From 96c5ca19b661c650efbe17e9958b5bc9eb424ab4 Mon Sep 17 00:00:00 2001
From: Bernie Reiter
Date: Tue, 14 Mar 2023 16:06:35 +0100
Subject: [PATCH] Add escaping to wp-text
---
 phpunit/directives/attributes/wp-text.php | 6 +++---
 src/directives/attributes/wp-text.php | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/phpunit/directives/attributes/wp-text.php b/phpunit/directives/attributes/wp-text.php
index 54d39495..56f5fb75 100644
--- a/phpunit/directives/attributes/wp-text.php
+++ b/phpunit/directives/attributes/wp-text.php
@@ -17,17 +17,17 @@
 * @covers process_wp_text
 */
 class Tests_Directives_WpText extends WP_UnitTestCase {
- public function test_directive_sets_inner_html_based_on_attribute_value() {
+ public function test_directive_sets_inner_html_based_on_attribute_value_and_escapes_html() {
 $markup = '
';
 $tags = new WP_Directive_Processor( $markup );
 $tags->next_tag();
- $context_before = new WP_Directive_Context( array( 'myblock' => array( 'someText' => 'Lorem ipsum dolor sit.' ) ) );
+ $context_before = new WP_Directive_Context( array( 'myblock' => array( 'someText' => 'The HTML tag
produces a line break.' ) ) );
 $context = clone $context_before;
 process_wp_text( $tags, $context );
- $expected_markup = '
Lorem ipsum dolor sit.
';
+ $expected_markup = '
The HTML tag <br> produces a line break.
';
 $this->assertSame( $expected_markup, $tags->get_updated_html() );
 $this->assertSame( $context_before->get_context(), $context->get_context(), 'wp-text directive changed context' );
 }
diff --git a/src/directives/attributes/wp-text.php b/src/directives/attributes/wp-text.php
index 5c2f701c..30eb3b45 100644
--- a/src/directives/attributes/wp-text.php
+++ b/src/directives/attributes/wp-text.php
@@ -13,5 +13,5 @@ function process_wp_text( $tags, $context ) {
 }
 $text = evaluate( $value, $context->get_context() );
- $tags->set_inner_html( $text );
+ $tags->set_inner_html( esc_html( $text ) );
 }
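Review bot: The updated expectation pins only angle-bracket escaping, so the `&` and quote handling that `esc_html()` is also responsible for goes unasserted; a second context value such as `'someText' => 'Tom & "Jerry" <3'` with the expected text `Tom &amp; &quot;Jerry&quot; &lt;3` would lock in the full contract. If WordPress's `esc_html()` keeps its usual no-double-encode behaviour (not visible from this patch), an already-encoded value like `'&lt;b&gt;'` passes through unchanged rather than becoming `&amp;lt;b&amp;gt;`, and a case documenting that would stop a later "fix" from silently double-encoding existing entities. The test name now promises escaping, but the method is the only place that behaviour is exercised; the class body continues past the end of this hunk.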
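Review bot: `esc_html()` is applied to whatever `evaluate()` returns, but nothing in this hunk establishes that it is a string; if the helper yields `null`, an array or an object for an unresolvable path (the start of `process_wp_text`, where `$value` is read and the early return above the leading `}` lives, is outside the hunk), `esc_html()` will cast it and write `''` or the literal `Array` plus a PHP warning into the element. A guard such as `if ( ! is_scalar( $text ) ) { return; }` before the `set_inner_html()` call keeps the directive from rendering junk, assuming callers do not rely on a null value clearing the element. I would also add a function docblock stating the security contract, e.g. `Sets the element's text from the evaluated directive value; the value is always passed through esc_html(), so markup in context data is rendered literally and never interpreted.` Note that `esc_html()` targets an HTML text node, which is right for ordinary elements but not for raw-text elements like `<script>` or `<style>`, where entities are not decoded; the directive should document that such tags are unsupported or skip them.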