Timestamp:
08/17/2017 11:36:53 PM (3 years ago)
Author:
westonruter
Message:

Widgets: Prevent visual Text widget from decoding encoded HTML.

Also apply the_editor_content filters on widget text with format_for_editor() as is done for the post editor.

Amends [40631].
Props westonruter, azaozz.
See #35243.
Fixes #41596.

File:
1 edited

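--- a/trunk/tests/phpunit/tests/widgets/text-widget.php
+++ b/trunk/tests/phpunit/tests/widgets/text-widget.php
@@ -448,5 +448,7 @@
      */
     function test_form() {
-        $widget = new WP_Widget_Text();
+        add_filter( 'user_can_richedit', '__return_true' );
+        $widget = new WP_Widget_Text();
+        $widget->_set( 2 );
         $instance = array(
             'title' => 'Title',
@@ -460,5 +462,5 @@
         $form = ob_get_clean();
         $this->assertContains( 'class="visual" type="hidden" value=""', $form );
-        $this->assertNotContains( 'class="visual" type="hidden" value="on"', $form );
+        $this->assertNotContains( 'class="visual sync-input" type="hidden" value="on"', $form );
 
         $instance = array(
@@ -471,6 +473,6 @@
         $widget->form( $instance );
         $form = ob_get_clean();
-        $this->assertContains( 'class="visual" type="hidden" value="on"', $form );
-        $this->assertNotContains( 'class="visual" type="hidden" value=""', $form );
+        $this->assertContains( 'class="visual sync-input" type="hidden" value="on"', $form );
+        $this->assertNotContains( 'class="visual sync-input" type="hidden" value=""', $form );
 
         $instance = array(
@@ -483,10 +485,10 @@
         $widget->form( $instance );
         $form = ob_get_clean();
-        $this->assertContains( 'class="visual" type="hidden" value="on"', $form );
-        $this->assertNotContains( 'class="visual" type="hidden" value=""', $form );
-
-        $instance = array(
-            'title' => 'Title',
-            'text' => 'Text',
+        $this->assertContains( 'class="visual sync-input" type="hidden" value="on"', $form );
+        $this->assertNotContains( 'class="visual sync-input" type="hidden" value=""', $form );
+
+        $instance = array(
+            'title' => 'Title',
+            'text' => 'This is some HTML Code: <code>&lt;strong&gt;BOLD!&lt;/strong&gt;</code>',
             'filter' => true,
             'visual' => true,
@@ -496,6 +498,22 @@
         $widget->form( $instance );
         $form = ob_get_clean();
-        $this->assertContains( 'class="visual" type="hidden" value="on"', $form );
-        $this->assertNotContains( 'class="visual" type="hidden" value=""', $form );
+        $this->assertContains( 'class="visual sync-input" type="hidden" value="on"', $form );
+        $this->assertContains( '&lt;code&gt;&amp;lt;strong&amp;gt;BOLD!', $form );
+        $this->assertNotContains( 'class="visual sync-input" type="hidden" value=""', $form );
+
+        remove_filter( 'user_can_richedit', '__return_true' );
+        add_filter( 'user_can_richedit', '__return_false' );
+        $instance = array(
+            'title' => 'Title',
+            'text' => 'Evil:</textarea><script>alert("XSS")</script>',
+            'filter' => true,
+            'visual' => true,
+        );
+        $this->assertFalse( $widget->is_legacy_instance( $instance ) );
+        ob_start();
+        $widget->form( $instance );
+        $form = ob_get_clean();
+        $this->assertNotContains( 'Evil:</textarea>', $form );
+        $this->assertContains( 'Evil:&lt;/textarea>', $form );
     }
 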
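Review bot: The `add_filter( 'user_can_richedit', '__return_false' )` added near the end of test_form() is never removed, unlike the `__return_true` filter that the same hunk removes one line earlier; if the test base class restores hooks between tests this is harmless, but the asymmetry makes it easy for a later edit to leak the filter into the other tests in this file, so add `remove_filter( 'user_can_richedit', '__return_false' );` before the closing brace. The last two assertions also pin one exact escaping of the textarea-closing tag (`Evil:&lt;/textarea>`, with `>` left literal), so a later change that escapes `>` as well would fail the test even though the rendered form would be no less safe; asserting only that the raw closing tag does not appear in the output, or adding a comment stating why this exact form is expected, would make the intent clearer. test_form() begins in the first hunk of this file, so its setup lines are outside this hunk.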