- Sanitize and render HTML in captions when showing a gallery preview (wpView).
- Encode/escape HTML entered in the text field in the wpLink dialog.

Props iseulde, kraftbj, jnylen0, shawarkhan.
Fixes #32616.
Built from https://develop.svn.wordpress.org/trunk@35341


git-svn-id: http://core.svn.wordpress.org/trunk@35307 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Andrew Ozz 2015-10-21 20:38:26 +00:00
parent 28c77bec72
commit 4cdddd401a
6 changed files with 26 additions and 6 deletions


@ -732,7 +732,26 @@
* and a view for embeddable URLs. * and a view for embeddable URLs.
*/ */
( function( window, views, media, $ ) { ( function( window, views, media, $ ) {
var base, gallery, av, embed; var base, gallery, av, embed,
schema, parser, serializer;
function verifyHTML( string ) {
var settings = {};
if ( ! window.tinymce ) {
return string.replace( /<[^>]+>/g, '' );
}
if ( ! string || ( string.indexOf( '<' ) === -1 && string.indexOf( '>' ) === -1 ) ) {
return string;
}
schema = schema || new window.tinymce.html.Schema( settings );
parser = parser || new window.tinymce.html.DomParser( settings, schema );
serializer = serializer || new window.tinymce.html.Serializer( settings, schema );
return serializer.serialize( parser.parse( string, { forced_root_block: false } ) );
}
base = { base = {
state: [], state: [],
@ -783,6 +802,7 @@
} ); } );
self.render( self.template( { self.render( self.template( {
verifyHTML: verifyHTML,
attachments: attachments, attachments: attachments,
columns: attrs.columns ? parseInt( attrs.columns, 10 ) : media.galleryDefaults.columns columns: attrs.columns ? parseInt( attrs.columns, 10 ) : media.galleryDefaults.columns
} ) ); } ) );
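Review bot: In verifyHTML the `! window.tinymce` fallback calls `string.replace` before the `! string` guard on the next line, so a null or undefined caption throws a TypeError whenever TinyMCE is not loaded; moving the `if ( ! string || ... ) return string;` check above the tinymce check fixes that. That fallback also only removes complete `<...>` tags, yet the gallery template outputs the result through the unescaped triple-stache, so an unterminated tag or a stray `>` still reaches the DOM as markup; with jQuery in scope, `return $( '<div/>' ).text( string ).html();` escapes the caption instead of partially stripping it. In the TinyMCE path, what survives is decided by the Schema built from empty `settings`, so a short comment on the `serializer.serialize( parser.parse( ... ) )` line stating that the round-trip is relied on to drop every element and attribute outside the default schema would make that contract explicit, and it is worth confirming the default schema rejects scripting elements and event-handler attributes rather than assuming it.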



@ -382,7 +382,7 @@ var wpLink;
editor.dom.setAttribs( link, attrs ); editor.dom.setAttribs( link, attrs );
} else { } else {
if ( text ) { if ( text ) {
editor.selection.setNode( editor.dom.create( 'a', attrs, text ) ); editor.selection.setNode( editor.dom.create( 'a', attrs, editor.dom.encode( text ) ) );
} else { } else {
editor.execCommand( 'mceInsertLink', false, attrs ); editor.execCommand( 'mceInsertLink', false, attrs );
} }
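Review bot: The `editor.dom.encode( text )` change is correct but easy to undo in a later edit, because `editor.dom.create()` takes its third argument as HTML while `text` comes straight from the dialog's text field and nothing at the call site says so; a one-line comment above it, `// dom.create() treats the third argument as HTML, so encode the user-entered link text.`, records why this branch differs from the setAttribs branch above. The enclosing function starts and ends outside the hunk, so whether the existing-link branch at the top of the hunk also rewrites the link text, and encodes it, cannot be checked from here.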



@ -1216,7 +1216,7 @@ function wp_print_media_templates() {
</dt> </dt>
<# if ( attachment.caption ) { #> <# if ( attachment.caption ) { #>
<dd class="wp-caption-text gallery-caption"> <dd class="wp-caption-text gallery-caption">
{{ attachment.caption }} {{{ data.verifyHTML( attachment.caption ) }}}
</dd> </dd>
<# } #> <# } #>
</dl> </dl>
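Review bot: The triple-stache now emits the caption unescaped and depends on `data.verifyHTML` being supplied by whoever renders this template; a caller that renders the gallery template without passing it fails on `data.verifyHTML` being undefined, and one that passes a weaker function silently reintroduces the markup injection this commit fixes. A template comment beside the output, `<# /* caption is emitted unescaped; verifyHTML (supplied by the gallery view) must sanitize it first */ #>`, documents the contract, and a guard such as `{{{ data.verifyHTML ? data.verifyHTML( attachment.caption ) : _.escape( attachment.caption ) }}}` keeps the template escaped when the function is absent, since `_.escape` is what the double-stache used before this change.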


@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '4.4-alpha-35340'; $wp_version = '4.4-alpha-35341';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.