Ticket #35898: 35898.0.diff

src/wp-includes/class-wp-customize-setting.php

@@ -496 +496 @@
          * @return string|array|null Null if an input isn't valid, otherwise the sanitized value.
          */
         public function sanitize( $value ) {
-                $value = wp_unslash( $value );
 
                 /**
                  * Filter a Customize setting value in un-slashed form.

src/wp-includes/customize/class-wp-customize-nav-menu-setting.php

@@ -513 +513 @@
                         $menu_data['menu-name'] = $value['name'];
 
                         $menu_id = $is_placeholder ? 0 : $this->term_id;
-                        $r = wp_update_nav_menu_object( $menu_id, $menu_data );
+                        $r = wp_update_nav_menu_object( $menu_id, wp_slash( $menu_data ) );
                         $original_name = $menu_data['menu-name'];
                         $name_conflict_suffix = 1;
                         while ( is_wp_error( $r ) && 'menu_exists' === $r->get_error_code() ) {
                                 $name_conflict_suffix += 1;
                                 /* translators: 1: original menu name, 2: duplicate count */
                                 $menu_data['menu-name'] = sprintf( __( '%1$s (%2$d)' ), $original_name, $name_conflict_suffix );
-                                $r = wp_update_nav_menu_object( $menu_id, $menu_data );
+                                $r = wp_update_nav_menu_object( $menu_id, wp_slash( $menu_data ) );
                         }
 
                         if ( is_wp_error( $r ) ) {

src/wp-includes/nav-menu.php

@@ -196 +196 @@
 /**
  * Creates a navigation menu.
  *
+ * Note that <code>$menu_name</code> is expected to be pre-slashed.
+ *
  * @since 3.0.0
  *
  * @param string $menu_name Menu name.
  * @return int|WP_Error Menu ID on success, WP_Error object on failure.
  */
 function wp_create_nav_menu( $menu_name ) {
+        // expected_slashed ($menu_name)
         return wp_update_nav_menu_object( 0, array( 'menu-name' => $menu_name ) );
 }
 
@@ -252 +255 @@
 /**
  * Save the properties of a menu or create a new menu with those properties.
  *
+ * Note that <code>$menu_data</code> is expected to be pre-slashed.
+ *
  * @since 3.0.0
  *
  * @param int   $menu_id   The ID of the menu or "0" to create a new menu.
@@ -259 +264 @@
  * @return int|WP_Error Menu ID on success, WP_Error object on failure.
  */
 function wp_update_nav_menu_object( $menu_id = 0, $menu_data = array() ) {
+        // expected_slashed ($menu_data)
         $menu_id = (int) $menu_id;
 
         $_menu = wp_get_nav_menu_object( $menu_id );

src/wp-includes/widgets/class-wp-nav-menu-widget.php

@@ -92 +92 @@
         public function update( $new_instance, $old_instance ) {
                 $instance = array();
                 if ( ! empty( $new_instance['title'] ) ) {
-                        $instance['title'] = sanitize_text_field( stripslashes( $new_instance['title'] ) );
+                        $instance['title'] = sanitize_text_field( $new_instance['title'] );
                 }
                 if ( ! empty( $new_instance['nav_menu'] ) ) {
                         $instance['nav_menu'] = (int) $new_instance['nav_menu'];

src/wp-includes/widgets/class-wp-widget-tag-cloud.php

@@ -98 +98 @@
          */
         public function update( $new_instance, $old_instance ) {
                 $instance = array();
-                $instance['title'] = sanitize_text_field( stripslashes( $new_instance['title'] ) );
+                $instance['title'] = sanitize_text_field( $new_instance['title'] );
                 $instance['taxonomy'] = stripslashes($new_instance['taxonomy']);
                 return $instance;
         }

src/wp-includes/widgets/class-wp-widget-text.php

@@ -83 +83 @@
                 if ( current_user_can('unfiltered_html') )
                         $instance['text'] =  $new_instance['text'];
                 else
-                        $instance['text'] = wp_kses_post( stripslashes( $new_instance['text'] ) );
+                        $instance['text'] = wp_kses_post( $new_instance['text'] );
                 $instance['filter'] = ! empty( $new_instance['filter'] );
                 return $instance;
         }

tests/phpunit/tests/customize/nav-menu-setting.php

@@ -114 +114 @@
         function test_construct_placeholder() {
                 do_action( 'customize_register', $this->wp_customize );
                 $default = array(
-                        'name' => 'Lorem',
-                        'description' => 'ipsum',
+                        'name' => 'Lorem \\o/',
+                        'description' => 'ipsum \\o/',
                         'parent' => 123,
                 );
                 $setting = new WP_Customize_Nav_Menu_Setting( $this->wp_customize, 'nav_menu[-5]', compact( 'default' ) );
@@ -131 +131 @@
         function test_value() {
                 do_action( 'customize_register', $this->wp_customize );
 
