Changeset 39038 for trunk/src/wp-includes/class-wp-customize-nav-menus.php

Timestamp:

10/30/2016 08:20:54 PM (10 years ago)

Author:

westonruter

Message:

Customize: Prevent auto-draft post/page stubs from being saved with empty slugs or published with non-unique slugs.

• Allow WP_Customize_Nav_Menus::insert_auto_draft_post() to take full post array to pass to wp_insert_post(), except for post_status. Require post_title.
• Ensure empty post_name gets explicitly set to slugified post_title.
• Explicitly allow only post_type and post_title params in WP_Customize_Nav_Menus::ajax_insert_auto_draft_post().
• Use wp_update_post() instead of wp_publish_post() to ensure unique slugs are assigned to published auto-draft posts.
• Re-use WP_Customize_Nav_Menus::insert_auto_draft_post() when inserting stubs from starter content.

See #38114, #38013, #34923.
Fixes #38539.

File:

• trunk/src/wp-includes/class-wp-customize-nav-menus.php (modified) (4 diffs)

trunk/src/wp-includes/class-wp-customize-nav-menus.php

@@ -735 +735 @@
      *
      * @param array $postarr {
-     *     Abbreviated post array.
-     *
-     *     @var string $post_title Post title.
-     *     @var string $post_type  Post type.
+     *     Post array. Note that post_status is overridden to be `auto-draft`.
+     *
+     *     @var string $post_title   Post title. Required.
+     *     @var string $post_type    Post type. Required.
+     *     @var string $post_name    Post name.
+     *     @var string $post_content Post content.
      * }
      * @return WP_Post|WP_Error Inserted auto-draft post object or error.
@@ -746 +748 @@
             return new WP_Error( 'unknown_post_type', __( 'Unknown post type' ) );
         }
-        if ( ! isset( $postarr['post_title'] ) ) {
-            $postarr['post_title'] = '';
+        if ( empty( $postarr['post_title'] ) ) {
+            return new WP_Error( 'empty_title', __( 'Empty title' ) );
+        }
+        if ( ! empty( $postarr['post_status'] ) ) {
+            return new WP_Error( 'status_forbidden', __( 'Status is forbidden' ) );
+        }
+
+        $postarr['post_status'] = 'auto-draft';
+
+        // Auto-drafts are allowed to have empty post_names, so it has to be explicitly set.
+        if ( empty( $postarr['post_name'] ) ) {
+            $postarr['post_name'] = sanitize_title( $postarr['post_title'] );
         }
 
         add_filter( 'wp_insert_post_empty_content', '__return_false', 1000 );
-        $args = array(
-            'post_status' => 'auto-draft',
-            'post_type'   => $postarr['post_type'],
-            'post_title'  => $postarr['post_title'],
-            'post_name'   => sanitize_title( $postarr['post_title'] ), // Auto-drafts are allowed to have empty post_names, so we need to explicitly set it.
-        );
-        $r = wp_insert_post( wp_slash( $args ), true );
+        $r = wp_insert_post( wp_slash( $postarr ), true );
         remove_filter( 'wp_insert_post_empty_content', '__return_false', 1000 );
 
@@ -786 +792 @@
         }
 
-        $params = wp_array_slice_assoc(
-            array_merge(
-                array(
-                    'post_type' => '',
-                    'post_title' => '',
-                ),
-                wp_unslash( $_POST['params'] )
+        $params = wp_unslash( $_POST['params'] );
+        $illegal_params = array_diff( array_keys( $params ), array( 'post_type', 'post_title' ) );
+        if ( ! empty( $illegal_params ) ) {
+            wp_send_json_error( 'illegal_params', 400 );
+        }
+
+        $params = array_merge(
+            array(
+                'post_type' => '',
+                'post_title' => '',
             ),
-            array( 'post_type', 'post_title' )
+            $params
         );
 
@@ -1140 +1149 @@
         if ( ! empty( $post_ids ) ) {
             foreach ( $post_ids as $post_id ) {
-                wp_publish_post( $post_id );
+                // Note that wp_publish_post() cannot be used because unique slugs need to be assigned.
+                wp_update_post( array( 'ID' => $post_id, 'post_status' => 'publish' ) );
             }
         }