Changeset 41260

Timestamp:

08/17/2017 11:36:53 PM (6 years ago)

Author:

westonruter

Message:

Widgets: Prevent visual Text widget from decoding encoded HTML.

Also apply the_editor_content filters on widget text with format_for_editor() as is done for the post editor.

Amends [40631].
Props westonruter, azaozz.
See #35243.
Fixes #41596.

Location:

trunk

Files:

• src/wp-admin/js/widgets/text-widgets.js (modified) (3 diffs)
• src/wp-includes/widgets/class-wp-widget-text.php (modified) (2 diffs)
• tests/phpunit/tests/widgets/text-widget.php (modified) (5 diffs)

trunk/src/wp-admin/js/widgets/text-widgets.js

@@ -82 +82 @@
             _.each( control.fields, function( fieldInput, fieldName ) {
                 fieldInput.on( 'input change', function updateSyncField() {
-                    var syncInput = control.syncContainer.find( 'input[type=hidden].' + fieldName );
+                    var syncInput = control.syncContainer.find( '.sync-input.' + fieldName );
                     if ( syncInput.val() !== fieldInput.val() ) {
                         syncInput.val( fieldInput.val() );
@@ -90 +90 @@
 
                 // Note that syncInput cannot be re-used because it will be destroyed with each widget-updated event.
-                fieldInput.val( control.syncContainer.find( 'input[type=hidden].' + fieldName ).val() );
+                fieldInput.val( control.syncContainer.find( '.sync-input.' + fieldName ).val() );
             });
         },
@@ -146 +146 @@
 
             if ( ! control.fields.title.is( document.activeElement ) ) {
-                syncInput = control.syncContainer.find( 'input[type=hidden].title' );
+                syncInput = control.syncContainer.find( '.sync-input.title' );
                 control.fields.title.val( syncInput.val() );
             }
 
-            syncInput = control.syncContainer.find( 'input[type=hidden].text' );
+            syncInput = control.syncContainer.find( '.sync-input.text' );
             if ( control.fields.text.is( ':visible' ) ) {
                 if ( ! control.fields.text.is( document.activeElement ) ) {

trunk/src/wp-includes/widgets/class-wp-widget-text.php

@@ -333 +333 @@
      * @since 4.8.1 Restored original form to be displayed when in legacy mode.
      * @see WP_Widget_Visual_Text::render_control_template_scripts()
+     * @see _WP_Editors::editor()
      *
      * @param array $instance Current settings.
@@ -347 +348 @@
         ?>
         <?php if ( ! $this->is_legacy_instance( $instance ) ) : ?>
-            <input id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" class="title" type="hidden" value="<?php echo esc_attr( $instance['title'] ); ?>">
-            <input id="<?php echo $this->get_field_id( 'text' ); ?>" name="<?php echo $this->get_field_name( 'text' ); ?>" class="text" type="hidden" value="<?php echo esc_attr( $instance['text'] ); ?>">
-            <input id="<?php echo $this->get_field_id( 'filter' ); ?>" name="<?php echo $this->get_field_name( 'filter' ); ?>" class="filter" type="hidden" value="on">
-            <input id="<?php echo $this->get_field_id( 'visual' ); ?>" name="<?php echo $this->get_field_name( 'visual' ); ?>" class="visual" type="hidden" value="on">
+            <?php
+
+            if ( user_can_richedit() ) {
+                add_filter( 'the_editor_content', 'format_for_editor', 10, 2 );
+                $default_editor = 'tinymce';
+            } else {
+                $default_editor = 'html';
+            }
+
+            /** This filter is documented in wp-includes/class-wp-editor.php */
+            $text = apply_filters( 'the_editor_content', $instance['text'], $default_editor );
+
+            // Reset filter addition.
+            if ( user_can_richedit() ) {
+                remove_filter( 'the_editor_content', 'format_for_editor' );
+            }
+
+            // Prevent premature closing of textarea in case format_for_editor() didn't apply or the_editor_content filter did a wrong thing.
+            $escaped_text = preg_replace( '#</textarea#i', '&lt;/textarea', $text );
+
+            ?>
+            <input id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" class="title sync-input" type="hidden" value="<?php echo esc_attr( $instance['title'] ); ?>">
+            <textarea id="<?php echo $this->get_field_id( 'text' ); ?>" name="<?php echo $this->get_field_name( 'text' ); ?>" class="text sync-input" hidden><?php echo $escaped_text; ?></textarea>
+            <input id="<?php echo $this->get_field_id( 'filter' ); ?>" name="<?php echo $this->get_field_name( 'filter' ); ?>" class="filter sync-input" type="hidden" value="on">
+            <input id="<?php echo $this->get_field_id( 'visual' ); ?>" name="<?php echo $this->get_field_name( 'visual' ); ?>" class="visual sync-input" type="hidden" value="on">
         <?php else : ?>
             <input id="<?php echo $this->get_field_id( 'visual' ); ?>" name="<?php echo $this->get_field_name( 'visual' ); ?>" class="visual" type="hidden" value="">

