Context Navigation

← Previous Change
Next Change →

rest-attachments-controller.php

Timestamp:

11/08/2016 05:54:22 AM (9 years ago)

Author:

rmccue

Message:

REST API: Respect unfiltered_html for HTML post fields.

This necessitates a change to our slashing code as well. Ah slashing, the cause of, and solution to, all of life's problems.

Props jnylen0.
Fixes #38609.

File:

: 1 edited

trunk/tests/phpunit/tests/rest-api/rest-attachments-controller.php (modified) (5 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/tests/phpunit/tests/rest-api/rest-attachments-controller.php

-                      r39154
+                      r39155
  */
 class WP_Test_REST_Attachments_Controller extends WP_Test_REST_Post_Type_Controller_Testcase {
+    protected static $superadmin_id;
     protected static $editor_id;
     protected static $author_id;
 …
     public static function wpSetUpBeforeClass( $factory ) {
+        self::$superadmin_id = $factory->user->create( array(
+            'role'       => 'administrator',
+            'user_login' => 'superadmin',
+        ) );
         self::$editor_id = $factory->user->create( array(
             'role' => 'editor',
 …
             'role' => 'uploader',
         ) );
+        if ( is_multisite() ) {
+            update_site_option( 'site_admins', array( 'superadmin' ) );
+        }
+    }
 …
         $this->test_file2 = '/tmp/codeispoetry.png';
         copy( $orig_file2, $this->test_file2 );
+    }
 …
+    }
+    public function verify_attachment_roundtrip( $input = array(), $expected_output = array() ) {
+        // Create the post
+        $request = new WP_REST_Request( 'POST', '/wp/v2/media' );
+        $request->set_header( 'Content-Type', 'image/jpeg' );
+        $request->set_header( 'Content-Disposition', 'attachment; filename=canola.jpg' );
+        $request->set_body( file_get_contents( $this->test_file ) );
+        foreach ( $input as $name => $value ) {
+            $request->set_param( $name, $value );
+        }
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 201, $response->get_status() );
+        $actual_output = $response->get_data();
+        // Remove <p class="attachment"> from rendered description
+        // see https://core.trac.wordpress.org/ticket/38679
+        $content = $actual_output['description']['rendered'];
+        $content = explode( "\n", trim( $content ) );
+        if ( preg_match( '/^<p class="attachment">/', $content[0] ) ) {
+            $content = implode( "\n", array_slice( $content, 1 ) );
+            $actual_output['description']['rendered'] = $content;
+        }
+        // Compare expected API output to actual API output
+        $this->assertEquals( $expected_output['title']['raw']           , $actual_output['title']['raw'] );
+        $this->assertEquals( $expected_output['title']['rendered']      , trim( $actual_output['title']['rendered'] ) );
+        $this->assertEquals( $expected_output['description']['raw']     , $actual_output['description']['raw'] );
+        $this->assertEquals( $expected_output['description']['rendered'], trim( $actual_output['description']['rendered'] ) );
+        $this->assertEquals( $expected_output['caption']['raw']         , $actual_output['caption']['raw'] );
+        $this->assertEquals( $expected_output['caption']['rendered']    , trim( $actual_output['caption']['rendered'] ) );
+        // Compare expected API output to WP internal values
+        $post = get_post( $actual_output['id'] );
+        $this->assertEquals( $expected_output['title']['raw'], $post->post_title );
+        $this->assertEquals( $expected_output['description']['raw'], $post->post_content );
+        $this->assertEquals( $expected_output['caption']['raw'], $post->post_excerpt );
+        // Update the post
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/media/%d', $actual_output['id'] ) );
+        foreach ( $input as $name => $value ) {
+            $request->set_param( $name, $value );
+        }
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+        $actual_output = $response->get_data();
+        // Remove <p class="attachment"> from rendered description
+        // see https://core.trac.wordpress.org/ticket/38679
+        $content = $actual_output['description']['rendered'];
+        $content = explode( "\n", trim( $content ) );
+        if ( preg_match( '/^<p class="attachment">/', $content[0] ) ) {
+            $content = implode( "\n", array_slice( $content, 1 ) );
+            $actual_output['description']['rendered'] = $content;
+        }
+        // Compare expected API output to actual API output
+        $this->assertEquals( $expected_output['title']['raw']           , $actual_output['title']['raw'] );
+        $this->assertEquals( $expected_output['title']['rendered']      , trim( $actual_output['title']['rendered'] ) );
