From 667f377cd0c42b26e0aca80e2b7cf3c369a5ef63 Mon Sep 17 00:00:00 2001 From: Weston Ruter Date: Thu, 17 Aug 2017 23:37:43 +0000 Subject: [PATCH] Widgets: Prevent visual Text widget from decoding encoded HTML. Also apply `the_editor_content` filters on widget `text` with `format_for_editor()` as is done for the post editor. Amends [40631]. Props westonruter, azaozz. See #35243. Fixes #41596. Built from https://develop.svn.wordpress.org/trunk@41260 git-svn-id: http://core.svn.wordpress.org/trunk@41100 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/js/widgets/text-widgets.js | 8 +++--- wp-admin/js/widgets/text-widgets.min.js | 2 +- wp-includes/version.php | 2 +- wp-includes/widgets/class-wp-widget-text.php | 30 +++++++++++++++++--- 4 files changed, 32 insertions(+), 10 deletions(-) diff --git a/wp-admin/js/widgets/text-widgets.js b/wp-admin/js/widgets/text-widgets.js index 3902aeddc0..7cf07513b7 100644 --- a/wp-admin/js/widgets/text-widgets.js +++ b/wp-admin/js/widgets/text-widgets.js @@ -81,7 +81,7 @@ wp.textWidgets = ( function( $ ) { // Sync input fields to hidden sync fields which actually get sent to the server. _.each( control.fields, function( fieldInput, fieldName ) { fieldInput.on( 'input change', function updateSyncField() { - var syncInput = control.syncContainer.find( 'input[type=hidden].' + fieldName ); + var syncInput = control.syncContainer.find( '.sync-input.' + fieldName ); if ( syncInput.val() !== fieldInput.val() ) { syncInput.val( fieldInput.val() ); syncInput.trigger( 'change' ); @@ -89,7 +89,7 @@ wp.textWidgets = ( function( $ ) { }); // Note that syncInput cannot be re-used because it will be destroyed with each widget-updated event. - fieldInput.val( control.syncContainer.find( 'input[type=hidden].' + fieldName ).val() ); + fieldInput.val( control.syncContainer.find( '.sync-input.' + fieldName ).val() ); }); }, 
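Review bot: The context comment at the top of this hunk, `// Sync input fields to hidden sync fields which actually get sent to the server.`, is now stale: the selector no longer requires `input[type=hidden]`, so any element carrying the `.sync-input` class is matched (presumably a textarea for the `text` field, judging by the commit subject, but the PHP hunk that renders it is cut off here). Suggest `// Sync input fields to the .sync-input fields (hidden inputs or textareas) which actually get sent to the server.`. The selector is still built by concatenating `fieldName`, which is only safe because `control.fields` has the fixed keys `title` and `text`; a short comment stating that these class names must match the markup rendered by `WP_Widget_Text::form()` would document that coupling for the next maintainer. The same selector change appears in the `@@ -145,11` hunk (`updateFields`), so the comment there should be kept consistent; the enclosing `initialize` function starts before this hunk.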
@@ -145,11 +145,11 @@ wp.textWidgets = ( function( $ ) { var control = this, syncInput; if ( ! control.fields.title.is( document.activeElement ) ) { - syncInput = control.syncContainer.find( 'input[type=hidden].title' ); + syncInput = control.syncContainer.find( '.sync-input.title' ); control.fields.title.val( syncInput.val() ); } - syncInput = control.syncContainer.find( 'input[type=hidden].text' ); + syncInput = control.syncContainer.find( '.sync-input.text' ); if ( control.fields.text.is( ':visible' ) ) { if ( ! control.fields.text.is( document.activeElement ) ) { control.fields.text.val( syncInput.val() ); diff --git a/wp-admin/js/widgets/text-widgets.min.js b/wp-admin/js/widgets/text-widgets.min.js index 07d2912727..35313b4f1d 100644 --- a/wp-admin/js/widgets/text-widgets.min.js +++ b/wp-admin/js/widgets/text-widgets.min.js 
@@ -1 +1 @@ -wp.textWidgets=function(a){"use strict";var b={dismissedPointers:[],idBases:["text"]};return b.TextWidgetControl=Backbone.View.extend({events:{},initialize:function(b){var c=this;if(!b.el)throw new Error("Missing options.el");if(!b.syncContainer)throw new Error("Missing options.syncContainer");Backbone.View.prototype.initialize.call(c,b),c.syncContainer=b.syncContainer,c.$el.addClass("text-widget-fields"),c.$el.html(wp.template("widget-text-control-fields")),c.customHtmlWidgetPointer=c.$el.find(".wp-pointer.custom-html-widget-pointer"),c.customHtmlWidgetPointer.length&&(c.customHtmlWidgetPointer.find(".close").on("click",function(b){b.preventDefault(),c.customHtmlWidgetPointer.hide(),a("#"+c.fields.text.attr("id")+"-html").focus(),c.dismissPointers(["text_widget_custom_html"])}),c.customHtmlWidgetPointer.find(".add-widget").on("click",function(a){a.preventDefault(),c.customHtmlWidgetPointer.hide(),c.openAvailableWidgetsPanel()})),c.pasteHtmlPointer=c.$el.find(".wp-pointer.paste-html-pointer"),c.pasteHtmlPointer.length&&c.pasteHtmlPointer.find(".close").on("click",function(a){a.preventDefault(),c.pasteHtmlPointer.hide(),c.editor.focus(),c.dismissPointers(["text_widget_custom_html","text_widget_paste_html"])}),c.fields={title:c.$el.find(".title"),text:c.$el.find(".text")},_.each(c.fields,function(a,b){a.on("input change",function(){var d=c.syncContainer.find("input[type=hidden]."+b);d.val()!==a.val()&&(d.val(a.val()),d.trigger("change"))}),a.val(c.syncContainer.find("input[type=hidden]."+b).val())})},dismissPointers:function(a){_.each(a,function(a){wp.ajax.post("dismiss-wp-pointer",{pointer:a}),b.dismissedPointers.push(a)})},openAvailableWidgetsPanel:function(){var 
a;wp.customize.section.each(function(b){b.extended(wp.customize.Widgets.SidebarSection)&&b.expanded()&&(a=wp.customize.control("sidebars_widgets["+b.params.sidebarId+"]"))}),a&&setTimeout(function(){wp.customize.Widgets.availableWidgetsPanel.open(a),wp.customize.Widgets.availableWidgetsPanel.$search.val("HTML").trigger("keyup")})},updateFields:function(){var a,b=this;b.fields.title.is(document.activeElement)||(a=b.syncContainer.find("input[type=hidden].title"),b.fields.title.val(a.val())),a=b.syncContainer.find("input[type=hidden].text"),b.fields.text.is(":visible")?b.fields.text.is(document.activeElement)||b.fields.text.val(a.val()):b.editor&&!b.editorFocused&&a.val()!==b.fields.text.val()&&b.editor.setContent(wp.editor.autop(a.val()))},initializeEditor:function(){function c(){var e,k,l;if(document.getElementById(d)){if("undefined"==typeof window.tinymce)return void wp.editor.initialize(d,{quicktags:!0});if(tinymce.get(d)&&(i=tinymce.get(d).isHidden(),wp.editor.remove(d)),wp.editor.initialize(d,{tinymce:{wpautop:!0},quicktags:!0}),l=function(b){b.show(),b.find(".close").focus(),wp.a11y.speak(b.find("h3, p").map(function(){return a(this).text()}).get().join("\n\n"))},e=window.tinymce.get(d),!e)throw new Error("Failed to initialize editor");k=function(){a(e.getWin()).on("unload",function(){_.defer(c)}),i&&switchEditors.go(d,"html"),a("#"+d+"-html").on("click",function(){g.pasteHtmlPointer.hide(),-1===b.dismissedPointers.indexOf("text_widget_custom_html")&&l(g.customHtmlWidgetPointer)}),a("#"+d+"-tmce").on("click",function(){g.customHtmlWidgetPointer.hide()}),e.on("pastepreprocess",function(a){var c=a.content;-1===b.dismissedPointers.indexOf("text_widget_paste_html")&&c&&/<\w+.*?>/.test(c)&&_.delay(function(){l(g.pasteHtmlPointer)},250)})},e.initialized?k():e.on("init",k),g.editorFocused=!1,e.on("focus",function(){g.editorFocused=!0}),e.on("paste",function(){e.setDirty(!0),f()}),e.on("NodeChange",function(){j=!0}),e.on("NodeChange",_.debounce(f,h)),e.on("blur 
hide",function(){g.editorFocused=!1,f()}),g.editor=e}}var d,e,f,g=this,h=1e3,i=!1,j=!1;e=g.fields.text,d=e.attr("id"),f=function(){var a=300;g.editor.isDirty()&&(wp.customize&&wp.customize.state&&(wp.customize.state("processing").set(wp.customize.state("processing").get()+1),_.delay(function(){wp.customize.state("processing").set(wp.customize.state("processing").get()-1)},a)),g.editor.isHidden()||g.editor.save()),j&&(e.trigger("change"),j=!1)},g.syncContainer.closest(".widget").find("[name=savewidget]:first").on("click",function(){f()}),c()}}),b.widgetControls={},b.handleWidgetAdded=function(c,d){var e,f,g,h,i,j,k,l=50;e=d.find("> .widget-inside > .form, > .widget-inside > form"),f=e.find("> .id_base").val(),-1!==b.idBases.indexOf(f)&&(h=e.find(".widget-id").val(),b.widgetControls[h]||e.find(".visual").val()&&(j=a("
"),k=d.find(".widget-content:first"),k.before(j),g=new b.TextWidgetControl({el:j,syncContainer:k}),b.widgetControls[h]=g,(i=function(){d.hasClass("open")?g.initializeEditor():setTimeout(i,l)})()))},b.setupAccessibleMode=function(){var c,d,e,f,g;c=a(".editwidget > form"),0!==c.length&&(d=c.find("> .widget-control-actions > .id_base").val(),-1!==b.idBases.indexOf(d)&&c.find(".visual").val()&&(f=a("
"),g=c.find("> .widget-inside"),g.before(f),e=new b.TextWidgetControl({el:f,syncContainer:g}),e.initializeEditor()))},b.handleWidgetUpdated=function(a,c){var d,e,f,g;d=c.find("> .widget-inside > .form, > .widget-inside > form"),g=d.find("> .id_base").val(),-1!==b.idBases.indexOf(g)&&(e=d.find("> .widget-id").val(),f=b.widgetControls[e],f&&f.updateFields())},b.init=function(){var c=a(document);c.on("widget-added",b.handleWidgetAdded),c.on("widget-synced widget-updated",b.handleWidgetUpdated),a(function(){var c;"widgets"===window.pagenow&&(c=a(".widgets-holder-wrap:not(#available-widgets)").find("div.widget"),c.one("click.toggle-widget-expanded",function(){var c=a(this);b.handleWidgetAdded(new jQuery.Event("widget-added"),c)}),a(window).on("load",function(){b.setupAccessibleMode()}))})},b}(jQuery); \ No newline at end of file +wp.textWidgets=function(a){"use strict";var b={dismissedPointers:[],idBases:["text"]};return b.TextWidgetControl=Backbone.View.extend({events:{},initialize:function(b){var c=this;if(!b.el)throw new Error("Missing options.el");if(!b.syncContainer)throw new Error("Missing 
options.syncContainer");Backbone.View.prototype.initialize.call(c,b),c.syncContainer=b.syncContainer,c.$el.addClass("text-widget-fields"),c.$el.html(wp.template("widget-text-control-fields")),c.customHtmlWidgetPointer=c.$el.find(".wp-pointer.custom-html-widget-pointer"),c.customHtmlWidgetPointer.length&&(c.customHtmlWidgetPointer.find(".close").on("click",function(b){b.preventDefault(),c.customHtmlWidgetPointer.hide(),a("#"+c.fields.text.attr("id")+"-html").focus(),c.dismissPointers(["text_widget_custom_html"])}),c.customHtmlWidgetPointer.find(".add-widget").on("click",function(a){a.preventDefault(),c.customHtmlWidgetPointer.hide(),c.openAvailableWidgetsPanel()})),c.pasteHtmlPointer=c.$el.find(".wp-pointer.paste-html-pointer"),c.pasteHtmlPointer.length&&c.pasteHtmlPointer.find(".close").on("click",function(a){a.preventDefault(),c.pasteHtmlPointer.hide(),c.editor.focus(),c.dismissPointers(["text_widget_custom_html","text_widget_paste_html"])}),c.fields={title:c.$el.find(".title"),text:c.$el.find(".text")},_.each(c.fields,function(a,b){a.on("input change",function(){var d=c.syncContainer.find(".sync-input."+b);d.val()!==a.val()&&(d.val(a.val()),d.trigger("change"))}),a.val(c.syncContainer.find(".sync-input."+b).val())})},dismissPointers:function(a){_.each(a,function(a){wp.ajax.post("dismiss-wp-pointer",{pointer:a}),b.dismissedPointers.push(a)})},openAvailableWidgetsPanel:function(){var a;wp.customize.section.each(function(b){b.extended(wp.customize.Widgets.SidebarSection)&&b.expanded()&&(a=wp.customize.control("sidebars_widgets["+b.params.sidebarId+"]"))}),a&&setTimeout(function(){wp.customize.Widgets.availableWidgetsPanel.open(a),wp.customize.Widgets.availableWidgetsPanel.$search.val("HTML").trigger("keyup")})},updateFields:function(){var 
a,b=this;b.fields.title.is(document.activeElement)||(a=b.syncContainer.find(".sync-input.title"),b.fields.title.val(a.val())),a=b.syncContainer.find(".sync-input.text"),b.fields.text.is(":visible")?b.fields.text.is(document.activeElement)||b.fields.text.val(a.val()):b.editor&&!b.editorFocused&&a.val()!==b.fields.text.val()&&b.editor.setContent(wp.editor.autop(a.val()))},initializeEditor:function(){function c(){var e,k,l;if(document.getElementById(d)){if("undefined"==typeof window.tinymce)return void wp.editor.initialize(d,{quicktags:!0});if(tinymce.get(d)&&(i=tinymce.get(d).isHidden(),wp.editor.remove(d)),wp.editor.initialize(d,{tinymce:{wpautop:!0},quicktags:!0}),l=function(b){b.show(),b.find(".close").focus(),wp.a11y.speak(b.find("h3, p").map(function(){return a(this).text()}).get().join("\n\n"))},e=window.tinymce.get(d),!e)throw new Error("Failed to initialize editor");k=function(){a(e.getWin()).on("unload",function(){_.defer(c)}),i&&switchEditors.go(d,"html"),a("#"+d+"-html").on("click",function(){g.pasteHtmlPointer.hide(),-1===b.dismissedPointers.indexOf("text_widget_custom_html")&&l(g.customHtmlWidgetPointer)}),a("#"+d+"-tmce").on("click",function(){g.customHtmlWidgetPointer.hide()}),e.on("pastepreprocess",function(a){var c=a.content;-1===b.dismissedPointers.indexOf("text_widget_paste_html")&&c&&/<\w+.*?>/.test(c)&&_.delay(function(){l(g.pasteHtmlPointer)},250)})},e.initialized?k():e.on("init",k),g.editorFocused=!1,e.on("focus",function(){g.editorFocused=!0}),e.on("paste",function(){e.setDirty(!0),f()}),e.on("NodeChange",function(){j=!0}),e.on("NodeChange",_.debounce(f,h)),e.on("blur hide",function(){g.editorFocused=!1,f()}),g.editor=e}}var d,e,f,g=this,h=1e3,i=!1,j=!1;e=g.fields.text,d=e.attr("id"),f=function(){var 
a=300;g.editor.isDirty()&&(wp.customize&&wp.customize.state&&(wp.customize.state("processing").set(wp.customize.state("processing").get()+1),_.delay(function(){wp.customize.state("processing").set(wp.customize.state("processing").get()-1)},a)),g.editor.isHidden()||g.editor.save()),j&&(e.trigger("change"),j=!1)},g.syncContainer.closest(".widget").find("[name=savewidget]:first").on("click",function(){f()}),c()}}),b.widgetControls={},b.handleWidgetAdded=function(c,d){var e,f,g,h,i,j,k,l=50;e=d.find("> .widget-inside > .form, > .widget-inside > form"),f=e.find("> .id_base").val(),-1!==b.idBases.indexOf(f)&&(h=e.find(".widget-id").val(),b.widgetControls[h]||e.find(".visual").val()&&(j=a("
"),k=d.find(".widget-content:first"),k.before(j),g=new b.TextWidgetControl({el:j,syncContainer:k}),b.widgetControls[h]=g,(i=function(){d.hasClass("open")?g.initializeEditor():setTimeout(i,l)})()))},b.setupAccessibleMode=function(){var c,d,e,f,g;c=a(".editwidget > form"),0!==c.length&&(d=c.find("> .widget-control-actions > .id_base").val(),-1!==b.idBases.indexOf(d)&&c.find(".visual").val()&&(f=a("
"),g=c.find("> .widget-inside"),g.before(f),e=new b.TextWidgetControl({el:f,syncContainer:g}),e.initializeEditor()))},b.handleWidgetUpdated=function(a,c){var d,e,f,g;d=c.find("> .widget-inside > .form, > .widget-inside > form"),g=d.find("> .id_base").val(),-1!==b.idBases.indexOf(g)&&(e=d.find("> .widget-id").val(),f=b.widgetControls[e],f&&f.updateFields())},b.init=function(){var c=a(document);c.on("widget-added",b.handleWidgetAdded),c.on("widget-synced widget-updated",b.handleWidgetUpdated),a(function(){var c;"widgets"===window.pagenow&&(c=a(".widgets-holder-wrap:not(#available-widgets)").find("div.widget"),c.one("click.toggle-widget-expanded",function(){var c=a(this);b.handleWidgetAdded(new jQuery.Event("widget-added"),c)}),a(window).on("load",function(){b.setupAccessibleMode()}))})},b}(jQuery); \ No newline at end of file diff --git a/wp-includes/version.php b/wp-includes/version.php index 8968125e74..d7a0e4306c 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -4,7 +4,7 @@ * * @global string $wp_version */ -$wp_version = '4.9-alpha-41259'; +$wp_version = '4.9-alpha-41260'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. diff --git a/wp-includes/widgets/class-wp-widget-text.php b/wp-includes/widgets/class-wp-widget-text.php index ef9e349aa4..a79e0daa6c 100644 --- a/wp-includes/widgets/class-wp-widget-text.php +++ b/wp-includes/widgets/class-wp-widget-text.php @@ -332,6 +332,7 @@ class WP_Widget_Text extends WP_Widget { * @since 4.8.0 Form only contains hidden inputs which are synced with JS template. * @since 4.8.1 Restored original form to be displayed when in legacy mode. * @see WP_Widget_Visual_Text::render_control_template_scripts() + * @see _WP_Editors::editor() * * @param array $instance Current settings. * @return void @@ -346,10 +347,31 @@ class WP_Widget_Text extends WP_Widget { ); ?> is_legacy_instance( $instance ) ) : ?> - - - - + + + + +