Timestamp:
08/17/2017 11:36:53 PM (3 years ago)
Author:
westonruter
Message:

Widgets: Prevent visual Text widget from decoding encoded HTML.

Also apply the_editor_content filters on widget text with format_for_editor() as is done for the post editor.

Amends [40631].
Props westonruter, azaozz.
See #35243.
Fixes #41596.

File:
1 edited

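--- a/trunk/src/wp-includes/widgets/class-wp-widget-text.php
+++ b/trunk/src/wp-includes/widgets/class-wp-widget-text.php
@@ -333,4 +333,5 @@
      * @since 4.8.1 Restored original form to be displayed when in legacy mode.
      * @see WP_Widget_Visual_Text::render_control_template_scripts()
+     * @see _WP_Editors::editor()
      *
      * @param array $instance Current settings.
@@ -347,8 +348,29 @@
         ?>
         <?php if ( ! $this->is_legacy_instance( $instance ) ) : ?>
-            <input id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" class="title" type="hidden" value="<?php echo esc_attr( $instance['title'] ); ?>">
-            <input id="<?php echo $this->get_field_id( 'text' ); ?>" name="<?php echo $this->get_field_name( 'text' ); ?>" class="text" type="hidden" value="<?php echo esc_attr( $instance['text'] ); ?>">
-            <input id="<?php echo $this->get_field_id( 'filter' ); ?>" name="<?php echo $this->get_field_name( 'filter' ); ?>" class="filter" type="hidden" value="on">
-            <input id="<?php echo $this->get_field_id( 'visual' ); ?>" name="<?php echo $this->get_field_name( 'visual' ); ?>" class="visual" type="hidden" value="on">
+            <?php
+
+            if ( user_can_richedit() ) {
+                add_filter( 'the_editor_content', 'format_for_editor', 10, 2 );
+                $default_editor = 'tinymce';
+            } else {
+                $default_editor = 'html';
+            }
+
+            /** This filter is documented in wp-includes/class-wp-editor.php */
+            $text = apply_filters( 'the_editor_content', $instance['text'], $default_editor );
+
+            // Reset filter addition.
+            if ( user_can_richedit() ) {
+                remove_filter( 'the_editor_content', 'format_for_editor' );
+            }
+
+            // Prevent premature closing of textarea in case format_for_editor() didn't apply or the_editor_content filter did a wrong thing.
+            $escaped_text = preg_replace( '#</textarea#i', '&lt;/textarea', $text );
+
+            ?>
+            <input id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" class="title sync-input" type="hidden" value="<?php echo esc_attr( $instance['title'] ); ?>">
+            <textarea id="<?php echo $this->get_field_id( 'text' ); ?>" name="<?php echo $this->get_field_name( 'text' ); ?>" class="text sync-input" hidden><?php echo $escaped_text; ?></textarea>
+            <input id="<?php echo $this->get_field_id( 'filter' ); ?>" name="<?php echo $this->get_field_name( 'filter' ); ?>" class="filter sync-input" type="hidden" value="on">
+            <input id="<?php echo $this->get_field_id( 'visual' ); ?>" name="<?php echo $this->get_field_name( 'visual' ); ?>" class="visual sync-input" type="hidden" value="on">
         <?php else : ?>
             <input id="<?php echo $this->get_field_id( 'visual' ); ?>" name="<?php echo $this->get_field_name( 'visual' ); ?>" class="visual" type="hidden" value="">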
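Review bot: The `html` branch (new lines 355-357) never attaches `format_for_editor()`, so for a user where `user_can_richedit()` is false the hidden `<textarea>` on new line 372 echoes `$instance['text']` with only `</textarea` neutralized, and because textarea content is RCDATA the browser still decodes entities such as `&lt;` in the stored text, which is the decoding problem this commit sets out to fix. `_WP_Editors::editor()`, which the new `@see` points at, adds the filter unconditionally, and `format_for_editor()` encodes with `htmlspecialchars()` for either editor, so the same shape works here: `add_filter( 'the_editor_content', 'format_for_editor', 10, 2 );` then `$default_editor = user_can_richedit() ? 'tinymce' : 'html';` and an unconditional `remove_filter( 'the_editor_content', 'format_for_editor' );`, which also drops the second `user_can_richedit()` call. If the hidden textarea is only ever read when TinyMCE is present this may be moot, but that is not visible from the hunk. Note also that `remove_filter()` would detach a `format_for_editor` registration a plugin had already placed at priority 10, so capturing `add_filter()`'s behavior there is worth a comment. The enclosing `form()` method starts before and continues past this hunk.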