sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Theme Customizer: Improve accuracy of identifying internal urls. see #20507, #19910.

Browse Source 
The 'customize_preview_link' filter has been replaced by 'customize_allowed_urls'.
Improved accuracy when checking for wp-admin.
Improved accuracy when attempting to match the schemes of the control and preview frames.
Improved accuracy of internal link whitelist.


git-svn-id: https://develop.svn.wordpress.org/trunk@20882 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Daryl Koopersmith 2012-05-24 19:17:49 +00:00
parent 7b01e30d39
commit b0a9ad5216
2 changed files with 52 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
wp-admin/customize.php
View File

@ -101,15 +101,17 @@ do_action( 'customize_controls_print_scripts' );
// preview over ssl if the customizer is being loaded over ssl. This avoids // preview over ssl if the customizer is being loaded over ssl. This avoids
// insecure content warnings. This is not attempted if the admin and frontend // insecure content warnings. This is not attempted if the admin and frontend
// are on different domains to avoid the case where the frontend doesn't have // are on different domains to avoid the case where the frontend doesn't have
// ssl certs. Domain mapping plugins can force ssl in these conditions using // ssl certs. Domain mapping plugins can allow other urls in these conditions
// the customize_preview_link filter. // using the customize_allowed_urls filter.
$admin_origin = parse_url( admin_url() );
$home_origin = parse_url( home_url() );
$scheme = null;
if ( is_ssl() && ( $admin_origin[ 'host' ] == $home_origin[ 'host' ] ) )
$scheme = 'https';
$preview_url = apply_filters( 'customize_preview_link', home_url( '/', $scheme ) ); $allowed_urls = array( home_url('/') );
$admin_origin = parse_url( admin_url() );
$home_origin = parse_url( home_url() );
if ( is_ssl() && ( $admin_origin[ 'host' ] == $home_origin[ 'host' ] ) )
$allowed_urls[] = home_url( '/', 'https' );
$allowed_urls = array_unique( apply_filters( 'customize_allowed_urls', $allowed_urls ) );
$settings = array( $settings = array(
'theme' => array( 'theme' => array(
@ -117,9 +119,10 @@ do_action( 'customize_controls_print_scripts' );
'active' => $wp_customize->is_theme_active(), 'active' => $wp_customize->is_theme_active(),
), ),
'url' => array( 'url' => array(
'preview' => esc_url( $preview_url ), 'preview' => esc_url( home_url( '/' ) ),
'parent' => esc_url( admin_url() ), 'parent' => esc_url( admin_url() ),
'ajax' => esc_url( admin_url( 'admin-ajax.php', 'relative' ) ), 'ajax' => esc_url( admin_url( 'admin-ajax.php', 'relative' ) ),
'allowed' => array_map( 'esc_url', $allowed_urls ),
), ),
'settings' => array(), 'settings' => array(),
'controls' => array(), 'controls' => array(),

48
wp-includes/js/customize-controls.dev.js
View File

@ -272,7 +272,8 @@
* - url - the URL of preview frame * - url - the URL of preview frame
*/ */
initialize: function( params, options ) { initialize: function( params, options ) {
var self = this; var self = this,
rscheme = /^https?/;
$.extend( this, options || {} ); $.extend( this, options || {} );
@ -314,7 +315,8 @@
}; };
})( this ); })( this );
this.container = api.ensure( params.container ); this.container = api.ensure( params.container );
this.allowedUrls = params.allowedUrls;
api.Messenger.prototype.initialize.call( this, params.url ); api.Messenger.prototype.initialize.call( this, params.url );
@ -322,13 +324,42 @@
// to the current window's location, not the url's. // to the current window's location, not the url's.
this.origin.unlink( this.url ).set( window.location.href ); this.origin.unlink( this.url ).set( window.location.href );
this.add( 'scheme', this.origin() ).link( this.origin ).setter( function( to ) {
var match = to.match( rscheme );
return match ? match[0] : '';
});
// Limit the URL to internal, front-end links. // Limit the URL to internal, front-end links.
//
// If the frontend and the admin are served from the same domain, load the
// preview over ssl if the customizer is being loaded over ssl. This avoids
// insecure content warnings. This is not attempted if the admin and frontend
// are on different domains to avoid the case where the frontend doesn't have
// ssl certs.
this.url.setter( function( to ) { this.url.setter( function( to ) {
// Bail if we're navigating to a different origin or wp-admin. var result;
if ( 0 !== to.indexOf( self.origin() + '/' ) || -1 !== to.indexOf( 'wp-admin' ) )
// Check for URLs that include "/wp-admin/" or end in "/wp-admin".
// Strip hashes and query strings before testing.
if ( /\/wp-admin(\/|$)/.test( to.replace(/[#?].*$/, '') ) )
return null; return null;
return to; // Attempt to match the URL to the control frame's scheme
// and check if it's allowed. If not, try the original URL.
$.each([ to.replace( rscheme, self.scheme() ), to ], function( i, url ) {
$.each( self.allowedUrls, function( i, allowed ) {
if ( 0 === url.indexOf( allowed ) ) {
result = url;
return false;
}
});
if ( result )
return false;
});
// If we found a matching result, return it. If not, bail.
return result ? result : null;
}); });
// Refresh the preview when the URL is changed. // Refresh the preview when the URL is changed.
@ -422,9 +453,10 @@
}); });
previewer = new api.Previewer({ previewer = new api.Previewer({
container: '#customize-preview', container: '#customize-preview',
form: '#customize-controls', form: '#customize-controls',
url: api.settings.url.preview url: api.settings.url.preview,
allowedUrls: api.settings.url.allowed
}, { }, {
query: function() { query: function() {
return { return {