WordPress.org
Get WordPress

Make WordPress Core

Ticket #35869: 35869.2.diff

File 35869.2.diff, 5.6 KB (added by westonruter, 9 years ago)

Add apostrophes to test input

  • src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php 

    diff --git src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php
index b89b56c..5317c94 100644
    class WP_Customize_Nav_Menu_Item_Setting extends WP_Customize_Setting { 
    639639                $menu_item_value['original_title'] = sanitize_text_field( $menu_item_value['original_title'] );
    640640
    641641                // Apply the same filters as when calling wp_insert_post().
    642                 $menu_item_value['title'] = apply_filters( 'title_save_pre', $menu_item_value['title'] );
    643                 $menu_item_value['attr_title'] = apply_filters( 'excerpt_save_pre', $menu_item_value['attr_title'] );
    644                 $menu_item_value['description'] = apply_filters( 'content_save_pre', $menu_item_value['description'] );
     642                $menu_item_value['title'] = wp_unslash( apply_filters( 'title_save_pre', wp_slash( $menu_item_value['title'] ) ) );
     643                $menu_item_value['attr_title'] = wp_unslash( apply_filters( 'excerpt_save_pre', wp_slash( $menu_item_value['attr_title'] ) ) );
     644                $menu_item_value['description'] = wp_unslash( apply_filters( 'content_save_pre', wp_slash( $menu_item_value['description'] ) ) );
    645645
    646646                $menu_item_value['url'] = esc_url_raw( $menu_item_value['url'] );
    647647                if ( 'publish' !== $menu_item_value['status'] ) {
    class WP_Customize_Nav_Menu_Item_Setting extends WP_Customize_Setting { 
    776776                        $r = wp_update_nav_menu_item(
    777777                                $value['nav_menu_term_id'],
    778778                                $is_placeholder ? 0 : $this->post_id,
    779                                 $menu_item_data
     779                                wp_slash( $menu_item_data )
    780780                        );
    781781
    782782                        if ( is_wp_error( $r ) ) {

  • src/wp-includes/nav-menu.php 

    diff --git src/wp-includes/nav-menu.php src/wp-includes/nav-menu.php
index 9ab6786..3b878f7 100644
    function wp_update_nav_menu_object( $menu_id = 0, $menu_data = array() ) { 
    344344/**
    345345 * Save the properties of a menu item or create a new one.
    346346 *
     347 * The menu-item-title, menu-item-description, and menu-item-attr-title are expected
     348 * to be pre-slashed since they are passed directly into <code>wp_insert_post()</code>.
     349 *
    347350 * @since 3.0.0
    348351 *
    349352 * @param int   $menu_id         The ID of the menu. Required. If "0", makes the menu item a draft orphan.

  • tests/phpunit/tests/customize/nav-menu-item-setting.php 

    diff --git tests/phpunit/tests/customize/nav-menu-item-setting.php tests/phpunit/tests/customize/nav-menu-item-setting.php
index 3431ef8..e06db56 100644
    class Test_WP_Customize_Nav_Menu_Item_Setting extends WP_UnitTestCase { 
    450450                        'menu_item_parent' => 'asdasd',
    451451                        'position' => -123,
    452452                        'type' => 'custom<b>',
    453                         'title' => 'Hi<script>unfilteredHtml()</script>',
     453                        'title' => '\o/ o\'o Hi<script>unfilteredHtml()</script>',
    454454                        'url' => 'javascript:alert(1)',
    455455                        'target' => '" onclick="',
    456                         'attr_title' => '<b>bolded</b><script>unfilteredHtml()</script>',
    457                         'description' => '<b>Hello world</b><script>unfilteredHtml()</script>',
     456                        'attr_title' => '\o/ o\'o <b>bolded</b><script>unfilteredHtml()</script>',
     457                        'description' => '\o/ o\'o <b>Hello world</b><script>unfilteredHtml()</script>',
    458458                        'classes' => 'hello " inject="',
    459459                        'xfn' => 'hello " inject="',
    460460                        'status' => 'forbidden',
    class Test_WP_Customize_Nav_Menu_Item_Setting extends WP_UnitTestCase { 
    469469                        'menu_item_parent' => 0,
    470470                        'position' => -123,
    471471                        'type' => 'customb',
    472                         'title' => current_user_can( 'unfiltered_html' ) ? 'Hi<script>unfilteredHtml()</script>' : 'HiunfilteredHtml()',
     472                        'title' => current_user_can( 'unfiltered_html' ) ? '\o/ o\'o Hi<script>unfilteredHtml()</script>' : '\o/ o\'o HiunfilteredHtml()',
    473473                        'url' => '',
    474474                        'target' => 'onclick',
    475                         'attr_title' => current_user_can( 'unfiltered_html' ) ? '<b>bolded</b><script>unfilteredHtml()</script>' : '<b>bolded</b>unfilteredHtml()',
    476                         'description' => current_user_can( 'unfiltered_html' ) ? '<b>Hello world</b><script>unfilteredHtml()</script>' : '<b>Hello world</b>unfilteredHtml()',
     475                        'attr_title' => current_user_can( 'unfiltered_html' ) ? '\o/ o\'o <b>bolded</b><script>unfilteredHtml()</script>' : '\o/ o\'o <b>bolded</b>unfilteredHtml()',
     476                        'description' => current_user_can( 'unfiltered_html' ) ? '\o/ o\'o <b>Hello world</b><script>unfilteredHtml()</script>' : '\o/ o\'o <b>Hello world</b>unfilteredHtml()',
    477477                        'classes' => 'hello  inject',
    478478                        'xfn' => 'hello  inject',
    479479                        'status' => 'draft',
    class Test_WP_Customize_Nav_Menu_Item_Setting extends WP_UnitTestCase { 
    488488                        $this->assertEquals( $value, $sanitized[ $key ], "Expected $key to be sanitized." );
    489489                }
    490490
    491                 $nav_menu_item_id = wp_update_nav_menu_item( $menu_id, 0, array(
     491                $nav_menu_item_id = wp_update_nav_menu_item( $menu_id, 0, wp_slash( array(
    492492                        'menu-item-object-id' => $unsanitized['object_id'],
    493493                        'menu-item-object' => $unsanitized['object'],
    494494                        'menu-item-parent-id' => $unsanitized['menu_item_parent'],
    class Test_WP_Customize_Nav_Menu_Item_Setting extends WP_UnitTestCase { 
    502502                        'menu-item-classes' => $unsanitized['classes'],
    503503                        'menu-item-xfn' => $unsanitized['xfn'],
    504504                        'menu-item-status' => $unsanitized['status'],
    505                 ) );
     505                ) ) );
    506506
    507507                $post = get_post( $nav_menu_item_id );
    508508                $nav_menu_item = wp_setup_nav_menu_item( clone $post );
    class Test_WP_Customize_Nav_Menu_Item_Setting extends WP_UnitTestCase { 
    549549                        'type' => 'post_type',
    550550                        'object' => 'post',
    551551                        'object_id' => $second_post_id,
    552                         'title' => 'Saludos',
     552                        'title' => 'Saludos \o/',
    553553                        'status' => 'publish',
    554554                        'nav_menu_term_id' => $secondary_menu_id,
    555555                );