<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[46915] branches/5.0: Ensure that a user can publish_posts before making a post sticky.</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { white-space: pre-line; overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta" style="font-size: 105%">
<dt style="float: left; width: 6em; font-weight: bold">Revision</dt> <dd><a style="font-weight: bold" href="https://core.trac.wordpress.org/changeset/46915">46915</a><script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","description":"Review this Commit","action":{"@type":"ViewAction","url":"https://core.trac.wordpress.org/changeset/46915","name":"Review Commit"}}</script></dd>
<dt style="float: left; width: 6em; font-weight: bold">Author</dt> <dd>whyisjake</dd>
<dt style="float: left; width: 6em; font-weight: bold">Date</dt> <dd>2019-12-12 18:51:11 +0000 (Thu, 12 Dec 2019)</dd>
</dl>
<pre style='padding-left: 1em; margin: 2em 0; border-left: 2px solid #ccc; line-height: 1.25; font-size: 105%; font-family: sans-serif'>Ensure that a user can publish_posts before making a post sticky.
Props: danielbachhuber, whyisjake, peterwilson, xknown.
Prevent stored XSS through wp_targeted_link_rel().
Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan.
Update wp_kses_bad_protocol() to recognize : on uri attributes,
wp_kses_bad_protocol() makes sure to validate that uri attributes don't contain invalid/or not allowed protocols. While this works fine in most cases, there's a risk that by using the colon html5 named entity, one is able to bypass this function.
Brings <a href="https://core.trac.wordpress.org/changeset/46895">r46895</a> to the 5.3 branch.
Props: xknown, nickdaugherty, peterwilsoncc.
Prevent stored XSS in the block editor.
Brings <a href="https://core.trac.wordpress.org/changeset/46896">r46896</a> to the 5.3 branch.
Prevent escaped unicode characters become unescaped in unsafe HTML during JSON decoding.
Props: aduth, epiqueras.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#branches50srcwpincludesblocksphp">branches/5.0/src/wp-includes/blocks.php</a></li>
<li><a href="#branches50srcwpincludesdefaultfiltersphp">branches/5.0/src/wp-includes/default-filters.php</a></li>
<li><a href="#branches50srcwpincludesformattingphp">branches/5.0/src/wp-includes/formatting.php</a></li>
<li><a href="#branches50srcwpincludesksesphp">branches/5.0/src/wp-includes/kses.php</a></li>
<li><a href="#branches50srcwpincludesrestapiendpointsclasswprestpostscontrollerphp">branches/5.0/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php</a></li>
<li><a href="#branches50testsphpunittestsblocksblocktypephp">branches/5.0/tests/phpunit/tests/blocks/block-type.php</a></li>
<li><a href="#branches50testsphpunittestsksesphp">branches/5.0/tests/phpunit/tests/kses.php</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#branches50testsphpunittestsblocksfilterphp">branches/5.0/tests/phpunit/tests/blocks/filter.php</a></li>
<li><a href="#branches50testsphpunittestsblocksserializationphp">branches/5.0/tests/phpunit/tests/blocks/serialization.php</a></li>
</ul>
<h3>Property Changed</h3>
<ul>
<li><a href="#branches50">branches/5.0/</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<span class="cx" style="display: block; padding: 0 10px">Index: branches/5.0
</span><span class="cx" style="display: block; padding: 0 10px">===================================================================
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">--- branches/5.0 2019-12-12 18:45:47 UTC (rev 46914)
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+++ branches/5.0 2019-12-12 18:51:11 UTC (rev 46915)
</ins><a id="branches50"></a>
<div class="propset"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Property changes: branches/5.0</h4>
<pre class="diff"><span>
</span></pre></div>
<a id="svnmergeinfo"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: svn:mergeinfo</h4></div>
<span class="cx" style="display: block; padding: 0 10px"> /branches/3.4:21757
</span><span class="cx" style="display: block; padding: 0 10px"> /branches/4.8:42204
</span><span class="cx" style="display: block; padding: 0 10px"> /branches/4.9:43557,43622,44991
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-/trunk:42132,42134,42136,42138,42140,42144,42146,42148,42150,42152-42153,42155,42157,42159,42161,42163,42169,42171,42173,42175,42177,42181,42183,42185,42187,42189,42191,42193,42199,42203,42210,42214,42220,42222,42226,42242,42244,42247,42250-42251,42256-42261,42350,42354,42358,42362,42364-42368,42374,42388,42390,42401,42405,42417,42421,42423-42425,42430,42432-42433,42437,42441,42443-42444,42446-42447,42449,42451,42453,42457,42459,42462,42491,42521,42529,42531,42533,42536,42538,42541,42543,42545,42549,42566,42568,42570,42572,42574,42576,42579,42581-42582,42584-42585,42587-42588,42590,42592,42594-42595,42598-42599,42602,42604,42606,42611-42613,42615,42617,42624-42625,42639,42642,42648,42652-42653,42665,42676,42687,42695,42697,42701-42702,42711,42713,42719,42722,42726,42728,42733,42739-42740,42744,42758,42772,42791-42792,42801,42807,42812,42814-42815,42817-42819,42823,42830,42837,42839,42841
