Timestamp:
02/22/2016 12:13:53 AM (9 years ago)
Author:
westonruter
Message:

Customize: Fix previewing and updating of nav menu items containing slashed/slashable characters.

Prevents slashes from being added when a user without unfiltered_html previews a nav menu item containing an apostrophe or some other slashable character, and prevents the loss of an intentional slash (e.g. "\o/") when saving a nav menu item, regardless of capability.

Fixes #35869.

File:
1 edited

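--- a/trunk/tests/phpunit/tests/customize/nav-menu-item-setting.php
+++ b/trunk/tests/phpunit/tests/customize/nav-menu-item-setting.php
@@ -451,9 +451,9 @@
             'position' => -123,
             'type' => 'custom<b>',
-            'title' => 'Hi<script>unfilteredHtml()</script>',
+            'title' => '\o/ o\'o Hi<script>unfilteredHtml()</script>',
             'url' => 'javascript:alert(1)',
             'target' => '" onclick="',
-            'attr_title' => '<b>bolded</b><script>unfilteredHtml()</script>',
-            'description' => '<b>Hello world</b><script>unfilteredHtml()</script>',
+            'attr_title' => '\o/ o\'o <b>bolded</b><script>unfilteredHtml()</script>',
+            'description' => '\o/ o\'o <b>Hello world</b><script>unfilteredHtml()</script>',
             'classes' => 'hello " inject="',
             'xfn' => 'hello " inject="',
@@ -470,9 +470,9 @@
             'position' => -123,
             'type' => 'customb',
-            'title' => current_user_can( 'unfiltered_html' ) ? 'Hi<script>unfilteredHtml()</script>' : 'HiunfilteredHtml()',
+            'title' => current_user_can( 'unfiltered_html' ) ? '\o/ o\'o Hi<script>unfilteredHtml()</script>' : '\o/ o\'o HiunfilteredHtml()',
             'url' => '',
             'target' => 'onclick',
-            'attr_title' => current_user_can( 'unfiltered_html' ) ? '<b>bolded</b><script>unfilteredHtml()</script>' : '<b>bolded</b>unfilteredHtml()',
-            'description' => current_user_can( 'unfiltered_html' ) ? '<b>Hello world</b><script>unfilteredHtml()</script>' : '<b>Hello world</b>unfilteredHtml()',
+            'attr_title' => current_user_can( 'unfiltered_html' ) ? '\o/ o\'o <b>bolded</b><script>unfilteredHtml()</script>' : '\o/ o\'o <b>bolded</b>unfilteredHtml()',
+            'description' => current_user_can( 'unfiltered_html' ) ? '\o/ o\'o <b>Hello world</b><script>unfilteredHtml()</script>' : '\o/ o\'o <b>Hello world</b>unfilteredHtml()',
             'classes' => 'hello  inject',
             'xfn' => 'hello  inject',
@@ -489,5 +489,5 @@
         }
 
-        $nav_menu_item_id = wp_update_nav_menu_item( $menu_id, 0, array(
+        $nav_menu_item_id = wp_update_nav_menu_item( $menu_id, 0, wp_slash( array(
             'menu-item-object-id' => $unsanitized['object_id'],
             'menu-item-object' => $unsanitized['object'],
@@ -503,5 +503,5 @@
             'menu-item-xfn' => $unsanitized['xfn'],
             'menu-item-status' => $unsanitized['status'],
-        ) );
+        ) ) );
 
         $post = get_post( $nav_menu_item_id );
@@ -550,5 +550,5 @@
             'object' => 'post',
             'object_id' => $second_post_id,
-            'title' => 'Saludos',
+            'title' => 'Saludos \o/ o\'o',
             'status' => 'publish',
             'nav_menu_term_id' => $secondary_menu_id,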
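Review bot: The expected values at new lines 472, 475 and 476 still branch on `current_user_can( 'unfiltered_html' )`, so which sanitization path is asserted depends on whichever user the test happens to run as; the user setup and the enclosing test methods lie outside the visible hunks, so this is inferred. The regression in the commit message is specific to users without unfiltered_html, so the kses-stripped branch (no `<script>`, backslash and apostrophe preserved) should be exercised unconditionally. One way is to run the assertions once after `wp_set_current_user( $this->factory->user->create( array( 'role' => 'author' ) ) );` and once as a user that holds the capability. The new `wp_slash( array(` wrapper at line 491 would also benefit from a comment such as `// The new wp_slash() wrapper implies slashed input is expected; slash so '\o/' and the apostrophe survive the save.`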