Customize: Fix previewing and updating of nav menu items containing slashed/slashable characters.

Prevents slashes from being added when a user without `unfiltered_html` previews a nav menu item containing an apostrophe or some other slashable character, and prevents the loss of an intentional slash (e.g. "\o/") when saving a nav menu item, regardless of capability.

Fixes #35869.


git-svn-id: https://develop.svn.wordpress.org/trunk@36608 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Weston Ruter 2016-02-22 00:13:53 +00:00
parent c592a7262e
commit d06329d035
3 changed files with 16 additions and 13 deletions


@ -639,9 +639,9 @@ class WP_Customize_Nav_Menu_Item_Setting extends WP_Customize_Setting {
$menu_item_value['original_title'] = sanitize_text_field( $menu_item_value['original_title'] ); $menu_item_value['original_title'] = sanitize_text_field( $menu_item_value['original_title'] );
// Apply the same filters as when calling wp_insert_post(). // Apply the same filters as when calling wp_insert_post().
$menu_item_value['title'] = apply_filters( 'title_save_pre', $menu_item_value['title'] ); $menu_item_value['title'] = wp_unslash( apply_filters( 'title_save_pre', wp_slash( $menu_item_value['title'] ) ) );
$menu_item_value['attr_title'] = apply_filters( 'excerpt_save_pre', $menu_item_value['attr_title'] ); $menu_item_value['attr_title'] = wp_unslash( apply_filters( 'excerpt_save_pre', wp_slash( $menu_item_value['attr_title'] ) ) );
$menu_item_value['description'] = apply_filters( 'content_save_pre', $menu_item_value['description'] ); $menu_item_value['description'] = wp_unslash( apply_filters( 'content_save_pre', wp_slash( $menu_item_value['description'] ) ) );
$menu_item_value['url'] = esc_url_raw( $menu_item_value['url'] ); $menu_item_value['url'] = esc_url_raw( $menu_item_value['url'] );
if ( 'publish' !== $menu_item_value['status'] ) { if ( 'publish' !== $menu_item_value['status'] ) {
@ -776,7 +776,7 @@ class WP_Customize_Nav_Menu_Item_Setting extends WP_Customize_Setting {
$r = wp_update_nav_menu_item( $r = wp_update_nav_menu_item(
$value['nav_menu_term_id'], $value['nav_menu_term_id'],
$is_placeholder ? 0 : $this->post_id, $is_placeholder ? 0 : $this->post_id,
$menu_item_data wp_slash( $menu_item_data )
); );
if ( is_wp_error( $r ) ) { if ( is_wp_error( $r ) ) {
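Review bot: The `wp_slash()`/`wp_unslash()` wrapping added around the `title_save_pre`, `excerpt_save_pre` and `content_save_pre` calls is correct but non-obvious, and the comment above them still only says the filters match `wp_insert_post()`. The commit message carries the actual reason (the kses filters hooked there are written for slashed data, so unslashed input gains backslashes for users without `unfiltered_html`), and that reasoning belongs next to the code: `// Apply the same filters as when calling wp_insert_post(). These filters expect slashed input (kses strips and re-adds slashes), so slash before and unslash after to neither gain nor lose backslashes.` The second hunk's `wp_slash( $menu_item_data )` handed to `wp_update_nav_menu_item()` deserves the same one-line note, e.g. `// wp_update_nav_menu_item() expects pre-slashed data, as wp_insert_post() does.` The enclosing methods start and end outside these hunks.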


@ -344,6 +344,9 @@ function wp_update_nav_menu_object( $menu_id = 0, $menu_data = array() ) {
/** /**
* Save the properties of a menu item or create a new one. * Save the properties of a menu item or create a new one.
* *
* The menu-item-title, menu-item-description, and menu-item-attr-title are expected
* to be pre-slashed since they are passed directly into <code>wp_insert_post()</code>.
*
* @since 3.0.0 * @since 3.0.0
* *
* @param int $menu_id The ID of the menu. Required. If "0", makes the menu item a draft orphan. * @param int $menu_id The ID of the menu. Required. If "0", makes the menu item a draft orphan.
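Review bot: The new docblock note uses `<code>wp_insert_post()</code>`, whereas inline code in WordPress docblocks is conventionally written with backticks, so `wp_insert_post()` in backticks would match the surrounding documentation. The note also names only the three title/description/attr-title fields as pre-slashed, while the callers in this commit (the Customizer setting and the test) slash the whole `$menu_item_data` array; a sentence saying whether the remaining fields are likewise expected slashed, or merely tolerate it, would save the next caller from guessing. The function body lies outside the hunk.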


@ -450,11 +450,11 @@ class Test_WP_Customize_Nav_Menu_Item_Setting extends WP_UnitTestCase {
'menu_item_parent' => 'asdasd', 'menu_item_parent' => 'asdasd',
'position' => -123, 'position' => -123,
'type' => 'custom<b>', 'type' => 'custom<b>',
'title' => 'Hi<script>unfilteredHtml()</script>', 'title' => '\o/ o\'o Hi<script>unfilteredHtml()</script>',
'url' => 'javascript:alert(1)', 'url' => 'javascript:alert(1)',
'target' => '" onclick="', 'target' => '" onclick="',
'attr_title' => '<b>bolded</b><script>unfilteredHtml()</script>', 'attr_title' => '\o/ o\'o <b>bolded</b><script>unfilteredHtml()</script>',
'description' => '<b>Hello world</b><script>unfilteredHtml()</script>', 'description' => '\o/ o\'o <b>Hello world</b><script>unfilteredHtml()</script>',
'classes' => 'hello " inject="', 'classes' => 'hello " inject="',
'xfn' => 'hello " inject="', 'xfn' => 'hello " inject="',
'status' => 'forbidden', 'status' => 'forbidden',
@ -469,11 +469,11 @@ class Test_WP_Customize_Nav_Menu_Item_Setting extends WP_UnitTestCase {
'menu_item_parent' => 0, 'menu_item_parent' => 0,
'position' => -123, 'position' => -123,
'type' => 'customb', 'type' => 'customb',
'title' => current_user_can( 'unfiltered_html' ) ? 'Hi<script>unfilteredHtml()</script>' : 'HiunfilteredHtml()', 'title' => current_user_can( 'unfiltered_html' ) ? '\o/ o\'o Hi<script>unfilteredHtml()</script>' : '\o/ o\'o HiunfilteredHtml()',
'url' => '', 'url' => '',
'target' => 'onclick', 'target' => 'onclick',
'attr_title' => current_user_can( 'unfiltered_html' ) ? '<b>bolded</b><script>unfilteredHtml()</script>' : '<b>bolded</b>unfilteredHtml()', 'attr_title' => current_user_can( 'unfiltered_html' ) ? '\o/ o\'o <b>bolded</b><script>unfilteredHtml()</script>' : '\o/ o\'o <b>bolded</b>unfilteredHtml()',
'description' => current_user_can( 'unfiltered_html' ) ? '<b>Hello world</b><script>unfilteredHtml()</script>' : '<b>Hello world</b>unfilteredHtml()', 'description' => current_user_can( 'unfiltered_html' ) ? '\o/ o\'o <b>Hello world</b><script>unfilteredHtml()</script>' : '\o/ o\'o <b>Hello world</b>unfilteredHtml()',
'classes' => 'hello inject', 'classes' => 'hello inject',
'xfn' => 'hello inject', 'xfn' => 'hello inject',
'status' => 'draft', 'status' => 'draft',
@ -488,7 +488,7 @@ class Test_WP_Customize_Nav_Menu_Item_Setting extends WP_UnitTestCase {
$this->assertEquals( $value, $sanitized[ $key ], "Expected $key to be sanitized." ); $this->assertEquals( $value, $sanitized[ $key ], "Expected $key to be sanitized." );
} }
$nav_menu_item_id = wp_update_nav_menu_item( $menu_id, 0, array( $nav_menu_item_id = wp_update_nav_menu_item( $menu_id, 0, wp_slash( array(
'menu-item-object-id' => $unsanitized['object_id'], 'menu-item-object-id' => $unsanitized['object_id'],
'menu-item-object' => $unsanitized['object'], 'menu-item-object' => $unsanitized['object'],
'menu-item-parent-id' => $unsanitized['menu_item_parent'], 'menu-item-parent-id' => $unsanitized['menu_item_parent'],
@ -502,7 +502,7 @@ class Test_WP_Customize_Nav_Menu_Item_Setting extends WP_UnitTestCase {
'menu-item-classes' => $unsanitized['classes'], 'menu-item-classes' => $unsanitized['classes'],
'menu-item-xfn' => $unsanitized['xfn'], 'menu-item-xfn' => $unsanitized['xfn'],
'menu-item-status' => $unsanitized['status'], 'menu-item-status' => $unsanitized['status'],
) ); ) ) );
$post = get_post( $nav_menu_item_id ); $post = get_post( $nav_menu_item_id );
$nav_menu_item = wp_setup_nav_menu_item( clone $post ); $nav_menu_item = wp_setup_nav_menu_item( clone $post );
@ -549,7 +549,7 @@ class Test_WP_Customize_Nav_Menu_Item_Setting extends WP_UnitTestCase {
'type' => 'post_type', 'type' => 'post_type',
'object' => 'post', 'object' => 'post',
'object_id' => $second_post_id, 'object_id' => $second_post_id,
'title' => 'Saludos', 'title' => 'Saludos \o/ o\'o',
'status' => 'publish', 'status' => 'publish',
'nav_menu_term_id' => $secondary_menu_id, 'nav_menu_term_id' => $secondary_menu_id,
); );
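Review bot: The literal `'\o/ o\'o '` is now repeated in six places across the unsanitized input, the expected sanitized output and the second fixture, with nothing saying what it exercises; in a single-quoted PHP string `\o` is kept verbatim while `\'` becomes a plain apostrophe, which is easy to misread when comparing expected against actual. Hoisting it into one local such as `$slashable = '\o/ o\'o '; // backslash plus apostrophe: exercises wp_slash()/wp_unslash() round-tripping` and concatenating it in each place keeps input and expectation in sync and documents the intent. The test method starts before and ends after these hunks.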