Changeset 47645
- Timestamp:
- 04/29/2020 04:05:32 PM (4 years ago)
- Location:
- branches/5.2
- Files:
-
- 12 edited
Legend:
- Unmodified
- Added
- Removed
-
branches/5.2
- Property svn:mergeinfo changed
/trunk merged: 47633-47638
- Property svn:mergeinfo changed
-
branches/5.2/src/wp-includes/blocks/rss.php
r44810 r47645 81 81 82 82 $classes = 'grid' === $attributes['blockLayout'] ? ' is-grid columns-' . $attributes['columns'] : ''; 83 $list_items_markup = "<ul class='wp-block-rss{$classes}'>{$list_items}</ul>";83 $list_items_markup = sprintf( "<ul class='%s'>%s</ul>", esc_attr( 'wp-block-rss' . $classes ), $list_items ); 84 84 85 85 // PHP 5.2 compatibility. See: http://simplepie.org/wiki/faq/i_m_getting_memory_leaks. … … 94 94 */ 95 95 function register_block_core_rss() { 96 register_block_type( 'core/rss', 96 register_block_type( 97 'core/rss', 97 98 array( 98 99 'attributes' => array( -
branches/5.2/src/wp-includes/blocks/search.php
r44810 r47645 47 47 return sprintf( 48 48 '<form class="%s" role="search" method="get" action="%s">%s</form>', 49 $class,49 esc_attr( $class ), 50 50 esc_url( home_url( '/' ) ), 51 51 $label_markup . $input_markup . $button_markup -
branches/5.2/src/wp-includes/cache.php
r45161 r47645 696 696 echo '<ul>'; 697 697 foreach ( $this->cache as $group => $cache ) { 698 echo "<li><strong>Group:</strong> $group - ( ". number_format( strlen( serialize( $cache ) ) / KB_IN_BYTES, 2 ) . 'k )</li>';698 echo '<li><strong>Group:</strong> ' . esc_html( $group ) . ' - ( ' . number_format( strlen( serialize( $cache ) ) / KB_IN_BYTES, 2 ) . 'k )</li>'; 699 699 } 700 700 echo '</ul>'; -
branches/5.2/src/wp-includes/class-wp-customize-manager.php
r45232 r47645 2887 2887 2888 2888 /* 2889 * Update the changeset post. The publish_customize_changeset action 2890 * will cause the settings in the changeset to be saved via2891 * WP_Customize_Setting::save().2889 * Update the changeset post. The publish_customize_changeset action will cause the settings in the 2890 * changeset to be saved via WP_Customize_Setting::save(). Updating a post with publish status will 2891 * trigger WP_Customize_Manager::publish_changeset_values(). 2892 2892 */ 2893 2894 // Prevent content filters from corrupting JSON in post_content. 2895 $has_kses = ( false !== has_filter( 'content_save_pre', 'wp_filter_post_kses' ) ); 2896 if ( $has_kses ) { 2897 kses_remove_filters(); 2898 } 2899 $has_targeted_link_rel_filters = ( false !== has_filter( 'content_save_pre', 'wp_targeted_link_rel' ) ); 2900 if ( $has_targeted_link_rel_filters ) { 2901 wp_remove_targeted_link_rel_filters(); 2902 } 2903 2904 // Note that updating a post with publish status will trigger WP_Customize_Manager::publish_changeset_values(). 2893 add_filter( 'wp_insert_post_data', array( $this, 'preserve_insert_changeset_post_content' ), 5, 3 ); 2905 2894 if ( $changeset_post_id ) { 2906 2895 if ( $args['autosave'] && 'auto-draft' !== get_post_status( $changeset_post_id ) ) { … … 2929 2918 } 2930 2919 } 2931 2932 // Restore removed content filters. 2933 if ( $has_kses ) { 2934 kses_init_filters(); 2935 } 2936 if ( $has_targeted_link_rel_filters ) { 2937 wp_init_targeted_link_rel_filters(); 2938 } 2920 remove_filter( 'wp_insert_post_data', array( $this, 'preserve_insert_changeset_post_content' ), 5 ); 2939 2921 2940 2922 $this->_changeset_data = null; // Reset so WP_Customize_Manager::changeset_data() will re-populate with updated contents. … … 2952 2934 2953 2935 return $response; 2936 } 2937 2938 /** 2939 * Preserve the initial JSON post_content passed to save into the post. 2940 * 2941 * This is needed to prevent KSES and other {@see 'content_save_pre'} filters 2942 * from corrupting JSON data. 2943 * 2944 * Note that WP_Customize_Manager::validate_setting_values() have already 2945 * run on the setting values being serialized as JSON into the post content 2946 * so it is pre-sanitized. 