,42844,42851-42852,42860,42862,42864,42878-42879,42881,42888-42889,42892-42894,42930,42964-42965,42967,42971-42972,42977-42978,42980-42982,42985-42987,42989,42992,42994-42995,42998-42999,43001-43004,43007-43008,43011-43012,43014-43015,43025,43027,43030,43032,43034,43036,43039,43042,43044-43049,43051-43063,43065,43081,43085,43087-43089,43091,43104,43116,43118,43120-43121,43123,43125-43126,43131-43132,43135,43137,43139,43145-43148,43150,43154-43155,43158,43160,43162,43166,43168,43170,43172,43175,43180-43181,43183-43185,43189,43191,43193,43195,43197,43199,43201,43203,43206,43208,43210-43212,43216,43218,43220,43222-43223,43226,43228,43230,43232,43234,43236,43238,43242-43243,43245-43246,43248-43251,43256,43259-43260,43263,43265,43267,43269,43274-43275,43278-43279,43282,43284,43286,43290,43293,43299,43303-43304,43313,43315,43317,43331,43337,43343,43350,43353,43356,43361-43363,43365,43367,43370-43371,43373-43376,43379,43388,43390,43435,43437,43439-43440,43446-43447,43451,43454,43457,43460,
43462-43467,43469,43471,43475,43477-43478,43480,43486,43491,43493,43495,43499,43504,43506,43508,43511-43513,43518,43525,43527,43529,43531,43541,43550,43559,43561,43565,43567,43574,43578,43580,43584-43586,43589,43593,43597,43599,43601,43604-43605,43609,43636,43638,43645,43647,43653,43658-43659,43664,43673,44021,44048,44322,44338,44368-44371,44376-44382,44389,44391,44398-44399,44402-44403,44406,44408,44418,44432,44435,44437-44439,44441-44442,44833,44842,44993,45936,45971,45990,45997,46474-46478,46483,46485
</del><span class="cx" style="display: block; padding: 0 10px">\ No newline at end of property
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+/trunk:42132,42134,42136,42138,42140,42144,42146,42148,42150,42152-42153,42155,42157,42159,42161,42163,42169,42171,42173,42175,42177,42181,42183,42185,42187,42189,42191,42193,42199,42203,42210,42214,42220,42222,42226,42242,42244,42247,42250-42251,42256-42261,42350,42354,42358,42362,42364-42368,42374,42388,42390,42401,42405,42417,42421,42423-42425,42430,42432-42433,42437,42441,42443-42444,42446-42447,42449,42451,42453,42457,42459,42462,42491,42521,42529,42531,42533,42536,42538,42541,42543,42545,42549,42566,42568,42570,42572,42574,42576,42579,42581-42582,42584-42585,42587-42588,42590,42592,42594-42595,42598-42599,42602,42604,42606,42611-42613,42615,42617,42624-42625,42639,42642,42648,42652-42653,42665,42676,42687,42695,42697,42701-42702,42711,42713,42719,42722,42726,42728,42733,42739-42740,42744,42758,42772,42791-42792,42801,42807,42812,42814-42815,42817-42819,42823,42830,42837,42839,42841
,42844,42851-42852,42860,42862,42864,42878-42879,42881,42888-42889,42892-42894,42930,42964-42965,42967,42971-42972,42977-42978,42980-42982,42985-42987,42989,42992,42994-42995,42998-42999,43001-43004,43007-43008,43011-43012,43014-43015,43025,43027,43030,43032,43034,43036,43039,43042,43044-43049,43051-43063,43065,43081,43085,43087-43089,43091,43104,43116,43118,43120-43121,43123,43125-43126,43131-43132,43135,43137,43139,43145-43148,43150,43154-43155,43158,43160,43162,43166,43168,43170,43172,43175,43180-43181,43183-43185,43189,43191,43193,43195,43197,43199,43201,43203,43206,43208,43210-43212,43216,43218,43220,43222-43223,43226,43228,43230,43232,43234,43236,43238,43242-43243,43245-43246,43248-43251,43256,43259-43260,43263,43265,43267,43269,43274-43275,43278-43279,43282,43284,43286,43290,43293,43299,43303-43304,43313,43315,43317,43331,43337,43343,43350,43353,43356,43361-43363,43365,43367,43370-43371,43373-43376,43379,43388,43390,43435,43437,43439-43440,43446-43447,43451,43454,43457,43460,
43462-43467,43469,43471,43475,43477-43478,43480,43486,43491,43493,43495,43499,43504,43506,43508,43511-43513,43518,43525,43527,43529,43531,43541,43550,43559,43561,43565,43567,43574,43578,43580,43584-43586,43589,43593,43597,43599,43601,43604-43605,43609,43636,43638,43645,43647,43653,43658-43659,43664,43673,44021,44048,44322,44338,44368-44371,44376-44382,44389,44391,44398-44399,44402-44403,44406,44408,44418,44432,44435,44437-44439,44441-44442,44833,44842,44993,45936,45971,45990,45997,46474-46478,46483,46485,46893-46896
</ins><span class="cx" style="display: block; padding: 0 10px">\ No newline at end of property
</span><a id="branches50srcwpincludesblocksphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/5.0/src/wp-includes/blocks.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.0/src/wp-includes/blocks.php 2019-12-12 18:45:47 UTC (rev 46914)
+++ branches/5.0/src/wp-includes/blocks.php 2019-12-12 18:51:11 UTC (rev 46915)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -74,11 +74,11 @@
</span><span class="cx" style="display: block; padding: 0 10px"> * @since 5.0.0
</span><span class="cx" style="display: block; padding: 0 10px"> * @see parse_blocks()
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- * @param string $block_type Full Block type to look for.
