertEquals( $expected, get_bloginfo( 'description' ) );
+			$this->assertEquals( $expected, get_bloginfo( 'description', 'display' ) );
+		}
+
+		// Restore old values.
+		foreach ( $old_values as $option_name => $value ) {
+			update_option( $option_name, $value );
+		}
+	}
 }