
Changeset 56839


Timestamp:
10/12/2023 12:56:38 PM (11 months ago)
Author:
jorbin
Message:

Editor: Harden the display of footnotes.

Props: jorgefilipecosta, peterwilsoncc, costdev, xknown, jorbin.

File:
1 edited

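--- a/trunk/src/wp-includes/blocks.php
+++ b/trunk/src/wp-includes/blocks.php
@@ -1947,2 +1947,88 @@
     return null;
 }
+
+/**
+ * Strips all HTML from the content of footnotes, and sanitizes the ID.
+ * This function expects slashed data on the footnotes content.
+ *
+ * @access private
+ * @since 6.3.2
+ *
+ * @param string $footnotes JSON encoded string of an array containing the content and ID of each footnote.
+ * @return string Filtered content without any HTML on the footnote content and with the sanitized id.
+ */
+function _wp_filter_post_meta_footnotes( $footnotes ) {
+    $footnotes_decoded   = json_decode( $footnotes, true );
+    if ( ! is_array( $footnotes_decoded ) ) {
+        return '';
+    }
+    $footnotes_sanitized = array();
+    foreach ( $footnotes_decoded as $footnote ) {
+        if ( ! empty( $footnote['content'] ) && ! empty( $footnote['id'] ) ) {
+            $footnotes_sanitized[] = array(
+                'id'      => sanitize_key( $footnote['id'] ),
+                'content' => wp_unslash( wp_filter_post_kses( wp_slash( $footnote['content'] ) ) ),
+            );
+        }
+    }
+    return wp_json_encode( $footnotes_sanitized );
+}
+
+/**
+ * Adds the filters to filter footnotes meta field.
+ *
+ * @access private
+ * @since 6.3.2
+ */
+function _wp_footnotes_kses_init_filters() {
+    add_filter( 'sanitize_post_meta_footnotes', '_wp_filter_post_meta_footnotes' );
+}
+
+/**
+ * Removes the filters that filter footnotes meta field.
+ *
+ * @access private
+ * @since 6.3.2
+ */
+function _wp_footnotes_remove_filters() {
+    remove_filter( 'sanitize_post_meta_footnotes', '_wp_filter_post_meta_footnotes' );
+}
+
+/**
+ * Registers the filter of footnotes meta field if the user does not have unfiltered_html capability.
+ *
+ * @access private
+ * @since 6.3.2
+ */
+function _wp_footnotes_kses_init() {
+    _wp_footnotes_remove_filters();
+    if ( ! current_user_can( 'unfiltered_html' ) ) {
+        _wp_footnotes_kses_init_filters();
+    }
+}
+
+/**
+ * Initializes footnotes meta field filters when imported data should be filtered.
+ *
+ * This filter is the last being executed on force_filtered_html_on_import.
+ * If the input of the filter is true it means we are in an import situation and should
+ * enable kses, independently of the user capabilities.
+ * So in that case we call _wp_footnotes_kses_init_filters;
+ *
+ * @access private
+ * @since 6.3.2
+ *
+ * @param string $arg Input argument of the filter.
+ * @return string Input argument of the filter.
+ */
+function _wp_footnotes_force_filtered_html_on_import_filter( $arg ) {
+    // force_filtered_html_on_import is true we need to init the global styles kses filters.
+    if ( $arg ) {
+        _wp_footnotes_kses_init_filters();
+    }
+    return $arg;
+}
+
+add_action( 'init', '_wp_footnotes_kses_init' );
+add_action( 'set_current_user', '_wp_footnotes_kses_init' );
+add_filter( 'force_filtered_html_on_import', '_wp_footnotes_force_filtered_html_on_import_filter', 999 );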
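Review bot: In `_wp_filter_post_meta_footnotes`, the `! empty( $footnote['id'] )` guard is evaluated on the raw value while `sanitize_key()` runs afterwards, and `sanitize_key()` can reduce an ID consisting only of disallowed characters to `''`, so a footnote with an empty `id` can still be stored; sanitize first and skip on the result, e.g. `$id = sanitize_key( $footnote['id'] );` followed by `if ( '' === $id ) { continue; }`. The docblock also overstates what is done to the content: `wp_filter_post_kses()` applies the kses `post` allow-list rather than removing every tag, so "Strips all HTML" and "without any HTML" should read along the lines of "Filters the footnote content through the post kses allow-list". The sentence "expects slashed data on the footnotes content" is worth re-checking too, since the body slashes the decoded content itself before calling kses — confirm against how `sanitize_meta` hands the value to this filter before keeping that claim. Finally, the inline comment in `_wp_footnotes_force_filtered_html_on_import_filter` still refers to "the global styles kses filters"; it should read `// force_filtered_html_on_import is true: enable the footnotes kses filter regardless of the user's capabilities.`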