Changeset 36608

Timestamp:

02/22/2016 12:13:53 AM (8 years ago)

Author:

westonruter

Message:

Customize: Fix previewing and updating of nav menu items containing slashed/slashable characters.

Prevents slashes from being added when a user without unfiltered_html previews a nav menu item containing an apostrophe or some other slashable character, and prevents the loss of an intentional slash (e.g. "\o/") when saving a nav menu item, regardless of capability.

Fixes #35869.

Location:

trunk

Files:

• src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php (modified) (2 diffs)
• src/wp-includes/nav-menu.php (modified) (1 diff)
• tests/phpunit/tests/customize/nav-menu-item-setting.php (modified) (5 diffs)

trunk/src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php

@@ -640 +640 @@
 
         // Apply the same filters as when calling wp_insert_post().
-        $menu_item_value['title'] = apply_filters( 'title_save_pre', $menu_item_value['title'] );
-        $menu_item_value['attr_title'] = apply_filters( 'excerpt_save_pre', $menu_item_value['attr_title'] );
-        $menu_item_value['description'] = apply_filters( 'content_save_pre', $menu_item_value['description'] );
+        $menu_item_value['title'] = wp_unslash( apply_filters( 'title_save_pre', wp_slash( $menu_item_value['title'] ) ) );
+        $menu_item_value['attr_title'] = wp_unslash( apply_filters( 'excerpt_save_pre', wp_slash( $menu_item_value['attr_title'] ) ) );
+        $menu_item_value['description'] = wp_unslash( apply_filters( 'content_save_pre', wp_slash( $menu_item_value['description'] ) ) );
 
         $menu_item_value['url'] = esc_url_raw( $menu_item_value['url'] );
@@ -777 +777 @@
                 $value['nav_menu_term_id'],
                 $is_placeholder ? 0 : $this->post_id,
-                $menu_item_data
+                wp_slash( $menu_item_data )
             );
 

trunk/src/wp-includes/nav-menu.php

@@ -344 +344 @@
 /**
  * Save the properties of a menu item or create a new one.
+ *
+ * The menu-item-title, menu-item-description, and menu-item-attr-title are expected
+ * to be pre-slashed since they are passed directly into <code>wp_insert_post()</code>.
  *
  * @since 3.0.0

trunk/tests/phpunit/tests/customize/nav-menu-item-setting.php

@@ -451 +451 @@
             'position' => -123,
             'type' => 'custom<b>',
-            'title' => 'Hi<script>unfilteredHtml()</script>',
+            'title' => '\o/ o\'o Hi<script>unfilteredHtml()</script>',
             'url' => 'javascript:alert(1)',
             'target' => '" onclick="',
-            'attr_title' => '<b>bolded</b><script>unfilteredHtml()</script>',
-            'description' => '<b>Hello world</b><script>unfilteredHtml()</script>',
+            'attr_title' => '\o/ o\'o <b>bolded</b><script>unfilteredHtml()</script>',
+            'description' => '\o/ o\'o <b>Hello world</b><script>unfilteredHtml()</script>',
             'classes' => 'hello " inject="',
             'xfn' => 'hello " inject="',
@@ -470 +470 @@
             'position' => -123,
             'type' => 'customb',
-            'title' => current_user_can( 'unfiltered_html' ) ? 'Hi<script>unfilteredHtml()</script>' : 'HiunfilteredHtml()',
+            'title' => current_user_can( 'unfiltered_html' ) ? '\o/ o\'o Hi<script>unfilteredHtml()</script>' : '\o/ o\'o HiunfilteredHtml()',
             'url' => '',
             'target' => 'onclick',
-            'attr_title' => current_user_can( 'unfiltered_html' ) ? '<b>bolded</b><script>unfilteredHtml()</script>' : '<b>bolded</b>unfilteredHtml()',
-            'description' => current_user_can( 'unfiltered_html' ) ? '<b>Hello world</b><script>unfilteredHtml()</script>' : '<b>Hello world</b>unfilteredHtml()',
+            'attr_title' => current_user_can( 'unfiltered_html' ) ? '\o/ o\'o <b>bolded</b><script>unfilteredHtml()</script>' : '\o/ o\'o <b>bolded</b>unfilteredHtml()',
+            'description' => current_user_can( 'unfiltered_html' ) ? '\o/ o\'o <b>Hello world</b><script>unfilteredHtml()</script>' : '\o/ o\'o <b>Hello world</b>unfilteredHtml()',
             'classes' => 'hello  inject',
             'xfn' => 'hello  inject',
@@ -489 +489 @@
         }
 
-        $nav_menu_item_id = wp_update_nav_menu_item( $menu_id, 0, array(
+        $nav_menu_item_id = wp_update_nav_menu_item( $menu_id, 0, wp_slash( array(
             'menu-item-object-id' => $unsanitized['object_id'],
             'menu-item-object' => $unsanitized['object'],
@@ -503 +503 @@
             'menu-item-xfn' => $unsanitized['xfn'],
             'menu-item-status' => $unsanitized['status'],
-        ) );
+        ) ) );
 
         $post = get_post( $nav_menu_item_id );
@@ -550 +550 @@
             'object' => 'post',
             'object_id' => $second_post_id,
-            'title' => 'Saludos',
+            'title' => 'Saludos \o/ o\'o',
             'status' => 'publish',
             'nav_menu_term_id' => $secondary_menu_id,