Changeset 41392 for branches/4.8/src/wp-includes/widgets/class-wp-widget-text.php

Timestamp:

09/19/2017 07:43:34 AM (8 years ago)

Author:

ocean90

Message:

Widgets: Prevent visual Text widget from decoding encoded HTML.

Also apply the_editor_content filters on widget text with format_for_editor() as is done for the post editor.

Merge of [41260] to the 4.8 branch.

Amends [40631].
Props westonruter, azaozz.
See #35243.
Fixes #41596.

Location:

branches/4.8

Files:

• . (modified) (1 prop)
• src/wp-includes/widgets/class-wp-widget-text.php (modified) (2 diffs)

branches/4.8/src/wp-includes/widgets/class-wp-widget-text.php

@@ -336 +336 @@
      * @access public
      * @see WP_Widget_Visual_Text::render_control_template_scripts()
+     * @see _WP_Editors::editor()
      *
      * @param array $instance Current settings.
@@ -350 +351 @@
         ?>
         <?php if ( ! $this->is_legacy_instance( $instance ) ) : ?>
-            <input id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" class="title" type="hidden" value="<?php echo esc_attr( $instance['title'] ); ?>">
-            <input id="<?php echo $this->get_field_id( 'text' ); ?>" name="<?php echo $this->get_field_name( 'text' ); ?>" class="text" type="hidden" value="<?php echo esc_attr( $instance['text'] ); ?>">
-            <input id="<?php echo $this->get_field_id( 'filter' ); ?>" name="<?php echo $this->get_field_name( 'filter' ); ?>" class="filter" type="hidden" value="on">
-            <input id="<?php echo $this->get_field_id( 'visual' ); ?>" name="<?php echo $this->get_field_name( 'visual' ); ?>" class="visual" type="hidden" value="on">
+            <?php
+
+            if ( user_can_richedit() ) {
+                add_filter( 'the_editor_content', 'format_for_editor', 10, 2 );
+                $default_editor = 'tinymce';
+            } else {
+                $default_editor = 'html';
+            }
+
+            /** This filter is documented in wp-includes/class-wp-editor.php */
+            $text = apply_filters( 'the_editor_content', $instance['text'], $default_editor );
+
+            // Reset filter addition.
+            if ( user_can_richedit() ) {
+                remove_filter( 'the_editor_content', 'format_for_editor' );
+            }
+
+            // Prevent premature closing of textarea in case format_for_editor() didn't apply or the_editor_content filter did a wrong thing.
+            $escaped_text = preg_replace( '#</textarea#i', '&lt;/textarea', $text );
+
+            ?>
+            <input id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" class="title sync-input" type="hidden" value="<?php echo esc_attr( $instance['title'] ); ?>">
+            <textarea id="<?php echo $this->get_field_id( 'text' ); ?>" name="<?php echo $this->get_field_name( 'text' ); ?>" class="text sync-input" hidden><?php echo $escaped_text; ?></textarea>
+            <input id="<?php echo $this->get_field_id( 'filter' ); ?>" name="<?php echo $this->get_field_name( 'filter' ); ?>" class="filter sync-input" type="hidden" value="on">
+            <input id="<?php echo $this->get_field_id( 'visual' ); ?>" name="<?php echo $this->get_field_name( 'visual' ); ?>" class="visual sync-input" type="hidden" value="on">
         <?php else : ?>
             <input id="<?php echo $this->get_field_id( 'visual' ); ?>" name="<?php echo $this->get_field_name( 'visual' ); ?>" class="visual" type="hidden" value="">