Customize: Add additional filters to Customizer to prevent JSON corruption.

This solution extends the wp_insert_post_data filter to pass in addition to the slashed/sanitized/processed data, and the slashed/sanitized/unprocessed data, to also pass the initial slashed/unsanitized/unprocessed data which was passed into wp_insert_post(). This then allows plugins to have complete control over how sanitization is performed based on the post type.

Props westonruter, peterwilsoncc, sstoqnov, whyisjake, xknown.
 

Built from https://develop.svn.wordpress.org/trunk@47633


git-svn-id: http://core.svn.wordpress.org/trunk@47408 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
whyisjake 2020-04-29 15:14:10 +00:00
parent 3dc1e33fb5
commit 55cd633c37
3 changed files with 68 additions and 26 deletions

View File

@ -2928,17 +2928,12 @@ final class WP_Customize_Manager {
* WP_Customize_Setting::save(). * WP_Customize_Setting::save().
*/ */
// Prevent content filters from corrupting JSON in post_content. /*
$has_kses = ( false !== has_filter( 'content_save_pre', 'wp_filter_post_kses' ) ); * Update the changeset post. The publish_customize_changeset action will cause the settings in the
if ( $has_kses ) { * changeset to be saved via WP_Customize_Setting::save(). Updating a post with publish status will
kses_remove_filters(); * trigger WP_Customize_Manager::publish_changeset_values().
} */
$has_targeted_link_rel_filters = ( false !== has_filter( 'content_save_pre', 'wp_targeted_link_rel' ) ); add_filter( 'wp_insert_post_data', array( $this, 'preserve_insert_changeset_post_content' ), 5, 3 );
if ( $has_targeted_link_rel_filters ) {
wp_remove_targeted_link_rel_filters();
}
// Note that updating a post with publish status will trigger WP_Customize_Manager::publish_changeset_values().
if ( $changeset_post_id ) { if ( $changeset_post_id ) {
if ( $args['autosave'] && 'auto-draft' !== get_post_status( $changeset_post_id ) ) { if ( $args['autosave'] && 'auto-draft' !== get_post_status( $changeset_post_id ) ) {
// See _wp_translate_postdata() for why this is required as it will use the edit_post meta capability. // See _wp_translate_postdata() for why this is required as it will use the edit_post meta capability.
@ -2969,14 +2964,7 @@ final class WP_Customize_Manager {
$this->_changeset_post_id = $r; // Update cached post ID for the loaded changeset. $this->_changeset_post_id = $r; // Update cached post ID for the loaded changeset.
} }
} }
remove_filter( 'wp_insert_post_data', array( $this, 'preserve_insert_changeset_post_content' ), 5 );
// Restore removed content filters.
if ( $has_kses ) {
kses_init_filters();
}
if ( $has_targeted_link_rel_filters ) {
wp_init_targeted_link_rel_filters();
}
$this->_changeset_data = null; // Reset so WP_Customize_Manager::changeset_data() will re-populate with updated contents. $this->_changeset_data = null; // Reset so WP_Customize_Manager::changeset_data() will re-populate with updated contents.
@ -2994,6 +2982,51 @@ final class WP_Customize_Manager {
return $response; return $response;
} }
/**
* Preserve the initial JSON post_content passed to save into the post.
*
* This is needed to prevent KSES and other {@see 'content_save_pre'} filters
* from corrupting JSON data.
*
* Note that WP_Customize_Manager::validate_setting_values() have already
* run on the setting values being serialized as JSON into the post content
* so it is pre-sanitized.
*
* Also, the sanitization logic is re-run through the respective
* WP_Customize_Setting::sanitize() method when being read out of the
* changeset, via WP_Customize_Manager::post_value(), and this sanitized
* value will also be sent into WP_Customize_Setting::update() for
* persisting to the DB.
*
* Multiple users can collaborate on a single changeset, where one user may
* have the unfiltered_html capability but another may not. A user with
* unfiltered_html may add a script tag to some field which needs to be kept
* intact even when another user updates the changeset to modify another field
* when they do not have unfiltered_html.
*
* @since 5.4.1
*
* @param array $data An array of slashed and processed post data.
* @param array $postarr An array of sanitized (and slashed) but otherwise unmodified post data.
* @param array $unsanitized_postarr An array of slashed yet *unsanitized* and unprocessed post data as originally passed to wp_insert_post().
* @return array Filtered post data.
*/
public function preserve_insert_changeset_post_content( $data, $postarr, $unsanitized_postarr ) {
if (
isset( $data['post_type'] ) &&
isset( $unsanitized_postarr['post_content'] ) &&
'customize_changeset' === $data['post_type'] ||
(
'revision' === $data['post_type'] &&
! empty( $data['post_parent'] ) &&
'customize_changeset' === get_post_type( $data['post_parent'] )
)
) {
$data['post_content'] = $unsanitized_postarr['post_content'];
}
return $data;
}
/** /**
* Trash or delete a changeset post. * Trash or delete a changeset post.
* *

View File

@ -3594,6 +3594,9 @@ function wp_get_recent_posts( $args = array(), $output = ARRAY_A ) {
function wp_insert_post( $postarr, $wp_error = false ) { function wp_insert_post( $postarr, $wp_error = false ) {
global $wpdb; global $wpdb;
// Capture original pre-sanitized array for passing into filters.
$unsanitized_postarr = $postarr;
$user_id = get_current_user_id(); $user_id = get_current_user_id();
$defaults = array( $defaults = array(
@ -3918,21 +3921,27 @@ function wp_insert_post( $postarr, $wp_error = false ) {
* Filters attachment post data before it is updated in or added to the database. * Filters attachment post data before it is updated in or added to the database.
* *
* @since 3.9.0 * @since 3.9.0
* @since 5.4.1 `$unsanitized_postarr` argument added.
* *
* @param array $data An array of sanitized attachment post data. * @param array $data An array of slashed, sanitized, and processed attachment post data.
* @param array $postarr An array of unsanitized attachment post data. * @param array $postarr An array of slashed and sanitized attachment post data, but not processed.
* @param array $unsanitized_postarr An array of slashed yet *unsanitized* and unprocessed attachment post data
* as originally passed to wp_insert_post().
*/ */
$data = apply_filters( 'wp_insert_attachment_data', $data, $postarr ); $data = apply_filters( 'wp_insert_attachment_data', $data, $postarr, $unsanitized_postarr );
} else { } else {
/** /**
* Filters slashed post data just before it is inserted into the database. * Filters slashed post data just before it is inserted into the database.
* *
* @since 2.7.0 * @since 2.7.0
* @since 5.4.1 `$unsanitized_postarr` argument added.
* *
* @param array $data An array of slashed post data. * @param array $data An array of slashed, sanitized, and processed post data.
* @param array $postarr An array of sanitized, but otherwise unmodified post data. * @param array $postarr An array of sanitized (and slashed) but otherwise unmodified post data.
* @param array $unsanitized_postarr An array of slashed yet *unsanitized* and unprocessed post data as
* originally passed to wp_insert_post().
*/ */
$data = apply_filters( 'wp_insert_post_data', $data, $postarr ); $data = apply_filters( 'wp_insert_post_data', $data, $postarr, $unsanitized_postarr );
} }
$data = wp_unslash( $data ); $data = wp_unslash( $data );
$where = array( 'ID' => $post_ID ); $where = array( 'ID' => $post_ID );

View File

@ -13,7 +13,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '5.5-alpha-47632'; $wp_version = '5.5-alpha-47633';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.