2947 * 2948 * Also, the sanitization logic is re-run through the respective 2949 * WP_Customize_Setting::sanitize() method when being read out of the 2950 * changeset, via WP_Customize_Manager::post_value(), and this sanitized 2951 * value will also be sent into WP_Customize_Setting::update() for 2952 * persisting to the DB. 2953 * 2954 * Multiple users can collaborate on a single changeset, where one user may 2955 * have the unfiltered_html capability but another may not. A user with 2956 * unfiltered_html may add a script tag to some field which needs to be kept 2957 * intact even when another user updates the changeset to modify another field 2958 * when they do not have unfiltered_html. 2959 * 2960 * @since 5.4.1 2961 * 2962 * @param array $data An array of slashed and processed post data. 2963 * @param array $postarr An array of sanitized (and slashed) but otherwise unmodified post data. 2964 * @param array $unsanitized_postarr An array of slashed yet *unsanitized* and unprocessed post data as originally passed to wp_insert_post(). 2965 * @return array Filtered post data. 2966 */ 2967 public function preserve_insert_changeset_post_content( $data, $postarr, $unsanitized_postarr ) { 2968 if ( 2969 isset( $data['post_type'] ) && 2970 isset( $unsanitized_postarr['post_content'] ) && 2971 'customize_changeset' === $data['post_type'] || 2972 ( 2973 'revision' === $data['post_type'] && 2974 ! empty( $data['post_parent'] ) && 2975 'customize_changeset' === get_post_type( $data['post_parent'] ) 2976 ) 2977 ) { 2978 $data['post_content'] = $unsanitized_postarr['post_content']; 2979 } 2980 return $data; 2954 2981 } 2955 2982 -
branches/5.2/src/wp-includes/class-wp-query.php
r46479 r47645 798 798 } elseif ( $qv['p'] ) { 799 799 $this->is_single = true; 800 } elseif ( ( '' !== $qv['hour'] ) && ( '' !== $qv['minute'] ) && ( '' !== $qv['second'] ) && ( '' != $qv['year'] ) && ( '' != $qv['monthnum'] ) && ( '' != $qv['day'] ) ) {801 // If year, month, day, hour, minute, and second are set, a single802 // post is being queried.803 $this->is_single = true;804 800 } elseif ( '' != $qv['pagename'] || ! empty( $qv['page_id'] ) ) { 805 801 $this->is_page = true; -
branches/5.2/src/wp-includes/formatting.php
r46901 r47645 1999 1999 $filename_raw = $filename; 2000 2000 $special_chars = array( '?', '[', ']', '/', '\\', '=', '<', '>', ':', ';', ',', "'", '"', '&', '$', '#', '*', '(', ')', '|', '~', '`', '!', '{', '}', '%', '+', chr( 0 ) ); 2001 2002 // Check for support for utf8 in the installed PCRE library once and store the result in a static. 2003 static $utf8_pcre = null; 2004 if ( ! isset( $utf8_pcre ) ) { 2005 // phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged 2006 $utf8_pcre = @preg_match( '/^./u', 'a' ); 2007 } 2008 2009 if ( ! seems_utf8( $filename ) ) { 2010 $_ext = pathinfo( $filename, PATHINFO_EXTENSION ); 2011 $_name = pathinfo( $filename, PATHINFO_FILENAME ); 2012 $filename = sanitize_title_with_dashes( $_name ) . '.' . $_ext; 2013 } 2014 2015 if ( $utf8_pcre ) { 2016 $filename = preg_replace( "#\x{00a0}#siu", ' ', $filename ); 2017 } 2018 2001 2019 /** 2002 2020 * Filters the list of characters to remove from a filename. … … 2008 2026 */ 2009 2027 $special_chars = apply_filters( 'sanitize_file_name_chars', $special_chars, $filename_raw ); 2010 $filename = preg_replace( "#\x{00a0}#siu", ' ', $filename );2011 2028 $filename = str_replace( $special_chars, '', $filename ); 2012 2029 $filename = str_replace( array( '%20', '+' ), '-', $filename ); -
