Timestamp:
10/03/2017 03:43:01 AM (7 years ago)
Author:
westonruter
Message:

Customize: Provide validation feedback for invalid Custom Link URLs in nav menu items.

Props RMarks, EGregor, umangvaghela123, andrew.taylor, celloexpressions, westonruter, voldemortensen.
Fixes #32816.

File:
1 edited

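--- a/trunk/tests/phpunit/tests/customize/nav-menu-item-setting.php
+++ b/trunk/tests/phpunit/tests/customize/nav-menu-item-setting.php
@@ -473,4 +473,42 @@
         $this->assertNull( $setting->sanitize( 123 ) );
 
+        $valid_urls = array(
+            'http://example.com/',
+            'https://foo.example.com/hello.html',
+            'mailto:nobody@example.com?subject=hi',
+            'ftp://example.com/',
+            'ftps://example.com/',
+            'news://news.server.example/example.group.this',
+            'irc://irc.freenode.net/wordpress',
+            'gopher://example.com',
+            'nntp://news.server.example/example.group.this',
+            'feed://example.com/',
+            'telnet://example.com',
+            'mms://example.com',
+            'rtsp://example.com/',
+            'svn://develop.svn.wordpress.org/trunk',
+            'tel:000-000-000',
+            'fax:000-000-000',
+            'xmpp:user@host?message',
+            'webcal://example.com',
+            'urn:org.wordpress',
+        );
+        foreach ( $valid_urls as $valid_url ) {
+            $url_setting = $setting->sanitize( array( 'url' => $valid_url ) );
+            $this->assertInternalType( 'array', $url_setting );
+            $this->assertEquals( $valid_url, $url_setting['url'] );
+        }
+
+        $invalid_urls = array(
+            'javascript:alert(1)',
+            'unknown://something.out-there',
+            'smtp://user:pass@mailserver.thing',
+        );
+        foreach ( $invalid_urls as $invalid_url ) {
+            $url_setting = $setting->sanitize( array( 'url' => $invalid_url ) );
+            $this->assertInstanceOf( 'WP_Error', $url_setting );
+            $this->assertEquals( 'invalid_url', $url_setting->get_error_code() );
+        }
+
         $unsanitized = array(
             'object_id' => 'bad',
@@ -480,5 +518,5 @@
             'type' => 'custom<b>',
             'title' => '\o/ o\'o Hi<script>unfilteredHtml()</script>',
-            'url' => 'javascript:alert(1)',
+            'url' => '', // Note the javascript: protocol is checked above and results in a hard validation error, beyond mere sanitization.
             'target' => '" onclick="',
             'attr_title' => '\o/ o\'o <b>bolded</b><script>unfilteredHtml()</script>',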
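Review bot: The `$invalid_urls` list pins rejection of only one script-capable scheme, and only in its canonical lowercase spelling, so a regression in how the scheme is matched could still pass this test. `sanitize()` is not shown here, so confirm the expected result first, then consider adding constructed entries such as `'JavaScript:alert(1)',`, `'data:text/html,x',` and `'vbscript:x',` to the array. Passing the URL as the assertion message, for example `$this->assertInstanceOf( 'WP_Error', $url_setting, $invalid_url );`, would also show which entry failed, since each loop stops at the first failing assertion. The enclosing test method begins and ends outside the displayed hunks.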