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * @param string $block_name Full Block type to look for.
</ins><span class="cx" style="display: block; padding: 0 10px"> * @param int|string|WP_Post|null $post Optional. Post content, post ID, or post object. Defaults to global $post.
</span><span class="cx" style="display: block; padding: 0 10px"> * @return bool Whether the post content contains the specified block.
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-function has_block( $block_type, $post = null ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+function has_block( $block_name, $post = null ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> if ( ! has_blocks( $post ) ) {
</span><span class="cx" style="display: block; padding: 0 10px"> return false;
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -90,7 +90,30 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- return false !== strpos( $post, '<!-- wp:' . $block_type . ' ' );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ /*
+ * Normalize block name to include namespace, if provided as non-namespaced.
+ * This matches behavior for WordPress 5.0.0 - 5.3.0 in matching blocks by
+ * their serialized names.
+ */
+ if ( false === strpos( $block_name, '/' ) ) {
+ $block_name = 'core/' . $block_name;
+ }
+
+ // Test for existence of block by its fully qualified name.
+ $has_block = false !== strpos( $post, '<!-- wp:' . $block_name . ' ' );
+
+ if ( ! $has_block ) {
+ /*
+ * If the given block name would serialize to a different name, test for
+ * existence by the serialized form.
+ */
+ $serialized_block_name = strip_core_block_namespace( $block_name );
+ if ( $serialized_block_name !== $block_name ) {
+ $has_block = false !== strpos( $post, '<!-- wp:' . $serialized_block_name . ' ' );
+ }
+ }
+
+ return $has_block;
</ins><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -114,6 +137,207 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * Given an array of attributes, returns a string in the serialized attributes
+ * format prepared for post content.
+ *
+ * The serialized result is a JSON-encoded string, with unicode escape sequence
+ * substitution for characters which might otherwise interfere with embedding
+ * the result in an HTML comment.
+ *
+ * @since 5.3.1
+ *
+ * @param array $attributes Attributes object.
+ * @return string Serialized attributes.
+ */
+function serialize_block_attributes( $block_attributes ) {
+ $encoded_attributes = json_encode( $block_attributes );
+ $encoded_attributes = preg_replace( '/--/', '\\u002d\\u002d', $encoded_attributes );
+ $encoded_attributes = preg_replace( '/</', '\\u003c', $encoded_attributes );
+ $encoded_attributes = preg_replace( '/>/', '\\u003e', $encoded_attributes );
+ $encoded_attributes = preg_replace( '/&/', '\\u0026', $encoded_attributes );
+ // Regex: /\\"/
+ $encoded_attributes = preg_replace( '/\\\\"/', '\\u0022', $encoded_attributes );
+
+ return $encoded_attributes;
+}
+
+/**
+ * Returns the block name to use for serialization. This will remove the default
+ * "core/" namespace from a block name.
+ *
+ * @since 5.3.1
+ *
+ * @param string $block_name Original block name.
+ * @return string Block name to use for serialization.
+ */
+function strip_core_block_namespace( $block_name = null ) {
+ if ( is_string( $block_name ) && 0 === strpos( $block_name, 'core/' ) ) {
+ return substr( $block_name, 5 );
+ }
+
+ return $block_name;
+}
+
+/**
+ * Returns the content of a block, including comment delimiters.
+ *
+ * @since 5.3.1
+ *
+ * @param string $block_name Block name.
+ * @param array $attributes Block attributes.
+ * @param string $content Block save content.
+ * @return string Comment-delimited block content.
+ */
+function get_comment_delimited_block_content( $block_name = null, $block_attributes, $block_content ) {
+ if ( is_null( $block_name ) ) {
+ return $block_content;
+ }
+
+ $serialized_block_name = strip_core_block_namespace( $block_name );
+ $serialized_attributes = empty( $block_attributes ) ? '' : serialize_block_attributes( $block_attributes ) . ' ';
+
+ if ( empty( $block_content ) ) {
+ return sprintf( '<!-- wp:%s %s/-->', $serialized_block_name, $serialized_attributes );
+ }
+
+ return sprintf(
+ '<!-- wp:%s %s-->%s<!-- /wp:%s -->',
+ $serialized_block_name,
+ $serialized_attributes,
+ $block_content,
+ $serialized_block_name
+ );
+}
+
+/**
+ * Returns the content of a block, including comment delimiters, serializing all
+ * attributes from the given parsed block.
+ *
+ * This should be used when preparing a block to be saved to post content.
+ * Prefer `render_block` when preparing a block for display. Unlike
+ * `render_block`, this does not evaluate a block's `render_callback`, and will
+ * instead preserve the markup as parsed.
+ *
+ * @since 5.3.1
+ *
+ * @param WP_Block_Parser_Block $block A single parsed block object.
+ * @return string String of rendered HTML.
+ */
+function serialize_block( $block ) {
+ $block_content = '';
+
+ $index = 0;
+ foreach ( $block['innerContent'] as $chunk ) {
+ $block_content .= is_string( $chunk ) ? $chunk : serialize_block( $block['innerBlocks'][ $index++ ] );
+ }
+
+ if ( ! is_array( $block['attrs'] ) ) {
+ $block['attrs'] = array();
+ }
+
+ return get_comment_delimited_block_content(
+ $block['blockName'],
+ $block['attrs'],
+ $block_content
+ );
+}
+
+/**
+ * Returns a joined string of the aggregate serialization of the given parsed
+ * blocks.
