

Timestamp:
05/16/2023 03:21:39 PM (19 months ago)
Author:
audrasjb
Message:

Grouped backports to the 5.9 branch.

  • Media: Prevent CSRF setting attachment thumbnails.
  • Embeds: Add protocol validation for WordPress Embed code.
  • I18N: Introduce sanitization function for locale.
  • Editor: Ensure block comments are of a valid form.
  • Editor: Remove shortcode support from block templates.

Merges [55760-55764] to the 5.9 branch.
Props dd32, isabel_brison, martinkrcho, matveb, ocean90, paulkevan, peterwilsoncc, timothyblynjacobs, xknown, youknowriad.

File:
1 edited

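--- a/branches/5.9/tests/phpunit/tests/ajax/Attachments.php
+++ b/branches/5.9/tests/phpunit/tests/ajax/Attachments.php
@@ -115,3 +115,94 @@
         $this->assertSame( $expected, $response['data'] );
     }
+
+    public function test_wp_ajax_set_attachment_thumbnail_success() {
+        // Become an administrator.
+        $post    = $_POST;
+        $user_id = self::factory()->user->create(
+            array(
+                'role'       => 'administrator',
+                'user_login' => 'user_36578_administrator',
+                'user_email' => 'user_36578_administrator@example.com',
+            )
+        );
+        wp_set_current_user( $user_id );
+        $_POST = array_merge( $_POST, $post );
+
+        // Upload the attachment itself.
+        $filename = DIR_TESTDATA . '/uploads/small-audio.mp3';
+        $contents = file_get_contents( $filename );
+
+        $upload     = wp_upload_bits( wp_basename( $filename ), null, $contents );
+        $attachment = $this->_make_attachment( $upload );
+
+        // Upload the thumbnail.
+        $filename = DIR_TESTDATA . '/images/waffles.jpg';
+        $contents = file_get_contents( $filename );
+
+        $upload    = wp_upload_bits( wp_basename( $filename ), null, $contents );
+        $thumbnail = $this->_make_attachment( $upload );
+
+        // Set up a default request.
+        $_POST['_ajax_nonce']  = wp_create_nonce( 'set-attachment-thumbnail' );
+        $_POST['thumbnail_id'] = $thumbnail;
+        $_POST['urls']         = array( wp_get_attachment_url( $attachment ) );
+
+        // Make the request.
+        try {
+            $this->_handleAjax( 'set-attachment-thumbnail' );
+        } catch ( WPAjaxDieContinueException $e ) {
+            unset( $e );
+        }
+
+        // Get the response.
+        $response = json_decode( $this->_last_response, true );
+
+        // Ensure everything is correct.
+        $this->assertTrue( $response['success'] );
+    }
+
+    public function test_wp_ajax_set_attachment_thumbnail_missing_nonce() {
+        // Become an administrator.
+        $post    = $_POST;
+        $user_id = self::factory()->user->create(
+            array(
+                'role'       => 'administrator',
+                'user_login' => 'user_36578_administrator',
+                'user_email' => 'user_36578_administrator@example.com',
+            )
+        );
+        wp_set_current_user( $user_id );
+        $_POST = array_merge( $_POST, $post );
+
+        // Upload the attachment itself.
+        $filename = DIR_TESTDATA . '/uploads/small-audio.mp3';
+        $contents = file_get_contents( $filename );
+
+        $upload     = wp_upload_bits( wp_basename( $filename ), null, $contents );
+        $attachment = $this->_make_attachment( $upload );
+
+        // Upload the thumbnail.
+        $filename = DIR_TESTDATA . '/images/waffles.jpg';
+        $contents = file_get_contents( $filename );
+
+        $upload    = wp_upload_bits( wp_basename( $filename ), null, $contents );
+        $thumbnail = $this->_make_attachment( $upload );
+
+        // Set up a default request.
+        $_POST['thumbnail_id'] = $thumbnail;
+        $_POST['urls']         = array( wp_get_attachment_url( $attachment ) );
+
+        // Make the request.
+        try {
+            $this->_handleAjax( 'set-attachment-thumbnail' );
+        } catch ( WPAjaxDieContinueException $e ) {
+            unset( $e );
+        }
+
+        // Get the response.
+        $response = json_decode( $this->_last_response, true );
+
+        // Check that success is false without sending nonce.
+        $this->assertFalse( $response['success'] );
+    }
 }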
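Review bot: Neither new test checks the side effect the nonce is meant to protect — `test_wp_ajax_set_attachment_thumbnail_missing_nonce` only asserts `$response['success']` is false, so a handler that reports failure in its JSON reply but still writes the thumbnail would pass. After the request, add `$this->assertNotSame( $thumbnail, get_post_thumbnail_id( $attachment ) );` to the missing-nonce test and the matching `$this->assertSame( $thumbnail, get_post_thumbnail_id( $attachment ) );` to the success test, assuming the handler records the thumbnail through the post thumbnail meta (confirm against `wp_ajax_set_attachment_thumbnail`). A case that sends a nonce created for a different action would exercise the referer check more fully than the absent-nonce case alone. The two methods also duplicate about 25 lines of user, attachment and thumbnail setup; a private helper returning `array( $attachment, $thumbnail )` would keep them from drifting apart.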