
Changeset 35788


Timestamp:
12/06/2015 08:28:26 PM (9 years ago)
Author:
kovshenin
Message:

Allow usage of angle brackets in a site title or tagline.

The whole string is escaped with esc_html() anyway, so wp_kses_post()
is not needed. This is a better experience for users who want to use
angle brackets in their site title or description. Still does not allow
any HTML; adds unit tests.

props BandonRandon, pauldewouters.
fixes #27942.

Location:
trunk
Files:
2 edited

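--- a/trunk/src/wp-includes/formatting.php
+++ b/trunk/src/wp-includes/formatting.php
@@ -3707,5 +3707,4 @@
                 $error = $value->get_error_message();
             } else {
-                $value = wp_kses_post( $value );
                 $value = esc_html( $value );
             }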
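Review bot: With wp_kses_post() gone, esc_html() is the only sanitization left on this branch, and the accompanying test expectation `'&lt;foo&gt;' => '&lt;foo&gt;'` shows it does not double-encode, so the option is now stored HTML-escaped rather than tag-stripped — a `<script>` payload survives in encoded form. That is safe wherever the value is emitted straight into an HTML context, but any consumer that decodes entities before use (e-mail headers, feeds, non-HTML title contexts) would get the raw markup back that wp_kses_post() used to remove; this hunk cannot show those callers, so that audit is the thing to check before merging. I would document the new contract above the call: `// esc_html() is the only sanitization here: the stored value is HTML-escaped, not tag-stripped; code that decodes it must re-escape for its own context.` The enclosing function starts and ends outside this hunk.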
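--- a/trunk/tests/phpunit/tests/formatting/BlogInfo.php
+++ b/trunk/tests/phpunit/tests/formatting/BlogInfo.php
@@ -32,3 +32,42 @@
         );
     }
+
+    /**
+     * @ticket 27942
+     */
+    function test_bloginfo_sanitize_option() {
+        $old_values = array(
+            'blogname'        => get_option( 'blogname' ),
+            'blogdescription' => get_option( 'blogdescription' ),
+        );
+
+        $values = array(
+            'foo'                  => 'foo',
+            '<em>foo</em>'         => '&lt;em&gt;foo&lt;/em&gt;',
+            '<script>foo</script>' => '&lt;script&gt;foo&lt;/script&gt;',
+            '&lt;foo&gt;'          => '&lt;foo&gt;',
+            '<foo'                 => '&lt;foo',
+        );
+
+        foreach ( $values as $value => $expected ) {
+            $sanitized_value = sanitize_option( 'blogname', $value );
+            update_option( 'blogname', $sanitized_value );
+
+            $this->assertEquals( $expected, $sanitized_value );
+            $this->assertEquals( $expected, get_bloginfo( 'name' ) );
+            $this->assertEquals( $expected, get_bloginfo( 'name', 'display' ) );
+
+            $sanitized_value = sanitize_option( 'blogdescription', $value );
+            update_option( 'blogdescription', $sanitized_value );
+
+            $this->assertEquals( $expected, $sanitized_value );
+            $this->assertEquals( $expected, get_bloginfo( 'description' ) );
+            $this->assertEquals( $expected, get_bloginfo( 'description', 'display' ) );
+        }
+
+        // Restore old values.
+        foreach ( $old_values as $option_name => $value ) {
+            update_option( $option_name, $value );
+        }
+    }
 }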
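Review bot: The "Restore old values" loop at the end of test_bloginfo_sanitize_option() only runs when every assertion passes; a failing assertEquals() throws before it, leaving blogname/blogdescription set to the last payload (an encoded `<script>` string) for any test that runs afterwards. Move the restore into `tearDown()` or wrap the assertion loop in `try { … } finally { … }` so the options are always reset. Since every expected value is a string, `assertSame()` would pin the result more tightly than `assertEquals()`, which also accepts loosely-equal values. A data provider for `$values` would additionally give one named case per payload and a clearer failure message than the loop.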