Changeset 47959


Timestamp:
06/10/2020 05:58:07 PM (4 months ago)
Author:
desrosj
Message:

General: Backport several commits for release.

  • Embeds: Ensure that the title attribute is set correctly on embeds.
  • Editor: Prevent HTML decoding by setting the proper editor context.
  • Formatting: Ensure that wp_validate_redirect() sanitizes a wider variety of characters.
  • Themes: Ensure a broken theme name is returned properly.
  • Administration: Add a new filter to extend set-screen-option.

Merges [47948-47951] to the 5.3 branch.
Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.

Location:
branches/5.3
Files:
10 edited

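--- a/branches/5.3/src/wp-admin/includes/media.php
+++ b/branches/5.3/src/wp-admin/includes/media.php
@@ -3213,5 +3213,5 @@
     ?>
     </label>
-    <?php wp_editor( $post->post_content, 'attachment_content', $editor_args ); ?>
+    <?php wp_editor( format_to_edit( $post->post_content ), 'attachment_content', $editor_args ); ?>
 
     </div>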
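Review bot: The new `format_to_edit()` call on line 3215 leaves `$rich_text` at its default and carries no comment saying why the raw `$post->post_content` can no longer be handed to `wp_editor()` directly; with that default the helper escapes the content for a plain textarea, so the change is only correct if the editor mode configured in `$editor_args` (built above the hunk) matches, which cannot be checked from the hunk. A one-line comment such as `// Escape for the editor textarea; the matching editor context is set in $editor_args.` would record that dependency, and the `$editor_args` definition should be confirmed to agree with it.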
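--- a/branches/5.3/src/wp-admin/includes/misc.php
+++ b/branches/5.3/src/wp-admin/includes/misc.php
@@ -680,21 +680,44 @@
                 break;
             default:
+                if ( '_page' === substr( $option, -5 ) || 'layout_columns' === $option ) {
+                    /**
+                     * Filters a screen option value before it is set.
+                     *
+                     * The filter can also be used to modify non-standard [items]_per_page
+                     * settings. See the parent function for a full list of standard options.
+                     *
+                     * Returning false to the filter will skip saving the current option.
+                     *
+                     * @since 2.8.0
+                     * @since 5.4.2 Only applied to options ending with '_page',
+                     *              or the 'layout_columns' option.
+                     *
+                     * @see set_screen_options()
+                     *
+                     * @param bool   $keep   Whether to save or skip saving the screen option value.
+                     *                       Default false.
+                     * @param string $option The option name.
+                     * @param int    $value  The number of rows to use.
+                     */
+                    $value = apply_filters( 'set-screen-option', false, $option, $value ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores
+                }
+
                 /**
                  * Filters a screen option value before it is set.
                  *
-                 * The filter can also be used to modify non-standard [items]_per_page
-                 * settings. See the parent function for a full list of standard options.
+                 * The dynamic portion of the hook, `$option`, refers to the option name.
                  *
                  * Returning false to the filter will skip saving the current option.
                  *
-                 * @since 2.8.0
+                 * @since 5.4.2
                  *
                  * @see set_screen_options()
                  *
-                 * @param bool     $keep   Whether to save or skip saving the screen option value. Default false.
-                 * @param string   $option The option name.
-                 * @param int      $value  The number of rows to use.
+                 * @param bool   $keep   Whether to save or skip saving the screen option value.
+                 *                       Default false.
+                 * @param string $option The option name.
+                 * @param int    $value  The number of rows to use.
                  */
-                $value = apply_filters( 'set-screen-option', false, $option, $value );  // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores
+                $value = apply_filters( "set_screen_option_{$option}", false, $option, $value );
 
                 if ( false === $value ) {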
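Review bot: The dynamic `set_screen_option_{$option}` filter on line 721 receives as its `$value` argument whatever the legacy `set-screen-option` filter returned on line 702, not the submitted number of rows, because line 702 assigns the legacy result back into `$value`; for every `*_page` option with no legacy callback attached that argument is therefore `false`, while the new docblock on lines 716-719 documents `$value` as the number of rows. Keeping the submitted value and the filter result in separate variables fixes this without changing what either filter returns; the `false === $value` check on line 723 would then test the result variable, and its body (outside the hunk) would copy the result into `$value` before the option is saved. The enclosing switch and set_screen_options() continue outside the hunk.
```php
            default:
                $screen_option = false;

                if ( '_page' === substr( $option, -5 ) || 'layout_columns' === $option ) {
                    // … unchanged: docblock for the legacy 'set-screen-option' filter …
                    $screen_option = apply_filters( 'set-screen-option', $screen_option, $option, $value ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores
                }

                // … unchanged: docblock for the dynamic set_screen_option_{$option} filter …
                $screen_option = apply_filters( "set_screen_option_{$option}", $screen_option, $option, $value );

                if ( false === $screen_option ) {
```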
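--- a/branches/5.3/src/wp-admin/themes.php
+++ b/branches/5.3/src/wp-admin/themes.php
@@ -409,5 +409,5 @@
     <?php foreach ( $broken_themes as $broken_theme ) : ?>
         <tr>
-            <td><?php echo $broken_theme->get( 'Name' ) ? $broken_theme->display( 'Name' ) : $broken_theme->get_stylesheet(); ?></td>
+            <td><?php echo $broken_theme->get( 'Name' ) ? $broken_theme->display( 'Name' ) : esc_html( $broken_theme->get_stylesheet() ); ?></td>
             <td><?php echo $broken_theme->errors()->get_error_message(); ?></td>
             <?php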
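Review bot: The stylesheet name is now escaped on line 411, but the error message echoed on the context line directly below it (`$broken_theme->errors()->get_error_message()`) still goes out unescaped, so the two cells of the same row are treated differently; whether those messages can carry anything beyond WordPress's own translated strings depends on how WP_Theme builds its errors, which is not in view. If the messages are plain text, `<td><?php echo esc_html( $broken_theme->errors()->get_error_message() ); ?></td>` makes the row consistent; if they intentionally contain markup, `wp_kses_post()` is the equivalent choice.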
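--- a/branches/5.3/src/wp-includes/comment-template.php
+++ b/branches/5.3/src/wp-includes/comment-template.php
@@ -594,6 +594,11 @@
  */
 function get_comment_excerpt( $comment_ID = 0 ) {
-    $comment      = get_comment( $comment_ID );
-    $comment_text = strip_tags( str_replace( array( "\n", "\r" ), ' ', $comment->comment_content ) );
+    $comment = get_comment( $comment_ID );
+
+    if ( ! post_password_required( $comment->comment_post_ID ) ) {
+        $comment_text = strip_tags( str_replace( array( "\n", "\r" ), ' ', $comment->comment_content ) );
+    } else {
+        $comment_text = __( 'Password protected' );
+    }
 
     /* translators: Maximum number of words used in a comment excerpt. */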
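Review bot: The new branch on lines 598-602 has no comment explaining why the comment text is withheld, and because `post_password_required()` decides per visitor, `get_comment_excerpt()` now returns viewer-dependent output, which matters to any caller that caches or syndicates the excerpt. A comment above the `if`, such as `// Do not expose the comment until the visitor has supplied the post password.`, would record both points, and the function's docblock (it ends on line 594, above the hunk) should gain an `@since 5.4.2` line describing the `'Password protected'` placeholder. get_comment_excerpt() continues past the hunk; as before, `$comment` is dereferenced without checking that get_comment() returned an object.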
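--- a/branches/5.3/src/wp-includes/default-filters.php
+++ b/branches/5.3/src/wp-includes/default-filters.php
@@ -575,6 +575,6 @@
 add_filter( 'the_excerpt_embed', 'wp_embed_excerpt_attachment' );
 
+add_filter( 'oembed_dataparse', 'wp_filter_oembed_iframe_title_attribute', 5, 3 );
 add_filter( 'oembed_dataparse', 'wp_filter_oembed_result', 10, 3 );
-add_filter( 'oembed_dataparse', 'wp_filter_oembed_iframe_title_attribute', 20, 3 );
 add_filter( 'oembed_response_data', 'get_oembed_response_data_rich', 10, 4 );
 add_filter( 'pre_oembed_result', 'wp_filter_pre_oembed_result', 10, 3 );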
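Review bot: Moving `wp_filter_oembed_iframe_title_attribute` from priority 20 to 5 on line 577 makes it run before `wp_filter_oembed_result` on line 578, but nothing in the file records that the ordering is deliberate, so a later edit could reorder the two without noticing. A comment on the new line, e.g. `// Must run before wp_filter_oembed_result() so the rewritten iframe still goes through that filter.`, would protect the ordering; the reason stated there is inferred from the callback names and should be confirmed against embed.php before it is committed as fact.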
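--- a/branches/5.3/src/wp-includes/embed.php
+++ b/branches/5.3/src/wp-includes/embed.php
@@ -798,9 +798,22 @@
     $title = ! empty( $data->title ) ? $data->title : '';
 
-    $pattern        = '`<iframe[^>]*?title=(\\\\\'|\\\\"|[\'"])([^>]*?)\1`i';
-    $has_title_attr = preg_match( $pattern, $result, $matches );
-
-    if ( $has_title_attr && ! empty( $matches[2] ) ) {
-        $title = $matches[2];
+    $pattern = '`<iframe([^>]*)>`i';
+    if ( preg_match( $pattern, $result, $matches ) ) {
+        $attrs = wp_kses_hair( $matches[1], wp_allowed_protocols() );
+
+        foreach ( $attrs as $attr => $item ) {
+            $lower_attr = strtolower( $attr );
+            if ( $lower_attr === $attr ) {
+                continue;
+            }
+            if ( ! isset( $attrs[ $lower_attr ] ) ) {
+                $attrs[ $lower_attr ] = $item;
+                unset( $attrs[ $attr ] );
+            }
+        }
+    }
+
+    if ( ! empty( $attrs['title']['value'] ) ) {
+        $title = $attrs['title']['value'];
     }
 
@@ -821,9 +834,9 @@
     }
 
-    if ( $has_title_attr ) {
-        // Remove the old title, $matches[1]: quote, $matches[2]: title attribute value.
-        $result = str_replace( ' title=' . $matches[1] . $matches[2] . $matches[1], '', $result );
-    }
-
+    if ( isset( $attrs['title'] ) ) {
+        unset( $attrs['title'] );
+        $attr_string = join( ' ', wp_list_pluck( $attrs, 'whole' ) );
+        $result      = str_replace( $matches[0], '<iframe ' . trim( $attr_string ) . '>', $result );
+    }
     return str_ireplace( '<iframe ', sprintf( '<iframe title="%s" ', esc_attr( $title ) ), $result );
 }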
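Review bot: `$attrs` and `$matches` are only assigned inside the `if ( preg_match( ... ) )` branch on lines 801-814, so the later `! empty( $attrs['title']['value'] )` on line 816 and `isset( $attrs['title'] )` on line 836 rely on an unset variable being quietly treated as absent; initialising `$attrs = array();` before line 800 makes the no-iframe path explicit. The case-folding loop on lines 804-813 also deserves a why-comment, e.g. `// Fold attribute names to lowercase so a TITLE= or Title= attribute is found and replaced below.`, presumably because wp_kses_hair() keeps the spelling it finds. Note too that only the first `<iframe>` match is inspected and rebuilt, while the `str_ireplace()` on line 841 prefixes a title onto every iframe, so a second iframe that carries its own title attribute ends up with two; confirm that the downstream filter makes this acceptable. wp_filter_oembed_iframe_title_attribute() begins above the first hunk.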
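--- a/branches/5.3/src/wp-includes/pluggable.php
+++ b/branches/5.3/src/wp-includes/pluggable.php
@@ -1392,7 +1392,7 @@
      */
     function wp_validate_redirect( $location, $default = '' ) {
-        $location = trim( $location, " \t\n\r\0\x08\x0B" );
-        // browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
-        if ( substr( $location, 0, 2 ) == '//' ) {
+        $location = wp_sanitize_redirect( trim( $location, " \t\n\r\0\x08\x0B" ) );
+        // Browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'.
+        if ( '//' === substr( $location, 0, 2 ) ) {
             $location = 'http:' . $location;
         }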
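Review bot: The sanitisation added on line 1394 now runs before the `//` check and before the parsing that follows the hunk, but the function's docblock (ending on line 1392) does not mention that `$location` is passed through `wp_sanitize_redirect()`, and that function is itself pluggable, so a replacement implementation weakens this validator as well. A comment on line 1394 such as `// wp_sanitize_redirect() is pluggable: this check is only as strict as the active implementation.` together with a `@since 5.4.2` note in the docblock would make the dependency visible to the next reader. wp_validate_redirect() continues outside the hunk.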
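--- a/branches/5.3/tests/phpunit/tests/blocks/render.php
+++ b/branches/5.3/tests/phpunit/tests/blocks/render.php
@@ -290,4 +290,22 @@
     }
 
+    public function test_render_latest_comments_on_password_protected_post() {
+        $post_id      = self::factory()->post->create(
+            array(
+                'post_password' => 'password',
+            )
+        );
+        $comment_text = wp_generate_password( 10, false );
+        self::factory()->comment->create(
+            array(
+                'comment_post_ID' => $post_id,
+                'comment_content' => $comment_text,
+            )
+        );
+        $comments = do_blocks( '<!-- wp:latest-comments {"commentsToShow":1,"displayExcerpt":true} /-->' );
+
+        $this->assertNotContains( $comment_text, $comments );
+    }
+
     /**
      * @ticket 45109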
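Review bot: The new test on lines 292-308 asserts only that the comment text is absent, which also passes when the block renders no comment at all (for instance if the created comment were not approved or the excerpt option were ignored), so it cannot tell the fix apart from an empty render. A positive assertion on the placeholder the fix emits, `$this->assertContains( 'Password protected', $comments );`, pins the intended behaviour; this assumes, from the commit's comment-template.php change, that the block shows get_comment_excerpt() output when `displayExcerpt` is set.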
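--- a/branches/5.3/tests/phpunit/tests/oembed/filterResult.php
+++ b/branches/5.3/tests/phpunit/tests/oembed/filterResult.php
@@ -103,3 +103,37 @@
         $this->assertEquals( '<blockquote class="wp-embedded-content"></blockquote><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"></iframe>', $actual );
     }
+
+    public function _data_oembed_test_strings() {
+        return array(
+            array(
+                '<blockquote></blockquote><iframe title=""></iframe>',
+                '<blockquote class="wp-embedded-content"></blockquote><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; clip: rect(1px, 1px, 1px, 1px);" title="Hola"></iframe>',
+            ),
+            array(
+                '<blockquote class="foo" id="bar"><strong><a href="" target=""></a></strong></blockquote><iframe width=123></iframe>',
+                '<blockquote class="wp-embedded-content"><a href=""></a></blockquote><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; clip: rect(1px, 1px, 1px, 1px);" title="Hola" width="123"></iframe>',
+            ),
+            array(
+                '<blockquote><iframe width="100"></iframe></blockquote><iframe stitle="aaaa"></iframe>',
+                '<blockquote class="wp-embedded-content"><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; clip: rect(1px, 1px, 1px, 1px);" title="Hola" width="100"></iframe></blockquote><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; clip: rect(1px, 1px, 1px, 1px);" title="Hola"></iframe>',
+            ),
+            array(
+                "<blockquote><iframe title=' width=\"'></iframe></blockquote><iframe title='' height=' title=' width=\"'' heigt='123'\"></iframe>",
+                '<blockquote class="wp-embedded-content"><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; clip: rect(1px, 1px, 1px, 1px);" title=" width=&quot;"></iframe></blockquote><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; clip: rect(1px, 1px, 1px, 1px);" title=" width=&quot;" height=\' title=\' width="\'\' heigt=\'123\'"></iframe>',
+            ),
+        );
+    }
+
+    /**
+     * @dataProvider _data_oembed_test_strings
+     */
+    public function test_wp_filter_pre_oembed_custom_result( $html, $expected ) {
+        $data   = (object) [
+            'type'  => 'rich',
+            'title' => 'Hola',
+            'html'  => $html,
+        ];
+        $actual = _wp_oembed_get_object()->data2html( $data, 'https://untrusted.localhost' );
+        $this->assertEquals( $expected, $actual );
+    }
 }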
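Review bot: The four datasets returned by `_data_oembed_test_strings()` on lines 106-125 are unkeyed, so a failure in `test_wp_filter_pre_oembed_custom_result` reports only a numeric index next to a very long expected string; keying each case by what it covers (for example `'empty title attribute' => array( ... )`, `'unquoted width' => ...`, `'stitle lookalike' => ...`, `'quote inside title value' => ...`) makes the report readable and documents why each input was chosen. The assertion on line 137 also compares strings with `assertEquals`; `assertSame` is the stricter choice for scalar output.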