

Ticket #33924: 33924.3.diff

File 33924.3.diff, 2.6 KB (added by peterwilsoncc, 4 years ago)
  • src/wp-includes/formatting.php

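--- a/src/wp-includes/formatting.php
+++ b/src/wp-includes/formatting.php
@@ -1651,15 +1651,24 @@ function sanitize_sql_orderby( $orderby ) {
  *      Defaults to an empty string.
  * @return string The sanitized value
  */
-function sanitize_html_class( $class, $fallback = '' ) {
-        //Strip out any % encoded octets
-        $sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $class );
+function sanitize_html_class( $class, $fallback = '', $strict = true ) {
+        if ( $strict ) {
+                //Strip out any % encoded octets
+                $sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $class );
 
-        //Limit to A-Z,a-z,0-9,_,-
-        $sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );
+                //Limit to A-Z,a-z,0-9,_,-
+                $sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );
+        }
+        else {
+                // remove any white space
+                $sanitized = preg_replace( '/\s/', '', $class );
+
+                // classes are attributes
+                $sanitized = esc_attr( $sanitized );
+        }
 
         if ( '' == $sanitized && $fallback ) {
-                return sanitize_html_class( $fallback );
+                return sanitize_html_class( $fallback, false, $strict );
         }
         /**
          * Filter a sanitized HTML class string.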
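Review bot: The new `$strict` parameter is undocumented: the docblock visible at the top of the hunk ends with the `$fallback` description and gains no entry for it, so add `* @param bool $strict Optional. When true (default) the result is limited to A-Z, a-z, 0-9, _ and -; when false only whitespace is removed and the value is attribute-escaped.` before `@return`. The non-strict branch also changes what reaches the `sanitize_html_class` filter (documented at the bottom of the hunk): callbacks written against the old contract may assume the value matches `[A-Za-z0-9_-]*`, which no longer holds when `$strict` is false, so the filter's docblock should state that the value may be an `esc_attr()`-escaped string. On the recursive call, `return sanitize_html_class( $fallback, false, $strict );` passes a boolean where the parameter is documented as a string; `''` reads as the intended "no further fallback" and avoids the type mismatch. The function body and the filter call continue past the end of the hunk.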
  • new file tests/phpunit/tests/formatting/SanitizeHtmlClass.php

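--- a/tests/phpunit/tests/formatting/SanitizeHtmlClass.php
+++ b/tests/phpunit/tests/formatting/SanitizeHtmlClass.php
@@ -0,0 +1,36 @@
+<?php
+
+/**
+ * @group formatting
+ */
+class Tests_Formatting_SanitizeHtmlClass extends WP_UnitTestCase {
+        function test_class_strips_spaces() {
+                $input = "Captain Awesome";
+                $expected = "CaptainAwesome";
+                $this->assertEquals( $expected, sanitize_html_class( $input ) );
+        }
+
+        function test_class_strips_spaces_permissive() {
+                $input = "Captain Awesome";
+                $expected = "CaptainAwesome";
+                $this->assertEquals( $expected, sanitize_html_class( $input, '', false ) );
+        }
+
+        function test_class_sanitized_to_nothing_applies_fallback() {
+                $input    = "****";
+                $fallback = "CaptainAwesome";
+                $this->assertEquals( $fallback, sanitize_html_class( $input, $fallback ) );
+        }
+
+        function test_class_escapes_ampersand_permissive() {
+                $input = "Captain&Tennille";
+                $expected = "Captain&amp;Tennille";
+                $this->assertEquals( $expected, sanitize_html_class( $input, '', false ) );
+        }
+
+        function test_class_removes_ampersand_strict() {
+                $input = "Captain&Tennille";
+                $expected = "CaptainTennille";
+                $this->assertEquals( $expected, sanitize_html_class( $input, '' ) );
+        }
+}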
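Review bot: The permissive branch relies on `esc_attr()` to keep the returned class safe inside a quoted attribute, but the only escaping case tested (`test_class_escapes_ampersand_permissive`) covers `&`; the quote characters are the ones that matter for that guarantee, so add a case such as `$this->assertSame( 'Captain&quot;Tennille', sanitize_html_class( 'Captain"Tennille', '', false ) );`. There is also no test that the fallback is processed with the same `$strict` value as the input (`sanitize_html_class( '****', 'a b', false )` should yield `ab`), which is the behaviour the changed recursive call introduces. Throughout the file, `assertSame` is the better fit for string results than `assertEquals`, since the latter's loose comparison would accept `'0'` equal to `''`-like values under coercion.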