+ *
+ * @since 5.3.1
+ *
+ * @param WP_Block_Parser_Block[] $blocks Parsed block objects.
+ * @return string String of rendered HTML.
+ */
+function serialize_blocks( $blocks ) {
+ return implode( '', array_map( 'serialize_block', $blocks ) );
+}
+
+/**
+ * Filters and sanitizes block content to remove non-allowable HTML from
+ * parsed block attribute values.
+ *
+ * @since 5.3.1
+ *
+ * @param string $text Text that may contain block content.
+ * @param array[]|string $allowed_html An array of allowed HTML elements
+ * and attributes, or a context name
+ * such as 'post'.
+ * @param string[] $allowed_protocols Array of allowed URL protocols.
+ * @return string The filtered and sanitized content result.
+ */
+function filter_block_content( $text, $allowed_html = 'post', $allowed_protocols = array() ) {
+ $result = '';
+
+ $blocks = parse_blocks( $text );
+ foreach ( $blocks as $block ) {
+ $block = filter_block_kses( $block, $allowed_html, $allowed_protocols );
+ $result .= serialize_block( $block );
+ }
+
+ return $result;
+}
+
+/**
+ * Filters and sanitizes a parsed block to remove non-allowable HTML from block
+ * attribute values.
+ *
+ * @since 5.3.1
+ *
+ * @param WP_Block_Parser_Block $block The parsed block object.
+ * @param array[]|string $allowed_html An array of allowed HTML
+ * elements and attributes, or a
+ * context name such as 'post'.
+ * @param string[] $allowed_protocols Allowed URL protocols.
+ * @return array The filtered and sanitized block object result.
+ */
+function filter_block_kses( $block, $allowed_html, $allowed_protocols = array() ) {
+ $block['attrs'] = filter_block_kses_value( $block['attrs'], $allowed_html, $allowed_protocols );
+
+ if ( is_array( $block['innerBlocks'] ) ) {
+ foreach ( $block['innerBlocks'] as $i => $inner_block ) {
+ $block['innerBlocks'][ $i ] = filter_block_kses( $inner_block, $allowed_html, $allowed_protocols );
+ }
+ }
+
+ return $block;
+}
+
+/**
+ * Filters and sanitizes a parsed block attribute value to remove non-allowable
+ * HTML.
+ *
+ * @since 5.3.1
+ *
+ * @param mixed $value The attribute value to filter.
+ * @param array[]|string $allowed_html An array of allowed HTML elements
+ * and attributes, or a context name
+ * such as 'post'.
+ * @param string[] $allowed_protocols Array of allowed URL protocols.
+ * @return array The filtered and sanitized result.
+ */
+function filter_block_kses_value( $value, $allowed_html, $allowed_protocols = array() ) {
+ if ( is_array( $value ) ) {
+ foreach ( $value as $key => $inner_value ) {
+ $filtered_key = filter_block_kses_value( $key, $allowed_html, $allowed_protocols );
+ $filtered_value = filter_block_kses_value( $inner_value, $allowed_html, $allowed_protocols );
+
+ if ( $filtered_key !== $key ) {
+ unset( $value[ $key ] );
+ }
+
+ $value[ $filtered_key ] = $filtered_value;
+ }
+ } elseif ( is_string( $value ) ) {
+ return wp_kses( $value, $allowed_html, $allowed_protocols );
+ }
+
+ return $value;
+}
+
+/**
</ins><span class="cx" style="display: block; padding: 0 10px"> * Parses blocks out of a content string, and renders those appropriate for the excerpt.
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><span class="cx" style="display: block; padding: 0 10px"> * As the excerpt should be a small string of text relevant to the full post content,
</span></span></pre></div>
<a id="branches50srcwpincludesdefaultfiltersphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/5.0/src/wp-includes/default-filters.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.0/src/wp-includes/default-filters.php 2019-12-12 18:45:47 UTC (rev 46914)
+++ branches/5.0/src/wp-includes/default-filters.php 2019-12-12 18:51:11 UTC (rev 46915)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -224,30 +224,31 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> // Misc filters
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">-add_filter( 'option_ping_sites', 'privacy_ping_filter' );
-add_filter( 'option_blog_charset', '_wp_specialchars' ); // IMPORTANT: This must not be wp_specialchars() or esc_html() or it'll cause an infinite loop
-add_filter( 'option_blog_charset', '_canonical_charset' );
-add_filter( 'option_home', '_config_wp_home' );
-add_filter( 'option_siteurl', '_config_wp_siteurl' );
-add_filter( 'tiny_mce_before_init', '_mce_set_direction' );
-add_filter( 'teeny_mce_before_init', '_mce_set_direction' );
-add_filter( 'pre_kses', 'wp_pre_kses_less_than' );
