Theme Customizer: Properly escape customize settings when sending values to JS. Add WP_Customize_Setting->js_value(). fixes #20687, see #19910.

git-svn-id: http://core.svn.wordpress.org/trunk@20809 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-includes/class-wp-customize-setting.php

@@ -230,6 +230,22 @@ class WP_Customize_Setting {
 		return $this->multidimensional_get( $values, $this->id_data[ 'keys' ], $this->default );
 	}
 
+	/**
+	 * Escape the parameter's value for use in JavaScript.
+	 *
+	 * @since 3.4.0
+	 *
+	 * @return mixed The requested escaped value.
+	 */
+	public function js_value() {
+		$value = $this->value();
+
+		if ( is_string( $value ) )
+			return html_entity_decode( $value, ENT_QUOTES, 'UTF-8');
+
+		return $value;
+	}
+
 	/**
 	 * Check if the theme supports the setting and check user capabilities.
 	 *

wp-includes/class-wp-customize.php

@@ -213,7 +213,7 @@ final class WP_Customize {
 		);
 
 		foreach ( $this->settings as $id => $setting ) {
-			$settings['values'][ $id ] = $setting->value();
+			$settings['values'][ $id ] = $setting->js_value();
 		}
 
 		?>

wp-includes/customize-controls.php

@@ -108,7 +108,7 @@ do_action( 'customize_controls_print_scripts' );
 
 	foreach ( $this->settings as $id => $setting ) {
 		$settings['settings'][ $id ] = array(
-			'value'     => $setting->value(),
+			'value'     => $setting->js_value(),
 			'transport' => $setting->transport,
 		);
 	}