Make WordPress Core


Timestamp:
07/13/2021 05:57:04 AM (3 years ago)
Author:
peterwilsoncc
Message:

Widgets: Validate HTML before saving block widgets.

Props talldanwp, noisysocks, kevin940726, peterwilsoncc.

File:
1 edited

  • trunk/src/wp-includes/class-wp-customize-widgets.php

    r51232 r51414  
    14201420            $widget_object = $wp_widget_factory->get_widget_object( $id_base );
    14211421            if ( ! empty( $widget_object->widget_options['show_instance_in_rest'] ) ) {
     1422                if ( 'block' === $id_base && ! current_user_can( 'unfiltered_html' ) ) {
     1423                    // The content of the 'block' widget is not filtered on the
     1424                    // fly while editing. Filter the content here to prevent
     1425                    // vulnerabilities.
     1426                    $value['raw_instance']['content'] = wp_kses_post( $value['raw_instance']['content'] );
     1427                }
     1428
    14221429                return $value['raw_instance'];
    14231430            }
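Review bot: the new branch reads `$value['raw_instance']['content']` and hands it straight to `wp_kses_post()` without first checking that the key exists and holds a string, so a block widget instance saved without a `content` key would raise an undefined-index notice and be persisted with an empty string. Guard the assignment with `if ( isset( $value['raw_instance']['content'] ) )` (or an `is_string()` check) before filtering. The comment's "to prevent vulnerabilities" is also vaguer than it needs to be; stating the concrete intent, that a user without the `unfiltered_html` capability must not be able to persist markup `wp_kses_post()` would strip, makes the purpose of the capability check clear to future readers.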