Widgets: Prevent visual Text widget from decoding encoded HTML.

Also apply `the_editor_content` filters on widget `text` with `format_for_editor()` as is done for the post editor.

Amends [40631].
Props westonruter, azaozz.
See #35243.
Fixes #41596.

Built from https://develop.svn.wordpress.org/trunk@41260


git-svn-id: http://core.svn.wordpress.org/trunk@41100 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Weston Ruter 2017-08-17 23:37:43 +00:00
parent b1d28c5e90
commit 667f377cd0
4 changed files with 32 additions and 10 deletions


@ -81,7 +81,7 @@ wp.textWidgets = ( function( $ ) {
// Sync input fields to hidden sync fields which actually get sent to the server. // Sync input fields to hidden sync fields which actually get sent to the server.
_.each( control.fields, function( fieldInput, fieldName ) { _.each( control.fields, function( fieldInput, fieldName ) {
fieldInput.on( 'input change', function updateSyncField() { fieldInput.on( 'input change', function updateSyncField() {
var syncInput = control.syncContainer.find( 'input[type=hidden].' + fieldName ); var syncInput = control.syncContainer.find( '.sync-input.' + fieldName );
if ( syncInput.val() !== fieldInput.val() ) { if ( syncInput.val() !== fieldInput.val() ) {
syncInput.val( fieldInput.val() ); syncInput.val( fieldInput.val() );
syncInput.trigger( 'change' ); syncInput.trigger( 'change' );
@ -89,7 +89,7 @@ wp.textWidgets = ( function( $ ) {
}); });
// Note that syncInput cannot be re-used because it will be destroyed with each widget-updated event. // Note that syncInput cannot be re-used because it will be destroyed with each widget-updated event.
fieldInput.val( control.syncContainer.find( 'input[type=hidden].' + fieldName ).val() ); fieldInput.val( control.syncContainer.find( '.sync-input.' + fieldName ).val() );
}); });
}, },
@ -145,11 +145,11 @@ wp.textWidgets = ( function( $ ) {
var control = this, syncInput; var control = this, syncInput;
if ( ! control.fields.title.is( document.activeElement ) ) { if ( ! control.fields.title.is( document.activeElement ) ) {
syncInput = control.syncContainer.find( 'input[type=hidden].title' ); syncInput = control.syncContainer.find( '.sync-input.title' );
control.fields.title.val( syncInput.val() ); control.fields.title.val( syncInput.val() );
} }
syncInput = control.syncContainer.find( 'input[type=hidden].text' ); syncInput = control.syncContainer.find( '.sync-input.text' );
if ( control.fields.text.is( ':visible' ) ) { if ( control.fields.text.is( ':visible' ) ) {
if ( ! control.fields.text.is( document.activeElement ) ) { if ( ! control.fields.text.is( document.activeElement ) ) {
control.fields.text.val( syncInput.val() ); control.fields.text.val( syncInput.val() );
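Review bot: The selector change from `input[type=hidden].` to `.sync-input.` at the two `syncInput = control.syncContainer.find(...)` lines in this hunk (and the same change in the two hunks above inside updateSyncField and the widget-updated handler) is left unexplained in the code, so a reader of this file alone cannot tell why matching on input type stopped being sufficient. The PHP side of this commit renders the text sync field as a `<textarea hidden>` rather than an `<input type="hidden">`, which is presumably the reason; a one-line comment at the first lookup would preserve that, e.g. `// Sync fields are matched by class: the text sync field is a hidden <textarea>, not an <input type=hidden>.` The selector string is also assembled by concatenation in four places; a small helper such as `function findSyncInput( fieldName ) { return control.syncContainer.find( '.sync-input.' + fieldName ); }` would keep them in step if the class name changes again. The enclosing method's body continues outside the hunk.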



@ -4,7 +4,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '4.9-alpha-41259'; $wp_version = '4.9-alpha-41260';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.


@ -332,6 +332,7 @@ class WP_Widget_Text extends WP_Widget {
* @since 4.8.0 Form only contains hidden inputs which are synced with JS template. * @since 4.8.0 Form only contains hidden inputs which are synced with JS template.
* @since 4.8.1 Restored original form to be displayed when in legacy mode. * @since 4.8.1 Restored original form to be displayed when in legacy mode.
* @see WP_Widget_Visual_Text::render_control_template_scripts() * @see WP_Widget_Visual_Text::render_control_template_scripts()
* @see _WP_Editors::editor()
* *
* @param array $instance Current settings. * @param array $instance Current settings.
* @return void * @return void
@ -346,10 +347,31 @@ class WP_Widget_Text extends WP_Widget {
); );
?> ?>
<?php if ( ! $this->is_legacy_instance( $instance ) ) : ?> <?php if ( ! $this->is_legacy_instance( $instance ) ) : ?>
<input id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" class="title" type="hidden" value="<?php echo esc_attr( $instance['title'] ); ?>"> <?php
<input id="<?php echo $this->get_field_id( 'text' ); ?>" name="<?php echo $this->get_field_name( 'text' ); ?>" class="text" type="hidden" value="<?php echo esc_attr( $instance['text'] ); ?>">
<input id="<?php echo $this->get_field_id( 'filter' ); ?>" name="<?php echo $this->get_field_name( 'filter' ); ?>" class="filter" type="hidden" value="on"> if ( user_can_richedit() ) {
<input id="<?php echo $this->get_field_id( 'visual' ); ?>" name="<?php echo $this->get_field_name( 'visual' ); ?>" class="visual" type="hidden" value="on"> add_filter( 'the_editor_content', 'format_for_editor', 10, 2 );
$default_editor = 'tinymce';
} else {
$default_editor = 'html';
}
/** This filter is documented in wp-includes/class-wp-editor.php */
$text = apply_filters( 'the_editor_content', $instance['text'], $default_editor );
// Reset filter addition.
if ( user_can_richedit() ) {
remove_filter( 'the_editor_content', 'format_for_editor' );
}
// Prevent premature closing of textarea in case format_for_editor() didn't apply or the_editor_content filter did a wrong thing.
$escaped_text = preg_replace( '#</textarea#i', '&lt;/textarea', $text );
?>
<input id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" class="title sync-input" type="hidden" value="<?php echo esc_attr( $instance['title'] ); ?>">
<textarea id="<?php echo $this->get_field_id( 'text' ); ?>" name="<?php echo $this->get_field_name( 'text' ); ?>" class="text sync-input" hidden><?php echo $escaped_text; ?></textarea>
<input id="<?php echo $this->get_field_id( 'filter' ); ?>" name="<?php echo $this->get_field_name( 'filter' ); ?>" class="filter sync-input" type="hidden" value="on">
<input id="<?php echo $this->get_field_id( 'visual' ); ?>" name="<?php echo $this->get_field_name( 'visual' ); ?>" class="visual sync-input" type="hidden" value="on">
<?php else : ?> <?php else : ?>
<input id="<?php echo $this->get_field_id( 'visual' ); ?>" name="<?php echo $this->get_field_name( 'visual' ); ?>" class="visual" type="hidden" value=""> <input id="<?php echo $this->get_field_id( 'visual' ); ?>" name="<?php echo $this->get_field_name( 'visual' ); ?>" class="visual" type="hidden" value="">
<p> <p>