

Timestamp:
05/16/2023 03:13:50 PM (10 months ago)
Author:
audrasjb
Message:

Grouped backports to the 6.1 branch.

  • Media: Prevent CSRF setting attachment thumbnails.
  • Embeds: Add protocol validation for WordPress Embed code.
  • I18N: Introduce sanitization function for locale.
  • Editor: Ensure block comments are of a valid form.
  • Editor: Remove shortcode support from block templates.

Merges [55760-55764] to the 6.1 branch.
Props dd32, isabel_brison, martinkrcho, matveb, ocean90, paulkevan, peterwilsoncc, timothyblynjacobs, xknown, youknowriad.

File:
1 edited

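--- a/branches/6.1/tests/phpunit/tests/ajax/Attachments.php
+++ b/branches/6.1/tests/phpunit/tests/ajax/Attachments.php
@@ -104,3 +104,94 @@
         $this->assertSame( $expected, $response['data'] );
     }
+
+    public function test_wp_ajax_set_attachment_thumbnail_success() {
+        // Become an administrator.
+        $post    = $_POST;
+        $user_id = self::factory()->user->create(
+            array(
+                'role'       => 'administrator',
+                'user_login' => 'user_36578_administrator',
+                'user_email' => 'user_36578_administrator@example.com',
+            )
+        );
+        wp_set_current_user( $user_id );
+        $_POST = array_merge( $_POST, $post );
+
+        // Upload the attachment itself.
+        $filename = DIR_TESTDATA . '/uploads/small-audio.mp3';
+        $contents = file_get_contents( $filename );
+
+        $upload     = wp_upload_bits( wp_basename( $filename ), null, $contents );
+        $attachment = $this->_make_attachment( $upload );
+
+        // Upload the thumbnail.
+        $filename = DIR_TESTDATA . '/images/waffles.jpg';
+        $contents = file_get_contents( $filename );
+
+        $upload    = wp_upload_bits( wp_basename( $filename ), null, $contents );
+        $thumbnail = $this->_make_attachment( $upload );
+
+        // Set up a default request.
+        $_POST['_ajax_nonce']  = wp_create_nonce( 'set-attachment-thumbnail' );
+        $_POST['thumbnail_id'] = $thumbnail;
+        $_POST['urls']         = array( wp_get_attachment_url( $attachment ) );
+
+        // Make the request.
+        try {
+            $this->_handleAjax( 'set-attachment-thumbnail' );
+        } catch ( WPAjaxDieContinueException $e ) {
+            unset( $e );
+        }
+
+        // Get the response.
+        $response = json_decode( $this->_last_response, true );
+
+        // Ensure everything is correct.
+        $this->assertTrue( $response['success'] );
+    }
+
+    public function test_wp_ajax_set_attachment_thumbnail_missing_nonce() {
+        // Become an administrator.
+        $post    = $_POST;
+        $user_id = self::factory()->user->create(
+            array(
+                'role'       => 'administrator',
+                'user_login' => 'user_36578_administrator',
+                'user_email' => 'user_36578_administrator@example.com',
+            )
+        );
+        wp_set_current_user( $user_id );
+        $_POST = array_merge( $_POST, $post );
+
+        // Upload the attachment itself.
+        $filename = DIR_TESTDATA . '/uploads/small-audio.mp3';
+        $contents = file_get_contents( $filename );
+
+        $upload     = wp_upload_bits( wp_basename( $filename ), null, $contents );
+        $attachment = $this->_make_attachment( $upload );
+
+        // Upload the thumbnail.
+        $filename = DIR_TESTDATA . '/images/waffles.jpg';
+        $contents = file_get_contents( $filename );
+
+        $upload    = wp_upload_bits( wp_basename( $filename ), null, $contents );
+        $thumbnail = $this->_make_attachment( $upload );
+
+        // Set up a default request.
+        $_POST['thumbnail_id'] = $thumbnail;
+        $_POST['urls']         = array( wp_get_attachment_url( $attachment ) );
+
+        // Make the request.
+        try {
+            $this->_handleAjax( 'set-attachment-thumbnail' );
+        } catch ( WPAjaxDieContinueException $e ) {
+            unset( $e );
+        }
+
+        // Get the response.
+        $response = json_decode( $this->_last_response, true );
+
+        // Check that success is false without sending nonce.
+        $this->assertFalse( $response['success'] );
+    }
 }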
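Review bot: The negative test (new lines 153–196) only asserts that `$response['success']` is false, which does not show that the missing nonce is what blocked the operation rather than some other validation path, so the CSRF regression it is meant to guard is only weakly pinned. Asserting the attachment's state makes it direct: add `$this->assertNotSame( $thumbnail, get_post_thumbnail_id( $attachment ) );` after the existing assertFalse, and correspondingly `$this->assertSame( $thumbnail, get_post_thumbnail_id( $attachment ) );` after the assertTrue at new line 150 so the success test proves the thumbnail was actually applied. Separately, `$post = $_POST;` followed by `$_POST = array_merge( $_POST, $post );` (new lines 109/118 and 155/164) merges the superglobal with a copy of itself and so neither saves nor restores it; the `_ajax_nonce`, `thumbnail_id` and `urls` keys written by the success test are left in `$_POST`, so the negative test presumably relies on the base test case resetting `$_POST` between tests — worth confirming, or unsetting those keys at the end of each test. The two tests also share roughly thirty identical setup lines (user creation, both uploads) that could move into a private helper returning the attachment and thumbnail ids.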