branches/5.2/src/wp-includes/post.php
r45219 r47645 3386 3386 global $wpdb; 3387 3387 3388 // Capture original pre-sanitized array for passing into filters. 3389 $unsanitized_postarr = $postarr; 3390 3388 3391 $user_id = get_current_user_id(); 3389 3392 … … 3697 3700 * 3698 3701 * @since 3.9.0 3702 * @since 5.4.1 `$unsanitized_postarr` argument added. 3699 3703 * 3700 * @param array $data An array of sanitized attachment post data. 3701 * @param array $postarr An array of unsanitized attachment post data. 3704 * @param array $data An array of slashed, sanitized, and processed attachment post data. 3705 * @param array $postarr An array of slashed and sanitized attachment post data, but not processed. 3706 * @param array $unsanitized_postarr An array of slashed yet *unsanitized* and unprocessed attachment post data 3707 * as originally passed to wp_insert_post(). 3702 3708 */ 3703 $data = apply_filters( 'wp_insert_attachment_data', $data, $postarr );3709 $data = apply_filters( 'wp_insert_attachment_data', $data, $postarr, $unsanitized_postarr ); 3704 3710 } else { 3705 3711 /** … … 3707 3713 * 3708 3714 * @since 2.7.0 3715 * @since 5.4.1 `$unsanitized_postarr` argument added. 3709 3716 * 3710 * @param array $data An array of slashed post data. 3711 * @param array $postarr An array of sanitized, but otherwise unmodified post data. 3717 * @param array $data An array of slashed, sanitized, and processed post data. 3718 * @param array $postarr An array of sanitized (and slashed) but otherwise unmodified post data. 3719 * @param array $unsanitized_postarr An array of slashed yet *unsanitized* and unprocessed post data as 3720 * originally passed to wp_insert_post(). 3712 3721 */ 3713 $data = apply_filters( 'wp_insert_post_data', $data, $postarr );3722 $data = apply_filters( 'wp_insert_post_data', $data, $postarr, $unsanitized_postarr ); 3714 3723 } 3715 3724 $data = wp_unslash( $data ); -
branches/5.2/src/wp-includes/user.php
r45204 r47645 1774 1774 1775 1775 if ( $update ) { 1776 if ( $user_email !== $old_user_data->user_email ) {1776 if ( $user_email !== $old_user_data->user_email || $user_pass !== $old_user_data->user_pass ) { 1777 1777 $data['user_activation_key'] = ''; 1778 1778 } -
branches/5.2/tests/phpunit/tests/customize/manager.php
r44582 r47645 1162 1162 1163 1163 /** 1164 * Test saving changeset post without Kses or other content_save_pre filters mutating content. 1165 * 1166 * @covers WP_Customize_Manager::save_changeset_post() 1167 */ 1168 public function test_save_changeset_post_without_kses_corrupting_json() { 1169 global $wp_customize; 1170 $lesser_admin_user_id = self::factory()->user->create( array( 'role' => 'administrator' ) ); 1171 1172 $uuid = wp_generate_uuid4(); 1173 $wp_customize = new WP_Customize_Manager( 1174 array( 1175 'changeset_uuid' => $uuid, 1176 ) 1177 ); 1178 1179 add_filter( 'map_meta_cap', array( $this, 'filter_map_meta_cap_to_disallow_unfiltered_html' ), 10, 2 ); 1180 kses_init(); 1181 add_filter( 'content_save_pre', 'capital_P_dangit' ); 1182 add_post_type_support( 'customize_changeset', 'revisions' ); 1183 1184 $options = array( 1185 'custom_html_1' => '<script>document.write(" Wordpress 1")</script>', 1186 'custom_html_2' => '<script>document.write(" Wordpress 2")</script>', 1187 'custom_html_3' => '<script>document.write(" Wordpress 3")</script>', 1188 ); 1189 1190 // Populate setting as user who can bypass content_save_pre filter. 