WordPress.org

Make WordPress Core


Ignore:
Timestamp:
07/13/2021 05:57:04 AM (4 months ago)
Author:
peterwilsoncc
Message:

Widgets: Validate HTML before saving block widgets.

Props talldanwp, noisysocks, kevin940726, peterwilsoncc.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/widgets/class-wp-widget-block.php

    r51249 r51414  
    179179     */
    180180    public function update( $new_instance, $old_instance ) {
    181         $instance            = array_merge( $this->default_instance, $old_instance );
    182         $instance['content'] = $new_instance['content'];
     181        $instance = array_merge( $this->default_instance, $old_instance );
     182
     183        if ( current_user_can( 'unfiltered_html' ) ) {
     184            $instance['content'] = $new_instance['content'];
     185        } else {
     186            $instance['content'] = wp_kses_post( $new_instance['content'] );
     187        }
    183188
    184189        return $instance;
Note: See TracChangeset for help on using the changeset viewer.