Changeset 41392 for branches/4.8/tests/phpunit/tests/widgets/text-widget.php

Timestamp:

09/19/2017 07:43:34 AM (7 years ago)

Author:

ocean90

Message:

Widgets: Prevent visual Text widget from decoding encoded HTML.

Also apply the_editor_content filters on widget text with format_for_editor() as is done for the post editor.

Merge of [41260] to the 4.8 branch.

Amends [40631].
Props westonruter, azaozz.
See #35243.
Fixes #41596.

Location:

branches/4.8

Files:

• . (modified) (1 prop)
• tests/phpunit/tests/widgets/text-widget.php (modified) (5 diffs)

branches/4.8/tests/phpunit/tests/widgets/text-widget.php

@@ -447 +447 @@
      */
     function test_form() {
-        $widget = new WP_Widget_Text();
+        add_filter( 'user_can_richedit', '__return_true' );
+        $widget = new WP_Widget_Text();
+        $widget->_set( 2 );
         $instance = array(
             'title' => 'Title',
@@ -459 +461 @@
         $form = ob_get_clean();
         $this->assertContains( 'class="visual" type="hidden" value=""', $form );
-        $this->assertNotContains( 'class="visual" type="hidden" value="on"', $form );
+        $this->assertNotContains( 'class="visual sync-input" type="hidden" value="on"', $form );
 
         $instance = array(
@@ -470 +472 @@
         $widget->form( $instance );
         $form = ob_get_clean();
-        $this->assertContains( 'class="visual" type="hidden" value="on"', $form );
-        $this->assertNotContains( 'class="visual" type="hidden" value=""', $form );
+        $this->assertContains( 'class="visual sync-input" type="hidden" value="on"', $form );
+        $this->assertNotContains( 'class="visual sync-input" type="hidden" value=""', $form );
 
         $instance = array(
@@ -482 +484 @@
         $widget->form( $instance );
         $form = ob_get_clean();
-        $this->assertContains( 'class="visual" type="hidden" value="on"', $form );
-        $this->assertNotContains( 'class="visual" type="hidden" value=""', $form );
-
-        $instance = array(
-            'title' => 'Title',
-            'text' => 'Text',
+        $this->assertContains( 'class="visual sync-input" type="hidden" value="on"', $form );
+        $this->assertNotContains( 'class="visual sync-input" type="hidden" value=""', $form );
+
+        $instance = array(
+            'title' => 'Title',
+            'text' => 'This is some HTML Code: <code>&lt;strong&gt;BOLD!&lt;/strong&gt;</code>',
             'filter' => true,
             'visual' => true,
@@ -495 +497 @@
         $widget->form( $instance );
         $form = ob_get_clean();
-        $this->assertContains( 'class="visual" type="hidden" value="on"', $form );
-        $this->assertNotContains( 'class="visual" type="hidden" value=""', $form );
+        $this->assertContains( 'class="visual sync-input" type="hidden" value="on"', $form );
+        $this->assertContains( '&lt;code&gt;&amp;lt;strong&amp;gt;BOLD!', $form );
+        $this->assertNotContains( 'class="visual sync-input" type="hidden" value=""', $form );
+
+        remove_filter( 'user_can_richedit', '__return_true' );
+        add_filter( 'user_can_richedit', '__return_false' );
+        $instance = array(
+            'title' => 'Title',
+            'text' => 'Evil:</textarea><script>alert("XSS")</script>',
+            'filter' => true,
+            'visual' => true,
+        );
+        $this->assertFalse( $widget->is_legacy_instance( $instance ) );
+        ob_start();
+        $widget->form( $instance );
+        $form = ob_get_clean();
+        $this->assertNotContains( 'Evil:</textarea>', $form );
+        $this->assertContains( 'Evil:&lt;/textarea>', $form );
     }