Update wp.a11y.speak() to sanitize HTML before display.
Props iandunn, adamsilverstein, sstoqnov, peterwilsoncc git-svn-id: https://develop.svn.wordpress.org/trunk@45979 602fd350-edb4-49c9-b593-d223f7449a82
parent
8552a9af15
commit
c957e2573e
@ -795,7 +795,9 @@ jQuery(document).ready( function($) {
|
||||
}
|
||||
|
||||
// Update "Status:" to currently selected status.
|
||||
$('#post-status-display').html($('option:selected', postStatus).text());
|
||||
$('#post-status-display').text(
|
||||
wp.sanitize.stripTagsAndEncodeText( $('option:selected', postStatus).text() ) // Remove any potential tags from post status text.
|
||||
);
|
||||
|
||||
// Show or hide the "Save Draft" button.
|
||||
if ( $('option:selected', postStatus).val() == 'private' || $('option:selected', postStatus).val() == 'publish' ) {
|
||||
|
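Review bot: The tag stripping wrapped around `$('option:selected', postStatus).text()` is defence in depth rather than the fix itself: jQuery's `.text()` assigns text content, so whatever it receives is never parsed as markup, and the `.html()` → `.text()` switch alone closes the injection. The trailing comment should say so, otherwise the next reader assumes `.text()` needs the help, e.g. `// .text() never interprets markup; stripping is belt-and-braces in case this label is ever reused in an HTML sink.`. The same `$('option:selected', postStatus)` lookup is now performed three times across these lines (twice more in the `if` below); hoisting it once as `var $selected = $('option:selected', postStatus);` and using `$selected.text()` / `$selected.val()` would read better. The enclosing `ready` handler starts before this hunk.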
@ -27,8 +27,8 @@ window.wp = window.wp || {};
|
||||
// Clear previous messages to allow repeated strings being read out.
|
||||
clear();
|
||||
|
||||
// Ensure only text is sent to screen readers.
|
||||
message = $( '<p>' ).html( message ).text();
|
||||
// Remove HTML tags, ensuring only text is sent to screen readers.
|
||||
message = wp.sanitize.stripTagsAndEncodeText( message );
|
||||
|
||||
/*
|
||||
* Safari 10+VoiceOver don't announce repeated, identical strings. We use
|
||||
|
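Review bot: The new line `message = wp.sanitize.stripTagsAndEncodeText( message );` changes what screen readers hear for entity-encoded input: the removed `$( '<p>' ).html( message ).text()` decoded `&amp;`, `&hellip;` and similar, whereas `stripTagsAndEncodeText` — as altered in this same commit to use `textarea.textContent` — performs no entity decoding, so a message like `Saved &amp; published` is now announced with the literal entity. If any caller passes escaped strings, that is an accessibility regression that should be either handled or documented; at minimum the comment should read `// Remove HTML tags; entities are NOT decoded, so callers must pass plain text rather than escaped HTML.`. Note also that this line throws a ReferenceError if `wp.sanitize` is not loaded — the script-loader change adds the dependency, but anyone including wp-a11y.js by hand now needs wp-sanitize.js first. `speak()` continues outside this hunk.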
@ -3456,7 +3456,7 @@
|
||||
*/
|
||||
function displayNavMenuName( name ) {
|
||||
name = name || '';
|
||||
name = $( '<div>' ).text( name ).html(); // Emulate esc_html() which is used in wp-admin/nav-menus.php.
|
||||
name = wp.sanitize.stripTagsAndEncodeText( name ); // Remove any potential tags from name.
|
||||
name = $.trim( name );
|
||||
return name || api.Menus.data.l10n.unnamed;
|
||||
}
|
||||
|
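Review bot: The new line `name = wp.sanitize.stripTagsAndEncodeText( name );` drops the HTML escaping the removed line provided, so `displayNavMenuName()` now returns a tag-stripped but unescaped string: `A & "B"` comes back unchanged instead of as `A &amp; &quot;B&quot;`. That is not an injection risk on its own (no `<` survives `stripTags`), but a caller that inserts the return value with `.html()` and relied on the former esc_html emulation now renders raw ampersands and quotes, and the docblock that ends just above this hunk presumably still describes the escaping. Suggest updating it along the lines of `* @return {string} Menu name with HTML tags removed (not HTML-escaped — use .text() or escape before inserting as markup), or the 'unnamed' l10n fallback.`.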
@ -23,10 +23,20 @@
|
||||
stripTags: function( text ) {
|
||||
text = text || '';
|
||||
|
||||
return text
|
||||
.replace( /<!--[\s\S]*?(-->|$)/g, '' )
|
||||
.replace( /<(script|style)[^>]*>[\s\S]*?(<\/\1>|$)/ig, '' )
|
||||
.replace( /<\/?[a-z][\s\S]*?(>|$)/ig, '' );
|
||||
// Do the replacement.
|
||||
var _text = text
|
||||
.replace( /<!--[\s\S]*?(-->|$)/g, '' )
|
||||
.replace( /<(script|style)[^>]*>[\s\S]*?(<\/\1>|$)/ig, '' )
|
||||
.replace( /<\/?[a-z][\s\S]*?(>|$)/ig, '' );
|
||||
|
||||
// If the initial text is not equal to the modified text,
|
||||
// do the search-replace again, until there is nothing to be replaced.
|
||||
if ( _text !== text ) {
|
||||
return wp.sanitize.stripTags( _text );
|
||||
}
|
||||
|
||||
// Return the text with stripped tags.
|
||||
return _text;
|
||||
},
|
||||
|
||||
/**
|
||||
@ -41,7 +51,7 @@
|
||||
textarea = document.createElement( 'textarea' );
|
||||
|
||||
try {
|
||||
textarea.innerHTML = _text;
|
||||
textarea.textContent = _text;
|
||||
_text = wp.sanitize.stripTags( textarea.value );
|
||||
} catch ( er ) {}
|
||||
|
||||
|
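Review bot: `return wp.sanitize.stripTags( _text );` recurses once per pass, and a pass removes only the innermost complete tag when angle brackets are nested (the `[a-z]` after `<` skips the outer brackets), so an input such as `'<'.repeat( n ) + 'a>'.repeat( n )` needs n passes and therefore n stack frames; for a large n this surfaces as `RangeError: Maximum call stack size exceeded` from inside `wp.a11y.speak()` or `displayNavMenuName()` instead of a stripped string. A `do … while` loop reaches the same fixed point with constant stack. Separately, in the second hunk of this file `textarea.textContent = _text;` followed by reading `textarea.value` no longer decodes anything, since textContent is not parsed, so that round trip and the second `stripTags` call are effectively no-ops apart from newline normalization and the "EncodeText" part of the name no longer describes the behaviour — worth a comment or a simplification in a follow-up.

```javascript
stripTags: function( text ) {
	var _text = text || '',
		previous;

	// Repeat until a pass removes nothing: stripping can expose new tags
	// (e.g. `<<a>b>`), and a loop avoids one stack frame per pass.
	do {
		previous = _text;
		_text = previous
			.replace( /<!--[\s\S]*?(-->|$)/g, '' )
			.replace( /<(script|style)[^>]*>[\s\S]*?(<\/\1>|$)/ig, '' )
			.replace( /<\/?[a-z][\s\S]*?(>|$)/ig, '' );
	} while ( _text !== previous );

	// Return the text with stripped tags.
	return _text;
},
```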
@ -262,7 +262,8 @@
|
||||
|
||||
if ( 'undefined' !== typeof response.debug && window.console && window.console.log ) {
|
||||
_.map( response.debug, function( message ) {
|
||||
window.console.log( $( '<p />' ).html( message ).text() );
|
||||
// Remove all HTML tags and write a message to the console.
|
||||
window.console.log( wp.sanitize.stripTagsAndEncodeText( message ) );
|
||||
} );
|
||||
}
|
||||
};
|
||||
|
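Review bot: `console.log` is not an HTML sink, so `wp.sanitize.stripTagsAndEncodeText( message )` on the new line only tidies the output; the hazard actually removed was `$( '<p />' ).html( message )`, which ran server-supplied `response.debug` markup through the DOM parser. Two small points on the new line: `stripTags` does `text || ''` and then calls `.replace`, so a non-string debug entry (a number or object) would now throw a TypeError where jQuery's `.html()` coerced it — if `response.debug` entries are not guaranteed to be strings, wrap with `String( message )`; and `_.map` is used purely for its side effect, where `_.each` states the intent: `_.each( response.debug, function( message ) { window.console.log( wp.sanitize.stripTagsAndEncodeText( String( message ) ) ); } );`. The enclosing callback starts before this hunk.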
@ -880,7 +880,9 @@ function wp_default_scripts( &$scripts ) {
|
||||
)
|
||||
);
|
||||
|
||||
$scripts->add( 'wp-a11y', "/wp-includes/js/wp-a11y$suffix.js", array( 'jquery' ), false, 1 );
|
||||
$scripts->add( 'wp-sanitize', "/wp-includes/js/wp-sanitize$suffix.js", array(), false, 1 );
|
||||
|
||||
$scripts->add( 'wp-a11y', "/wp-includes/js/wp-a11y$suffix.js", array( 'jquery', 'wp-sanitize' ), false, 1 );
|
||||
|
||||
$scripts->add( 'sack', "/wp-includes/js/tw-sack$suffix.js", array(), '1.6.1', 1 );
|
||||
|
||||
@ -1487,7 +1489,7 @@ function wp_default_scripts( &$scripts ) {
|
||||
$scripts->add( 'customize-widgets', "/wp-admin/js/customize-widgets$suffix.js", array( 'jquery', 'jquery-ui-sortable', 'jquery-ui-droppable', 'wp-backbone', 'customize-controls' ), false, 1 );
|
||||
$scripts->add( 'customize-preview-widgets', "/wp-includes/js/customize-preview-widgets$suffix.js", array( 'jquery', 'wp-util', 'customize-preview', 'customize-selective-refresh' ), false, 1 );
|
||||
|
||||
$scripts->add( 'customize-nav-menus', "/wp-admin/js/customize-nav-menus$suffix.js", array( 'jquery', 'wp-backbone', 'customize-controls', 'accordion', 'nav-menu' ), false, 1 );
|
||||
$scripts->add( 'customize-nav-menus', "/wp-admin/js/customize-nav-menus$suffix.js", array( 'jquery', 'wp-backbone', 'customize-controls', 'accordion', 'nav-menu', 'wp-sanitize' ), false, 1 );
|
||||
$scripts->add( 'customize-preview-nav-menus', "/wp-includes/js/customize-preview-nav-menus$suffix.js", array( 'jquery', 'wp-util', 'customize-preview', 'customize-selective-refresh' ), false, 1 );
|
||||
|
||||
$scripts->add( 'wp-custom-header', "/wp-includes/js/wp-custom-header$suffix.js", array( 'wp-a11y' ), false, 1 );
|
||||
@ -1572,7 +1574,7 @@ function wp_default_scripts( &$scripts ) {
|
||||
)
|
||||
);
|
||||
|
||||
$scripts->add( 'post', "/wp-admin/js/post$suffix.js", array( 'suggest', 'wp-lists', 'postbox', 'tags-box', 'underscore', 'word-count', 'wp-a11y' ), false, 1 );
|
||||
$scripts->add( 'post', "/wp-admin/js/post$suffix.js", array( 'suggest', 'wp-lists', 'postbox', 'tags-box', 'underscore', 'word-count', 'wp-a11y', 'wp-sanitize' ), false, 1 );
|
||||
did_action( 'init' ) && $scripts->localize(
|
||||
'post',
|
||||
'postL10n',
|
||||
@ -1700,7 +1702,7 @@ function wp_default_scripts( &$scripts ) {
|
||||
)
|
||||
);
|
||||
|
||||
$scripts->add( 'updates', "/wp-admin/js/updates$suffix.js", array( 'jquery', 'wp-util', 'wp-a11y' ), false, 1 );
|
||||
$scripts->add( 'updates', "/wp-admin/js/updates$suffix.js", array( 'jquery', 'wp-util', 'wp-a11y', 'wp-sanitize' ), false, 1 );
|
||||
did_action( 'init' ) && $scripts->localize(
|
||||
'updates',
|
||||
'_wpUpdatesSettings',
|
||||
|
@ -692,7 +692,7 @@ JS;
|
||||
$wp_scripts->do_concat = true;
|
||||
|
||||
$ver = get_bloginfo( 'version' );
|
||||
$expected = "<script type='text/javascript' src='/wp-admin/load-scripts.php?c=0&load%5Bchunk_0%5D=jquery-core,jquery-migrate,wp-a11y&ver={$ver}'></script>\n";
|
||||
$expected = "<script type='text/javascript' src='/wp-admin/load-scripts.php?c=0&load%5Bchunk_0%5D=jquery-core,jquery-migrate,wp-sanitize,wp-a11y&ver={$ver}'></script>\n";
|
||||
$expected .= "<script type='text/javascript'>\nconsole.log(\"before\");\n</script>\n";
|
||||
$expected .= "<script type='text/javascript' src='http://example.com'></script>\n";
|
||||
$expected .= "<script type='text/javascript' src='http://example2.com'></script>\n";
|
||||
|
@ -76,6 +76,7 @@
|
||||
<script src="../../build/wp-includes/js/customize-base.js"></script>
|
||||
<script src="../../build/wp-includes/js/customize-models.js"></script>
|
||||
<script src="../../build/wp-includes/js/shortcode.js"></script>
|
||||
+ <script src="../../build/wp-includes/js/wp-sanitize.js"></script>
|
||||
<script src="../../build/wp-admin/js/customize-controls.js"></script>
|
||||
<script src="../../build/wp-includes/js/api-request.js"></script>
|
||||
<script src="../../build/wp-includes/js/wp-api.js"></script>
|
||||
|