+        $this->assertEquals( $expected_output['description']['raw']     , $actual_output['description']['raw'] );
+        $this->assertEquals( $expected_output['description']['rendered'], trim( $actual_output['description']['rendered'] ) );
+        $this->assertEquals( $expected_output['caption']['raw']         , $actual_output['caption']['raw'] );
+        $this->assertEquals( $expected_output['caption']['rendered']    , trim( $actual_output['caption']['rendered'] ) );
+        // Compare expected API output to WP internal values
+        $post = get_post( $actual_output['id'] );
+        $this->assertEquals( $expected_output['title']['raw']  , $post->post_title );
+        $this->assertEquals( $expected_output['description']['raw'], $post->post_content );
+        $this->assertEquals( $expected_output['caption']['raw'], $post->post_excerpt );
+    }
+    public static function attachment_roundtrip_provider() {
+        return array(
+            array(
+                // Raw values.
+                array(
+                    'title'   => '\o/ ¯\_(ツ)_/¯ 🚢',
+                    'description' => '\o/ ¯\_(ツ)_/¯ 🚢',
+                    'caption' => '\o/ ¯\_(ツ)_/¯ 🚢',
+                ),
+                // Expected returned values.
+                array(
+                    'title' => array(
+                        'raw'      => '\o/ ¯\_(ツ)_/¯ 🚢',
+                        'rendered' => '\o/ ¯\_(ツ)_/¯ 🚢',
+                    ),
+                    'description' => array(
+                        'raw'      => '\o/ ¯\_(ツ)_/¯ 🚢',
+                        'rendered' => '<p>\o/ ¯\_(ツ)_/¯ 🚢</p>',
+                    ),
+                    'caption' => array(
+                        'raw'      => '\o/ ¯\_(ツ)_/¯ 🚢',
+                        'rendered' => '<p>\o/ ¯\_(ツ)_/¯ 🚢</p>',
+                    ),
+                )
+            ),
+            array(
+                // Raw values.
+                array(
+                    'title'   => '\\\&\\\ &amp; &invalid; < &lt; &amp;lt;',
+                    'description' => '\\\&\\\ &amp; &invalid; < &lt; &amp;lt;',
+                    'caption' => '\\\&\\\ &amp; &invalid; < &lt; &amp;lt;',
+                ),
+                // Expected returned values.
+                array(
+                    'title' => array(
+                        'raw'      => '\\\&amp;\\\ &amp; &amp;invalid; &lt; &lt; &amp;lt;',
+                        'rendered' => '\\\&amp;\\\ &amp; &amp;invalid; &lt; &lt; &amp;lt;',
+                    ),
+                    'description' => array(
+                        'raw'      => '\\\&amp;\\\ &amp; &amp;invalid; &lt; &lt; &amp;lt;',
+                        'rendered' => '<p>\\\&amp;\\\ &amp; &amp;invalid; &lt; &lt; &amp;lt;</p>',
+                    ),
+                    'caption' => array(
+                        'raw'      => '\\\&amp;\\\ &amp; &amp;invalid; &lt; &lt; &amp;lt;',
+                        'rendered' => '<p>\\\&amp;\\\ &amp; &amp;invalid; &lt; &lt; &amp;lt;</p>',
+                    ),
+                ),
+            ),
+            array(
+                // Raw values.
+                array(
+                    'title'   => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                    'description' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                    'caption' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                ),
+                // Expected returned values.
+                array(
+                    'title' => array(
+                        'raw'      => 'div <strong>strong</strong> oh noes',
+                        'rendered' => 'div <strong>strong</strong> oh noes',
+                    ),
+                    'description' => array(
+                        'raw'      => '<div>div</div> <strong>strong</strong> oh noes',
+                        'rendered' => "<div>div</div>\n<p> <strong>strong</strong> oh noes</p>",
+                    ),
+                    'caption' => array(
+                        'raw'      => '<div>div</div> <strong>strong</strong> oh noes',
+                        'rendered' => "<div>div</div>\n<p> <strong>strong</strong> oh noes</p>",
+                    ),
+                )
+            ),
+            array(
+                // Raw values.
+                array(
+                    'title'   => '<a href="#" target="_blank" data-unfiltered=true>link</a>',
+                    'description' => '<a href="#" target="_blank" data-unfiltered=true>link</a>',
+                    'caption' => '<a href="#" target="_blank" data-unfiltered=true>link</a>',
+                ),
+                // Expected returned values.
+                array(
+                    'title' => array(
+                        'raw'      => '<a href="#">link</a>',
+                        'rendered' => '<a href="#">link</a>',
+                    ),
+                    'description' => array(
