Changeset 57754
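--- a/trunk/src/wp-includes/block-bindings/post-meta.php
+++ b/trunk/src/wp-includes/block-bindings/post-meta.php
@@ -35,4 +35,17 @@
 }
 
+// Check if the meta field is protected.
+if ( is_protected_meta( $source_args['key'], 'post' ) ) {
+return null;
+}
+
+// Check if the meta field is registered to be shown in REST.
+$meta_keys = get_registered_meta_keys( 'post', $block_instance->context['postType'] );
+// Add fields registered for all subtypes.
+$meta_keys = array_merge( $meta_keys, get_registered_meta_keys( 'post', '' ) );
+if ( empty( $meta_keys[ $source_args['key'] ]['show_in_rest'] ) ) {
+return null;
+}
+
 return get_post_meta( $post_id, $source_args['key'], true );
 }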
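Review bot: The `array_merge()` on new line 45 puts the all-subtypes registrations last, so for a key registered both for the post type and for `''` the all-subtypes entry decides `show_in_rest`, and a subtype registration that hides the key can be overridden by a broader one that exposes it. If the intent is to mirror what the REST API exposes, the more specific registration should win, e.g. `$meta_keys = array_merge( get_registered_meta_keys( 'post', '' ), $meta_keys );`, which is worth confirming against the merge order used by the REST meta-fields code. Separately, `$block_instance->context['postType']` on new line 43 is read without an `isset()` check. Whether an earlier guard guarantees it is set cannot be told from here, because the function starts above the hunk.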
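--- a/trunk/tests/phpunit/tests/block-bindings/render.php
+++ b/trunk/tests/phpunit/tests/block-bindings/render.php
@@ -199,3 +199,39 @@
 );
 }
+
+/**
+* Tests if the block content is sanitized when unsafe HTML is passed.
+*
+* @ticket 60651
+*
+* @covers ::register_block_bindings_source
+*/
+public function test_source_value_with_unsafe_html_is_sanitized() {
+$get_value_callback = function () {
+return '<script>alert("Unsafe HTML")</script>';
+};
+
+register_block_bindings_source(
+self::SOURCE_NAME,
+array(
+'label' => self::SOURCE_LABEL,
+'get_value_callback' => $get_value_callback,
+)
+);
+
+$block_content = <<<HTML
+<!-- wp:paragraph {"metadata":{"bindings":{"content":{"source":"test/source"}}}} -->
+<p>This should not appear</p>
+<!-- /wp:paragraph -->
+HTML;
+$parsed_blocks = parse_blocks( $block_content );
+$block = new WP_Block( $parsed_blocks[0] );
+$result = $block->render();
+
+$this->assertSame(
+'<p>alert("Unsafe HTML")</p>',
+trim( $result ),
+'The block content should be updated with the value returned by the source.'
+);
+}
 }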
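Review bot: The failure message passed to `assertSame()` on new line 234 says the content "should be updated with the value returned by the source", which describes a different test from the one named here. Something like `'The block content should be sanitized when unsafe HTML is passed.'` would make a failure readable. The test also covers only a custom source returning a `<script>` tag. The protected-meta and `show_in_rest` gates added to post-meta.php in this changeset have no test in this section, so cases for a protected (underscore-prefixed) key and for a key registered without `show_in_rest` would be worth adding if they are not covered elsewhere.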