Ticket #34893: 34893.1.diff

src/wp-includes/class-wp-customize-manager.php

@@ -957 +957 @@
                         wp_send_json_error( 'invalid_nonce' );
                 }
 
+                // Validate settings.
+                $invalid_settings = array();
+                foreach ( $this->unsanitized_post_values() as $setting_id => $unsanitized_value ) {
+                        $setting = $this->get_setting( $setting_id );
+                        if ( ! $setting ) {
+                                continue;
+                        }
+                        $valid = $setting->validate( $unsanitized_value );
+                        if ( false === $valid ) {
+                                $valid = new WP_Error( 'invalid_value', __( 'Invalid value.' ) );
+                        }
+                        if ( is_wp_error( $valid ) ) {
+                                $invalid_settings[ $setting_id ] = $valid;
+                        }
+                }
+                $invalid_count = count( $invalid_settings );
+                if ( $invalid_count > 0 ) {
+                        $response = array(
+                                'invalid_settings' => $invalid_settings,
+                                'message' => sprintf( _n( 'There is %d invalid setting.', 'There are %d invalid settings.', $invalid_count ), $invalid_count ),
+                        );
+
+                        /** This filter is documented in wp-includes/class-wp-customize-manager.php */
+                        $response = apply_filters( 'customize_save_response', $response, $this );
+                        wp_send_json_error( $response );
+                }
+
                 // Do we have to switch themes?
                 if ( ! $this->is_theme_active() ) {
                         // Temporarily stop previewing the theme to allow switch_themes()

src/wp-includes/class-wp-customize-setting.php

@@ -59 +59 @@
          *
          * @var callback
          */
+        public $validate_callback    = '';
         public $sanitize_callback    = '';
         public $sanitize_js_callback = '';
 
@@ -142 +143 @@
                         $this->id .= '[' . implode( '][', $this->id_data['keys'] ) . ']';
                 }
 
+                if ( $this->validate_callback ) {
+                        add_filter( "customize_validate_{$this->id}", $this->validate_callback, 10, 3 );
+                }
                 if ( $this->sanitize_callback ) {
-                        add_filter( "customize_sanitize_{$this->id}", $this->sanitize_callback, 10, 2 );
+                        add_filter( "customize_sanitize_{$this->id}", $this->sanitize_callback, 10, 3 );
                 }
                 if ( $this->sanitize_js_callback ) {
                         add_filter( "customize_sanitize_js_{$this->id}", $this->sanitize_js_callback, 10, 2 );
@@ -491 +495 @@
          * Sanitize an input.
          *
          * @since 3.4.0
+         * @since 4.5.0 Added $strict parameter.
          *
-         * @param string|array $value The value to sanitize.
-         * @return string|array|null Null if an input isn't valid, otherwise the sanitized value.
+         * @param string|array $value    The value to sanitize.
+         * @param bool         $strict   Whether validation is being performed.
+         * @return string|array|null|WP_Error Null or WP_Error (when $strict) if an input isn't valid, otherwise the sanitized value.
          */
-        public function sanitize( $value ) {
-                $value = wp_unslash( $value );
+        public function sanitize( $value, $strict = false ) {
+                $value = wp_unslash( $value ); // @todo Remove this because it is erroneously stripping slashes. $_POST['customized'] is already unslashed when parsed as JSON. Try entering \o/ in the blogname for example.
 
                 /**
                  * Filter a Customize setting value in un-slashed form.
                  *
                  * @since 3.4.0
+                 * @since 4.5.0 Added $strict param which is true when validation is being done.
                  *
                  * @param mixed                $value Value of the setting.
                  * @param WP_Customize_Setting $this  WP_Customize_Setting instance.
                  */
-                return apply_filters( "customize_sanitize_{$this->id}", $value, $this );
+                return apply_filters( "customize_sanitize_{$this->id}", $value, $this, $strict );
+        }
+
+        /**
+         * Validate an input.
+         *
+         * @since 4.5.0
+         * @see WP_REST_Request::has_valid_params()
+         *
+         * @param string|array $unsanitized_value The value to validate.
+         * @return bool|WP_Error Whether an input isn't valid, or an WP_Error explaining why it isn't valid.
+         */
+        public function validate( $unsanitized_value ) {
+                $valid = true;
+
+                $strict = true;
+                $sanitized_value = $this->sanitize( $unsanitized_value, $strict );
+                if ( null === $sanitized_value ) {
+                        $valid = false;
+                } else if ( is_wp_error( $sanitized_value ) ) {
+                        $valid = $sanitized_value;
+                }
+
+                /**
+                 * Filter the validation state of a Customize setting value.
+                 *
+                 * @since 4.5.0
+                 *
+                 * @param
+                 * @param bool|WP_Error        $valid              Validity of the value based on sanitization.
+                 * @param mixed                $sanitized_value    Sanitized value of the setting.
+                 * @param mixed                $unsanitized_value  Unsanitized value of the setting.
+                 * @param WP_Customize_Setting $this               WP_Customize_Setting instance.
+                 */
+                $valid = apply_filters( "customize_validate_{$this->id}", $valid, $sanitized_value, $unsanitized_value, $this );
+
+                return $valid;
         }
 
         /**