[wp-trac] [WordPress Trac] #35869: Preview of menu items includes unnecessary slashes for users without unfiltered_html
WordPress Trac
noreply at wordpress.org
Fri Feb 19 10:22:54 UTC 2016
#35869: Preview of menu items includes unnecessary slashes for users without
unfiltered_html
--------------------------+-----------------------------
 Reporter:  ocean90       |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Customize     |    Version:
 Severity:  normal        |   Keywords:  needs-patch
  Focuses:                |
--------------------------+-----------------------------
Noticed while testing #27355.
Assign an author the `edit_theme_options` cap and enter "foo'foo" into the
input field for a menu item title: For some reason the preview will have
slashes.
Comment by [comment:ticket:27355:80 westonruter]:
> I narrowed this down to the following line in
> `WP_Customize_Nav_Menu_Item_Setting::sanitize()`:
>
> {{{#!php
> <?php
> $menu_item_value['title'] = apply_filters( 'title_save_pre', $menu_item_value['title'] );
> }}}
>
> The `wp_filter_kses` function is adding the slash which applies on
> this `title_save_pre` filter. For some reason, the function does:
>
> {{{#!php
> <?php
> return addslashes( wp_kses( stripslashes( $data ), current_filter() ) );
> }}}
>
> Which is the reason for the slash being injected, because `addslashes()`
> adds slashes before apostrophes, even though there wasn't a slash that got
> stripped originally by `stripslashes`. So, to me this function (and
> `wp_filter_post_kses` like it) looks like it is doing the wrong thing.
> The easiest way I see to fix the issue is to bypass those KSES functions
> altogether with something like
> [attachment:nav-menu-item-kses-filter-fix.diff].
--
Ticket URL: <https://core.trac.wordpress.org/ticket/35869>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
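
Added example, not part of the ticket or of WordPress core: a stand-alone PHP sketch of the `addslashes( wp_kses( stripslashes( $data ) ) )` pattern quoted above, comparing what it does to unslashed and to slashed input. `kses_stand_in()`, `filter_kses_like()` and `check()` are hypothetical names, `strip_tags()` stands in for `wp_kses()`, and all inputs are constructed.

```php
<?php
// Added illustration; not WordPress core code.

// Hypothetical stand-in for wp_kses(): keeps a few tags, drops the rest.
function kses_stand_in( string $data ): string {
    return strip_tags( $data, '<a><em><strong>' );
}

// Same shape as the wp_filter_kses() line quoted in the ticket.
function filter_kses_like( string $data ): string {
    return addslashes( kses_stand_in( stripslashes( $data ) ) );
}

// Fail loudly if an observed value differs from the expected one.
function check( string $label, string $expected, string $actual ): void {
    if ( $expected !== $actual ) {
        throw new RuntimeException( "$label: expected [$expected], got [$actual]" );
    }
    echo "$label: $actual\n";
}

$title = "foo'foo";   // constructed input, taken from the ticket description
$path  = 'C:\temp';   // constructed input containing a literal backslash

// Case 1: unslashed input. stripslashes() finds nothing to strip, then
// addslashes() escapes the apostrophe, so a backslash appears in the output.
check( 'unslashed title', "foo\\'foo", filter_kses_like( $title ) );

// Case 2: unslashed input with a real backslash. stripslashes() consumes it
// and addslashes() has nothing to restore, so the character is lost.
check( 'unslashed path', 'C:temp', filter_kses_like( $path ) );

// Case 3: the caller slashes first and unslashes afterwards; both values
// survive the filter unchanged.
check( 'slashed title', $title, stripslashes( filter_kses_like( addslashes( $title ) ) ) );
check( 'slashed path', $path, stripslashes( filter_kses_like( addslashes( $path ) ) ) );

// The markup filtering itself still applies in the slashed round trip.
check( 'slashed markup', "it's bold",
    stripslashes( filter_kses_like( addslashes( "<script>it's</script> bold" ) ) ) );
```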