- Sanitize and render HTML in captions when showing a gallery preview (wpView).
- Encode/escape HTML entered in the text field in the wpLink dialog.

Props iseulde, kraftbj, jnylen0, shawarkhan.
Fixes #32616.

git-svn-id: https://develop.svn.wordpress.org/trunk@35341 602fd350-edb4-49c9-b593-d223f7449a82
Andrew Ozz 2015-10-21 20:37:54 +00:00
parent 9e865f51a8
commit f447d2f5bf
3 changed files with 23 additions and 3 deletions


@ -732,7 +732,26 @@
* and a view for embeddable URLs. * and a view for embeddable URLs.
*/ */
( function( window, views, media, $ ) { ( function( window, views, media, $ ) {
var base, gallery, av, embed; var base, gallery, av, embed,
schema, parser, serializer;
function verifyHTML( string ) {
var settings = {};
if ( ! window.tinymce ) {
return string.replace( /<[^>]+>/g, '' );
}
if ( ! string || ( string.indexOf( '<' ) === -1 && string.indexOf( '>' ) === -1 ) ) {
return string;
}
schema = schema || new window.tinymce.html.Schema( settings );
parser = parser || new window.tinymce.html.DomParser( settings, schema );
serializer = serializer || new window.tinymce.html.Serializer( settings, schema );
return serializer.serialize( parser.parse( string, { forced_root_block: false } ) );
}
base = { base = {
state: [], state: [],
@ -783,6 +802,7 @@
} ); } );
self.render( self.template( { self.render( self.template( {
verifyHTML: verifyHTML,
attachments: attachments, attachments: attachments,
columns: attrs.columns ? parseInt( attrs.columns, 10 ) : media.galleryDefaults.columns columns: attrs.columns ? parseInt( attrs.columns, 10 ) : media.galleryDefaults.columns
} ) ); } ) );
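Review bot: The no-TinyMCE fallback `return string.replace( /<[^>]+>/g, '' );` only removes complete `<...>` sequences, yet its return value is emitted unescaped by the gallery template in the third file, so a `<` or `>` that is not part of a closed tag reaches the DOM raw. Since that branch exists to degrade safely, it should escape what it does not strip, e.g. `return string.replace( /<[^>]+>/g, '' ).replace( /</g, '&lt;' ).replace( />/g, '&gt;' );`. In the TinyMCE path the allowed elements and attributes are whatever the default `Schema` built from the empty `settings` object permits, and nothing in the hunk states the intended allow-list; a comment above `var settings = {};` such as `// Default TinyMCE schema: only what the editor itself would accept survives serialization.` makes that dependency explicit, or pass `valid_elements`/`invalid_elements` if a narrower set is intended. The enclosing IIFE starts and ends outside the hunk.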


@ -382,7 +382,7 @@ var wpLink;
editor.dom.setAttribs( link, attrs ); editor.dom.setAttribs( link, attrs );
} else { } else {
if ( text ) { if ( text ) {
editor.selection.setNode( editor.dom.create( 'a', attrs, text ) ); editor.selection.setNode( editor.dom.create( 'a', attrs, editor.dom.encode( text ) ) );
} else { } else {
editor.execCommand( 'mceInsertLink', false, attrs ); editor.execCommand( 'mceInsertLink', false, attrs );
} }
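Review bot: The new `editor.dom.encode( text )` argument needs a comment, because the reason it is required is not visible at the call site: the third parameter of `editor.dom.create` is markup rather than text, so user-entered link text would otherwise be parsed as HTML. Suggested, on the line above it: `// dom.create() treats its third argument as HTML; encode the user-entered link text.` Without that note the next reader may see an encode next to an unencoded `attrs` and "simplify" it away. The `setAttribs` and `mceInsertLink` branches insert no text, so they are not affected. The enclosing function starts and ends outside the hunk.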


@ -1216,7 +1216,7 @@ function wp_print_media_templates() {
</dt> </dt>
<# if ( attachment.caption ) { #> <# if ( attachment.caption ) { #>
<dd class="wp-caption-text gallery-caption"> <dd class="wp-caption-text gallery-caption">
{{ attachment.caption }} {{{ data.verifyHTML( attachment.caption ) }}}
</dd> </dd>
<# } #> <# } #>
</dl> </dl>
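Review bot: Changing `{{ attachment.caption }}` to `{{{ data.verifyHTML( attachment.caption ) }}}` switches off the template's own escaping for the caption, so the output is now exactly as safe as `data.verifyHTML`, and the template itself gives no hint of that coupling; a template comment above the `<dd>`, such as `<# /* Caption is sanitized by data.verifyHTML(); the triple braces must stay paired with it. */ #>`, would keep the two from drifting apart. `verifyHTML` is only added to the template data in the `self.render( self.template( {` call in the first file, so if this template is rendered from any other caller that does not pass it, the call throws inside the template instead of falling back to escaped output; a guard that uses `data.verifyHTML` only when present and otherwise escapes the caption would fail closed.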