Index: /branches/5.2/src/js/_enqueues/admin/post.js
===================================================================
--- /branches/5.2/src/js/_enqueues/admin/post.js (revision 45988)
+++ /branches/5.2/src/js/_enqueues/admin/post.js (revision 45989)
@@ -796,5 +796,7 @@
// Update "Status:" to currently selected status.
- $('#post-status-display').html($('option:selected', postStatus).text());
+ $('#post-status-display').text(
+ wp.sanitize.stripTagsAndEncodeText( $('option:selected', postStatus).text() ) // Remove any potential tags from post status text.
+ );
// Show or hide the "Save Draft" button.
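Review bot: The change from `.html()` to `.text()` is what makes this display safe; the `stripTagsAndEncodeText` call on the argument is defence in depth, and it also alters what is shown for a status label that contains a letter-prefixed `<` sequence, since stripTags removes everything from that `<` to the next `>` or the end of the string. The trailing comment on the argument line reads as if the strip were the fix; a comment above the statement stating the actual contract would be clearer: `// .text() renders the label as plain text; the strip is belt-and-braces against tag-like sequences in the option label.`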
Index: /branches/5.2/src/js/_enqueues/wp/a11y.js
===================================================================
--- /branches/5.2/src/js/_enqueues/wp/a11y.js (revision 45988)
+++ /branches/5.2/src/js/_enqueues/wp/a11y.js (revision 45989)
@@ -28,6 +28,6 @@
clear();
- // Ensure only text is sent to screen readers.
- message = $( '
' ).html( message ).text();
+ // Remove HTML tags, ensuring only text is sent to screen readers.
+ message = wp.sanitize.stripTagsAndEncodeText( message );
/*
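Review bot: The new call drops the entity decoding that the old `.html( message ).text()` round-trip performed, so a message containing `&amp;` or `&lt;` now reaches the live region with the entities still encoded; whether that is read out literally depends on how the region is filled, which is outside this hunk. The same loss of decoding applies to the console output in updates.js. If that is intentional (it avoids parsing the message as HTML at all, which is the point of the fix), the comment should say so: `// Remove HTML tags without parsing the message as HTML; entities are left as-is.` The enclosing speak() function starts outside the hunk.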
Index: /branches/5.2/src/js/_enqueues/wp/customize/nav-menus.js
===================================================================
--- /branches/5.2/src/js/_enqueues/wp/customize/nav-menus.js (revision 45988)
+++ /branches/5.2/src/js/_enqueues/wp/customize/nav-menus.js (revision 45989)
@@ -3457,5 +3457,5 @@
function displayNavMenuName( name ) {
name = name || '';
- name = $( '
' ).text( name ).html(); // Emulate esc_html() which is used in wp-admin/nav-menus.php.
+ name = wp.sanitize.stripTagsAndEncodeText( name ); // Remove any potential tags from name.
name = $.trim( name );
return name || api.Menus.data.l10n.unnamed;
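Review bot: displayNavMenuName used to return an HTML-escaped string (the removed comment says it emulated esc_html()); it now returns tag-stripped but unencoded text, so a name such as `Tom & Jerry` or `1 < 2` (stripTags leaves a `<` that is not followed by a letter untouched) comes back raw. Any caller that inserts the return value with `.html()` or an unescaped template placeholder now has to do the encoding itself; the callers are not visible here, so that should be checked. The new contract belongs in the comment: `// Returns plain text with tags removed; the result is NOT HTML-encoded, callers must escape it when inserting as HTML.`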
Index: /branches/5.2/src/js/_enqueues/wp/sanitize.js
===================================================================
--- /branches/5.2/src/js/_enqueues/wp/sanitize.js (revision 45988)
+++ /branches/5.2/src/js/_enqueues/wp/sanitize.js (revision 45989)
@@ -24,8 +24,18 @@
text = text || '';
- return text
- .replace( /|$)/g, '' )
- .replace( /<(script|style)[^>]*>[\s\S]*?(<\/\1>|$)/ig, '' )
- .replace( /<\/?[a-z][\s\S]*?(>|$)/ig, '' );
+ // Do the replacement.
+ var _text = text
+ .replace( /|$)/g, '' )
+ .replace( /<(script|style)[^>]*>[\s\S]*?(<\/\1>|$)/ig, '' )
+ .replace( /<\/?[a-z][\s\S]*?(>|$)/ig, '' );
+
+ // If the initial text is not equal to the modified text,
+ // do the search-replace again, until there is nothing to be replaced.
+ if ( _text !== text ) {
+ return wp.sanitize.stripTags( _text );
+ }
+
+ // Return the text with stripped tags.
+ return _text;
},
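Review bot: The fixed-point iteration is done by re-entering `wp.sanitize.stripTags` recursively, so the call depth equals the number of passes an input needs, and each pass only has to shrink the string by a few characters for the replacements to terminate; a long, deeply nested string can therefore need a pass per nesting level and exhaust the stack with a RangeError instead of returning a stripped string. A `do … while` loop over the same three replacements gives identical results with constant stack depth and also avoids the self-reference through the global `wp` object. The function's header is outside the hunk; the rewritten body is below.

```javascript
var _text = text,
	previous;

// Repeat until a pass removes nothing, so that markup exposed by an earlier
// pass is removed too; the loop keeps stack depth constant for any input.
do {
	previous = _text;
	_text = previous
		// … unchanged: the existing comment-stripping .replace() goes here …
		.replace( /<(script|style)[^>]*>[\s\S]*?(<\/\1>|$)/ig, '' )
		.replace( /<\/?[a-z][\s\S]*?(>|$)/ig, '' );
} while ( _text !== previous );

return _text;
```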
@@ -42,5 +52,5 @@
try {
- textarea.innerHTML = _text;
+ textarea.textContent = _text;
_text = wp.sanitize.stripTags( textarea.value );
} catch ( er ) {}
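Review bot: With `textarea.textContent = _text`, reading `textarea.value` gives the same string back (at most with line endings normalised), so the entity decoding that the previous `innerHTML` assignment performed is gone and the second `stripTags` pass runs on text that was already stripped; the function now neither encodes nor decodes, despite its name. If leaving entities encoded is the intent (so that `&lt;` can never be turned back into a real `<` by a later pass), the doc comment above the function should state it, e.g. `// Entities are deliberately left encoded; the textarea round-trip only normalises the string.`, and the textarea could then be dropped altogether. The empty `catch ( er ) {}` is pre-existing but now guards nothing that can throw. The enclosing function starts outside the hunk.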
Index: /branches/5.2/src/js/_enqueues/wp/updates.js
===================================================================
--- /branches/5.2/src/js/_enqueues/wp/updates.js (revision 45988)
+++ /branches/5.2/src/js/_enqueues/wp/updates.js (revision 45989)
@@ -263,5 +263,6 @@
if ( 'undefined' !== typeof response.debug && window.console && window.console.log ) {
_.map( response.debug, function( message ) {
- window.console.log( $( '
' ).html( message ).text() );
+ // Remove all HTML tags and write a message to the console.
+ window.console.log( wp.sanitize.stripTagsAndEncodeText( message ) );
} );
}
Index: /branches/5.2/src/wp-includes/script-loader.php
===================================================================
--- /branches/5.2/src/wp-includes/script-loader.php (revision 45988)
+++ /branches/5.2/src/wp-includes/script-loader.php (revision 45989)
@@ -880,5 +880,7 @@
);
- $scripts->add( 'wp-a11y', "/wp-includes/js/wp-a11y$suffix.js", array( 'jquery' ), false, 1 );
+ $scripts->add( 'wp-sanitize', "/wp-includes/js/wp-sanitize$suffix.js", array(), false, 1 );
+
+ $scripts->add( 'wp-a11y', "/wp-includes/js/wp-a11y$suffix.js", array( 'jquery', 'wp-sanitize' ), false, 1 );
$scripts->add( 'sack', "/wp-includes/js/tw-sack$suffix.js", array(), '1.6.1', 1 );
@@ -1483,5 +1485,5 @@
$scripts->add( 'customize-preview-widgets', "/wp-includes/js/customize-preview-widgets$suffix.js", array( 'jquery', 'wp-util', 'customize-preview', 'customize-selective-refresh' ), false, 1 );
- $scripts->add( 'customize-nav-menus', "/wp-admin/js/customize-nav-menus$suffix.js", array( 'jquery', 'wp-backbone', 'customize-controls', 'accordion', 'nav-menu' ), false, 1 );
+ $scripts->add( 'customize-nav-menus', "/wp-admin/js/customize-nav-menus$suffix.js", array( 'jquery', 'wp-backbone', 'customize-controls', 'accordion', 'nav-menu', 'wp-sanitize' ), false, 1 );
$scripts->add( 'customize-preview-nav-menus', "/wp-includes/js/customize-preview-nav-menus$suffix.js", array( 'jquery', 'wp-util', 'customize-preview', 'customize-selective-refresh' ), false, 1 );
@@ -1581,5 +1583,5 @@
);
- $scripts->add( 'post', "/wp-admin/js/post$suffix.js", array( 'suggest', 'wp-lists', 'postbox', 'tags-box', 'underscore', 'word-count', 'wp-a11y' ), false, 1 );
+ $scripts->add( 'post', "/wp-admin/js/post$suffix.js", array( 'suggest', 'wp-lists', 'postbox', 'tags-box', 'underscore', 'word-count', 'wp-a11y', 'wp-sanitize' ), false, 1 );
did_action( 'init' ) && $scripts->localize(
'post',
@@ -1694,5 +1696,5 @@
$scripts->set_translations( 'site-health' );
- $scripts->add( 'updates', "/wp-admin/js/updates$suffix.js", array( 'jquery', 'wp-util', 'wp-a11y' ), false, 1 );
+ $scripts->add( 'updates', "/wp-admin/js/updates$suffix.js", array( 'jquery', 'wp-util', 'wp-a11y', 'wp-sanitize' ), false, 1 );
did_action( 'init' ) && $scripts->localize(
'updates',
Index: /branches/5.2/tests/phpunit/tests/dependencies/scripts.php
===================================================================
--- /branches/5.2/tests/phpunit/tests/dependencies/scripts.php (revision 45988)
+++ /branches/5.2/tests/phpunit/tests/dependencies/scripts.php (revision 45989)
@@ -693,5 +693,5 @@
$ver = get_bloginfo( 'version' );
- $expected = "\n";
+ $expected = "\n";
$expected .= "\n";
$expected .= "\n";
Index: /branches/5.2/tests/qunit/index.html
===================================================================
--- /branches/5.2/tests/qunit/index.html (revision 45988)
+++ /branches/5.2/tests/qunit/index.html (revision 45989)
@@ -77,4 +77,5 @@
++