-add_filter( 'sanitize_title', 'sanitize_title_with_dashes', 10, 3 );
-add_action( 'check_comment_flood', 'check_comment_flood_db', 10, 4 );
-add_filter( 'comment_flood_filter', 'wp_throttle_comment_flood', 10, 3 );
-add_filter( 'pre_comment_content', 'wp_rel_nofollow', 15 );
-add_filter( 'comment_email', 'antispambot' );
-add_filter( 'option_tag_base', '_wp_filter_taxonomy_base' );
-add_filter( 'option_category_base', '_wp_filter_taxonomy_base' );
-add_filter( 'the_posts', '_close_comments_for_old_posts', 10, 2);
-add_filter( 'comments_open', '_close_comments_for_old_post', 10, 2 );
-add_filter( 'pings_open', '_close_comments_for_old_post', 10, 2 );
-add_filter( 'editable_slug', 'urldecode' );
-add_filter( 'editable_slug', 'esc_textarea' );
-add_filter( 'nav_menu_meta_box_object', '_wp_nav_menu_meta_box_object' );
-add_filter( 'pingback_ping_source_uri', 'pingback_ping_source_uri' );
-add_filter( 'xmlrpc_pingback_error', 'xmlrpc_pingback_error' );
-add_filter( 'title_save_pre', 'trim' );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+add_filter( 'option_ping_sites', 'privacy_ping_filter' );
+add_filter( 'option_blog_charset', '_wp_specialchars' ); // IMPORTANT: This must not be wp_specialchars() or esc_html() or it'll cause an infinite loop
+add_filter( 'option_blog_charset', '_canonical_charset' );
+add_filter( 'option_home', '_config_wp_home' );
+add_filter( 'option_siteurl', '_config_wp_siteurl' );
+add_filter( 'tiny_mce_before_init', '_mce_set_direction' );
+add_filter( 'teeny_mce_before_init', '_mce_set_direction' );
+add_filter( 'pre_kses', 'wp_pre_kses_less_than' );
+add_filter( 'pre_kses', 'wp_pre_kses_block_attributes', 10, 3 );
+add_filter( 'sanitize_title', 'sanitize_title_with_dashes', 10, 3 );
+add_action( 'check_comment_flood', 'check_comment_flood_db', 10, 4 );
+add_filter( 'comment_flood_filter', 'wp_throttle_comment_flood', 10, 3 );
+add_filter( 'pre_comment_content', 'wp_rel_nofollow', 15 );
+add_filter( 'comment_email', 'antispambot' );
+add_filter( 'option_tag_base', '_wp_filter_taxonomy_base' );
+add_filter( 'option_category_base', '_wp_filter_taxonomy_base' );
+add_filter( 'the_posts', '_close_comments_for_old_posts', 10, 2 );
+add_filter( 'comments_open', '_close_comments_for_old_post', 10, 2 );
+add_filter( 'pings_open', '_close_comments_for_old_post', 10, 2 );
+add_filter( 'editable_slug', 'urldecode' );
+add_filter( 'editable_slug', 'esc_textarea' );
+add_filter( 'nav_menu_meta_box_object', '_wp_nav_menu_meta_box_object' );
+add_filter( 'pingback_ping_source_uri', 'pingback_ping_source_uri' );
+add_filter( 'xmlrpc_pingback_error', 'xmlrpc_pingback_error' );
+add_filter( 'title_save_pre', 'trim' );
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> add_action( 'transition_comment_status', '_clear_modified_cache_on_transition_comment_status', 10, 2 );
</span><span class="cx" style="display: block; padding: 0 10px">
</span></span></pre></div>
<a id="branches50srcwpincludesformattingphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/5.0/src/wp-includes/formatting.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.0/src/wp-includes/formatting.php 2019-12-12 18:45:47 UTC (rev 46914)
+++ branches/5.0/src/wp-includes/formatting.php 2019-12-12 18:51:11 UTC (rev 46915)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -4403,6 +4403,31 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> /**
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ * Remove non-allowable HTML from parsed block attribute values when filtering
+ * in the post context.
+ *
+ * @since 5.3.1
+ *
+ * @param string $string Content to be run through KSES.
+ * @param array[]|string $allowed_html An array of allowed HTML elements
+ * and attributes, or a context name
+ * such as 'post'.
+ * @param string[] $allowed_protocols Array of allowed URL protocols.
+ * @return string Filtered text to run through KSES.
+ */
+function wp_pre_kses_block_attributes( $string, $allowed_html, $allowed_protocols ) {
+ /*
+ * `filter_block_content` is expected to call `wp_kses`. Temporarily remove
+ * the filter to avoid recursion.
+ */
+ remove_filter( 'pre_kses', 'wp_pre_kses_block_attributes', 10 );
+ $string = filter_block_content( $string, $allowed_html, $allowed_protocols );
+ add_filter( 'pre_kses', 'wp_pre_kses_block_attributes', 10, 3 );
+
+ return $string;
+}
+
+/**
</ins><span class="cx" style="display: block; padding: 0 10px"> * WordPress implementation of PHP sprintf() with filters.