-                $menu_name = 'Test 123';
-                $parent_menu_id = wp_create_nav_menu( "Parent $menu_name" );
-                $description = 'Hello my world.';
-                $menu_id = wp_update_nav_menu_object( 0, array(
+                $menu_name = 'Test 123 \\o/';
+                $parent_menu_id = wp_create_nav_menu( wp_slash( "Parent $menu_name" ) );
+                $description = 'Hello my world \\o/.';
+                $menu_id = wp_update_nav_menu_object( 0, wp_slash( array(
                         'menu-name' => $menu_name,
                         'parent' => $parent_menu_id,
                         'description' => $description,
-                ) );
+                ) ) );
 
                 $setting_id = "nav_menu[$menu_id]";
                 $setting = new WP_Customize_Nav_Menu_Setting( $this->wp_customize, $setting_id );
@@ -153 +153 @@
                 $this->assertEquals( $parent_menu_id, $value['parent'] );
 
                 $new_menu_name = 'Foo';
-                wp_update_nav_menu_object( $menu_id, array( 'menu-name' => $new_menu_name ) );
+                wp_update_nav_menu_object( $menu_id, wp_slash( array( 'menu-name' => $new_menu_name ) ) );
                 $updated_value = $setting->value();
                 $this->assertEquals( $new_menu_name, $updated_value['name'] );
         }
@@ -166 +166 @@
         function test_preview_updated() {
                 do_action( 'customize_register', $this->wp_customize );
 
-                $menu_id = wp_update_nav_menu_object( 0, array(
-                        'menu-name' => 'Name 1',
-                        'description' => 'Description 1',
+                $menu_id = wp_update_nav_menu_object( 0, wp_slash( array(
+                        'menu-name' => 'Name 1 \\o/',
+                        'description' => 'Description 1 \\o/',
                         'parent' => 0,
-                ) );
+                ) ) );
                 $setting_id = "nav_menu[$menu_id]";
                 $setting = new WP_Customize_Nav_Menu_Setting( $this->wp_customize, $setting_id );
 
@@ -178 +178 @@
                 $this->assertNotContains( $menu_id, $nav_menu_options['auto_add'] );
 
                 $post_value = array(
-                        'name' => 'Name 2',
-                        'description' => 'Description 2',
+                        'name' => 'Name 2 \\o/',
+                        'description' => 'Description 2 \\o/',
                         'parent' => 1,
                         'auto_add' => true,
                 );
                 $this->wp_customize->set_post_value( $setting_id, $post_value );
 
                 $value = $setting->value();
-                $this->assertEquals( 'Name 1', $value['name'] );
-                $this->assertEquals( 'Description 1', $value['description'] );
+                $this->assertEquals( 'Name 1 \\o/', $value['name'] );
+                $this->assertEquals( 'Description 1 \\o/', $value['description'] );
                 $this->assertEquals( 0, $value['parent'] );
 
                 $term = (array) wp_get_nav_menu_object( $menu_id );
@@ -199 +199 @@
 
                 $setting->preview();
                 $value = $setting->value();
-                $this->assertEquals( 'Name 2', $value['name'] );
-                $this->assertEquals( 'Description 2', $value['description'] );
+                $this->assertEquals( 'Name 2 \\o/', $value['name'] );
+                $this->assertEquals( 'Description 2 \\o/', $value['description'] );
                 $this->assertEquals( 1, $value['parent'] );
                 $term = (array) wp_get_nav_menu_object( $menu_id );
                 $this->assertEqualSets( $value, wp_array_slice_assoc( $term, array_keys( $value ) ) );
@@ -217 +217 @@
                 $i = array_search( $menu_id, $menus_ids );
                 $this->assertInternalType( 'int', $i, 'Update-previewed menu does not appear in wp_get_nav_menus()' );
                 $filtered_menu = $menus[ $i ];
-                $this->assertEquals( 'Name 2', $filtered_menu->name );
+                $this->assertEquals( 'Name 2 \\o/', $filtered_menu->name );
         }
 
