Ticket #39125: 39125.2.diff

src/wp-includes/class-wp-customize-manager.php

@@ -3889 +3889 @@
                 $this->add_setting( 'external_header_video', array(
                         'theme_supports'    => array( 'custom-header', 'video' ),
                         'transport'         => 'postMessage',
-                        'sanitize_callback' => 'esc_url_raw',
+                        'sanitize_callback' => array( $this, '_sanitize_external_header_video' ),
                         'validate_callback' => array( $this, '_validate_external_header_video' ),
                 ) );
 
@@ -4312 +4312 @@
         }
 
         /**
+         * Callback for sanitizing the external_header_video value.
+         *
+         * @since 4.7.1
+         *
+         * @param string $value
+         * @return string
+         */
+        public function _sanitize_external_header_video( $value ) {
+                return esc_url_raw( trim( $value ) );
+        }
+
+        /**
          * Callback for rendering the custom logo, used in the custom_logo partial.
          *
          * This method exists because the partial object and context data are passed

tests/phpunit/tests/customize/manager.php

@@ -2580 +2580 @@
                 $result = $this->manager->panels();
                 $this->assertEquals( $panels_sorted, array_keys( $result ) );
         }
+
+        /**
+         * Verify sanitization of external header video URL will trim the whitespaces in the beginning and end of the URL.
+         *
+         * @ticket 39125
+         */
+        function test_sanitize_external_header_video_trim() {
+                $this->manager->register_controls();
+                $setting = $this->manager->get_setting( 'external_header_video' );
+                $video_url = 'https://www.youtube.com/watch?v=KiS8rZBeIO0';
+
+                $whitespaces = array(
+                        ' ',  // space
+                        "\t", // horizontal tab
+                        "\n", // line feed
+                        "\r", // carriage return,
+                        "\f", // form feed,
+                        "\v"  // vertical tab
+                );
+
+                foreach ( $whitespaces as $whitespace  ) {
+                        $sanitized = $setting->sanitize( $whitespace . $video_url . $whitespace );
+                        $this->assertEquals( $video_url, $sanitized );
+                }
+        }
 }
 
 require_once ABSPATH . WPINC . '/class-wp-customize-setting.php';