WordPress.org

Make WordPress Core

Ticket #34893: 34893.1.diff

File 34893.1.diff, 5.0 KB (added by westonruter, 4 years ago)

Additional changes: https://github.com/xwp/wordpress-develop/compare/04bc5da...e6052b1 PR: https://github.com/xwp/wordpress-develop/pull/136

  • src/wp-includes/class-wp-customize-manager.php

    diff --git src/wp-includes/class-wp-customize-manager.php src/wp-includes/class-wp-customize-manager.php
    index daa15e6..00ed0ef 100644
    final class WP_Customize_Manager { 
    957957                        wp_send_json_error( 'invalid_nonce' );
    958958                }
    959959
     960                // Validate settings.
     961                $invalid_settings = array();
     962                foreach ( $this->unsanitized_post_values() as $setting_id => $unsanitized_value ) {
     963                        $setting = $this->get_setting( $setting_id );
     964                        if ( ! $setting ) {
     965                                continue;
     966                        }
     967                        $valid = $setting->validate( $unsanitized_value );
     968                        if ( false === $valid ) {
     969                                $valid = new WP_Error( 'invalid_value', __( 'Invalid value.' ) );
     970                        }
     971                        if ( is_wp_error( $valid ) ) {
     972                                $invalid_settings[ $setting_id ] = $valid;
     973                        }
     974                }
     975                $invalid_count = count( $invalid_settings );
     976                if ( $invalid_count > 0 ) {
     977                        $response = array(
     978                                'invalid_settings' => $invalid_settings,
     979                                'message' => sprintf( _n( 'There is %d invalid setting.', 'There are %d invalid settings.', $invalid_count ), $invalid_count ),
     980                        );
     981
     982                        /** This filter is documented in wp-includes/class-wp-customize-manager.php */
     983                        $response = apply_filters( 'customize_save_response', $response, $this );
     984                        wp_send_json_error( $response );
     985                }
     986
    960987                // Do we have to switch themes?
    961988                if ( ! $this->is_theme_active() ) {
    962989                        // Temporarily stop previewing the theme to allow switch_themes()
  • src/wp-includes/class-wp-customize-setting.php

    diff --git src/wp-includes/class-wp-customize-setting.php src/wp-includes/class-wp-customize-setting.php
    index 434dec7..3f98590 100644
    class WP_Customize_Setting { 
    5959         *
    6060         * @var callback
    6161         */
     62        public $validate_callback    = '';
    6263        public $sanitize_callback    = '';
    6364        public $sanitize_js_callback = '';
    6465
    class WP_Customize_Setting { 
    142143                        $this->id .= '[' . implode( '][', $this->id_data['keys'] ) . ']';
    143144                }
    144145
     146                if ( $this->validate_callback ) {
     147                        add_filter( "customize_validate_{$this->id}", $this->validate_callback, 10, 3 );
     148                }
    145149                if ( $this->sanitize_callback ) {
    146                         add_filter( "customize_sanitize_{$this->id}", $this->sanitize_callback, 10, 2 );
     150                        add_filter( "customize_sanitize_{$this->id}", $this->sanitize_callback, 10, 3 );
    147151                }
    148152                if ( $this->sanitize_js_callback ) {
    149153                        add_filter( "customize_sanitize_js_{$this->id}", $this->sanitize_js_callback, 10, 2 );
    class WP_Customize_Setting { 
    491495         * Sanitize an input.
    492496         *
    493497         * @since 3.4.0
     498         * @since 4.5.0 Added $strict parameter.
    494499         *
    495          * @param string|array $value The value to sanitize.
    496          * @return string|array|null Null if an input isn't valid, otherwise the sanitized value.
     500         * @param string|array $value    The value to sanitize.
     501         * @param bool         $strict   Whether validation is being performed.
     502         * @return string|array|null|WP_Error Null or WP_Error (when $strict) if an input isn't valid, otherwise the sanitized value.
    497503         */
    498         public function sanitize( $value ) {
    499                 $value = wp_unslash( $value );
     504        public function sanitize( $value, $strict = false ) {
     505                $value = wp_unslash( $value ); // @todo Remove this because it is erroneously stripping slashes. $_POST['customized'] is already unslashed when parsed as JSON. Try entering \o/ in the blogname for example.
    500506
    501507                /**
    502508                 * Filter a Customize setting value in un-slashed form.
    503509                 *
    504510                 * @since 3.4.0
     511                 * @since 4.5.0 Added $strict param which is true when validation is being done.
    505512                 *
    506513                 * @param mixed                $value Value of the setting.
    507514                 * @param WP_Customize_Setting $this  WP_Customize_Setting instance.
    508515                 */
    509                 return apply_filters( "customize_sanitize_{$this->id}", $value, $this );
     516                return apply_filters( "customize_sanitize_{$this->id}", $value, $this, $strict );
     517        }
     518
     519        /**
     520         * Validate an input.
     521         *
     522         * @since 4.5.0
     523         * @see WP_REST_Request::has_valid_params()
     524         *
     525         * @param string|array $unsanitized_value The value to validate.
     526         * @return bool|WP_Error Whether an input isn't valid, or an WP_Error explaining why it isn't valid.
     527         */
     528        public function validate( $unsanitized_value ) {
     529                $valid = true;
     530
     531                $strict = true;
     532                $sanitized_value = $this->sanitize( $unsanitized_value, $strict );
     533                if ( null === $sanitized_value ) {
     534                        $valid = false;
     535                } else if ( is_wp_error( $sanitized_value ) ) {
     536                        $valid = $sanitized_value;
     537                }
     538
     539                /**
     540                 * Filter the validation state of a Customize setting value.
     541                 *
     542                 * @since 4.5.0
     543                 *
     544                 * @param
     545                 * @param bool|WP_Error        $valid              Validity of the value based on sanitization.
     546                 * @param mixed                $sanitized_value    Sanitized value of the setting.
     547                 * @param mixed                $unsanitized_value  Unsanitized value of the setting.
     548                 * @param WP_Customize_Setting $this               WP_Customize_Setting instance.
     549                 */
     550                $valid = apply_filters( "customize_validate_{$this->id}", $valid, $sanitized_value, $unsanitized_value, $this );
     551
     552                return $valid;
    510553        }
    511554
    512555        /**