WordPress.org

Make WordPress Core

Ticket #42288: 42288.diff

File 42288.diff, 1.2 KB (added by jukkarau, 19 months ago)

Adds URL validation for custom links in customizer

  • src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php

    diff --git a/src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php b/src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php
    index b5ce2e3cf4..df5050d195 100644
    a b public function sanitize( $menu_item_value ) { 
    711711                $menu_item_value['description'] = wp_unslash( apply_filters( 'content_save_pre', wp_slash( $menu_item_value['description'] ) ) );
    712712
    713713                if ( '' !== $menu_item_value['url'] ) {
    714                         $menu_item_value['url'] = esc_url_raw( $menu_item_value['url'] );
    715                         if ( '' === $menu_item_value['url'] ) {
     714                        // Validate URL with the same regex as on the frontend
     715                        if ( ! preg_match( '/^((\w+:)?\/\/\w.*|\w+:(?!\/\/$)|\/|\?|#)/', $menu_item_value['url'] ) ) {
    716716                                return new WP_Error( 'invalid_url', __( 'Invalid URL.' ) ); // Fail sanitization if URL is invalid.
    717717                        }
     718                        $menu_item_value['url'] = esc_url_raw( $menu_item_value['url'] );
     719                } else {
     720                        return new WP_Error( 'invalid_url', __( 'Invalid URL.' ) ); // Fail sanitization if URL is empty.
    718721                }
    719722                if ( 'publish' !== $menu_item_value['status'] ) {
    720723                        $menu_item_value['status'] = 'draft';