WordPress.org

Make WordPress Core


Ignore:
Timestamp:
09/19/2017 07:43:34 AM (2 years ago)
Author:
ocean90
Message:

Widgets: Prevent visual Text widget from decoding encoded HTML.

Also apply the_editor_content filters on widget text with format_for_editor() as is done for the post editor.

Merge of [41260] to the 4.8 branch.

Amends [40631].
Props westonruter, azaozz.
See #35243.
Fixes #41596.

Location:
branches/4.8
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/4.8

  • branches/4.8/tests/phpunit/tests/widgets/text-widget.php

    r41391 r41392  
    447447     */
    448448    function test_form() {
    449         $widget = new WP_Widget_Text();
     449        add_filter( 'user_can_richedit', '__return_true' );
     450        $widget = new WP_Widget_Text();
     451        $widget->_set( 2 );
    450452        $instance = array(
    451453            'title' => 'Title',
     
    459461        $form = ob_get_clean();
    460462        $this->assertContains( 'class="visual" type="hidden" value=""', $form );
    461         $this->assertNotContains( 'class="visual" type="hidden" value="on"', $form );
     463        $this->assertNotContains( 'class="visual sync-input" type="hidden" value="on"', $form );
    462464
    463465        $instance = array(
     
    470472        $widget->form( $instance );
    471473        $form = ob_get_clean();
    472         $this->assertContains( 'class="visual" type="hidden" value="on"', $form );
    473         $this->assertNotContains( 'class="visual" type="hidden" value=""', $form );
     474        $this->assertContains( 'class="visual sync-input" type="hidden" value="on"', $form );
     475        $this->assertNotContains( 'class="visual sync-input" type="hidden" value=""', $form );
    474476
    475477        $instance = array(
     
    482484        $widget->form( $instance );
    483485        $form = ob_get_clean();
    484         $this->assertContains( 'class="visual" type="hidden" value="on"', $form );
    485         $this->assertNotContains( 'class="visual" type="hidden" value=""', $form );
    486 
    487         $instance = array(
    488             'title' => 'Title',
    489             'text' => 'Text',
     486        $this->assertContains( 'class="visual sync-input" type="hidden" value="on"', $form );
     487        $this->assertNotContains( 'class="visual sync-input" type="hidden" value=""', $form );
     488
     489        $instance = array(
     490            'title' => 'Title',
     491            'text' => 'This is some HTML Code: <code>&lt;strong&gt;BOLD!&lt;/strong&gt;</code>',
    490492            'filter' => true,
    491493            'visual' => true,
     
    495497        $widget->form( $instance );
    496498        $form = ob_get_clean();
    497         $this->assertContains( 'class="visual" type="hidden" value="on"', $form );
    498         $this->assertNotContains( 'class="visual" type="hidden" value=""', $form );
     499        $this->assertContains( 'class="visual sync-input" type="hidden" value="on"', $form );
     500        $this->assertContains( '&lt;code&gt;&amp;lt;strong&amp;gt;BOLD!', $form );
     501        $this->assertNotContains( 'class="visual sync-input" type="hidden" value=""', $form );
     502
     503        remove_filter( 'user_can_richedit', '__return_true' );
     504        add_filter( 'user_can_richedit', '__return_false' );
     505        $instance = array(
     506            'title' => 'Title',
     507            'text' => 'Evil:</textarea><script>alert("XSS")</script>',
     508            'filter' => true,
     509            'visual' => true,
     510        );
     511        $this->assertFalse( $widget->is_legacy_instance( $instance ) );
     512        ob_start();
     513        $widget->form( $instance );
     514        $form = ob_get_clean();
     515        $this->assertNotContains( 'Evil:</textarea>', $form );
     516        $this->assertContains( 'Evil:&lt;/textarea>', $form );
    499517    }
    500518
Note: See TracChangeset for help on using the changeset viewer.