Changeset 20882 for trunk/wp-admin/customize.php

Timestamp:

05/24/2012 07:17:49 PM (13 years ago)

Author:

koopersmith

Message:

Theme Customizer: Improve accuracy of identifying internal urls. see #20507, #19910.

The 'customize_preview_link' filter has been replaced by 'customize_allowed_urls'.
Improved accuracy when checking for wp-admin.
Improved accuracy when attempting to match the schemes of the control and preview frames.
Improved accuracy of internal link whitelist.

File:

• trunk/wp-admin/customize.php (modified) (2 diffs)

trunk/wp-admin/customize.php

@@ -102 +102 @@
     // insecure content warnings. This is not attempted if the admin and frontend
     // are on different domains to avoid the case where the frontend doesn't have
-    // ssl certs. Domain mapping plugins can force ssl in these conditions using
-    // the customize_preview_link filter.
+    // ssl certs. Domain mapping plugins can allow other urls in these conditions
+    // using the customize_allowed_urls filter.
+
+    $allowed_urls = array( home_url('/') );
     $admin_origin = parse_url( admin_url() );
-    $home_origin = parse_url( home_url() );
-    $scheme = null;
+    $home_origin  = parse_url( home_url() );
+
     if ( is_ssl() && ( $admin_origin[ 'host' ] == $home_origin[ 'host' ] ) )
-        $scheme = 'https';
+        $allowed_urls[] = home_url( '/', 'https' );
 
-    $preview_url = apply_filters( 'customize_preview_link',  home_url( '/', $scheme ) );
+    $allowed_urls = array_unique( apply_filters( 'customize_allowed_urls', $allowed_urls ) );
 
     $settings = array(
@@ -118 +120 @@
         ),
         'url'      => array(
-            'preview'  => esc_url( $preview_url ),
+            'preview'  => esc_url( home_url( '/' ) ),
             'parent'   => esc_url( admin_url() ),
             'ajax'     => esc_url( admin_url( 'admin-ajax.php', 'relative' ) ),
+            'allowed'  => array_map( 'esc_url', $allowed_urls ),
         ),
         'settings' => array(),