Ticket #33924: 33924.3.diff
File 33924.3.diff, 2.6 KB (added by , 9 years ago) |
src/wp-includes/formatting.php
diff --git a/src/wp-includes/formatting.php b/src/wp-includes/formatting.php index de71956..f6fe42b 100644
a b function sanitize_sql_orderby( $orderby ) { 1651 1651 * Defaults to an empty string. 1652 1652 * @return string The sanitized value 1653 1653 */ 1654 function sanitize_html_class( $class, $fallback = '' ) { 1655 //Strip out any % encoded octets 1656 $sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $class ); 1654 function sanitize_html_class( $class, $fallback = '', $strict = true ) { 1655 if ( $strict ) { 1656 //Strip out any % encoded octets 1657 $sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $class ); 1657 1658 1658 //Limit to A-Z,a-z,0-9,_,- 1659 $sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized ); 1659 //Limit to A-Z,a-z,0-9,_,- 1660 $sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized ); 1661 } 1662 else { 1663 // remove any white space 1664 $sanitized = preg_replace( '/\s/', '', $class ); 1665 1666 // classes are attributes 1667 $sanitized = esc_attr( $sanitized ); 1668 } 1660 1669 1661 1670 if ( '' == $sanitized && $fallback ) { 1662 return sanitize_html_class( $fallback );1671 return sanitize_html_class( $fallback, false, $strict ); 1663 1672 } 1664 1673 /** 1665 1674 * Filter a sanitized HTML class string. -
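Review bot: The new `$strict` parameter is undocumented — the docblock shown as context at 1651–1653 is unchanged and no `@param` is added for it — and the permissive branch quietly changes the function's guarantee from a character allow-list to escape-only output, which a caller cannot tell from the signature. Suggested line for the docblock: ` * @param bool $strict Optional. When false, only whitespace is removed and the result is passed through esc_attr(), so it is safe only inside a quoted HTML attribute; characters such as `.`, `#`, `[` and `]` are kept. Default true.` Callers that build CSS selectors or JavaScript from the return value, or emit it in an unquoted attribute, must keep the default, and that restriction belongs in the docblock rather than in the caller's head. The recursive fallback call correctly forwards `$strict`; the `sanitize_html_class` filter applied after the hunk (from 1665) appears not to receive it, so filter callbacks presumably cannot tell which mode produced the value. sanitize_html_class's body continues outside the hunk.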
new file tests/phpunit/tests/formatting/SanitizeHtmlClass.php
diff --git a/tests/phpunit/tests/formatting/SanitizeHtmlClass.php b/tests/phpunit/tests/formatting/SanitizeHtmlClass.php new file mode 100644 index 0000000..1dfeadb
- + 1 <?php 2 3 /** 4 * @group formatting 5 */ 6 class Tests_Formatting_SanitizeHtmlClass extends WP_UnitTestCase { 7 function test_class_strips_spaces() { 8 $input = "Captain Awesome"; 9 $expected = "CaptainAwesome"; 10 $this->assertEquals( $expected, sanitize_html_class( $input ) ); 11 } 12 13 function test_class_strips_spaces_permissive() { 14 $input = "Captain Awesome"; 15 $expected = "CaptainAwesome"; 16 $this->assertEquals( $expected, sanitize_html_class( $input, '', false ) ); 17 } 18 19 function test_class_sanitized_to_nothing_applies_fallback() { 20 $input = "****"; 21 $fallback = "CaptainAwesome"; 22 $this->assertEquals( $fallback, sanitize_html_class( $input, $fallback ) ); 23 } 24 25 function test_class_escapes_ampersand_permissive() { 26 $input = "Captain&Tennille"; 27 $expected = "Captain&Tennille"; 28 $this->assertEquals( $expected, sanitize_html_class( $input, '', false ) ); 29 } 30 31 function test_class_removes_ampersand_strict() { 32 $input = "Captain&Tennille"; 33 $expected = "CaptainTennille"; 34 $this->assertEquals( $expected, sanitize_html_class( $input, '' ) ); 35 } 36 }
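Review bot: `test_class_escapes_ampersand_permissive` (lines 25–29) expects the output to equal the input, yet the permissive branch it exercises runs the value through esc_attr(), which encodes `&` as `&amp;`; either the page rendering decoded the entity in `$expected`, or the assertion as written should be `$expected = "Captain&amp;Tennille";`. The suite also never checks the characters that actually matter in an attribute context — `"`, `'`, `<`, `>` — in permissive mode, nor the fallback path with `$strict = false`; one case such as `$this->assertEquals( '&quot;x&quot;', sanitize_html_class( '"x"', '', false ) );` would pin the escaping this mode relies on. Test method names follow the `test_*` convention used elsewhere in the suite, so no style change is needed there.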