Changeset 39190


Timestamp:
11/10/2016 02:09:40 AM (4 years ago)
Author:
joehoyle
Message:

REST API: unfiltered_html and slashing: terms.

Follow-up to #38609 and #38704; handle slashes correctly for taxonomy terms.

Props westonruter, jnylen0.
Fixes #38726, see #38609.

Location:
trunk
Files:
2 edited

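--- a/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
+++ b/trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
@@ -381,5 +381,5 @@
         $prepared_term = $this->prepare_item_for_database( $request );
 
-        $term = wp_insert_term( $prepared_term->name, $this->taxonomy, $prepared_term );
+        $term = wp_insert_term( addslashes( $prepared_term->name ), $this->taxonomy, wp_slash( (array) $prepared_term ) );
         if ( is_wp_error( $term ) ) {
             /*
@@ -492,5 +492,5 @@
         // Only update the term if we haz something to update.
         if ( ! empty( $prepared_term ) ) {
-            $update = wp_update_term( $term->term_id, $term->taxonomy, (array) $prepared_term );
+            $update = wp_update_term( $term->term_id, $term->taxonomy, wp_slash( (array) $prepared_term ) );
 
             if ( is_wp_error( $update ) ) {
@@ -822,7 +822,4 @@
                     'type'         => 'string',
                     'context'      => array( 'view', 'edit' ),
-                    'arg_options'  => array(
-                        'sanitize_callback' => 'wp_filter_post_kses',
-                    ),
                 ),
                 'link'        => array(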
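Review bot: Dropping the `wp_filter_post_kses` sanitize_callback in the schema hunk (old lines 824–826) removes the only REST-layer HTML filtering this field had, so its safety now rests entirely on what wp_insert_term()/wp_update_term() apply through sanitize_term() — which, judging by the new tests, strips `<script>` for users without `unfiltered_html` and keeps the text for those with it. That dependency is invisible at this site, so I would record it where the arg_options block was: `// No sanitize_callback: HTML is filtered by sanitize_term() (kses via pre_term_description), which only applies when the user lacks unfiltered_html.` The enclosing schema array and the field key itself sit outside the hunk, so I cannot confirm which field this is. In the first hunk, `addslashes( $prepared_term->name )` next to `wp_slash( (array) $prepared_term )` mixes two slashing helpers for the same data; `wp_slash( $prepared_term->name )` would match the rest of the line.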
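--- a/trunk/tests/phpunit/tests/rest-api/rest-tags-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-tags-controller.php
@@ -11,14 +11,26 @@
  */
 class WP_Test_REST_Tags_Controller extends WP_Test_REST_Controller_Testcase {
+    protected static $superadmin;
     protected static $administrator;
+    protected static $editor;
     protected static $subscriber;
 
     public static function wpSetUpBeforeClass( $factory ) {
+        self::$superadmin = $factory->user->create( array(
+            'role'       => 'administrator',
+            'user_login' => 'superadmin',
+        ) );
         self::$administrator = $factory->user->create( array(
             'role' => 'administrator',
+        ) );
+        self::$editor = $factory->user->create( array(
+            'role' => 'editor',
         ) );
         self::$subscriber = $factory->user->create( array(
             'role' => 'subscriber',
         ) );
+        if ( is_multisite() ) {
+            update_site_option( 'site_admins', array( 'superadmin' ) );
+        }
     }
 
@@ -618,4 +630,101 @@
     }
 
+    public function verify_tag_roundtrip( $input = array(), $expected_output = array() ) {
+        // Create the tag
+        $request = new WP_REST_Request( 'POST', '/wp/v2/tags' );
+        foreach ( $input as $name => $value ) {
+            $request->set_param( $name, $value );
+        }
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 201, $response->get_status() );
+        $actual_output = $response->get_data();
+
+        // Compare expected API output to actual API output
+        $this->assertEquals( $expected_output['name'], $actual_output['name'] );
+        $this->assertEquals( $expected_output['description'], $actual_output['description'] );
+
+        // Compare expected API output to WP internal values
+        $tag = get_term_by( 'id', $actual_output['id'], 'post_tag' );
+        $this->assertEquals( $expected_output['name'], $tag->name );
+        $this->assertEquals( $expected_output['description'], $tag->description );
+
+        // Update the tag
+        $request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/tags/%d', $actual_output['id'] ) );
+        foreach ( $input as $name => $value ) {
+            $request->set_param( $name, $value );
+        }
+        $response = $this->server->dispatch( $request );
+        $this->assertEquals( 200, $response->get_status() );
+        $actual_output = $response->get_data();
+
+        // Compare expected API output to actual API output
+        $this->assertEquals( $expected_output['name'], $actual_output['name'] );
+        $this->assertEquals( $expected_output['description'], $actual_output['description'] );
+
+        // Compare expected API output to WP internal values
+        $tag = get_term_by( 'id', $actual_output['id'], 'post_tag' );
+        $this->assertEquals( $expected_output['name'], $tag->name );
+        $this->assertEquals( $expected_output['description'], $tag->description );
+    }
+
+    public function test_tag_roundtrip_as_editor() {
+        wp_set_current_user( self::$editor );
+        $this->assertEquals( ! is_multisite(), current_user_can( 'unfiltered_html' ) );
+        $this->verify_tag_roundtrip( array(
+            'name'        => '\o/ ¯\_(ツ)_/¯',
+            'description' => '\o/ ¯\_(ツ)_/¯',
+        ), array(
+            'name'        => '\o/ ¯\_(ツ)_/¯',
+            'description' => '\o/ ¯\_(ツ)_/¯',
+        ) );
+    }
+
+    public function test_tag_roundtrip_as_editor_html() {
+        wp_set_current_user( self::$editor );
+        if ( is_multisite() ) {
+            $this->assertFalse( current_user_can( 'unfiltered_html' ) );
+            $this->verify_tag_roundtrip( array(
+                'name'        => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                'description' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+            ), array(
+                'name'        => 'div strong',
+                'description' => 'div <strong>strong</strong>',
+            ) );
+        } else {
+            $this->assertTrue( current_user_can( 'unfiltered_html' ) );
+            $this->verify_tag_roundtrip( array(
+                'name'        => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+                'description' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+            ), array(
+                'name'        => 'div strong',
+                'description' => 'div <strong>strong</strong> oh noes',
+            ) );
+        }
+    }
+
+    public function test_tag_roundtrip_as_superadmin() {
+        wp_set_current_user( self::$superadmin );
+        $this->assertTrue( current_user_can( 'unfiltered_html' ) );
+        $this->verify_tag_roundtrip( array(
+            'name'        => '\\\&\\\ &amp; &invalid; < &lt; &amp;lt;',
+            'description' => '\\\&\\\ &amp; &invalid; < &lt; &amp;lt;',
+        ), array(
+            'name'        => '\\\&amp;\\\ &amp; &amp;invalid; &lt; &lt; &amp;lt;',
+            'description' => '\\\&amp;\\\ &amp; &amp;invalid; &lt; &lt; &amp;lt;',
+        ) );
+    }
+
+    public function test_tag_roundtrip_as_superadmin_html() {
+        wp_set_current_user( self::$superadmin );
+        $this->assertTrue( current_user_can( 'unfiltered_html' ) );
+        $this->verify_tag_roundtrip( array(
+            'name'        => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+            'description' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+        ), array(
+            'name'        => 'div strong',
+            'description' => 'div <strong>strong</strong> oh noes',
+        ) );
+    }
+
     public function test_delete_item() {
         wp_set_current_user( self::$administrator );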
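Review bot: `verify_tag_roundtrip()` (new lines 632–668) gives both parameters `array()` defaults yet immediately indexes `$expected_output['name']` and `$expected_output['description']`, so a call without arguments would fail on an undefined index instead of a clear message; the defaults promise an optionality the body does not honour. Make them required: `public function verify_tag_roundtrip( $input, $expected_output ) {`. Every expected value in the new tests is a string, so `assertSame()` would also pin the type where `assertEquals()` lets a loosely-equal value pass. Whether the `update_site_option( 'site_admins', ... )` call in wpSetUpBeforeClass is rolled back between test classes depends on the test framework's fixture handling, which is not visible here.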