Widgets: Validate HTML before saving block widgets.
Props talldanwp, noisysocks, kevin940726, peterwilsoncc. Built from https://develop.svn.wordpress.org/trunk@51414 git-svn-id: http://core.svn.wordpress.org/trunk@51025 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
parent
a5cfc54fec
commit
34119e2c95
|
@ -1419,6 +1419,13 @@ final class WP_Customize_Widgets {
|
|||
if ( isset( $value['raw_instance'] ) && $id_base && wp_use_widgets_block_editor() ) {
|
||||
$widget_object = $wp_widget_factory->get_widget_object( $id_base );
|
||||
if ( ! empty( $widget_object->widget_options['show_instance_in_rest'] ) ) {
|
||||
if ( 'block' === $id_base && ! current_user_can( 'unfiltered_html' ) ) {
|
||||
// The content of the 'block' widget is not filtered on the
|
||||
// fly while editing. Filter the content here to prevent
|
||||
// vulnerabilities.
|
||||
$value['raw_instance']['content'] = wp_kses_post( $value['raw_instance']['content'] );
|
||||
}
|
||||
|
||||
return $value['raw_instance'];
|
||||
}
|
||||
}
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
*
|
||||
* @global string $wp_version
|
||||
*/
|
||||
$wp_version = '5.9-alpha-51413';
|
||||
$wp_version = '5.9-alpha-51414';
|
||||
|
||||
/**
|
||||
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
|
||||
|
|
|
@ -178,8 +178,13 @@ class WP_Widget_Block extends WP_Widget {
|
|||
* @return array Settings to save or bool false to cancel saving.
|
||||
*/
|
||||
public function update( $new_instance, $old_instance ) {
|
||||
$instance = array_merge( $this->default_instance, $old_instance );
|
||||
$instance['content'] = $new_instance['content'];
|
||||
$instance = array_merge( $this->default_instance, $old_instance );
|
||||
|
||||
if ( current_user_can( 'unfiltered_html' ) ) {
|
||||
$instance['content'] = $new_instance['content'];
|
||||
} else {
|
||||
$instance['content'] = wp_kses_post( $new_instance['content'] );
|
||||
}
|
||||
|
||||
return $instance;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue