Ticket #38409: 38409.1.diff

src/wp-admin/js/customize-controls.js

@@ -4055 +4055 @@
                         // ssl certs.
 
                         previewer.add( 'previewUrl', params.previewUrl ).setter( function( to ) {
-                                var result, urlParser, newPreviewUrl, schemeMatchingPreviewUrl, queryParams;
+                                var matchesAllowedUrl, urlParser, queryParams;
                                 urlParser = document.createElement( 'a' );
                                 urlParser.href = to;
+                                urlParser.protocol = previewer.scheme.get() + ':';
 
                                 // Abort if URL is for admin or (static) files in wp-includes or wp-content.
                                 if ( /\/wp-(admin|includes|content)(\/|$)/.test( urlParser.pathname ) ) {
@@ -4077 +4078 @@
                                         }
                                 }
 
-                                newPreviewUrl = urlParser.href;
-                                urlParser.protocol = previewer.scheme.get() + ':';
-                                schemeMatchingPreviewUrl = urlParser.href;
-
                                 // Attempt to match the URL to the control frame's scheme
                                 // and check if it's allowed. If not, try the original URL.
-                                $.each( [ schemeMatchingPreviewUrl, newPreviewUrl ], function( i, url ) {
-                                        $.each( previewer.allowedUrls, function( i, allowed ) {
-                                                var path;
-
-                                                allowed = allowed.replace( /\/+$/, '' );
-                                                path = url.replace( allowed, '' );
-
-                                                if ( 0 === url.indexOf( allowed ) && /^([/#?]|$)/.test( path ) ) {
-                                                        result = url;
-                                                        return false;
-                                                }
-                                        });
-                                        if ( result ) {
-                                                return false;
-                                        }
-                                });
+                                matchesAllowedUrl = ! _.isUndefined( _.find( previewer.allowedUrls, function( allowedUrl ) {
+                                        var parsedAllowedUrl = document.createElement( 'a' );
+                                        parsedAllowedUrl.href = allowedUrl;
+                                        return urlParser.protocol === parsedAllowedUrl.protocol && urlParser.host === parsedAllowedUrl.host && 0 === parsedAllowedUrl.pathname.indexOf( urlParser.pathname );
+                                }) );
 
-                                // If we found a matching result, return it. If not, bail.
-                                return result ? result : null;
+                                return matchesAllowedUrl ? urlParser.href : null;
                         });
 
                         previewer.bind( 'ready', previewer.ready );

src/wp-includes/js/customize-base.js

@@ -654 +654 @@
                         this.add( 'origin', this.url() ).link( this.url ).setter( function( to ) {
                                 var urlParser = document.createElement( 'a' );
                                 urlParser.href = to;
-                                return urlParser.protocol + '//' + urlParser.hostname;
+                                // Port stripping needed by IE since it adds to host but not to event.origin.
+                                return urlParser.protocol + '//' + urlParser.host.replace( /:80$/, '' );
                         });
 
                         // first add with no value

src/wp-includes/js/customize-preview.js

@@ -275 +275 @@
          * @param {HTMLAnchorElement|HTMLAreaElement} element Link element.
          * @param {string} element.search Query string.
          * @param {string} element.pathname Path.
-         * @param {string} element.hostname Hostname.
+         * @param {string} element.host Host.
          * @param {object} [options]
          * @param {object} [options.allowAdminAjax=false] Allow admin-ajax.php requests.
          * @returns {boolean} Is appropriate for changeset link.
          */
         api.isLinkPreviewable = function isLinkPreviewable( element, options ) {
-                var hasMatchingHost, urlParser, args;
+                var matchesAllowedUrl, parsedAllowedUrl, args;
 
                 args = _.extend( {}, { allowAdminAjax: false }, options || {} );
 
@@ -294 +294 @@
                         return false;
                 }
 
-                urlParser = document.createElement( 'a' );
-                hasMatchingHost = ! _.isUndefined( _.find( api.settings.url.allowed, function( allowedUrl ) {
-                        urlParser.href = allowedUrl;
-                        if ( urlParser.hostname === element.hostname && urlParser.protocol === element.protocol ) {
-                                return true;
-                        }
-                        return false;
+                parsedAllowedUrl = document.createElement( 'a' );
+                matchesAllowedUrl = ! _.isUndefined( _.find( api.settings.url.allowed, function( allowedUrl ) {
+                        parsedAllowedUrl.href = allowedUrl;
+                        return parsedAllowedUrl.protocol === element.protocol && parsedAllowedUrl.host === element.host && 0 === element.pathname.indexOf( parsedAllowedUrl.pathname );
                 } ) );
-                if ( ! hasMatchingHost ) {
+                if ( ! matchesAllowedUrl ) {
                         return false;
                 }
 
@@ -331 +328 @@
          * @access protected
          *
          * @param {HTMLAnchorElement|HTMLAreaElement} element Link element.
-         * @param {object} element.search Query string.
+         * @param {string} element.search Query string.
+         * @param {string} element.host Host.
+         * @param {string} element.protocol Protocol.
          * @returns {void}
          */
         api.prepareLinkPreview = function prepareLinkPreview( element ) {
@@ -348 +347 @@
                 }
 
                 // Make sure links in preview use HTTPS if parent frame uses HTTPS.
-                if ( 'https' === api.preview.scheme.get() && 'http:' === element.protocol && -1 !== api.settings.url.allowedHosts.indexOf( element.hostname ) ) {
+                if ( 'https' === api.preview.scheme.get() && 'http:' === element.protocol && -1 !== api.settings.url.allowedHosts.indexOf( element.host ) ) {
                         element.protocol = 'https:';
                 }
 
@@ -496 +495 @@
                 urlParser.href = form.action;
 
                 // Make sure forms in preview use HTTPS if parent frame uses HTTPS.
-                if ( 'https' === api.preview.scheme.get() && 'http:' === urlParser.protocol && -1 !== api.settings.url.allowedHosts.indexOf( urlParser.hostname ) ) {
+                if ( 'https' === api.preview.scheme.get() && 'http:' === urlParser.protocol && -1 !== api.settings.url.allowedHosts.indexOf( urlParser.host ) ) {
                         urlParser.protocol = 'https:';
                         form.action = urlParser.href;
                 }