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span><span class="cx" style="display: block; padding: 0 10px"> * @since 2.5.0
</span></span></pre></div>
<a id="branches50srcwpincludesksesphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/5.0/src/wp-includes/kses.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.0/src/wp-includes/kses.php 2019-12-12 18:45:47 UTC (rev 46914)
+++ branches/5.0/src/wp-includes/kses.php 2019-12-12 18:51:11 UTC (rev 46915)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -1408,9 +1408,9 @@
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span><span class="cx" style="display: block; padding: 0 10px"> function wp_kses_bad_protocol_once($string, $allowed_protocols, $count = 1 ) {
</span><span class="cx" style="display: block; padding: 0 10px"> $string = preg_replace( '/(�*58(?![;0-9])|�*3a(?![;a-f0-9]))/i', '$1;', $string );
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $string2 = preg_split( '/:|�*58;|�*3a;/i', $string, 2 );
- if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) ) {
- $string = trim( $string2[1] );
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $string2 = preg_split( '/:|�*58;|�*3a;|:/i', $string, 2 );
+ if ( isset( $string2[1] ) && ! preg_match( '%/\?%', $string2[0] ) ) {
+ $string = trim( $string2[1] );
</ins><span class="cx" style="display: block; padding: 0 10px"> $protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols );
</span><span class="cx" style="display: block; padding: 0 10px"> if ( 'feed:' == $protocol ) {
</span><span class="cx" style="display: block; padding: 0 10px"> if ( $count > 2 )
</span></span></pre></div>
<a id="branches50srcwpincludesrestapiendpointsclasswprestpostscontrollerphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/5.0/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.0/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php 2019-12-12 18:45:47 UTC (rev 46914)
+++ branches/5.0/src/wp-includes/rest-api/endpoints/class-wp-rest-posts-controller.php 2019-12-12 18:51:11 UTC (rev 46915)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -491,7 +491,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> return new WP_Error( 'rest_cannot_edit_others', __( 'Sorry, you are not allowed to create posts as this user.' ), array( 'status' => rest_authorization_required_code() ) );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) && ! current_user_can( $post_type->cap->publish_posts ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> return new WP_Error( 'rest_cannot_assign_sticky', __( 'Sorry, you are not allowed to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -646,7 +646,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> return new WP_Error( 'rest_cannot_edit_others', __( 'Sorry, you are not allowed to update posts as this user.' ), array( 'status' => rest_authorization_required_code() ) );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) ) {
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ if ( ! empty( $request['sticky'] ) && ! current_user_can( $post_type->cap->edit_others_posts ) && ! current_user_can( $post_type->cap->publish_posts ) ) {
</ins><span class="cx" style="display: block; padding: 0 10px"> return new WP_Error( 'rest_cannot_assign_sticky', __( 'Sorry, you are not allowed to make posts sticky.' ), array( 'status' => rest_authorization_required_code() ) );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -944,7 +944,7 @@
</span><span class="cx" style="display: block; padding: 0 10px"> * @return stdClass|WP_Error Post object or WP_Error.
</span><span class="cx" style="display: block; padding: 0 10px"> */
</span><span class="cx" style="display: block; padding: 0 10px"> protected function prepare_item_for_database( $request ) {
</span><del style="background-color: #fdd; text-decoration:none; display:block; padding: 0 10px">- $prepared_post = new stdClass;
</del><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $prepared_post = new stdClass();
</ins><span class="cx" style="display: block; padding: 0 10px">
</span><span class="cx" style="display: block; padding: 0 10px"> // Post ID.
</span><span class="cx" style="display: block; padding: 0 10px"> if ( isset( $request['id'] ) ) {
</span></span></pre></div>
<a id="branches50testsphpunittestsblocksblocktypephp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/5.0/tests/phpunit/tests/blocks/block-type.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.0/tests/phpunit/tests/blocks/block-type.php 2019-12-12 18:45:47 UTC (rev 46914)
+++ branches/5.0/tests/phpunit/tests/blocks/block-type.php 2019-12-12 18:51:11 UTC (rev 46915)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -304,6 +304,24 @@
</span><span class="cx" style="display: block; padding: 0 10px"> $this->assertFalse( has_block( 'core/fake' ) );
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ public function test_post_has_block_serialized_name() {
+ $content = '<!-- wp:serialized /--><!-- wp:core/normalized /--><!-- wp:plugin/third-party /-->';
+
+ $this->assertTrue( has_block( 'core/serialized', $content ) );
+
+ /*
+ * Technically, `has_block` should receive a "full" (normalized, parsed)
+ * block name. But this test conforms to expected pre-5.3.1 behavior.
+ */
+ $this->assertTrue( has_block( 'serialized', $content ) );
+ $this->assertTrue( has_block( 'core/normalized', $content ) );
+ $this->assertTrue( has_block( 'normalized', $content ) );
+ $this->assertFalse( has_block( 'plugin/normalized', $content ) );
+ $this->assertFalse( has_block( 'plugin/serialized', $content ) );
+ $this->assertFalse( has_block( 'third-party', $content ) );
+ $this->assertFalse( has_block( 'core/third-party', $content ) );
+ }
+
</ins><span class="cx" style="display: block; padding: 0 10px"> /**
</span><span class="cx" style="display: block; padding: 0 10px"> * Renders a test block without content.
</span><span class="cx" style="display: block; padding: 0 10px"> *
</span></span></pre></div>
<a id="branches50testsphpunittestsblocksfilterphp"></a>
<div class="addfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Added: branches/5.0/tests/phpunit/tests/blocks/filter.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.0/tests/phpunit/tests/blocks/filter.php (rev 0)
+++ branches/5.0/tests/phpunit/tests/blocks/filter.php 2019-12-12 18:51:11 UTC (rev 46915)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -0,0 +1,97 @@
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+<?php
+/**
+ * Block filtering tests.
+ *
+ * @package WordPress
+ * @subpackage Blocks
+ * @since 5.3.1
+ */
+
+/**
+ * Tests for block filtering functions
+ *
+ * @since 5.3.1
+ *
+ * @group blocks
+ */
+class WP_Test_Block_Filter extends WP_UnitTestCase {
+
+ /**
+ * An allowable tag name for all users, regardless of capability.
+ *
+ * @var string
+ */
+ protected static $allowed_tag = 'b';
+
+ /**
+ * @dataProvider data_filter_block_content
+ */
+ function test_filter_block_content( $content, $expected_filtered ) {
+ // Always filter on direct call to `filter_block_content`, `wp_kses`.
