sergiotarxz/Wordpress
sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update wp.a11y.speak() to sanitize HTML before display.

Browse Source 
Props iandunn, adamsilverstein, sstoqnov, peterwilsoncc


git-svn-id: https://develop.svn.wordpress.org/trunk@45979 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Jake Spurlock 2019-09-04 17:11:22 +00:00
parent 8552a9af15
commit c957e2573e
8 changed files with 31 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/js/_enqueues/admin/post.js
View File

@ -795,7 +795,9 @@ jQuery(document).ready( function($) {
}
// Update "Status:" to currently selected status.
$('#post-status-display').html($('option:selected', postStatus).text());
$('#post-status-display').text(
wp.sanitize.stripTagsAndEncodeText( $('option:selected', postStatus).text() ) // Remove any potential tags from post status text.
);
// Show or hide the "Save Draft" button.
if ( $('option:selected', postStatus).val() == 'private' || $('option:selected', postStatus).val() == 'publish' ) {

4
src/js/_enqueues/wp/a11y.js
View File

@ -27,8 +27,8 @@ window.wp = window.wp || {};
// Clear previous messages to allow repeated strings being read out.
clear();
// Ensure only text is sent to screen readers.
message = $( '<p>' ).html( message ).text();
// Remove HTML tags, ensuring only text is sent to screen readers.
message = wp.sanitize.stripTagsAndEncodeText( message );
/*
* Safari 10+VoiceOver don't announce repeated, identical strings. We use

2
src/js/_enqueues/wp/customize/nav-menus.js
View File

@ -3456,7 +3456,7 @@
*/
function displayNavMenuName( name ) {
name = name || '';
name = $( '<div>' ).text( name ).html(); // Emulate esc_html() which is used in wp-admin/nav-menus.php.
name = wp.sanitize.stripTagsAndEncodeText( name ); // Remove any potential tags from name.
name = $.trim( name );
return name || api.Menus.data.l10n.unnamed;
}

20
src/js/_enqueues/wp/sanitize.js
View File

@ -23,10 +23,20 @@
stripTags: function( text ) {
text = text || '';
return text
.replace( /<!--[\s\S]*?(-->|$)/g, '' )
.replace( /<(script|style)[^>]*>[\s\S]*?(<\/\1>|$)/ig, '' )
.replace( /<\/?[a-z][\s\S]*?(>|$)/ig, '' );
// Do the replacement.
var _text = text
.replace( /<!--[\s\S]*?(-->|$)/g, '' )
.replace( /<(script|style)[^>]*>[\s\S]*?(<\/\1>|$)/ig, '' )
.replace( /<\/?[a-z][\s\S]*?(>|$)/ig, '' );
// If the initial text is not equal to the modified text,
// do the search-replace again, until there is nothing to be replaced.
if ( _text !== text ) {
return wp.sanitize.stripTags( _text );
}
// Return the text with stripped tags.
return _text;
},
/**
@ -41,7 +51,7 @@
textarea = document.createElement( 'textarea' );
try {
textarea.innerHTML = _text;
textarea.textContent = _text;
_text = wp.sanitize.stripTags( textarea.value );
} catch ( er ) {}

3
src/js/_enqueues/wp/updates.js
View File

@ -262,7 +262,8 @@
if ( 'undefined' !== typeof response.debug && window.console && window.console.log ) {
_.map( response.debug, function( message ) {
window.console.log( $( '<p />' ).html( message ).text() );
// Remove all HTML tags and write a message to the console.
window.console.log( wp.sanitize.stripTagsAndEncodeText( message ) );
} );
}
};

