Make WordPress Core


Ignore:
Timestamp:
12/12/2019 06:00:45 PM (5 years ago)
Author:
whyisjake
Message:

Prevent stored XSS in the block editor.

Prevent escaped unicode characters become unescaped in unsafe HTML during JSON decoding.

Props: aduth, epiqueras,

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/tests/phpunit/tests/blocks/block-type.php

    r46586 r46896  
    303303        // even if it detects a proper $post global it should still be false for a missing block.
    304304        $this->assertFalse( has_block( 'core/fake' ) );
     305    }
     306
     307    public function test_post_has_block_serialized_name() {
     308        $content = '<!-- wp:serialized /--><!-- wp:core/normalized /--><!-- wp:plugin/third-party /-->';
     309
     310        $this->assertTrue( has_block( 'core/serialized', $content ) );
     311
     312        /*
     313         * Technically, `has_block` should receive a "full" (normalized, parsed)
     314         * block name. But this test conforms to expected pre-5.3.1 behavior.
     315         */
     316        $this->assertTrue( has_block( 'serialized', $content ) );
     317        $this->assertTrue( has_block( 'core/normalized', $content ) );
     318        $this->assertTrue( has_block( 'normalized', $content ) );
     319        $this->assertFalse( has_block( 'plugin/normalized', $content ) );
     320        $this->assertFalse( has_block( 'plugin/serialized', $content ) );
     321        $this->assertFalse( has_block( 'third-party', $content ) );
     322        $this->assertFalse( has_block( 'core/third-party', $content ) );
    305323    }
    306324
Note: See TracChangeset for help on using the changeset viewer.