WordPress.org

Make WordPress Core

Changeset 45979


Ignore:
Timestamp:
09/04/2019 05:11:22 PM (3 weeks ago)
Author:
whyisjake
Message:

Update wp.a11y.speak() to sanitize HTML before display.

Props iandunn, adamsilverstein, sstoqnov, peterwilsoncc

Location:
trunk
Files:
8 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/js/_enqueues/admin/post.js

    r44896 r45979  
    796796
    797797            // Update "Status:" to currently selected status.
    798             $('#post-status-display').html($('option:selected', postStatus).text());
     798            $('#post-status-display').text(
     799                wp.sanitize.stripTagsAndEncodeText( $('option:selected', postStatus).text() ) // Remove any potential tags from post status text.
     800            );
    799801
    800802            // Show or hide the "Save Draft" button.
  • trunk/src/js/_enqueues/wp/a11y.js

    r43347 r45979  
    2828        clear();
    2929
    30         // Ensure only text is sent to screen readers.
    31         message = $( '<p>' ).html( message ).text();
     30        // Remove HTML tags, ensuring only text is sent to screen readers.
     31        message = wp.sanitize.stripTagsAndEncodeText( message );
    3232
    3333        /*
  • trunk/src/js/_enqueues/wp/customize/nav-menus.js

    r45869 r45979  
    34573457    function displayNavMenuName( name ) {
    34583458        name = name || '';
    3459         name = $( '<div>' ).text( name ).html(); // Emulate esc_html() which is used in wp-admin/nav-menus.php.
     3459        name = wp.sanitize.stripTagsAndEncodeText( name ); // Remove any potential tags from name.
    34603460        name = $.trim( name );
    34613461        return name || api.Menus.data.l10n.unnamed;
  • trunk/src/js/_enqueues/wp/sanitize.js

    r43347 r45979  
    2424            text = text || '';
    2525
    26             return text
    27                 .replace( /<!--[\s\S]*?(-->|$)/g, '' )
    28                 .replace( /<(script|style)[^>]*>[\s\S]*?(<\/\1>|$)/ig, '' )
    29                 .replace( /<\/?[a-z][\s\S]*?(>|$)/ig, '' );
     26            // Do the replacement.
     27            var _text = text
     28                    .replace( /<!--[\s\S]*?(-->|$)/g, '' )
     29                    .replace( /<(script|style)[^>]*>[\s\S]*?(<\/\1>|$)/ig, '' )
     30                    .replace( /<\/?[a-z][\s\S]*?(>|$)/ig, '' );
     31
     32            // If the initial text is not equal to the modified text,
     33            // do the search-replace again, until there is nothing to be replaced.
     34            if ( _text !== text ) {
     35                return wp.sanitize.stripTags( _text );
     36            }
     37
     38            // Return the text with stripped tags.
     39            return _text;
    3040        },
    3141
     
    4252
    4353            try {
    44                 textarea.innerHTML = _text;
     54                textarea.textContent = _text;
    4555                _text = wp.sanitize.stripTags( textarea.value );
    4656            } catch ( er ) {}
  • trunk/src/js/_enqueues/wp/updates.js

    r45793 r45979  
    263263        if ( 'undefined' !== typeof response.debug && window.console && window.console.log ) {
    264264            _.map( response.debug, function( message ) {
    265                 window.console.log( $( '<p />' ).html( message ).text() );
     265                // Remove all HTML tags and write a message to the console.
     266                window.console.log( wp.sanitize.stripTagsAndEncodeText( message ) );
    266267            } );
    267268        }
  • trunk/src/wp-includes/script-loader.php

    r45934 r45979  
    881881    );
    882882
    883     $scripts->add( 'wp-a11y', "/wp-includes/js/wp-a11y$suffix.js", array( 'jquery' ), false, 1 );
     883    $scripts->add( 'wp-sanitize', "/wp-includes/js/wp-sanitize$suffix.js", array(), false, 1 );
     884
     885    $scripts->add( 'wp-a11y', "/wp-includes/js/wp-a11y$suffix.js", array( 'jquery', 'wp-sanitize' ), false, 1 );
    884886
    885887    $scripts->add( 'sack', "/wp-includes/js/tw-sack$suffix.js", array(), '1.6.1', 1 );
     
