WordPress.org

Make WordPress Core

Changeset 51414


Ignore:
Timestamp:
07/13/2021 05:57:04 AM (2 months ago)
Author:
peterwilsoncc
Message:

Widgets: Validate HTML before saving block widgets.

Props talldanwp, noisysocks, kevin940726, peterwilsoncc.

Location:
trunk/src/wp-includes
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/class-wp-customize-widgets.php

    r51232 r51414  
    14201420            $widget_object = $wp_widget_factory->get_widget_object( $id_base );
    14211421            if ( ! empty( $widget_object->widget_options['show_instance_in_rest'] ) ) {
     1422                if ( 'block' === $id_base && ! current_user_can( 'unfiltered_html' ) ) {
     1423                    // The content of the 'block' widget is not filtered on the
     1424                    // fly while editing. Filter the content here to prevent
     1425                    // vulnerabilities.
     1426                    $value['raw_instance']['content'] = wp_kses_post( $value['raw_instance']['content'] );
     1427                }
     1428
    14221429                return $value['raw_instance'];
    14231430            }
  • trunk/src/wp-includes/widgets/class-wp-widget-block.php

    r51249 r51414  
    179179     */
    180180    public function update( $new_instance, $old_instance ) {
    181         $instance            = array_merge( $this->default_instance, $old_instance );
    182         $instance['content'] = $new_instance['content'];
     181        $instance = array_merge( $this->default_instance, $old_instance );
     182
     183        if ( current_user_can( 'unfiltered_html' ) ) {
     184            $instance['content'] = $new_instance['content'];
     185        } else {
     186            $instance['content'] = wp_kses_post( $new_instance['content'] );
     187        }
    183188
    184189        return $instance;
Note: See TracChangeset for help on using the changeset viewer.