1191 wp_set_current_user( self::$admin_user_id ); 1192 $wp_customize = $this->get_manager_for_testing_json_corruption_protection( $uuid ); 1193 $wp_customize->set_post_value( 'custom_html_1', $options['custom_html_1'] ); 1194 $wp_customize->save_changeset_post( 1195 array( 1196 'status' => 'draft', 1197 ) 1198 ); 1199 1200 // Populate setting as user who cannot bypass content_save_pre filter. 1201 wp_set_current_user( $lesser_admin_user_id ); 1202 $wp_customize = $this->get_manager_for_testing_json_corruption_protection( $uuid ); 1203 $wp_customize->set_post_value( 'custom_html_2', $options['custom_html_2'] ); 1204 $wp_customize->save_changeset_post( 1205 array( 1206 'autosave' => true, 1207 ) 1208 ); 1209 1210 /* 1211 * Ensure that the unsanitized value (the "POST data") is preserved in the autosave revision. 1212 * The value is sent through the sanitize function when it is read from the changeset. 1213 */ 1214 $autosave_revision = wp_get_post_autosave( $wp_customize->changeset_post_id(), get_current_user_id() ); 1215 $saved_data = json_decode( $autosave_revision->post_content, true ); 1216 $this->assertEquals( $options['custom_html_1'], $saved_data['custom_html_1']['value'] ); 1217 $this->assertEquals( $options['custom_html_2'], $saved_data['custom_html_2']['value'] ); 1218 1219 // Update post to discard autosave. 1220 $wp_customize->save_changeset_post( 1221 array( 1222 'status' => 'draft', 1223 ) 1224 ); 1225 1226 /* 1227 * Ensure that the unsanitized value (the "POST data") is preserved in the post content. 1228 * The value is sent through the sanitize function when it is read from the changeset. 1229 */ 1230 $wp_customize = $this->get_manager_for_testing_json_corruption_protection( $uuid ); 1231 $saved_data = json_decode( get_post( $wp_customize->changeset_post_id() )->post_content, true ); 1232 $this->assertEquals( $options['custom_html_1'], $saved_data['custom_html_1']['value'] ); 1233 $this->assertEquals( $options['custom_html_2'], $saved_data['custom_html_2']['value'] ); 1234 1235 /* 1236 * Ensure that the unsanitized value (the "POST data") is preserved in the revisions' content. 1237 * The value is sent through the sanitize function when it is read from the changeset. 1238 */ 1239 $revisions = wp_get_post_revisions( $wp_customize->changeset_post_id() ); 1240 $revision = array_shift( $revisions ); 1241 $saved_data = json_decode( $revision->post_content, true ); 1242 $this->assertEquals( $options['custom_html_1'], $saved_data['custom_html_1']['value'] ); 1243 $this->assertEquals( $options['custom_html_2'], $saved_data['custom_html_2']['value'] ); 1244 1245 /* 1246 * Now when publishing the changeset, the unsanitized values will be read from the changeset 1247 * and sanitized according to the capabilities of the users who originally updated each 1248 * setting in the changeset to begin with. 1249 */ 1250 wp_set_current_user( $lesser_admin_user_id ); 1251 $wp_customize = $this->get_manager_for_testing_json_corruption_protection( $uuid ); 1252 $wp_customize->set_post_value( 'custom_html_3', $options['custom_html_3'] ); 1253 $wp_customize->save_changeset_post( 1254 array( 1255 'status' => 'publish', 1256 ) 1257 ); 1258 1259 // User saved as one who can bypass content_save_pre filter. 1260 $this->assertContains( '<script>', get_option( 'custom_html_1' ) ); 1261 $this->assertContains( 'Wordpress', get_option( 'custom_html_1' ) ); // phpcs:ignore WordPress.WP.CapitalPDangit.Misspelled 1262 1263 // User saved as one who cannot bypass content_save_pre filter. 1264 $this->assertNotContains( '<script>', get_option( 'custom_html_2' ) ); 1265 $this->assertContains( 'WordPress', get_option( 'custom_html_2' ) ); 1266 1267 // User saved as one who also cannot bypass content_save_pre filter. 