    14881490    $scripts->add( 'customize-preview-widgets', "/wp-includes/js/customize-preview-widgets$suffix.js", array( 'jquery', 'wp-util', 'customize-preview', 'customize-selective-refresh' ), false, 1 );
    14891491
    1490     $scripts->add( 'customize-nav-menus', "/wp-admin/js/customize-nav-menus$suffix.js", array( 'jquery', 'wp-backbone', 'customize-controls', 'accordion', 'nav-menu' ), false, 1 );
     1492    $scripts->add( 'customize-nav-menus', "/wp-admin/js/customize-nav-menus$suffix.js", array( 'jquery', 'wp-backbone', 'customize-controls', 'accordion', 'nav-menu', 'wp-sanitize' ), false, 1 );
    14911493    $scripts->add( 'customize-preview-nav-menus', "/wp-includes/js/customize-preview-nav-menus$suffix.js", array( 'jquery', 'wp-util', 'customize-preview', 'customize-selective-refresh' ), false, 1 );
    14921494
     
    15731575        );
    15741576
    1575         $scripts->add( 'post', "/wp-admin/js/post$suffix.js", array( 'suggest', 'wp-lists', 'postbox', 'tags-box', 'underscore', 'word-count', 'wp-a11y' ), false, 1 );
     1577        $scripts->add( 'post', "/wp-admin/js/post$suffix.js", array( 'suggest', 'wp-lists', 'postbox', 'tags-box', 'underscore', 'word-count', 'wp-a11y', 'wp-sanitize' ), false, 1 );
    15761578        did_action( 'init' ) && $scripts->localize(
    15771579            'post',
     
    17011703        );
    17021704
    1703         $scripts->add( 'updates', "/wp-admin/js/updates$suffix.js", array( 'jquery', 'wp-util', 'wp-a11y' ), false, 1 );
     1705        $scripts->add( 'updates', "/wp-admin/js/updates$suffix.js", array( 'jquery', 'wp-util', 'wp-a11y', 'wp-sanitize' ), false, 1 );
    17041706        did_action( 'init' ) && $scripts->localize(
    17051707            'updates',
  • trunk/tests/phpunit/tests/dependencies/scripts.php

    r45458 r45979  
    693693
    694694        $ver       = get_bloginfo( 'version' );
    695         $expected  = "<script type='text/javascript' src='/wp-admin/load-scripts.php?c=0&amp;load%5Bchunk_0%5D=jquery-core,jquery-migrate,wp-a11y&amp;ver={$ver}'></script>\n";
     695        $expected  = "<script type='text/javascript' src='/wp-admin/load-scripts.php?c=0&amp;load%5Bchunk_0%5D=jquery-core,jquery-migrate,wp-sanitize,wp-a11y&amp;ver={$ver}'></script>\n";
    696696        $expected .= "<script type='text/javascript'>\nconsole.log(\"before\");\n</script>\n";
    697697        $expected .= "<script type='text/javascript' src='http://example.com'></script>\n";
  • trunk/tests/qunit/index.html

    r45930 r45979  
    7777        <script src="../../build/wp-includes/js/customize-models.js"></script>
    7878        <script src="../../build/wp-includes/js/shortcode.js"></script>
     79+       <script src="../../build/wp-includes/js/wp-sanitize.js"></script>
    7980        <script src="../../build/wp-admin/js/customize-controls.js"></script>
    8081        <script src="../../build/wp-includes/js/api-request.js"></script>
Note: See TracChangeset for help on using the changeset viewer.