Theme Customizer: Properly escape customize settings when sending values to JS. Add WP_Customize_Setting->js_value(). fixes #20687, see #19910.

git-svn-id: http://core.svn.wordpress.org/trunk@20809 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2012-05-16 20:59:02 +00:00
parent b212ead08c
commit 507f3b2d0c
3 changed files with 18 additions and 2 deletions
--- a/wp-includes/class-wp-customize-setting.php
+++ b/wp-includes/class-wp-customize-setting.php
@@ -230,6 +230,22 @@ class WP_Customize_Setting {
 		return $this->multidimensional_get( $values, $this->id_data[ 'keys' ], $this->default );
 	}

+	/**
+	 * Escape the parameter's value for use in JavaScript.
+	 *
+	 * @since 3.4.0
+	 *
+	 * @return mixed The requested escaped value.
+	 */
+	public function js_value() {
+		$value = $this->value();
+
+		if ( is_string( $value ) )
+			return html_entity_decode( $value, ENT_QUOTES, 'UTF-8');
+
+		return $value;
+	}
+
 	/**
 	 * Check if the theme supports the setting and check user capabilities.
 	 *