Changeset 47650 for branches/4.7/tests/phpunit/tests/customize/manager.php
- Timestamp:
- 04/29/2020 04:22:22 PM (4 years ago)
- Location:
- branches/4.7
- Files:
-
- 2 edited
branches/4.7
- Property svn:mergeinfo changed
/trunk merged: 47633-47635,47637-47638
- Property svn:mergeinfo changed
-
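--- a/branches/4.7/tests/phpunit/tests/customize/manager.php
+++ b/branches/4.7/tests/phpunit/tests/customize/manager.php
@@ -887,4 +887,154 @@
 
 	/**
+	 * Test saving changeset post without Kses or other content_save_pre filters mutating content.
+	 *
+	 * @covers WP_Customize_Manager::save_changeset_post()
+	 */
+	public function test_save_changeset_post_without_kses_corrupting_json() {
+		global $wp_customize;
+		$lesser_admin_user_id = self::factory()->user->create( array( 'role' => 'administrator' ) );
+
+		$uuid         = wp_generate_uuid4();
+		$wp_customize = new WP_Customize_Manager(
+			array(
+				'changeset_uuid' => $uuid,
+			)
+		);
+
+		add_filter( 'map_meta_cap', array( $this, 'filter_map_meta_cap_to_disallow_unfiltered_html' ), 10, 2 );
+		kses_init();
+		add_filter( 'content_save_pre', 'capital_P_dangit' );
+		add_post_type_support( 'customize_changeset', 'revisions' );
+
+		$options = array(
+			'custom_html_1' => '<script>document.write(" Wordpress 1")</script>',
+			'custom_html_2' => '<script>document.write(" Wordpress 2")</script>',
+			'custom_html_3' => '<script>document.write(" Wordpress 3")</script>',
+		);
+
+		// Populate setting as user who can bypass content_save_pre filter.
+		wp_set_current_user( self::$admin_user_id );
+		$wp_customize = $this->get_manager_for_testing_json_corruption_protection( $uuid );
+		$wp_customize->set_post_value( 'custom_html_1', $options['custom_html_1'] );
+		$wp_customize->save_changeset_post(
+			array(
+				'status' => 'draft',
+			)
+		);
+
+		// Populate setting as user who cannot bypass content_save_pre filter.
+		wp_set_current_user( $lesser_admin_user_id );
+		$wp_customize = $this->get_manager_for_testing_json_corruption_protection( $uuid );
+		$wp_customize->set_post_value( 'custom_html_2', $options['custom_html_2'] );
+
+		$wp_customize->save_changeset_post(
+			array(
+				'status' => 'draft',
+			)
+		);
+
+		/*
+		 * Ensure that the unsanitized value (the "POST data") is preserved in the post content.
+		 * The value is sent through the sanitize function when it is read from the changeset.
+		 */
+		$wp_customize = $this->get_manager_for_testing_json_corruption_protection( $uuid );
+		$saved_data   = json_decode( get_post( $wp_customize->changeset_post_id() )->post_content, true );
+		$this->assertEquals( $options['custom_html_1'], $saved_data['custom_html_1']['value'] );
+		$this->assertEquals( $options['custom_html_2'], $saved_data['custom_html_2']['value'] );
+
+		/*
+		 * Ensure that the unsanitized value (the "POST data") is preserved in the revisions' content.
+		 * The value is sent through the sanitize function when it is read from the changeset.
+		 */
+		$revisions  = wp_get_post_revisions( $wp_customize->changeset_post_id() );
+		$revision   = array_shift( $revisions );
+		$saved_data = json_decode( $revision->post_content, true );
+		$this->assertEquals( $options['custom_html_1'], $saved_data['custom_html_1']['value'] );
+		$this->assertEquals( $options['custom_html_2'], $saved_data['custom_html_2']['value'] );
+
+		/*
+		 * Now when publishing the changeset, the unsanitized values will be read from the changeset
+		 * and sanitized according to the capabilities of the users who originally updated each
+		 * setting in the changeset to begin with.
+		 */
+		wp_set_current_user( $lesser_admin_user_id );
+		$wp_customize = $this->get_manager_for_testing_json_corruption_protection( $uuid );
+		$wp_customize->set_post_value( 'custom_html_3', $options['custom_html_3'] );
+		$wp_customize->save_changeset_post(
+			array(
+				'status' => 'publish',
+			)
+		);
+
+		// User saved as one who can bypass content_save_pre filter.
+		$this->assertContains( '<script>', get_option( 'custom_html_1' ) );
+		$this->assertContains( 'Wordpress', get_option( 'custom_html_1' ) ); // phpcs:ignore WordPress.WP.CapitalPDangit.Misspelled
+
+		// User saved as one who cannot bypass content_save_pre filter.
+		$this->assertNotContains( '<script>', get_option( 'custom_html_2' ) );
+		$this->assertContains( 'WordPress', get_option( 'custom_html_2' ) );
+
+		// User saved as one who also cannot bypass content_save_pre filter.
+		$this->assertNotContains( '<script>', get_option( 'custom_html_3' ) );
+		$this->assertContains( 'WordPress', get_option( 'custom_html_3' ) );
+	}
+
+	/**
+	 * Get a manager for testing JSON corruption protection.
+	 *
+	 * @param string $uuid UUID.
+	 * @return WP_Customize_Manager Manager.
+	 */
+	private function get_manager_for_testing_json_corruption_protection( $uuid ) {
+		global $wp_customize;
+		$wp_customize = new WP_Customize_Manager(
+			array(
+				'changeset_uuid' => $uuid,
+			)
+		);
+		for ( $i = 0; $i < 5; $i++ ) {
+			$wp_customize->add_setting(
+				sprintf( 'custom_html_%d', $i ),
+				array(
+					'type'              => 'option',
+					'sanitize_callback' => array( $this, 'apply_content_save_pre_filters_if_not_main_admin_user' ),
+				)
+			);
+		}
+		return $wp_customize;
+	}
+
+	/**
+	 * Sanitize content with Kses if the current user is not the main admin.
+	 *
+	 * @since 5.4.1
+	 *
+	 * @param string $content Content to sanitize.
+	 * @return string Sanitized content.
+	 */
+	public function apply_content_save_pre_filters_if_not_main_admin_user( $content ) {
+		if ( get_current_user_id() !== self::$admin_user_id ) {
+			$content = apply_filters( 'content_save_pre', $content );
+		}
+		return $content;
+	}
+
+	/**
+	 * Filter map_meta_cap to disallow unfiltered_html.
+	 *
+	 * @since 5.4.1
+	 *
+	 * @param array  $caps User's capabilities.
+	 * @param string $cap  Requested cap.
+	 * @return array Caps.
+	 */
+	public function filter_map_meta_cap_to_disallow_unfiltered_html( $caps, $cap ) {
+		if ( 'unfiltered_html' === $cap ) {
+			$caps = array( 'do_not_allow' );
+		}
+		return $caps;
+	}
+
+	/**
 	 * Call count for customize_changeset_save_data filter.
 	 *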
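Review bot: The `$wp_customize = new WP_Customize_Manager( array( 'changeset_uuid' => $uuid ) );` assignment at new lines 898–902 of test_save_changeset_post_without_kses_corrupting_json is dead: it is overwritten by `get_manager_for_testing_json_corruption_protection( $uuid )` at line 917 before any call on it, and the helper already assigns the same global, so those five lines can be dropped and `$uuid = wp_generate_uuid4();` kept on its own. The helper registers `custom_html_0` through `custom_html_4` (loop `$i < 5` at line 995) while the test only exercises 1–3; a comment such as `// Register a few spare settings so set_post_value() on any custom_html_N is accepted.` would explain the gap, or the bound could be tightened to match `$options`. The filters added at lines 904–906 are presumably unwound by the test case's hook backup between tests, but `add_post_type_support( 'customize_changeset', 'revisions' )` at line 907 has no matching `remove_post_type_support()` in the hunk, so the revisions behaviour may leak into later tests in this class — worth confirming against the base test case's tearDown.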