+ $this->assertEquals( $expected_filtered, filter_block_content( $content ) );
+ $this->assertEquals( $expected_filtered, wp_kses( $content, array( self::$allowed_tag => array() ) ) );
+
+ // With `unfiltered_html` (no KSES filtering), original content of saved post should remain intact.
+ kses_remove_filters();
+ $post = self::factory()->post->create_and_get( wp_slash( array( 'post_content' => $content ) ) );
+ $this->assertEquals( $content, $post->post_content );
+
+ // Without `unfiltered_html` (KSES filtering), expect saved post content to match expected filtered.
+ kses_init_filters();
+ $post = self::factory()->post->create_and_get( wp_slash( array( 'post_content' => $content ) ) );
+ $this->assertEquals( $expected_filtered, $post->post_content );
+ }
+
+ function data_filter_block_content() {
+ return array(
+ // Non-block content.
+ array(
+ '<b>Original content</b>',
+ '<b>Original content</b>',
+ ),
+
+ // Block content with no block attributes.
+ array(
+ '<!-- wp:example /-->',
+ '<!-- wp:example /-->',
+ ),
+
+ // Block with attributes including filterable HTML.
+ array(
+ '<!-- wp:example {"key":"\\u003cmarquee\\u003e\\u003c/marquee\\u003e\\u003c' . self::$allowed_tag . '\\u003e\\u003c/' . self::$allowed_tag . '\\u003e"} /-->',
+ '<!-- wp:example {"key":"\\u003c' . self::$allowed_tag . '\\u003e\\u003c\\/' . self::$allowed_tag . '\\u003e"} /-->',
+ ),
+
+ // Inner blocks using attributes including filterable HTML.
+ array(
+ '<!-- wp:outer --><!-- wp:inner {"key":"\\u003cmarquee\\u003e\\u003c/marquee\\u003e\\u003c' . self::$allowed_tag . '\\u003e\\u003c/' . self::$allowed_tag . '\\u003e"} /--><!-- /wp:outer -->',
+ '<!-- wp:outer --><!-- wp:inner {"key":"\\u003c' . self::$allowed_tag . '\\u003e\\u003c\\/' . self::$allowed_tag . '\\u003e"} /--><!-- /wp:outer -->',
+ ),
+
+ // Block with safe attributes.
+ array(
+ '<!-- wp:example {"object":{"object":{"ok":true},"array":[{"ok":true},[],"ok",10,true,false,null],"string":"ok","number":10,"true":true,"false":false,"null":null},"array":[{"ok":true},[],"ok",10,true,false,null],"string":"ok","number":10,"true":true,"false":false,"null":null} /-->',
+ '<!-- wp:example {"object":{"object":{"ok":true},"array":[{"ok":true},[],"ok",10,true,false,null],"string":"ok","number":10,"true":true,"false":false,"null":null},"array":[{"ok":true},[],"ok",10,true,false,null],"string":"ok","number":10,"true":true,"false":false,"null":null} /-->',
+ ),
+
+ // Block with unsafe nested object attributes.
+ array(
+ '<!-- wp:example {"object":{"one":{"unsafe":"\\u003cmarquee\\u003e\\u003c/marquee\\u003e\\u003c' . self::$allowed_tag . '\\u003e\\u003c/' . self::$allowed_tag . '\\u003e"},"two":"\\u003cmarquee\\u003e\\u003c/marquee\\u003e\\u003c' . self::$allowed_tag . '\\u003e\\u003c/' . self::$allowed_tag . '\\u003e"}} /-->',
+ '<!-- wp:example {"object":{"one":{"unsafe":"\\u003c' . self::$allowed_tag . '\\u003e\\u003c\\/' . self::$allowed_tag . '\\u003e"},"two":"\\u003c' . self::$allowed_tag . '\\u003e\\u003c\\/' . self::$allowed_tag . '\\u003e"}} /-->',
+ ),
+
+ // Block with unsafe nested array attributes.
+ array(
+ '<!-- wp:example {"array":[{"one":{"unsafe":"\\u003cmarquee\\u003e\\u003c/marquee\\u003e\\u003c' . self::$allowed_tag . '\\u003e\\u003c/' . self::$allowed_tag . '\\u003e"},"two":"\\u003cmarquee\\u003e\\u003c/marquee\\u003e\\u003c' . self::$allowed_tag . '\\u003e\\u003c/' . self::$allowed_tag . '\\u003e"},["\\u003cmarquee\\u003e\\u003c/marquee\\u003e\\u003c' . self::$allowed_tag . '\\u003e\\u003c/' . self::$allowed_tag . '\\u003e"],"\\u003cmarquee\\u003e\\u003c/marquee\\u003e\\u003c' . self::$allowed_tag . '\\u003e\\u003c/' . self::$allowed_tag . '\\u003e"]} /-->',
+ '<!-- wp:example {"array":[{"one":{"unsafe":"\\u003c' . self::$allowed_tag . '\\u003e\\u003c\\/' . self::$allowed_tag . '\\u003e"},"two":"\\u003c' . self::$allowed_tag . '\\u003e\\u003c\\/' . self::$allowed_tag . '\\u003e"},["\\u003c' . self::$allowed_tag . '\\u003e\\u003c\\/' . self::$allowed_tag . '\\u003e"],"\\u003c' . self::$allowed_tag . '\\u003e\\u003c\\/' . self::$allowed_tag . '\\u003e"]} /-->',
+ ),
+
+ // Block with unsafe object keys.
