Ticket #32812: 32812.2.diff

File 32812.2.diff, 7.4 KB (added by westonruter, 6 years ago)
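--- a/src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php
+++ b/src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php
@@ -619,7 +619,7 @@ class WP_Customize_Nav_Menu_Item_Setting extends WP_Customize_Setting {
 		);
 		$menu_item_value = array_merge( $default, $menu_item_value );
 		$menu_item_value = wp_array_slice_assoc( $menu_item_value, array_keys( $default ) );
-		$menu_item_value['position'] = max( 0, intval( $menu_item_value['position'] ) );
+		$menu_item_value['position'] = intval( $menu_item_value['position'] );
 
 		foreach ( array( 'object_id', 'menu_item_parent', 'nav_menu_term_id' ) as $key ) {
 			// Note we need to allow negative-integer IDs for previewed objects not inserted yet.
@@ -638,14 +638,16 @@ class WP_Customize_Nav_Menu_Item_Setting extends WP_Customize_Setting {
 			$menu_item_value[ $key ] = implode( ' ', array_map( 'sanitize_html_class', $value ) );
 		}
 
-		foreach ( array( 'title', 'attr_title', 'description', 'original_title' ) as $key ) {
-			// @todo Should esc_attr() the attr_title as well?
-			$menu_item_value[ $key ] = sanitize_text_field( $menu_item_value[ $key ] );
-		}
+		$menu_item_value['original_title'] = sanitize_text_field( $menu_item_value['original_title'] );
+
+		// Apply the same filters as when calling wp_insert_post().
+		$menu_item_value['title'] = apply_filters( 'title_save_pre', $menu_item_value['title'] );
+		$menu_item_value['attr_title'] = apply_filters( 'excerpt_save_pre', $menu_item_value['attr_title'] );
+		$menu_item_value['description'] = apply_filters( 'content_save_pre', $menu_item_value['description'] );
 
 		$menu_item_value['url'] = esc_url_raw( $menu_item_value['url'] );
-		if ( ! get_post_status_object( $menu_item_value['status'] ) ) {
-			$menu_item_value['status'] = 'publish';
+		if ( 'publish' !== $menu_item_value['status'] ) {
+			$menu_item_value['status'] = 'draft';
 		}
 
 		$menu_item_value['_invalid'] = (bool) $menu_item_value['_invalid'];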
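Review bot: The three `*_save_pre` filters applied at new lines 644–646 strip markup only when kses is hooked to them, which happens for users lacking `unfiltered_html` (the test's expected values branch on `current_user_can( 'unfiltered_html' )` for exactly this reason), so the output of `sanitize()` now depends on the current user and, where those filters are not registered in the calling context, the strings pass through unchanged; the replaced `sanitize_text_field()` loop had no such dependency. That is consistent with `wp_insert_post()` as the comment says, but the comment should record it: `// Apply the same filters as when calling wp_insert_post(). These are hooked to kses only for users lacking unfiltered_html, so the result is capability-dependent.` Since `attr_title` may now carry HTML (the test expects `<b>bolded</b>` to survive), the dropped `@todo` about escaping it still applies wherever it is rendered as an attribute value. The status check at new lines 649–650 also folds every non-`publish` status (e.g. `private`, `pending`) into `draft`, which may be intended but is broader than the unknown-status case it replaces. The enclosing `sanitize()` method starts and ends outside the hunk.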
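--- a/tests/phpunit/tests/customize/nav-menu-item-setting.php
+++ b/tests/phpunit/tests/customize/nav-menu-item-setting.php
@@ -438,6 +438,8 @@ class Test_WP_Customize_Nav_Menu_Item_Setting extends WP_UnitTestCase {
 	 */
 	function test_sanitize() {
 		do_action( 'customize_register', $this->wp_customize );
+
+		$menu_id = wp_create_nav_menu( 'Primary' );
 		$setting = new WP_Customize_Nav_Menu_Item_Setting( $this->wp_customize, 'nav_menu_item[123]' );
 
 		$this->assertNull( $setting->sanitize( 'not an array' ) );
@@ -449,37 +451,76 @@ class Test_WP_Customize_Nav_Menu_Item_Setting extends WP_UnitTestCase {
 			'menu_item_parent' => 'asdasd',
 			'position' => -123,
 			'type' => 'custom<b>',
-			'title' => 'Hi<script>alert(1)</script>',
+			'title' => 'Hi<script>unfilteredHtml()</script>',
 			'url' => 'javascript:alert(1)',
 			'target' => '" onclick="',
-			'attr_title' => '<b>evil</b>',
-			'description' => '<b>Hello world</b>',
+			'attr_title' => '<b>bolded</b><script>unfilteredHtml()</script>',
+			'description' => '<b>Hello world</b><script>unfilteredHtml()</script>',
 			'classes' => 'hello " inject="',
 			'xfn' => 'hello " inject="',
 			'status' => 'forbidden',
-			'original_title' => 'Hi<script>alert(1)</script>',
+			'original_title' => 'Hi<script>unfilteredHtml()</script>',
 			'nav_menu_term_id' => 'heilo',
 			'_invalid' => false,
 		);
 
+		$expected_sanitized = array(
+			'object_id' => 0,
+			'object' => 'bhellob',
+			'menu_item_parent' => 0,
+			'position' => -123,
+			'type' => 'customb',
+			'title' => current_user_can( 'unfiltered_html' ) ? 'Hi<script>unfilteredHtml()</script>' : 'HiunfilteredHtml()',
+			'url' => '',
+			'target' => 'onclick',
+			'attr_title' => current_user_can( 'unfiltered_html' ) ? '<b>bolded</b><script>unfilteredHtml()</script>' : '<b>bolded</b>unfilteredHtml()',
+			'description' => current_user_can( 'unfiltered_html' ) ? '<b>Hello world</b><script>unfilteredHtml()</script>' : '<b>Hello world</b>unfilteredHtml()',
+			'classes' => 'hello  inject',
+			'xfn' => 'hello  inject',
+			'status' => 'draft',
+			'original_title' => 'Hi',
+			'nav_menu_term_id' => 0,
+		);
+
 		$sanitized = $setting->sanitize( $unsanitized );
 		$this->assertEqualSets( array_keys( $unsanitized ), array_keys( $sanitized ) );
 
-		$this->assertEquals( 0, $sanitized['object_id'] );
-		$this->assertEquals( 'bhellob', $sanitized['object'] );
-		$this->assertEquals( 0, $sanitized['menu_item_parent'] );
-		$this->assertEquals( 0, $sanitized['position'] );
-		$this->assertEquals( 'customb', $sanitized['type'] );
-		$this->assertEquals( 'Hi', $sanitized['title'] );
-		$this->assertEquals( '', $sanitized['url'] );
-		$this->assertEquals( 'onclick', $sanitized['target'] );
-		$this->assertEquals( 'evil', $sanitized['attr_title'] );
-		$this->assertEquals( 'Hello world', $sanitized['description'] );
-		$this->assertEquals( 'hello  inject', $sanitized['classes'] );
-		$this->assertEquals( 'hello  inject', $sanitized['xfn'] );
-		$this->assertEquals( 'publish', $sanitized['status'] );
-		$this->assertEquals( 'Hi', $sanitized['original_title'] );
-		$this->assertEquals( 0, $sanitized['nav_menu_term_id'] );
+		foreach ( $expected_sanitized as $key => $value ) {
+			$this->assertEquals( $value, $sanitized[ $key ], "Expected $key to be sanitized." );
+		}
+
+		$nav_menu_item_id = wp_update_nav_menu_item( $menu_id, 0, array(
+			'menu-item-object-id' => $unsanitized['object_id'],
+			'menu-item-object' => $unsanitized['object'],
+			'menu-item-parent-id' => $unsanitized['menu_item_parent'],
+			'menu-item-position' => $unsanitized['position'],
+			'menu-item-type' => $unsanitized['type'],
+			'menu-item-title' => $unsanitized['title'],
+			'menu-item-url' => $unsanitized['url'],
+			'menu-item-description' => $unsanitized['description'],
+			'menu-item-attr-title' => $unsanitized['attr_title'],
+			'menu-item-target' => $unsanitized['target'],
+			'menu-item-classes' => $unsanitized['classes'],
+			'menu-item-xfn' => $unsanitized['xfn'],
+			'menu-item-status' => $unsanitized['status'],
+		) );
+
+		$post = get_post( $nav_menu_item_id );
+		$nav_menu_item = wp_setup_nav_menu_item( clone $post );
+
+		$this->assertEquals( $expected_sanitized['object_id'], $nav_menu_item->object_id );
+		$this->assertEquals( $expected_sanitized['object'], $nav_menu_item->object );
+		$this->assertEquals( $expected_sanitized['menu_item_parent'], $nav_menu_item->menu_item_parent );
+		$this->assertEquals( $expected_sanitized['position'], $post->menu_order );
+		$this->assertEquals( $expected_sanitized['type'], $nav_menu_item->type );
+		$this->assertEquals( $expected_sanitized['title'], $post->post_title );
+		$this->assertEquals( $expected_sanitized['url'], $nav_menu_item->url );
+		$this->assertEquals( $expected_sanitized['description'], $post->post_content );
+		$this->assertEquals( $expected_sanitized['attr_title'], $post->post_excerpt );
+		$this->assertEquals( $expected_sanitized['target'], $nav_menu_item->target );
+		$this->assertEquals( $expected_sanitized['classes'], implode( ' ', $nav_menu_item->classes ) );
+		$this->assertEquals( $expected_sanitized['xfn'], $nav_menu_item->xfn );
+		$this->assertEquals( $expected_sanitized['status'], $post->post_status );
 	}
 
 	/**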
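Review bot: The expected values at new lines 473, 476 and 478 branch on `current_user_can( 'unfiltered_html' )` instead of fixing the user, so which behaviour is asserted depends on whatever user the harness happens to have set, and in the privileged branch the assertions only confirm that `<script>` passes through, so the kses-stripping path is never guaranteed to be exercised. Set the current user explicitly at the top of `test_sanitize()`, e.g. `wp_set_current_user( $this->factory->user->create( array( 'role' => 'author' ) ) );` before building `$expected_sanitized`, and ideally run the assertions once per branch so both outcomes are pinned. The `'position' => -123` expectation at new line 471 quietly pins the new behaviour that negative positions are no longer clamped to 0; a one-line comment such as `// Negative positions are preserved; sanitize() no longer clamps them.` would make that deliberate. The same applies to `'status' => 'draft'` at new line 480, which now documents that any unknown status maps to draft rather than publish.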