Ticket #32812: 32812.3.diff
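--- a/src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php
+++ b/src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php
@@ -572,6 +572,12 @@ class WP_Customize_Nav_Menu_Item_Setting extends WP_Customize_Setting {
 			}
 		}
 
+		/** This filter is documented in wp-includes/nav-menu.php */
+		$post->attr_title = apply_filters( 'nav_menu_attr_title', $post->attr_title );
+
+		/** This filter is documented in wp-includes/nav-menu.php */
+		$post->description = apply_filters( 'nav_menu_description', wp_trim_words( $post->description, 200 ) );
+
 		return $post;
 	}
 
@@ -619,7 +625,7 @@ class WP_Customize_Nav_Menu_Item_Setting extends WP_Customize_Setting {
 		);
 		$menu_item_value = array_merge( $default, $menu_item_value );
 		$menu_item_value = wp_array_slice_assoc( $menu_item_value, array_keys( $default ) );
-		$menu_item_value['position'] = max( 0, intval( $menu_item_value['position'] ));
+		$menu_item_value['position'] = intval( $menu_item_value['position'] );
 
 		foreach ( array( 'object_id', 'menu_item_parent', 'nav_menu_term_id' ) as $key ) {
 			// Note we need to allow negative-integer IDs for previewed objects not inserted yet.
@@ -638,14 +644,16 @@ class WP_Customize_Nav_Menu_Item_Setting extends WP_Customize_Setting {
 			$menu_item_value[ $key ] = implode( ' ', array_map( 'sanitize_html_class', $value ) );
 		}
 
-		foreach ( array( 'title', 'attr_title', 'description', 'original_title' ) as $key ) {
-			// @todo Should esc_attr() the attr_title as well?
-			$menu_item_value[ $key ] = sanitize_text_field( $menu_item_value[ $key ] );
-		}
+		$menu_item_value['original_title'] = sanitize_text_field( $menu_item_value['original_title'] );
+
+		// Apply the same filters as when calling wp_insert_post().
+		$menu_item_value['title'] = apply_filters( 'title_save_pre', $menu_item_value['title'] );
+		$menu_item_value['attr_title'] = apply_filters( 'excerpt_save_pre', $menu_item_value['attr_title'] );
+		$menu_item_value['description'] = apply_filters( 'content_save_pre', $menu_item_value['description'] );
 
 		$menu_item_value['url'] = esc_url_raw( $menu_item_value['url'] );
-		if ( ! get_post_status_object( $menu_item_value['status'] )) {
-			$menu_item_value['status'] = ' publish';
+		if ( 'publish' !== $menu_item_value['status'] ) {
+			$menu_item_value['status'] = 'draft';
 		}
 
 		$menu_item_value['_invalid'] = (bool) $menu_item_value['_invalid'];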
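Review bot: The three `apply_filters( '*_save_pre', ... )` lines replace an unconditional `sanitize_text_field()` with behaviour that now depends entirely on what is hooked to those filters at call time — the `<script>` stripping the accompanying test expects for non-privileged users comes from the kses callbacks that core attaches to these hooks only when the current user lacks `unfiltered_html`, and a plugin can detach them. That is the intended trade-off, but the comment should say so rather than only claiming parity: `// Rely on the same *_save_pre filters as wp_insert_post(); HTML is only stripped when kses is hooked for the current user (no unfiltered_html cap).` The parity claim is also incomplete as written: `wp_insert_post()` sanitises via `sanitize_post( ..., 'db' )`, which for these fields also runs the `pre_post_*` filters before `*_save_pre`; if full parity is the goal, `sanitize_post_field( 'post_title', $menu_item_value['title'], 0, 'db' )` (and likewise `post_excerpt`, `post_content`) would cover both. The `sanitize()` method this hunk edits begins and ends outside the hunk.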
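--- a/tests/phpunit/tests/customize/nav-menu-item-setting.php
+++ b/tests/phpunit/tests/customize/nav-menu-item-setting.php
@@ -438,6 +438,8 @@ class Test_WP_Customize_Nav_Menu_Item_Setting extends WP_UnitTestCase {
 	 */
 	function test_sanitize() {
 		do_action( 'customize_register', $this->wp_customize );
+
+		$menu_id = wp_create_nav_menu( 'Primary' );
 		$setting = new WP_Customize_Nav_Menu_Item_Setting( $this->wp_customize, 'nav_menu_item[123]' );
 
 		$this->assertNull( $setting->sanitize( 'not an array' ) );
@@ -449,37 +451,76 @@ class Test_WP_Customize_Nav_Menu_Item_Setting extends WP_UnitTestCase {
 			'menu_item_parent' => 'asdasd',
 			'position' => -123,
 			'type' => 'custom<b>',
-			'title' => 'Hi<script> alert(1)</script>',
+			'title' => 'Hi<script>unfilteredHtml()</script>',
 			'url' => 'javascript:alert(1)',
 			'target' => '" onclick="',
-			'attr_title' => '<b> evil</b>',
-			'description' => '<b>Hello world</b> ',
+			'attr_title' => '<b>bolded</b><script>unfilteredHtml()</script>',
+			'description' => '<b>Hello world</b><script>unfilteredHtml()</script>',
 			'classes' => 'hello " inject="',
 			'xfn' => 'hello " inject="',
 			'status' => 'forbidden',
-			'original_title' => 'Hi<script> alert(1)</script>',
+			'original_title' => 'Hi<script>unfilteredHtml()</script>',
 			'nav_menu_term_id' => 'heilo',
 			'_invalid' => false,
 		);
 
+		$expected_sanitized = array(
+			'object_id' => 0,
+			'object' => 'bhellob',
+			'menu_item_parent' => 0,
+			'position' => -123,
+			'type' => 'customb',
+			'title' => current_user_can( 'unfiltered_html' ) ? 'Hi<script>unfilteredHtml()</script>' : 'HiunfilteredHtml()',
+			'url' => '',
+			'target' => 'onclick',
+			'attr_title' => current_user_can( 'unfiltered_html' ) ? '<b>bolded</b><script>unfilteredHtml()</script>' : '<b>bolded</b>unfilteredHtml()',
+			'description' => current_user_can( 'unfiltered_html' ) ? '<b>Hello world</b><script>unfilteredHtml()</script>' : '<b>Hello world</b>unfilteredHtml()',
+			'classes' => 'hello inject',
+			'xfn' => 'hello inject',
+			'status' => 'draft',
+			'original_title' => 'Hi',
+			'nav_menu_term_id' => 0,
+		);
+
 		$sanitized = $setting->sanitize( $unsanitized );
 		$this->assertEqualSets( array_keys( $unsanitized ), array_keys( $sanitized ) );
 
-		$this->assertEquals( 0, $sanitized['object_id'] );
-		$this->assertEquals( 'bhellob', $sanitized['object'] );
-		$this->assertEquals( 0, $sanitized['menu_item_parent'] );
-		$this->assertEquals( 0, $sanitized['position'] );
-		$this->assertEquals( 'customb', $sanitized['type'] );
-		$this->assertEquals( 'Hi', $sanitized['title'] );
-		$this->assertEquals( '', $sanitized['url'] );
-		$this->assertEquals( 'onclick', $sanitized['target'] );
-		$this->assertEquals( 'evil', $sanitized['attr_title'] );
-		$this->assertEquals( 'Hello world', $sanitized['description'] );
-		$this->assertEquals( 'hello inject', $sanitized['classes'] );
-		$this->assertEquals( 'hello inject', $sanitized['xfn'] );
-		$this->assertEquals( 'publish', $sanitized['status'] );
-		$this->assertEquals( 'Hi', $sanitized['original_title'] );
-		$this->assertEquals( 0, $sanitized['nav_menu_term_id'] );
+		foreach ( $expected_sanitized as $key => $value ) {
+			$this->assertEquals( $value, $sanitized[ $key ], "Expected $key to be sanitized." );
+		}
+
+		$nav_menu_item_id = wp_update_nav_menu_item( $menu_id, 0, array(
+			'menu-item-object-id' => $unsanitized['object_id'],
+			'menu-item-object' => $unsanitized['object'],
+			'menu-item-parent-id' => $unsanitized['menu_item_parent'],
+			'menu-item-position' => $unsanitized['position'],
+			'menu-item-type' => $unsanitized['type'],
+			'menu-item-title' => $unsanitized['title'],
+			'menu-item-url' => $unsanitized['url'],
+			'menu-item-description' => $unsanitized['description'],
+			'menu-item-attr-title' => $unsanitized['attr_title'],
+			'menu-item-target' => $unsanitized['target'],
+			'menu-item-classes' => $unsanitized['classes'],
+			'menu-item-xfn' => $unsanitized['xfn'],
+			'menu-item-status' => $unsanitized['status'],
+		) );
+
+		$post = get_post( $nav_menu_item_id );
+		$nav_menu_item = wp_setup_nav_menu_item( clone $post );
+
+		$this->assertEquals( $expected_sanitized['object_id'], $nav_menu_item->object_id );
+		$this->assertEquals( $expected_sanitized['object'], $nav_menu_item->object );
+		$this->assertEquals( $expected_sanitized['menu_item_parent'], $nav_menu_item->menu_item_parent );
+		$this->assertEquals( $expected_sanitized['position'], $post->menu_order );
+		$this->assertEquals( $expected_sanitized['type'], $nav_menu_item->type );
+		$this->assertEquals( $expected_sanitized['title'], $post->post_title );
+		$this->assertEquals( $expected_sanitized['url'], $nav_menu_item->url );
+		$this->assertEquals( $expected_sanitized['description'], $post->post_content );
+		$this->assertEquals( $expected_sanitized['attr_title'], $post->post_excerpt );
+		$this->assertEquals( $expected_sanitized['target'], $nav_menu_item->target );
+		$this->assertEquals( $expected_sanitized['classes'], implode( ' ', $nav_menu_item->classes ) );
+		$this->assertEquals( $expected_sanitized['xfn'], $nav_menu_item->xfn );
+		$this->assertEquals( $expected_sanitized['status'], $post->post_status );
 	}
 
 	/**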
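Review bot: The `current_user_can( 'unfiltered_html' ) ? ... : ...` ternaries in `$expected_sanitized` mean only one sanitisation path is exercised per run, and the test never states which one it is actually checking, so a regression in the kses-stripping branch would pass unnoticed if the suite happens to run as a user with the capability. Pin the branch explicitly, e.g. `wp_set_current_user( 0 );` before `sanitize()` together with `$this->assertFalse( current_user_can( 'unfiltered_html' ) );`, and cover the privileged branch in a second test that switches to a user holding the capability. The return of `wp_create_nav_menu( 'Primary' )` in the first hunk is also passed straight to `wp_update_nav_menu_item()` without a check; `$this->assertInternalType( 'int', $menu_id );` would keep a failure here from surfacing as a confusing later assertion. `test_sanitize()` opens in the first hunk and closes at the end of the second.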