
Changeset 47963 for branches/5.1


Timestamp:
06/10/2020 06:18:25 PM (5 years ago)
Author:
desrosj
Message:

General: Backport several commits for release.

  • Embeds: Ensure that the title attribute is set correctly on embeds.
  • Editor: Prevent HTML decoding by setting the proper editor context.
  • Formatting: Ensure that wp_validate_redirect() sanitizes a wider variety of characters.
  • Themes: Ensure a broken theme name is returned properly.
  • Administration: Add a new filter to extend set-screen-option.

Merges [47947-47951] to the 5.1 branch.
Props xknown, sstoqnov, vortfu, SergeyBiryukov, whyisjake.

Location:
branches/5.1
Files:
8 edited


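--- a/branches/5.1/src/wp-admin/includes/media.php
+++ b/branches/5.1/src/wp-admin/includes/media.php
@@ -3040,5 +3040,5 @@
                                                         ?>
     </label>
-    <?php wp_editor( $post->post_content, 'attachment_content', $editor_args ); ?>
+    <?php wp_editor( format_to_edit( $post->post_content ), 'attachment_content', $editor_args ); ?>
 
     </div>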
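Review bot: The new `format_to_edit()` wrapper on the `wp_editor()` call carries no explanation, and this is exactly the kind of one-token change a later cleanup could revert as "redundant". The commit message says the purpose is to stop the stored HTML from being decoded in the editor, so I would put that next to the call: `<?php // Prepare the stored content for the editor context so existing entities are not decoded on display. ?>`. The surrounding markup and `$editor_args` are defined outside this hunk, so I cannot confirm which editor mode is in effect here.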
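--- a/branches/5.1/src/wp-admin/includes/misc.php
+++ b/branches/5.1/src/wp-admin/includes/misc.php
@@ -640,21 +640,44 @@
                 break;
             default:
+                if ( '_page' === substr( $option, -5 ) || 'layout_columns' === $option ) {
+                    /**
+                     * Filters a screen option value before it is set.
+                     *
+                     * The filter can also be used to modify non-standard [items]_per_page
+                     * settings. See the parent function for a full list of standard options.
+                     *
+                     * Returning false to the filter will skip saving the current option.
+                     *
+                     * @since 2.8.0
+                     * @since 5.4.2 Only applied to options ending with '_page',
+                     *              or the 'layout_columns' option.
+                     *
+                     * @see set_screen_options()
+                     *
+                     * @param bool   $keep   Whether to save or skip saving the screen option value.
+                     *                       Default false.
+                     * @param string $option The option name.
+                     * @param int    $value  The number of rows to use.
+                     */
+                    $value = apply_filters( 'set-screen-option', false, $option, $value ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores
+                }
+
                 /**
                  * Filters a screen option value before it is set.
                  *
-                 * The filter can also be used to modify non-standard [items]_per_page
-                 * settings. See the parent function for a full list of standard options.
+                 * The dynamic portion of the hook, `$option`, refers to the option name.
                  *
                  * Returning false to the filter will skip saving the current option.
                  *
-                 * @since 2.8.0
+                 * @since 5.4.2
                  *
                  * @see set_screen_options()
                  *
-                 * @param bool     $keep   Whether to save or skip saving the screen option value. Default false.
-                 * @param string   $option The option name.
-                 * @param int      $value  The number of rows to use.
+                 * @param bool   $keep   Whether to save or skip saving the screen option value.
+                 *                       Default false.
+                 * @param string $option The option name.
+                 * @param int    $value  The number of rows to use.
                  */
-                $value = apply_filters( 'set-screen-option', false, $option, $value );
+                $value = apply_filters( "set_screen_option_{$option}", false, $option, $value );
 
                 if ( false === $value ) {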
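Review bot: The result of the legacy `set-screen-option` filter is thrown away for `_page` and `layout_columns` options: the branch stores the legacy filter's return in `$value`, but the following `apply_filters( "set_screen_option_{$option}", false, $option, $value )` passes a literal `false` as `$keep`, so when nothing is hooked to the dynamic filter its default `false` replaces `$value` and the `false === $value` check that follows skips the save. The keep/skip decision should travel through both filters in its own variable while the posted `$value` stays the third argument, as in the rewrite below. Separately, `$option` is interpolated into the hook name, so the sanitization it receives before this `switch` (outside the hunk) is what keeps the hook name well-formed; a one-line comment at the dynamic filter saying so would help. The `default:` branch continues past the hunk, so the statement inside the `false ===` check is not visible here.
```php
            default:
                $screen_option = false;

                if ( '_page' === substr( $option, -5 ) || 'layout_columns' === $option ) {
                    // … unchanged: legacy 'set-screen-option' docblock …
                    $screen_option = apply_filters( 'set-screen-option', $screen_option, $option, $value ); // phpcs:ignore WordPress.NamingConventions.ValidHookName.UseUnderscores
                }

                // … unchanged: "set_screen_option_{$option}" docblock …
                // $option is expected to be sanitized before this switch; it becomes part of the hook name.
                $screen_option = apply_filters( "set_screen_option_{$option}", $screen_option, $option, $value );

                if ( false === $screen_option ) {
                    // … unchanged: skip saving …
                }

                $value = $screen_option;
```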
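--- a/branches/5.1/src/wp-admin/themes.php
+++ b/branches/5.1/src/wp-admin/themes.php
@@ -365,5 +365,5 @@
     <?php foreach ( $broken_themes as $broken_theme ) : ?>
         <tr>
-            <td><?php echo $broken_theme->get( 'Name' ) ? $broken_theme->display( 'Name' ) : $broken_theme->get_stylesheet(); ?></td>
+            <td><?php echo $broken_theme->get( 'Name' ) ? $broken_theme->display( 'Name' ) : esc_html( $broken_theme->get_stylesheet() ); ?></td>
             <td><?php echo $broken_theme->errors()->get_error_message(); ?></td>
             <?php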
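Review bot: The fallback branch now escapes the stylesheet directory name, but the next cell in the same row still echoes `$broken_theme->errors()->get_error_message()` with no escaping. Whether that is safe depends on every error message being escaped at construction, which this hunk cannot show; if any of them embeds a value read from the theme's own files (a parent template name, for example), it needs the same treatment, e.g. `<td><?php echo wp_kses_post( $broken_theme->errors()->get_error_message() ); ?></td>` if the messages are allowed to carry markup, or `esc_html()` if they are not. The `display( 'Name' )` branch is likewise assumed to return escaped output; worth confirming against the method rather than the call site.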
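--- a/branches/5.1/src/wp-includes/default-filters.php
+++ b/branches/5.1/src/wp-includes/default-filters.php
@@ -574,4 +574,5 @@
 add_filter( 'the_excerpt_embed', 'wp_embed_excerpt_attachment' );
 
+add_filter( 'oembed_dataparse', 'wp_filter_oembed_iframe_title_attribute', 5, 3 );
 add_filter( 'oembed_dataparse', 'wp_filter_oembed_result', 10, 3 );
 add_filter( 'oembed_response_data', 'get_oembed_response_data_rich', 10, 4 );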
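Review bot: The priority `5` on the new registration is load-bearing but unexplained: it places the title injection ahead of `wp_filter_oembed_result` at `10`, and the expected strings in the accompanying `filterResult.php` test (title retained alongside the added `sandbox`/`security` attributes) indicate the later callback is the one that sanitizes the final markup. Nothing on the line stops someone from normalizing it to the default priority later. I would add `// Runs before wp_filter_oembed_result() (priority 10) so the injected title attribute still passes through that sanitizing step.` above the `add_filter()` call.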
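--- a/branches/5.1/src/wp-includes/embed.php
+++ b/branches/5.1/src/wp-includes/embed.php
@@ -780,4 +780,66 @@
     return $node->asXML();
 }
+
+/**
+ * Filters the given oEmbed HTML to make sure iframes have a title attribute.
+ *
+ * @since 5.2.0
+ *
+ * @param string $result The oEmbed HTML result.
+ * @param object $data   A data object result from an oEmbed provider.
+ * @param string $url    The URL of the content to be embedded.
+ * @return string The filtered oEmbed result.
+ */
+function wp_filter_oembed_iframe_title_attribute( $result, $data, $url ) {
+    if ( false === $result || ! in_array( $data->type, array( 'rich', 'video' ), true ) ) {
+        return $result;
+    }
+
+    $title = ! empty( $data->title ) ? $data->title : '';
+
+    $pattern = '`<iframe([^>]*)>`i';
+    if ( preg_match( $pattern, $result, $matches ) ) {
+        $attrs = wp_kses_hair( $matches[1], wp_allowed_protocols() );
+
+        foreach ( $attrs as $attr => $item ) {
+            $lower_attr = strtolower( $attr );
+            if ( $lower_attr === $attr ) {
+                continue;
+            }
+            if ( ! isset( $attrs[ $lower_attr ] ) ) {
+                $attrs[ $lower_attr ] = $item;
+                unset( $attrs[ $attr ] );
+            }
+        }
+    }
+
+    if ( ! empty( $attrs['title']['value'] ) ) {
+        $title = $attrs['title']['value'];
+    }
+
+    /**
+     * Filters the title attribute of the given oEmbed HTML iframe.
+     *
+     * @since 5.2.0
+     *
+     * @param string $title  The title attribute.
+     * @param string $result The oEmbed HTML result.
+     * @param object $data   A data object result from an oEmbed provider.
+     * @param string $url    The URL of the content to be embedded.
+     */
+    $title = apply_filters( 'oembed_iframe_title_attribute', $title, $result, $data, $url );
+
+    if ( '' === $title ) {
+        return $result;
+    }
+
+    if ( isset( $attrs['title'] ) ) {
+        unset( $attrs['title'] );
+        $attr_string = join( ' ', wp_list_pluck( $attrs, 'whole' ) );
+        $result      = str_replace( $matches[0], '<iframe ' . trim( $attr_string ) . '>', $result );
+    }
+    return str_ireplace( '<iframe ', sprintf( '<iframe title="%s" ', esc_attr( $title ) ), $result );
+}
+
 
 /**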
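Review bot: The final `str_ireplace( '<iframe ', ... )` only rewrites tags that are followed by a literal space, so an attribute-less `<iframe>` or a tag broken across a newline (`<iframe\n src=...>`) comes back without a title even though the docblock promises every iframe gets one; the `$pattern` above already accepts those forms, so the two halves of the function disagree. A lookahead keeps the existing behaviour for the spaced case and covers the rest: `return preg_replace( '/<iframe(?=[\s>])/i', sprintf( '<iframe title="%s"', esc_attr( $title ) ), $result );`. Two smaller points: `$attrs` and `$matches` are only assigned inside the `preg_match` branch, and the later `empty()`/`isset()` checks rely on them being undefined when no iframe matched — a one-line comment at the `$pattern` line saying so would spare the next reader a trace; and the key-lowercasing loop deliberately leaves a mixed-case key in place when its lowercase twin already exists, which is worth stating since it means `$attrs` can still carry two spellings of the same attribute into the rebuilt tag.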
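--- a/branches/5.1/src/wp-includes/pluggable.php
+++ b/branches/5.1/src/wp-includes/pluggable.php
@@ -1375,7 +1375,7 @@
      */
     function wp_validate_redirect( $location, $default = '' ) {
-        $location = trim( $location, " \t\n\r\0\x08\x0B" );
-        // browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'
-        if ( substr( $location, 0, 2 ) == '//' ) {
+        $location = wp_sanitize_redirect( trim( $location, " \t\n\r\0\x08\x0B" ) );
+        // Browsers will assume 'http' is your protocol, and will obey a redirect to a URL starting with '//'.
+        if ( '//' === substr( $location, 0, 2 ) ) {
             $location = 'http:' . $location;
         }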
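Review bot: The ordering introduced here — `wp_sanitize_redirect()` applied before the protocol-relative check — is the security-relevant part of the change, and the only comment on the block still describes the browser behaviour rather than why sanitization has to come first. If the sanitizer is moved after the check during a later refactor, characters it would have removed can again sit in front of a `//`, so I would pin the intent on the assignment line: `// Sanitize first so that characters wp_sanitize_redirect() strips cannot mask a leading '//' from the check below.` The rest of `wp_validate_redirect()` (and `wp_sanitize_redirect()` itself, which is pluggable) lies outside this hunk, so I have not verified the exact character set the sanitizer now handles.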
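--- a/branches/5.1/tests/phpunit/tests/oembed/filterResult.php
+++ b/branches/5.1/tests/phpunit/tests/oembed/filterResult.php
@@ -103,3 +103,37 @@
         $this->assertEquals( '<blockquote class="wp-embedded-content"></blockquote><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted"></iframe>', $actual );
     }
+
+    public function _data_oembed_test_strings() {
+        return array(
+            array(
+                '<blockquote></blockquote><iframe title=""></iframe>',
+                '<blockquote class="wp-embedded-content"></blockquote><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; clip: rect(1px, 1px, 1px, 1px);" title="Hola"></iframe>',
+            ),
+            array(
+                '<blockquote class="foo" id="bar"><strong><a href="" target=""></a></strong></blockquote><iframe width=123></iframe>',
+                '<blockquote class="wp-embedded-content"><a href=""></a></blockquote><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; clip: rect(1px, 1px, 1px, 1px);" title="Hola" width="123"></iframe>',
+            ),
+            array(
+                '<blockquote><iframe width="100"></iframe></blockquote><iframe stitle="aaaa"></iframe>',
+                '<blockquote class="wp-embedded-content"><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; clip: rect(1px, 1px, 1px, 1px);" title="Hola" width="100"></iframe></blockquote><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; clip: rect(1px, 1px, 1px, 1px);" title="Hola"></iframe>',
+            ),
+            array(
+                "<blockquote><iframe title=' width=\"'></iframe></blockquote><iframe title='' height=' title=' width=\"'' heigt='123'\"></iframe>",
+                '<blockquote class="wp-embedded-content"><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; clip: rect(1px, 1px, 1px, 1px);" title=" width=&quot;"></iframe></blockquote><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; clip: rect(1px, 1px, 1px, 1px);" title=" width=&quot;" height=\' title=\' width="\'\' heigt=\'123\'"></iframe>',
+            ),
+        );
+    }
+
+    /**
+     * @dataProvider _data_oembed_test_strings
+     */
+    public function test_wp_filter_pre_oembed_custom_result( $html, $expected ) {
+        $data   = (object) array(
+            'type'  => 'rich',
+            'title' => 'Hola',
+            'html'  => $html,
+        );
+        $actual = _wp_oembed_get_object()->data2html( $data, 'https://untrusted.localhost' );
+        $this->assertEquals( $expected, $actual );
+    }
 }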
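Review bot: Every dataset in `_data_oembed_test_strings` exercises the same path — `type` is `'rich'`, `title` is `'Hola'`, and each iframe carries at least one attribute — so the branches the new filter is built around are untested: a `type` outside `rich`/`video` (the result must come back untouched), a provider object with an empty `title` and no `title` attribute (no attribute should be added), and a bare `<iframe></iframe>` with no attributes at all, which is the case most likely to expose a gap in the final tag rewrite. Each is one more `array( input, expected )` row in the provider plus, for the type case, a second test method with `'type' => 'link'`. Also, the method name `test_wp_filter_pre_oembed_custom_result` does not mention the title attribute, so a future reader grepping for title coverage will not find it; `test_wp_filter_oembed_iframe_title_attribute` would be clearer. The docblock on the test is the only documentation; a one-line `@ticket`-style reference or a sentence naming the filter under test would tie the fixture strings to the function they cover.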