From f447d2f5bfbc13264292e861c093b35b9e2a9a35 Mon Sep 17 00:00:00 2001
From: Andrew Ozz
Date: Wed, 21 Oct 2015 20:37:54 +0000
Subject: [PATCH] TinyMCE: - Sanitize and render HTML in captions when showing a gallery preview (wpView). - Encode/escape HTML entered in the text field in the wpLink dialog. Props iseulde, kraftbj, jnylen0, shawarkhan. Fixes #32616. git-svn-id: https://develop.svn.wordpress.org/trunk@35341 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/js/mce-view.js | 22 +++++++++++++++++++++-
 src/wp-includes/js/wplink.js | 2 +-
 src/wp-includes/media-template.php | 2 +-
 3 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/src/wp-includes/js/mce-view.js b/src/wp-includes/js/mce-view.js
index 5e21b4f5ca..b532cb97a5 100644
--- a/src/wp-includes/js/mce-view.js
+++ b/src/wp-includes/js/mce-view.js
@@ -732,7 +732,26 @@
 * and a view for embeddable URLs.
 */
 ( function( window, views, media, $ ) {
- var base, gallery, av, embed;
+ var base, gallery, av, embed,
+ schema, parser, serializer;
+
+ function verifyHTML( string ) {
+ var settings = {};
+
+ if ( ! window.tinymce ) {
+ return string.replace( /<[^>]+>/g, '' );
+ }
+
+ if ( ! string || ( string.indexOf( '<' ) === -1 && string.indexOf( '>' ) === -1 ) ) {
+ return string;
+ }
+
+ schema = schema || new window.tinymce.html.Schema( settings );
+ parser = parser || new window.tinymce.html.DomParser( settings, schema );
+ serializer = serializer || new window.tinymce.html.Serializer( settings, schema );
+
+ return serializer.serialize( parser.parse( string, { forced_root_block: false } ) );
+ }
 base = {
 state: [],
@@ -783,6 +802,7 @@
 } );
 self.render( self.template( {
+ verifyHTML: verifyHTML,
 attachments: attachments,
 columns: attrs.columns ? parseInt( attrs.columns, 10 ) : media.galleryDefaults.columns
 } ) );
diff --git a/src/wp-includes/js/wplink.js b/src/wp-includes/js/wplink.js
index 5b69c88d30..f34a9bea09 100644
--- a/src/wp-includes/js/wplink.js
+++ b/src/wp-includes/js/wplink.js
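Review bot: verifyHTML dereferences `string` before checking it: in the `! window.tinymce` branch a null or undefined caption throws on `.replace`, so the emptiness guard belongs first, e.g. `if ( ! string ) { return string; }` ahead of the tinymce check, with the `<`/`>` shortcut kept after it. Also, `settings` is an empty object, so the DomParser/Serializer round-trip validates only against TinyMCE's default schema; as far as I recall the default 'html5' schema still admits `script` elements and `on*` event attributes, in which case this normalizes rather than sanitizes and the preview still depends on the server-side kses filtering of the caption — if client-side sanitization is the goal, pass `invalid_elements`/`valid_elements` (or reuse the active editor's schema) instead of `{}`. A one-line comment stating which of the two is intended would help, e.g. `// Normalizes caption markup through TinyMCE's parser; not a substitute for server-side kses.` The enclosing IIFE opens in this hunk but runs well past it.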
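Review bot: `verifyHTML` is handed to the template data here, but the media-template.php hunk that consumes it is not legible in this patch view, so I cannot confirm the caption is emitted only through an unescaped `{{{ data.verifyHTML( ... ) }}}` and nowhere else; a comment at this line would pin that contract, e.g. `// Captions may carry markup; the template must route them through verifyHTML() before any unescaped output.` The surrounding render function starts before the hunk and ends after it.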
@@ -382,7 +382,7 @@ var wpLink;
 editor.dom.setAttribs( link, attrs );
 } else {
 if ( text ) {
- editor.selection.setNode( editor.dom.create( 'a', attrs, text ) );
+ editor.selection.setNode( editor.dom.create( 'a', attrs, editor.dom.encode( text ) ) );
 } else {
 editor.execCommand( 'mceInsertLink', false, attrs );
 }
diff --git a/src/wp-includes/media-template.php b/src/wp-includes/media-template.php
index ae39d57dfa..c195d7419f 100644
--- a/src/wp-includes/media-template.php
+++ b/src/wp-includes/media-template.php
@@ -1216,7 +1216,7 @@ function wp_print_media_templates() {
 <# if ( attachment.caption ) { #>
 <# } #>
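Review bot: The fix relies on `editor.dom.create()` treating its third argument as innerHTML, which is not obvious at the call site and invites someone to drop the `encode()` later as redundant; add `// dom.create() inserts the third argument as HTML, so user-entered link text must be entity-encoded.` above the `setNode` line. Whether `attrs.href` is validated against `javascript:` and similar schemes is decided outside this hunk, so I cannot confirm it here. The enclosing wpLink update function starts and ends outside the hunk.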