+ array(
+ '<!-- wp:example {"object":{"\\u003cmarquee\\u003e\\u003c/marquee\\u003e\\u003c' . self::$allowed_tag . '\\u003e\\u003c/' . self::$allowed_tag . '\\u003e":"value"}} /-->',
+ '<!-- wp:example {"object":{"\\u003c' . self::$allowed_tag . '\\u003e\\u003c\\/' . self::$allowed_tag . '\\u003e":"value"}} /-->',
+ ),
+ );
+ }
+
+}
</ins></span></pre></div>
<a id="branches50testsphpunittestsblocksserializationphp"></a>
<div class="addfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Added: branches/5.0/tests/phpunit/tests/blocks/serialization.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.0/tests/phpunit/tests/blocks/serialization.php (rev 0)
+++ branches/5.0/tests/phpunit/tests/blocks/serialization.php 2019-12-12 18:51:11 UTC (rev 46915)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -0,0 +1,60 @@
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+<?php
+/**
+ * Block serialization tests.
+ *
+ * @package WordPress
+ * @subpackage Blocks
+ * @since 5.3.1
+ */
+
+/**
+ * Tests for block serialization functions
+ *
+ * @since 5.3.1
+ *
+ * @group blocks
+ */
+class WP_Test_Block_Serialization extends WP_UnitTestCase {
+
+ /**
+ * @dataProvider data_serialize_identity_from_parsed
+ */
+ function test_serialize_identity_from_parsed( $original ) {
+ $blocks = parse_blocks( $original );
+
+ $actual = serialize_blocks( $blocks );
+ $expected = $original;
+
+ $this->assertEquals( $expected, $actual );
+ }
+
+ function data_serialize_identity_from_parsed() {
+ return array(
+ // Void block.
+ array( '<!-- wp:void /-->' ),
+
+ // Freeform content ($block_name = null).
+ array( 'Example.' ),
+
+ // Block with content.
+ array( '<!-- wp:content -->Example.<!-- /wp:content -->' ),
+
+ // Block with attributes.
+ array( '<!-- wp:attributes {"key":"value"} /-->' ),
+
+ // Block with inner blocks.
+ array( "<!-- wp:outer --><!-- wp:inner {\"key\":\"value\"} -->Example.<!-- /wp:inner -->\n\nExample.\n\n<!-- wp:void /--><!-- /wp:outer -->" ),
+
+ // Block with attribute values that may conflict with HTML comment.
+ array( '<!-- wp:attributes {"key":"\\u002d\\u002d\\u003c\\u003e\\u0026\\u0022"} /-->' ),
+ );
+ }
+
+ function test_serialized_block_name() {
+ $this->assertEquals( null, strip_core_block_namespace( null ) );
+ $this->assertEquals( 'example', strip_core_block_namespace( 'example' ) );
+ $this->assertEquals( 'example', strip_core_block_namespace( 'core/example' ) );
+ $this->assertEquals( 'plugin/example', strip_core_block_namespace( 'plugin/example' ) );
+ }
+
+}
</ins></span></pre></div>
<a id="branches50testsphpunittestsksesphp"></a>
<div class="modfile"><h4 style="background-color: #eee; color: inherit; margin: 1em 0; padding: 1.3em; font-size: 115%">Modified: branches/5.0/tests/phpunit/tests/kses.php</h4>
<pre class="diff"><span>
<span class="info" style="display: block; padding: 0 10px; color: #888">--- branches/5.0/tests/phpunit/tests/kses.php 2019-12-12 18:45:47 UTC (rev 46914)
+++ branches/5.0/tests/phpunit/tests/kses.php 2019-12-12 18:51:11 UTC (rev 46915)
</span><span class="lines" style="display: block; padding: 0 10px; color: #888">@@ -170,6 +170,28 @@
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px"> }
</span><span class="cx" style="display: block; padding: 0 10px">
</span><ins style="background-color: #dfd; text-decoration:none; display:block; padding: 0 10px">+ $bad_not_normalized = array(
+ 'dummy:alert(1)',
+ 'javascript:alert(1)',
+ 'javascript&CoLon;alert(1)',
+ 'javascript&COLON;alert(1);',
+ 'javascript:alert(1);',
+ 'javascript:alert(1);',
+ 'javascript:alert(1);',
+ 'jav ascript&COLON;alert(1);',
+ 'javascript:javascript:alert(1);',
+ 'javascript:javascript:alert(1);',
+ 'javascript:javascript:alert(1);',
+ 'javascript:javascript:alert(1);',
+ 'javascript:alert(1)',
+ );
+ foreach ( $bad_not_normalized as $k => $x ) {
+ $result = wp_kses_bad_protocol( $x, wp_allowed_protocols() );
+ if ( ! empty( $result ) && 'alert(1);' !== $result && 'alert(1)' !== $result ) {
+ $this->fail( "wp_kses_bad_protocol failed on $k, $x. Result: $result" );
+ }
+ }
+
</ins><span class="cx" style="display: block; padding: 0 10px"> $safe = array(
</span><span class="cx" style="display: block; padding: 0 10px"> 'dummy:alert(1)',
</span><span class="cx" style="display: block; padding: 0 10px"> 'HTTP://example.org/',
</span></span></pre>
</div>
</div>
</body>
</html>