+                        'raw'      => '<a href="#" target="_blank">link</a>',
+                        'rendered' => '<p><a href="#" target="_blank">link</a></p>',
+                    ),
+                    'caption' => array(
+                        'raw'      => '<a href="#" target="_blank">link</a>',
+                        'rendered' => '<p><a href="#" target="_blank">link</a></p>',
+                    ),
+                )
+            ),
+        );
+    }
+    /**
+     * @dataProvider attachment_roundtrip_provider
+     */
+    public function test_post_roundtrip_as_author( $raw, $expected ) {
+        wp_set_current_user( self::$author_id );
+        $this->assertFalse( current_user_can( 'unfiltered_html' ) );
+        $this->verify_attachment_roundtrip( $raw, $expected );
+    }
+    public function test_attachment_roundtrip_as_editor_unfiltered_html() {
+        wp_set_current_user( self::$editor_id );
+        if ( is_multisite() ) {
+            $this->assertFalse( current_user_can( 'unfiltered_html' ) );
+            $this->verify_attachment_roundtrip( array(
+                'title'       => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                'description' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                'caption'     => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+            ), array(
+                'title' => array(
+                    'raw'      => 'div <strong>strong</strong> oh noes',
+                    'rendered' => 'div <strong>strong</strong> oh noes',
+                ),
+                'description' => array(
+                    'raw'      => '<div>div</div> <strong>strong</strong> oh noes',
+                    'rendered' => "<div>div</div>\n<p> <strong>strong</strong> oh noes</p>",
+                ),
+                'caption' => array(
+                    'raw'      => '<div>div</div> <strong>strong</strong> oh noes',
+                    'rendered' => "<div>div</div>\n<p> <strong>strong</strong> oh noes</p>",
+                ),
+            ) );
+        } else {
+            $this->assertTrue( current_user_can( 'unfiltered_html' ) );
+            $this->verify_attachment_roundtrip( array(
+                'title'       => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                'description' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                'caption'     => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+            ), array(
+                'title' => array(
+                    'raw'      => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                    'rendered' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                ),
+                'description' => array(
+                    'raw'      => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                    'rendered' => "<div>div</div>\n<p> <strong>strong</strong> <script>oh noes</script></p>",
+                ),
+                'caption' => array(
+                    'raw'      => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                    'rendered' => "<div>div</div>\n<p> <strong>strong</strong> <script>oh noes</script></p>",
+                ),
+            ) );
+        }
+    }
+    public function test_attachment_roundtrip_as_superadmin_unfiltered_html() {
+        wp_set_current_user( self::$superadmin_id );
+        $this->assertTrue( current_user_can( 'unfiltered_html' ) );
+        $this->verify_attachment_roundtrip( array(
+            'title'       => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+            'description' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+            'caption'     => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+        ), array(
+            'title' => array(
+                'raw'      => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                'rendered' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+            ),
+            'description' => array(
+                'raw'      => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                'rendered' => "<div>div</div>\n<p> <strong>strong</strong> <script>oh noes</script></p>",
+            ),
+            'caption' => array(
+                'raw'      => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                'rendered' => "<div>div</div>\n<p> <strong>strong</strong> <script>oh noes</script></p>",
+            ),
+        ) );
+    }
     public function test_delete_item() {
         wp_set_current_user( self::$editor_id );

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Make WordPress Core

Context Navigation

Changeset 39155 for trunk/tests/phpunit/tests/rest-api/rest-attachments-controller.php

Legend:

trunk/tests/phpunit/tests/rest-api/rest-attachments-controller.php

Download in other formats: