
Changeset 20882


Timestamp:
05/24/2012 07:17:49 PM (12 years ago)
Author:
koopersmith
Message:

Theme Customizer: Improve accuracy of identifying internal urls. see #20507, #19910.

The 'customize_preview_link' filter has been replaced by 'customize_allowed_urls'.
Improved accuracy when checking for wp-admin.
Improved accuracy when attempting to match the schemes of the control and preview frames.
Improved accuracy of internal link whitelist.

Location:
trunk
Files:
2 edited

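--- a/trunk/wp-admin/customize.php
+++ b/trunk/wp-admin/customize.php
@@ -102,13 +102,15 @@
     // insecure content warnings. This is not attempted if the admin and frontend
     // are on different domains to avoid the case where the frontend doesn't have
-    // ssl certs. Domain mapping plugins can force ssl in these conditions using
-    // the customize_preview_link filter.
+    // ssl certs. Domain mapping plugins can allow other urls in these conditions
+    // using the customize_allowed_urls filter.
+
+    $allowed_urls = array( home_url('/') );
     $admin_origin = parse_url( admin_url() );
-    $home_origin = parse_url( home_url() );
-    $scheme = null;
+    $home_origin  = parse_url( home_url() );
+
     if ( is_ssl() && ( $admin_origin[ 'host' ] == $home_origin[ 'host' ] ) )
-        $scheme = 'https';
+        $allowed_urls[] = home_url( '/', 'https' );
 
-    $preview_url = apply_filters( 'customize_preview_link',  home_url( '/', $scheme ) );
+    $allowed_urls = array_unique( apply_filters( 'customize_allowed_urls', $allowed_urls ) );
 
     $settings = array(
@@ -118,7 +120,8 @@
         ),
         'url'      => array(
-            'preview'  => esc_url( $preview_url ),
+            'preview'  => esc_url( home_url( '/' ) ),
             'parent'   => esc_url( admin_url() ),
             'ajax'     => esc_url( admin_url( 'admin-ajax.php', 'relative' ) ),
+            'allowed'  => array_map( 'esc_url', $allowed_urls ),
         ),
         'settings' => array(),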
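Review bot: The entries coming back from the `customize_allowed_urls` filter (new line 114) are only de-duplicated and escaped, yet the preview frame accepts a navigation target by plain string prefix against this list, so an entry a plugin adds without a trailing slash (`http://example.com`) also admits `http://example.com.attacker.tld/`; the defaults built here are safe only because `home_url( '/' )` happens to end in a slash. Normalising every entry before it leaves PHP removes that dependency on plugin authors: `$allowed_urls = array_unique( array_map( 'trailingslashit', apply_filters( 'customize_allowed_urls', $allowed_urls ) ) );`. Separately, `esc_url` on new line 125 is the display escaper and rewrites `&` as `&#038;`, so an allowed URL that carries a query string would no longer prefix-match the raw URLs the preview sees; `esc_url_raw` is the escaper meant for values handed to script rather than to HTML.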
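--- a/trunk/wp-includes/js/customize-controls.dev.js
+++ b/trunk/wp-includes/js/customize-controls.dev.js
@@ -273,5 +273,6 @@
          */
         initialize: function( params, options ) {
-            var self = this;
+            var self = this,
+                rscheme = /^https?/;
 
             $.extend( this, options || {} );
@@ -315,5 +316,6 @@
             })( this );
 
-            this.container = api.ensure( params.container );
+            this.container   = api.ensure( params.container );
+            this.allowedUrls = params.allowedUrls;
 
             api.Messenger.prototype.initialize.call( this, params.url );
@@ -323,11 +325,40 @@
             this.origin.unlink( this.url ).set( window.location.href );
 
+            this.add( 'scheme', this.origin() ).link( this.origin ).setter( function( to ) {
+                var match = to.match( rscheme );
+                return match ? match[0] : '';
+            });
+
             // Limit the URL to internal, front-end links.
+            //
+            // If the frontend and the admin are served from the same domain, load the
+            // preview over ssl if the customizer is being loaded over ssl. This avoids
+            // insecure content warnings. This is not attempted if the admin and frontend
+            // are on different domains to avoid the case where the frontend doesn't have
+            // ssl certs.
+
             this.url.setter( function( to ) {
-                // Bail if we're navigating to a different origin or wp-admin.
-                if ( 0 !== to.indexOf( self.origin() + '/' ) || -1 !== to.indexOf( 'wp-admin' ) )
+                var result;
+
+                // Check for URLs that include "/wp-admin/" or end in "/wp-admin".
+                // Strip hashes and query strings before testing.
+                if ( /\/wp-admin(\/|$)/.test( to.replace(/[#?].*$/, '') ) )
                     return null;
 
-                return to;
+                // Attempt to match the URL to the control frame's scheme
+                // and check if it's allowed. If not, try the original URL.
+                $.each([ to.replace( rscheme, self.scheme() ), to ], function( i, url ) {
+                    $.each( self.allowedUrls, function( i, allowed ) {
+                        if ( 0 === url.indexOf( allowed ) ) {
+                            result = url;
+                            return false;
+                        }
+                    });
+                    if ( result )
+                        return false;
+                });
+
+                // If we found a matching result, return it. If not, bail.
+                return result ? result : null;
             });
 
@@ -423,7 +454,8 @@
 
         previewer = new api.Previewer({
-            container: '#customize-preview',
-            form:      '#customize-controls',
-            url:       api.settings.url.preview
+            container:   '#customize-preview',
+            form:        '#customize-controls',
+            url:         api.settings.url.preview,
+            allowedUrls: api.settings.url.allowed
         }, {
             query: function() {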
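Review bot: `this.allowedUrls = params.allowedUrls;` on new line 319 is stored without a default, and the url setter later hands it straight to `$.each( self.allowedUrls, … )` (new line 351), so any code that constructs `api.Previewer` with only the pre-existing `url` param — the `allowed` setting is introduced by this same changeset — would most likely hit a TypeError inside jQuery's iterator on every navigation rather than a clean refusal. A default keeps the setter fail-closed: `this.allowedUrls = params.allowedUrls || [];`. The wp-admin test on new line 345 also runs on the raw string, so a percent-encoded form such as `/wp%2Dadmin/` is not caught client-side; whether the web server would decode that to the admin path is deployment-specific, which is worth a comment there (`// NOTE: paths are not percent-decoded before this test`) so the check is not mistaken for a security boundary. The enclosing `initialize` method begins before the first hunk and ends outside the last one.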