         /**
@@ -230 +230 @@
 
                 $menu_id = -123;
                 $post_value = array(
-                        'name' => 'New Menu Name 1',
-                        'description' => 'New Menu Description 1',
+                        'name' => 'New Menu Name 1 \\o/',
+                        'description' => 'New Menu Description 1 \\o/',
                         'parent' => 0,
                         'auto_add' => false,
                 );
@@ -262 +262 @@
                 $i = array_search( $menu_id, $menus_ids );
                 $this->assertInternalType( 'int', $i, 'Insert-previewed menu was not injected into wp_get_nav_menus()' );
                 $filtered_menu = $menus[ $i ];
-                $this->assertEquals( 'New Menu Name 1', $filtered_menu->name );
+                $this->assertEquals( 'New Menu Name 1 \\o/', $filtered_menu->name );
         }
 
         /**
@@ -273 +273 @@
         function test_preview_deleted() {
                 do_action( 'customize_register', $this->wp_customize );
 
-                $menu_id = wp_update_nav_menu_object( 0, array(
-                        'menu-name' => 'Name 1',
-                        'description' => 'Description 1',
+                $menu_id = wp_update_nav_menu_object( 0, wp_slash( array(
+                        'menu-name' => 'Name 1 \\o/',
+                        'description' => 'Description 1 \\o/',
                         'parent' => 0,
-                ) );
+                ) ) );
                 $setting_id = "nav_menu[$menu_id]";
                 $setting = new WP_Customize_Nav_Menu_Setting( $this->wp_customize, $setting_id );
                 $nav_menu_options = $this->get_nav_menu_items_option();
@@ -312 +312 @@
                 $this->assertNull( $setting->sanitize( 123 ) );
 
                 $value = array(
-                        'name' => ' Hello <b>world</b> ',
-                        'description' => "New\nline",
+                        'name' => ' Hello \\o/ <b>world</b> ',
+                        'description' => "New\nline \\o/",
                         'parent' => -12,
                         'auto_add' => true,
                         'extra' => 'ignored',
                 );
                 $sanitized = $setting->sanitize( $value );
-                $this->assertEquals( 'Hello &lt;b&gt;world&lt;/b&gt;', $sanitized['name'] );
-                $this->assertEquals( 'New line', $sanitized['description'] );
+                $this->assertEquals( 'Hello \\o/ &lt;b&gt;world&lt;/b&gt;', $sanitized['name'] );
+                $this->assertEquals( 'New line \\o/', $sanitized['description'] );
                 $this->assertEquals( 0, $sanitized['parent'] );
                 $this->assertEquals( true, $sanitized['auto_add'] );
                 $this->assertEqualSets( array( 'name', 'description', 'parent', 'auto_add' ), array_keys( $sanitized ) );
@@ -338 +338 @@
         function test_save_updated() {
                 do_action( 'customize_register', $this->wp_customize );
 
-                $menu_id = wp_update_nav_menu_object( 0, array(
-                        'menu-name' => 'Name 1',
-                        'description' => 'Description 1',
+                $menu_id = wp_update_nav_menu_object( 0, wp_slash( array(
+                        'menu-name' => 'Name 1 \\o/',
+                        'description' => 'Description 1 \\o/',
                         'parent' => 0,
-                ) );
+                ) ) );
                 $nav_menu_options = $this->get_nav_menu_items_option();
                 $nav_menu_options['auto_add'][] = $menu_id;
                 update_option( 'nav_menu_options', $nav_menu_options );
@@ -352 +352 @@
 
                 $auto_add = false;
                 $new_value = array(
-                        'name' => 'Name 2',
-                        'description' => 'Description 2',
+                        'name' => 'Name 2 \\o/',
+                        'description' => 'Description 2 \\o/',
                         'parent' => 1,
                         'auto_add' => $auto_add,
                 );
@@ -400 +400 @@
 
                 $menu_id = -123;
                 $post_value = array(
-                        'name' => 'New Menu Name 1',
-                        'description' => 'New Menu Description 1',
+                        'name' => 'New Menu Name 1 \\o/',
+                        'description' => 'New Menu Description 1 \\o/',
                         'parent' => 0,
                         'auto_add' => true,
                 );
@@ -448 +448 @@
                 do_action( 'customize_register', $this->wp_customize );
 
