Timestamp:
05/16/2023 03:35:46 PM (12 months ago)
Author:
audrasjb
Message:

Grouped backports to the 5.7 branch.

  • Media: Prevent CSRF setting attachment thumbnails.
  • Embeds: Add protocol validation for WordPress Embed code.
  • I18N: Introduce sanitization function for locale.
  • Editor: Ensure block comments are of a valid form.

Merges [55760-55764] to the 5.7 branch.
Props dd32, isabel_brison, martinkrcho, matveb, ocean90, paulkevan, peterwilsoncc, timothyblynjacobs, xknown, youknowriad.

File:
1 edited

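--- a/branches/5.7/tests/phpunit/tests/ajax/Attachments.php
+++ b/branches/5.7/tests/phpunit/tests/ajax/Attachments.php
@@ -116,3 +116,94 @@
         $this->assertSame( $expected, $response['data'] );
     }
+
+    public function test_wp_ajax_set_attachment_thumbnail_success() {
+        // Become an administrator.
+        $post    = $_POST;
+        $user_id = self::factory()->user->create(
+            array(
+                'role'       => 'administrator',
+                'user_login' => 'user_36578_administrator',
+                'user_email' => 'user_36578_administrator@example.com',
+            )
+        );
+        wp_set_current_user( $user_id );
+        $_POST = array_merge( $_POST, $post );
+
+        // Upload the attachment itself.
+        $filename = DIR_TESTDATA . '/uploads/small-audio.mp3';
+        $contents = file_get_contents( $filename );
+
+        $upload     = wp_upload_bits( wp_basename( $filename ), null, $contents );
+        $attachment = $this->_make_attachment( $upload );
+
+        // Upload the thumbnail.
+        $filename = DIR_TESTDATA . '/images/waffles.jpg';
+        $contents = file_get_contents( $filename );
+
+        $upload    = wp_upload_bits( wp_basename( $filename ), null, $contents );
+        $thumbnail = $this->_make_attachment( $upload );
+
+        // Set up a default request.
+        $_POST['_ajax_nonce']  = wp_create_nonce( 'set-attachment-thumbnail' );
+        $_POST['thumbnail_id'] = $thumbnail;
+        $_POST['urls']         = array( wp_get_attachment_url( $attachment ) );
+
+        // Make the request.
+        try {
+            $this->_handleAjax( 'set-attachment-thumbnail' );
+        } catch ( WPAjaxDieContinueException $e ) {
+            unset( $e );
+        }
+
+        // Get the response.
+        $response = json_decode( $this->_last_response, true );
+
+        // Ensure everything is correct.
+        $this->assertTrue( $response['success'] );
+    }
+
+    public function test_wp_ajax_set_attachment_thumbnail_missing_nonce() {
+        // Become an administrator.
+        $post    = $_POST;
+        $user_id = self::factory()->user->create(
+            array(
+                'role'       => 'administrator',
+                'user_login' => 'user_36578_administrator',
+                'user_email' => 'user_36578_administrator@example.com',
+            )
+        );
+        wp_set_current_user( $user_id );
+        $_POST = array_merge( $_POST, $post );
+
+        // Upload the attachment itself.
+        $filename = DIR_TESTDATA . '/uploads/small-audio.mp3';
+        $contents = file_get_contents( $filename );
+
+        $upload     = wp_upload_bits( wp_basename( $filename ), null, $contents );
+        $attachment = $this->_make_attachment( $upload );
+
+        // Upload the thumbnail.
+        $filename = DIR_TESTDATA . '/images/waffles.jpg';
+        $contents = file_get_contents( $filename );
+
+        $upload    = wp_upload_bits( wp_basename( $filename ), null, $contents );
+        $thumbnail = $this->_make_attachment( $upload );
+
+        // Set up a default request.
+        $_POST['thumbnail_id'] = $thumbnail;
+        $_POST['urls']         = array( wp_get_attachment_url( $attachment ) );
+
+        // Make the request.
+        try {
+            $this->_handleAjax( 'set-attachment-thumbnail' );
+        } catch ( WPAjaxDieContinueException $e ) {
+            unset( $e );
+        }
+
+        // Get the response.
+        $response = json_decode( $this->_last_response, true );
+
+        // Check that success is false without sending nonce.
+        $this->assertFalse( $response['success'] );
+    }
 }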
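Review bot: The missing-nonce test at new line 207 only checks that the response reports failure; it does not show that the handler's side effect was actually blocked, which is what the CSRF fix is meant to guarantee. If the handler records the thumbnail on the attachment (presumably via set_post_thumbnail — confirm against the handler), add `$this->assertNotSame( $thumbnail, get_post_thumbnail_id( $attachment ) );` after the assertFalse, and the matching `$this->assertSame( $thumbnail, get_post_thumbnail_id( $attachment ) );` after the assertTrue at line 162; a further case that sends a stale or malformed `_ajax_nonce` value would cover the other failure path. The two tests also share roughly thirty identical lines of user creation and upload setup, which belong in a private helper returning the attachment and thumbnail ids, and the `$post = $_POST; … $_POST = array_merge( $_POST, $post );` pair merges `$_POST` with a copy of itself, so with string keys it changes nothing. The enclosing test class starts outside the hunk.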