Changeset 39190
trunk/src/wp-includes/rest-api/endpoints/class-wp-rest-terms-controller.php
r39126 r39190 381 381 $prepared_term = $this->prepare_item_for_database( $request ); 382 382 383 $term = wp_insert_term( $prepared_term->name, $this->taxonomy, $prepared_term);383 $term = wp_insert_term( addslashes( $prepared_term->name ), $this->taxonomy, wp_slash( (array) $prepared_term ) ); 384 384 if ( is_wp_error( $term ) ) { 385 385 /* … … 492 492 // Only update the term if we haz something to update. 493 493 if ( ! empty( $prepared_term ) ) { 494 $update = wp_update_term( $term->term_id, $term->taxonomy, (array) $prepared_term);494 $update = wp_update_term( $term->term_id, $term->taxonomy, wp_slash( (array) $prepared_term ) ); 495 495 496 496 if ( is_wp_error( $update ) ) { … … 822 822 'type' => 'string', 823 823 'context' => array( 'view', 'edit' ), 824 'arg_options' => array(825 'sanitize_callback' => 'wp_filter_post_kses',826 ),827 824 ), 828 825 'link' => array( -
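Review bot: `addslashes( $prepared_term->name )` on new line 383 is inconsistent with the `wp_slash()` applied to the args array in the same call and to the update args on line 494; for a string `wp_slash()` comes down to `addslashes()`, so `$term = wp_insert_term( wp_slash( $prepared_term->name ), $this->taxonomy, wp_slash( (array) $prepared_term ) );` keeps one slashing convention through both paths. Removing the `wp_filter_post_kses` sanitize_callback from the `description` arg leaves the schema with no visible sanitization for that field; presumably it is now done by the term-save filters (`pre_term_description`) inside wp_insert_term()/wp_update_term(), which is what the expected outputs in the new tests suggest, and a comment at that schema entry such as `// Sanitized on save by the pre_term_description filters, not at the request layer.` would stop a later reader from re-adding a request-level callback or assuming raw HTML is stored. The enclosing methods for all three hunks start and end outside the hunks shown.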
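--- a/trunk/tests/phpunit/tests/rest-api/rest-tags-controller.php
+++ b/trunk/tests/phpunit/tests/rest-api/rest-tags-controller.php
@@ -11,14 +11,26 @@
  */
 class WP_Test_REST_Tags_Controller extends WP_Test_REST_Controller_Testcase {
+	protected static $superadmin;
 	protected static $administrator;
+	protected static $editor;
 	protected static $subscriber;
 
 	public static function wpSetUpBeforeClass( $factory ) {
+		self::$superadmin = $factory->user->create( array(
+			'role' => 'administrator',
+			'user_login' => 'superadmin',
+		) );
 		self::$administrator = $factory->user->create( array(
 			'role' => 'administrator',
+		) );
+		self::$editor = $factory->user->create( array(
+			'role' => 'editor',
 		) );
 		self::$subscriber = $factory->user->create( array(
 			'role' => 'subscriber',
 		) );
+		if ( is_multisite() ) {
+			update_site_option( 'site_admins', array( 'superadmin' ) );
+		}
 	}
 
@@ -618,4 +630,101 @@
 	}
 
+	public function verify_tag_roundtrip( $input = array(), $expected_output = array() ) {
+		// Create the tag
+		$request = new WP_REST_Request( 'POST', '/wp/v2/tags' );
+		foreach ( $input as $name => $value ) {
+			$request->set_param( $name, $value );
+		}
+		$response = $this->server->dispatch( $request );
+		$this->assertEquals( 201, $response->get_status() );
+		$actual_output = $response->get_data();
+
+		// Compare expected API output to actual API output
+		$this->assertEquals( $expected_output['name'], $actual_output['name'] );
+		$this->assertEquals( $expected_output['description'], $actual_output['description'] );
+
+		// Compare expected API output to WP internal values
+		$tag = get_term_by( 'id', $actual_output['id'], 'post_tag' );
+		$this->assertEquals( $expected_output['name'], $tag->name );
+		$this->assertEquals( $expected_output['description'], $tag->description );
+
+		// Update the tag
+		$request = new WP_REST_Request( 'PUT', sprintf( '/wp/v2/tags/%d', $actual_output['id'] ) );
+		foreach ( $input as $name => $value ) {
+			$request->set_param( $name, $value );
+		}
+		$response = $this->server->dispatch( $request );
+		$this->assertEquals( 200, $response->get_status() );
+		$actual_output = $response->get_data();
+
+		// Compare expected API output to actual API output
+		$this->assertEquals( $expected_output['name'], $actual_output['name'] );
+		$this->assertEquals( $expected_output['description'], $actual_output['description'] );
+
+		// Compare expected API output to WP internal values
+		$tag = get_term_by( 'id', $actual_output['id'], 'post_tag' );
+		$this->assertEquals( $expected_output['name'], $tag->name );
+		$this->assertEquals( $expected_output['description'], $tag->description );
+	}
+
+	public function test_tag_roundtrip_as_editor() {
+		wp_set_current_user( self::$editor );
+		$this->assertEquals( ! is_multisite(), current_user_can( 'unfiltered_html' ) );
+		$this->verify_tag_roundtrip( array(
+			'name' => '\o/ ¯\_(ツ)_/¯',
+			'description' => '\o/ ¯\_(ツ)_/¯',
+		), array(
+			'name' => '\o/ ¯\_(ツ)_/¯',
+			'description' => '\o/ ¯\_(ツ)_/¯',
+		) );
+	}
+
+	public function test_tag_roundtrip_as_editor_html() {
+		wp_set_current_user( self::$editor );
+		if ( is_multisite() ) {
+			$this->assertFalse( current_user_can( 'unfiltered_html' ) );
+			$this->verify_tag_roundtrip( array(
+				'name' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+				'description' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+			), array(
+				'name' => 'div strong',
+				'description' => 'div <strong>strong</strong>',
+			) );
+		} else {
+			$this->assertTrue( current_user_can( 'unfiltered_html' ) );
+			$this->verify_tag_roundtrip( array(
+				'name' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+				'description' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+			), array(
+				'name' => 'div strong',
+				'description' => 'div <strong>strong</strong> oh noes',
+			) );
+		}
+	}
+
+	public function test_tag_roundtrip_as_superadmin() {
+		wp_set_current_user( self::$superadmin );
+		$this->assertTrue( current_user_can( 'unfiltered_html' ) );
+		$this->verify_tag_roundtrip( array(
+			'name' => '\\\&\\\ & &invalid; < < &lt;',
+			'description' => '\\\&\\\ & &invalid; < < &lt;',
+		), array(
+			'name' => '\\\&\\\ & &invalid; < < &lt;',
+			'description' => '\\\&\\\ & &invalid; < < &lt;',
+		) );
+	}
+
+	public function test_tag_roundtrip_as_superadmin_html() {
+		wp_set_current_user( self::$superadmin );
+		$this->assertTrue( current_user_can( 'unfiltered_html' ) );
+		$this->verify_tag_roundtrip( array(
+			'name' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+			'description' => '<div>div</div> <strong>strong</strong> <script>oh noes</script>',
+		), array(
+			'name' => 'div strong',
+			'description' => 'div <strong>strong</strong> oh noes',
+		) );
+	}
+
 	public function test_delete_item() {
 		wp_set_current_user( self::$administrator );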
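Review bot: The update half of `verify_tag_roundtrip` re-sends the same `$input` the tag was just created with, so the PUT assertions only show that re-saving identical values is stable; they do not show that a changed value containing backslashes or HTML survives `wp_update_term()`, which is the path the controller change at line 494 touches. Giving the helper a third parameter with distinct update values (or appending a fixed marker to each input value and to `$expected_output` before the PUT) would exercise that path with a real change. Separately, `assertEquals( ! is_multisite(), current_user_can( 'unfiltered_html' ) )` in `test_tag_roundtrip_as_editor` compares the two booleans loosely; `$this->assertSame( ! is_multisite(), current_user_can( 'unfiltered_html' ) );` pins the type as well as the value. The two `test_tag_roundtrip_as_editor_html` branches repeat the same input array and differ only in the expected description, so a single call with the expected description chosen by `is_multisite()` would read more directly.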