1268 $this->assertNotContains( '<script>', get_option( 'custom_html_3' ) ); 1269 $this->assertContains( 'WordPress', get_option( 'custom_html_3' ) ); 1270 } 1271 1272 /** 1273 * Get a manager for testing JSON corruption protection. 1274 * 1275 * @param string $uuid UUID. 1276 * @return WP_Customize_Manager Manager. 1277 */ 1278 private function get_manager_for_testing_json_corruption_protection( $uuid ) { 1279 global $wp_customize; 1280 $wp_customize = new WP_Customize_Manager( 1281 array( 1282 'changeset_uuid' => $uuid, 1283 ) 1284 ); 1285 for ( $i = 0; $i < 5; $i++ ) { 1286 $wp_customize->add_setting( 1287 sprintf( 'custom_html_%d', $i ), 1288 array( 1289 'type' => 'option', 1290 'sanitize_callback' => array( $this, 'apply_content_save_pre_filters_if_not_main_admin_user' ), 1291 ) 1292 ); 1293 } 1294 return $wp_customize; 1295 } 1296 1297 /** 1298 * Sanitize content with Kses if the current user is not the main admin. 1299 * 1300 * @since 5.4.1 1301 * 1302 * @param string $content Content to sanitize. 1303 * @return string Sanitized content. 1304 */ 1305 public function apply_content_save_pre_filters_if_not_main_admin_user( $content ) { 1306 if ( get_current_user_id() !== self::$admin_user_id ) { 1307 $content = apply_filters( 'content_save_pre', $content ); 1308 } 1309 return $content; 1310 } 1311 1312 /** 1313 * Filter map_meta_cap to disallow unfiltered_html. 1314 * 1315 * @since 5.4.1 1316 * 1317 * @param array $caps User's capabilities. 1318 * @param string $cap Requested cap. 1319 * @return array Caps. 1320 */ 1321 public function filter_map_meta_cap_to_disallow_unfiltered_html( $caps, $cap ) { 1322 if ( 'unfiltered_html' === $cap ) { 1323 $caps = array( 'do_not_allow' ); 1324 } 1325 return $caps; 1326 } 1327 1328 /** 1164 1329 * Call count for customize_changeset_save_data filter. 1165 1330 * -
branches/5.2/tests/phpunit/tests/formatting/SanitizeFileName.php
r42343 r47645 69 69 $this->assertEquals( 'no-extension', sanitize_file_name( '_.no-extension' ) ); 70 70 } 71 72 /** 73 * @dataProvider data_wp_filenames 74 */ 75 function test_replaces_invalid_utf8_characters( $input, $expected ) { 76 $this->assertEquals( $expected, sanitize_file_name( $input ) ); 77 } 78 79 function data_wp_filenames() { 80 return array( 81 array( urldecode( '%B1myfile.png' ), 'myfile.png' ), 82 array( urldecode( '%B1myfile' ), 'myfile' ), 83 array( 'demo bar.png', 'demo-bar.png' ), 84 array( 'demo' . json_decode( '"\u00a0"' ) . 'bar.png', 'demo-bar.png' ), 85 ); 86 } 71 87 } -
branches/5.2/tests/phpunit/tests/user.php
r44645 r47645 978 978 } 979 979 980 function test_changing_email_invalidates_password_reset_key() {980 public function test_changing_email_invalidates_password_reset_key() { 981 981 global $wpdb; 982 982 … … 1003 1003 'user_nicename' => 'cat', 1004 1004 'user_email' => 'foo@bar.dev', 1005 ); 1006 wp_update_user( $userdata ); 1007 1008 $user = get_userdata( $user->ID ); 1009 $this->assertEmpty( $user->user_activation_key ); 1010 } 1011 1012 public function test_changing_password_invalidates_password_reset_key() { 1013 global $wpdb; 1014 1015 $user = $this->author; 1016 $wpdb->update( $wpdb->users, array( 'user_activation_key' => 'key' ), array( 'ID' => $user->ID ) ); 1017 clean_user_cache( $user ); 1018 1019 $user = get_userdata( $user->ID ); 1020 $this->assertEquals( 'key', $user->user_activation_key ); 1021 1022 $userdata = array( 1023 'ID' => $user->ID, 1024 'user_pass' => 'password', 1005 1025 ); 1006 1026 wp_update_user( $userdata );
Note: See TracChangeset
for help on using the changeset viewer.