Changeset 36608


Timestamp:
02/22/2016 12:13:53 AM (4 years ago)
Author:
westonruter
Message:

Customize: Fix previewing and updating of nav menu items containing slashed/slashable characters.

Prevents slashes from being added when a user without unfiltered_html previews a nav menu item containing an apostrophe or some other slashable character, and prevents the loss of an intentional slash (e.g. "\o/") when saving a nav menu item, regardless of capability.

Fixes #35869.

Location:
trunk
Files:
3 edited

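--- a/trunk/src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php
+++ b/trunk/src/wp-includes/customize/class-wp-customize-nav-menu-item-setting.php
@@ -640,7 +640,7 @@
 
         // Apply the same filters as when calling wp_insert_post().
-        $menu_item_value['title'] = apply_filters( 'title_save_pre', $menu_item_value['title'] );
-        $menu_item_value['attr_title'] = apply_filters( 'excerpt_save_pre', $menu_item_value['attr_title'] );
-        $menu_item_value['description'] = apply_filters( 'content_save_pre', $menu_item_value['description'] );
+        $menu_item_value['title'] = wp_unslash( apply_filters( 'title_save_pre', wp_slash( $menu_item_value['title'] ) ) );
+        $menu_item_value['attr_title'] = wp_unslash( apply_filters( 'excerpt_save_pre', wp_slash( $menu_item_value['attr_title'] ) ) );
+        $menu_item_value['description'] = wp_unslash( apply_filters( 'content_save_pre', wp_slash( $menu_item_value['description'] ) ) );
 
         $menu_item_value['url'] = esc_url_raw( $menu_item_value['url'] );
@@ -777,5 +777,5 @@
                 $value['nav_menu_term_id'],
                 $is_placeholder ? 0 : $this->post_id,
-                $menu_item_data
+                wp_slash( $menu_item_data )
             );
 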
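Review bot: The comment at line 641 still only says the filters match wp_insert_post(); the slash/unslash wrapping on the three assignments beneath it carries no stated reason, so a later maintainer could read the wrap as redundant and drop it, which would reintroduce the doubled-slash bug this changeset fixes. Extend it to `// Apply the same filters as when calling wp_insert_post(). Those filters run on slashed input there, so slash before filtering and unslash the result.` The three assignments repeat the identical wrap; iterating a small field-to-filter map in a foreach would keep any field added later on the same contract. The enclosing sanitize method begins and ends outside the hunk, and the second hunk handles the companion case by passing `wp_slash( $menu_item_data )` into the update call.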
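--- a/trunk/src/wp-includes/nav-menu.php
+++ b/trunk/src/wp-includes/nav-menu.php
@@ -344,4 +344,7 @@
 /**
  * Save the properties of a menu item or create a new one.
+ *
+ * The menu-item-title, menu-item-description, and menu-item-attr-title are expected
+ * to be pre-slashed since they are passed directly into <code>wp_insert_post()</code>.
  *
  * @since 3.0.0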
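Review bot: The added paragraph states the pre-slashed contract but not how a caller meets it; adding ` * @see wp_slash()` after it points callers to the helper that the test changes in this changeset use. The documented function, presumably wp_update_nav_menu_item() given the menu-item-* keys, is defined after the hunk.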
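--- a/trunk/tests/phpunit/tests/customize/nav-menu-item-setting.php
+++ b/trunk/tests/phpunit/tests/customize/nav-menu-item-setting.php
@@ -451,9 +451,9 @@
             'position' => -123,
             'type' => 'custom<b>',
-            'title' => 'Hi<script>unfilteredHtml()</script>',
+            'title' => '\o/ o\'o Hi<script>unfilteredHtml()</script>',
             'url' => 'javascript:alert(1)',
             'target' => '" onclick="',
-            'attr_title' => '<b>bolded</b><script>unfilteredHtml()</script>',
-            'description' => '<b>Hello world</b><script>unfilteredHtml()</script>',
+            'attr_title' => '\o/ o\'o <b>bolded</b><script>unfilteredHtml()</script>',
+            'description' => '\o/ o\'o <b>Hello world</b><script>unfilteredHtml()</script>',
             'classes' => 'hello " inject="',
             'xfn' => 'hello " inject="',
@@ -470,9 +470,9 @@
             'position' => -123,
             'type' => 'customb',
-            'title' => current_user_can( 'unfiltered_html' ) ? 'Hi<script>unfilteredHtml()</script>' : 'HiunfilteredHtml()',
+            'title' => current_user_can( 'unfiltered_html' ) ? '\o/ o\'o Hi<script>unfilteredHtml()</script>' : '\o/ o\'o HiunfilteredHtml()',
             'url' => '',
             'target' => 'onclick',
-            'attr_title' => current_user_can( 'unfiltered_html' ) ? '<b>bolded</b><script>unfilteredHtml()</script>' : '<b>bolded</b>unfilteredHtml()',
-            'description' => current_user_can( 'unfiltered_html' ) ? '<b>Hello world</b><script>unfilteredHtml()</script>' : '<b>Hello world</b>unfilteredHtml()',
+            'attr_title' => current_user_can( 'unfiltered_html' ) ? '\o/ o\'o <b>bolded</b><script>unfilteredHtml()</script>' : '\o/ o\'o <b>bolded</b>unfilteredHtml()',
+            'description' => current_user_can( 'unfiltered_html' ) ? '\o/ o\'o <b>Hello world</b><script>unfilteredHtml()</script>' : '\o/ o\'o <b>Hello world</b>unfilteredHtml()',
             'classes' => 'hello  inject',
             'xfn' => 'hello  inject',
@@ -489,5 +489,5 @@
         }
 
-        $nav_menu_item_id = wp_update_nav_menu_item( $menu_id, 0, array(
+        $nav_menu_item_id = wp_update_nav_menu_item( $menu_id, 0, wp_slash( array(
             'menu-item-object-id' => $unsanitized['object_id'],
             'menu-item-object' => $unsanitized['object'],
@@ -503,5 +503,5 @@
             'menu-item-xfn' => $unsanitized['xfn'],
             'menu-item-status' => $unsanitized['status'],
-        ) );
+        ) ) );
 
         $post = get_post( $nav_menu_item_id );
@@ -550,5 +550,5 @@
             'object' => 'post',
             'object_id' => $second_post_id,
-            'title' => 'Saludos',
+            'title' => 'Saludos \o/ o\'o',
             'status' => 'publish',
             'nav_menu_term_id' => $secondary_menu_id,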
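Review bot: The new fixtures exercise only a lone backslash and an escaped apostrophe (`\o/ o\'o`); two adjacent backslashes and a trailing backslash are the inputs where a slash/unslash round trip most often loses or doubles a character, and neither appears in any of the five hunks. Extending one fixture with a value containing two adjacent backslashes (written `'a\\\\b'` in a single-quoted PHP string) and one ending in a backslash would let the expected values at lines 472-476 also pin that behaviour for both the unfiltered_html and the filtered branch. The test methods these hunks belong to start and end outside the hunks.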