trunk/tests/phpunit/tests/widgets/text-widget.php

@@ -448 +448 @@
      */
     function test_form() {
-        $widget = new WP_Widget_Text();
+        add_filter( 'user_can_richedit', '__return_true' );
+        $widget = new WP_Widget_Text();
+        $widget->_set( 2 );
         $instance = array(
             'title' => 'Title',
@@ -460 +462 @@
         $form = ob_get_clean();
         $this->assertContains( 'class="visual" type="hidden" value=""', $form );
-        $this->assertNotContains( 'class="visual" type="hidden" value="on"', $form );
+        $this->assertNotContains( 'class="visual sync-input" type="hidden" value="on"', $form );
 
         $instance = array(
@@ -471 +473 @@
         $widget->form( $instance );
         $form = ob_get_clean();
-        $this->assertContains( 'class="visual" type="hidden" value="on"', $form );
-        $this->assertNotContains( 'class="visual" type="hidden" value=""', $form );
+        $this->assertContains( 'class="visual sync-input" type="hidden" value="on"', $form );
+        $this->assertNotContains( 'class="visual sync-input" type="hidden" value=""', $form );
 
         $instance = array(
@@ -483 +485 @@
         $widget->form( $instance );
         $form = ob_get_clean();
-        $this->assertContains( 'class="visual" type="hidden" value="on"', $form );
-        $this->assertNotContains( 'class="visual" type="hidden" value=""', $form );
-
-        $instance = array(
-            'title' => 'Title',
-            'text' => 'Text',
+        $this->assertContains( 'class="visual sync-input" type="hidden" value="on"', $form );
+        $this->assertNotContains( 'class="visual sync-input" type="hidden" value=""', $form );
+
+        $instance = array(
+            'title' => 'Title',
+            'text' => 'This is some HTML Code: <code>&lt;strong&gt;BOLD!&lt;/strong&gt;</code>',
             'filter' => true,
             'visual' => true,
@@ -496 +498 @@
         $widget->form( $instance );
         $form = ob_get_clean();
-        $this->assertContains( 'class="visual" type="hidden" value="on"', $form );
-        $this->assertNotContains( 'class="visual" type="hidden" value=""', $form );
+        $this->assertContains( 'class="visual sync-input" type="hidden" value="on"', $form );
+        $this->assertContains( '&lt;code&gt;&amp;lt;strong&amp;gt;BOLD!', $form );
+        $this->assertNotContains( 'class="visual sync-input" type="hidden" value=""', $form );
+
+        remove_filter( 'user_can_richedit', '__return_true' );
+        add_filter( 'user_can_richedit', '__return_false' );
+        $instance = array(
+            'title' => 'Title',
+            'text' => 'Evil:</textarea><script>alert("XSS")</script>',
+            'filter' => true,
+            'visual' => true,
+        );
+        $this->assertFalse( $widget->is_legacy_instance( $instance ) );
+        ob_start();
+        $widget->form( $instance );
+        $form = ob_get_clean();
+        $this->assertNotContains( 'Evil:</textarea>', $form );
+        $this->assertContains( 'Evil:&lt;/textarea>', $form );
     }