                 $menu_name = 'Foo';
-                wp_update_nav_menu_object( 0, array( 'menu-name' => $menu_name ) );
+                wp_update_nav_menu_object( 0, wp_slash( array( 'menu-name' => $menu_name ) ) );
 
                 $menu_id = -123;
                 $setting_id = "nav_menu[$menu_id]";
@@ -472 +472 @@
         function test_save_deleted() {
                 do_action( 'customize_register', $this->wp_customize );
 
-                $menu_name = 'Lorem Ipsum';
-                $menu_id = wp_create_nav_menu( $menu_name );
+                $menu_name = 'Lorem Ipsum \\o/';
+                $menu_id = wp_create_nav_menu( wp_slash( $menu_name ) );
                 $setting_id = "nav_menu[$menu_id]";
                 $setting = new WP_Customize_Nav_Menu_Setting( $this->wp_customize, $setting_id );
                 $nav_menu_options = $this->get_nav_menu_items_option();
@@ -506 +506 @@
                 $nav_menu_options = $this->get_nav_menu_items_option();
                 $this->assertNotContains( $menu_id, $nav_menu_options['auto_add'] );
         }
-
 }

tests/phpunit/tests/customize/setting.php

@@ -67 +67 @@
         }
 
         public $post_data_overrides = array(
-                'unset_option_overridden' => 'unset_option_post_override_value',
-                'unset_theme_mod_overridden' => 'unset_theme_mod_post_override_value',
-                'set_option_overridden' => 'set_option_post_override_value',
-                'set_theme_mod_overridden' => 'set_theme_mod_post_override_value',
-                'unset_option_multi_overridden[foo]' => 'unset_option_multi_overridden[foo]_post_override_value',
-                'unset_theme_mod_multi_overridden[foo]' => 'unset_theme_mod_multi_overridden[foo]_post_override_value',
-                'set_option_multi_overridden[foo]' => 'set_option_multi_overridden[foo]_post_override_value',
-                'set_theme_mod_multi_overridden[foo]' => 'set_theme_mod_multi_overridden[foo]_post_override_value',
+                'unset_option_overridden' => 'unset_option_post_override_value\\o/',
+                'unset_theme_mod_overridden' => 'unset_theme_mod_post_override_value\\o/',
+                'set_option_overridden' => 'set_option_post_override_value\\o/',
+                'set_theme_mod_overridden' => 'set_theme_mod_post_override_value\\o/',
+                'unset_option_multi_overridden[foo]' => 'unset_option_multi_overridden[foo]_post_override_value\\o/',
+                'unset_theme_mod_multi_overridden[foo]' => 'unset_theme_mod_multi_overridden[foo]_post_override_value\\o/',
+                'set_option_multi_overridden[foo]' => 'set_option_multi_overridden[foo]_post_override_value\\o/',
+                'set_theme_mod_multi_overridden[foo]' => 'set_theme_mod_multi_overridden[foo]_post_override_value\\o/',
         );
 
         public $standard_type_configs = array(
@@ -299 +299 @@
         function test_preview_custom_type() {
                 $type = 'custom_type';
                 $post_data_overrides = array(
-                        "unset_{$type}_with_post_value" => "unset_{$type}_without_post_value",
-                        "set_{$type}_with_post_value" => "set_{$type}_without_post_value",
+                        "unset_{$type}_with_post_value" => "unset_{$type}_without_post_value\\o/",
+                        "set_{$type}_with_post_value" => "set_{$type}_without_post_value\\o/",
                 );
                 $_POST['customized'] = wp_slash( wp_json_encode( $post_data_overrides ) );
 
@@ -417 +417 @@
                 $this->assertTrue( 0 === did_action( 'customize_save_foo' ) );
 
                 // Try setting post value without user as admin.
-                $this->manager->set_post_value( $setting->id, 'hello world' );
+                $this->manager->set_post_value( $setting->id, 'hello world \\o/' );
                 $this->assertFalse( $setting->save() );
                 $this->assertTrue( 0 === did_action( 'customize_update_custom' ) );
                 $this->assertTrue( 0 === did_action( 'customize_save_foo' ) );
@@ -437 +437 @@
          * @param WP_Customize_Setting $setting
          */
         function handle_customize_update_custom_foo_action( $value, $setting = null ) {
-                $this->assertEquals( 'hello world', $value );
+                $this->assertEquals( 'hello world \\o/', $value );
                 $this->assertInstanceOf( 'WP_Customize_Setting', $setting );
         }