Widgets: Validate HTML before saving block widgets.

Props talldanwp, noisysocks, kevin940726, peterwilsoncc.

Built from https://develop.svn.wordpress.org/trunk@51414


git-svn-id: http://core.svn.wordpress.org/trunk@51025 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Peter Wilson
2021-07-13 05:59:01 +00:00
parent a5cfc54fec
commit 34119e2c95
3 changed files with 15 additions and 3 deletions


@@ -1419,6 +1419,13 @@ final class WP_Customize_Widgets {
if ( isset( $value['raw_instance'] ) && $id_base && wp_use_widgets_block_editor() ) {
$widget_object = $wp_widget_factory->get_widget_object( $id_base );
if ( ! empty( $widget_object->widget_options['show_instance_in_rest'] ) ) {
if ( 'block' === $id_base && ! current_user_can( 'unfiltered_html' ) ) {
// The content of the 'block' widget is not filtered on the
// fly while editing. Filter the content here to prevent
// vulnerabilities.
$value['raw_instance']['content'] = wp_kses_post( $value['raw_instance']['content'] );
}
return $value['raw_instance'];
}
}
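Review bot: The new `wp_kses_post()` call reads `$value['raw_instance']['content']` without checking that the key is present, so a block widget value that arrives without `content` raises an undefined-index notice and comes back with an added `content` entry. Wrapping the assignment in `if ( isset( $value['raw_instance']['content'] ) ) { ... }` avoids that; whether `content` can be anything other than a string here is not visible in the hunk and is worth confirming. The filter applies only when `$id_base` is `'block'`, so any other widget with `show_instance_in_rest` set still has its `raw_instance` returned as submitted on this path. That is presumably covered by sanitization elsewhere, and a comment saying so would help. The inline comment could also name the risk, e.g. `// Users without 'unfiltered_html' must not be able to store unfiltered markup in the widget content.` The enclosing method starts and ends outside the hunk.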