10
src/wp-includes/script-loader.php
View File

@ -880,7 +880,9 @@ function wp_default_scripts( &$scripts ) {
)
);
$scripts->add( 'wp-a11y', "/wp-includes/js/wp-a11y$suffix.js", array( 'jquery' ), false, 1 );
$scripts->add( 'wp-sanitize', "/wp-includes/js/wp-sanitize$suffix.js", array(), false, 1 );
$scripts->add( 'wp-a11y', "/wp-includes/js/wp-a11y$suffix.js", array( 'jquery', 'wp-sanitize' ), false, 1 );
$scripts->add( 'sack', "/wp-includes/js/tw-sack$suffix.js", array(), '1.6.1', 1 );
@ -1487,7 +1489,7 @@ function wp_default_scripts( &$scripts ) {
$scripts->add( 'customize-widgets', "/wp-admin/js/customize-widgets$suffix.js", array( 'jquery', 'jquery-ui-sortable', 'jquery-ui-droppable', 'wp-backbone', 'customize-controls' ), false, 1 );
$scripts->add( 'customize-preview-widgets', "/wp-includes/js/customize-preview-widgets$suffix.js", array( 'jquery', 'wp-util', 'customize-preview', 'customize-selective-refresh' ), false, 1 );
$scripts->add( 'customize-nav-menus', "/wp-admin/js/customize-nav-menus$suffix.js", array( 'jquery', 'wp-backbone', 'customize-controls', 'accordion', 'nav-menu' ), false, 1 );
$scripts->add( 'customize-nav-menus', "/wp-admin/js/customize-nav-menus$suffix.js", array( 'jquery', 'wp-backbone', 'customize-controls', 'accordion', 'nav-menu', 'wp-sanitize' ), false, 1 );
$scripts->add( 'customize-preview-nav-menus', "/wp-includes/js/customize-preview-nav-menus$suffix.js", array( 'jquery', 'wp-util', 'customize-preview', 'customize-selective-refresh' ), false, 1 );
$scripts->add( 'wp-custom-header', "/wp-includes/js/wp-custom-header$suffix.js", array( 'wp-a11y' ), false, 1 );
@ -1572,7 +1574,7 @@ function wp_default_scripts( &$scripts ) {
)
);
$scripts->add( 'post', "/wp-admin/js/post$suffix.js", array( 'suggest', 'wp-lists', 'postbox', 'tags-box', 'underscore', 'word-count', 'wp-a11y' ), false, 1 );
$scripts->add( 'post', "/wp-admin/js/post$suffix.js", array( 'suggest', 'wp-lists', 'postbox', 'tags-box', 'underscore', 'word-count', 'wp-a11y', 'wp-sanitize' ), false, 1 );
did_action( 'init' ) && $scripts->localize(
'post',
'postL10n',
@ -1700,7 +1702,7 @@ function wp_default_scripts( &$scripts ) {
)
);
$scripts->add( 'updates', "/wp-admin/js/updates$suffix.js", array( 'jquery', 'wp-util', 'wp-a11y' ), false, 1 );
$scripts->add( 'updates', "/wp-admin/js/updates$suffix.js", array( 'jquery', 'wp-util', 'wp-a11y', 'wp-sanitize' ), false, 1 );
did_action( 'init' ) && $scripts->localize(
'updates',
'_wpUpdatesSettings',

2
tests/phpunit/tests/dependencies/scripts.php
View File

@ -692,7 +692,7 @@ JS;
$wp_scripts->do_concat = true;
$ver = get_bloginfo( 'version' );
$expected = "<script type='text/javascript' src='/wp-admin/load-scripts.php?c=0&amp;load%5Bchunk_0%5D=jquery-core,jquery-migrate,wp-a11y&amp;ver={$ver}'></script>\n";
$expected = "<script type='text/javascript' src='/wp-admin/load-scripts.php?c=0&amp;load%5Bchunk_0%5D=jquery-core,jquery-migrate,wp-sanitize,wp-a11y&amp;ver={$ver}'></script>\n";
$expected .= "<script type='text/javascript'>\nconsole.log(\"before\");\n</script>\n";
$expected .= "<script type='text/javascript' src='http://example.com'></script>\n";
$expected .= "<script type='text/javascript' src='http://example2.com'></script>\n";

1
tests/qunit/index.html
View File

@ -76,6 +76,7 @@
<script src="../../build/wp-includes/js/customize-base.js"></script>
<script src="../../build/wp-includes/js/customize-models.js"></script>
<script src="../../build/wp-includes/js/shortcode.js"></script>
+ <script src="../../build/wp-includes/js/wp-sanitize.js"></script>
<script src="../../build/wp-admin/js/customize-controls.js"></script>
<script src="../../build/wp-includes/js/api-request.js"></script>
<script src="../../build/wp-includes/js/wp-api.js"></script>