Note that parent::sanitize() erroneously does wp_unslash() on $value, but
we remove that in this override.
/**
* Test sanitize method.
*
* @see WP_Customize_Nav_Menu_Item_Setting::sanitize()
*/
function test_sanitize()
{
do_action('customize_register', $this->wp_customize);
$menu_id = wp_create_nav_menu('Primary');
$setting = new WP_Customize_Nav_Menu_Item_Setting($this->wp_customize, 'nav_menu_item[123]');
$this->assertNull($setting->sanitize('not an array'));
$this->assertNull($setting->sanitize(123));
$unsanitized = array('object_id' => 'bad', 'object' => '<b>hello</b>', 'menu_item_parent' => 'asdasd', 'position' => -123, 'type' => 'custom<b>', 'title' => '\\o/ o\'o Hi<script>unfilteredHtml()</script>', 'url' => 'javascript:alert(1)', 'target' => '" onclick="', 'attr_title' => '\\o/ o\'o <b>bolded</b><script>unfilteredHtml()</script>', 'description' => '\\o/ o\'o <b>Hello world</b><script>unfilteredHtml()</script>', 'classes' => 'hello " inject="', 'xfn' => 'hello " inject="', 'status' => 'forbidden', 'original_title' => 'Hi<script>unfilteredHtml()</script>', 'nav_menu_term_id' => 'heilo', '_invalid' => false);
$expected_sanitized = array('object_id' => 0, 'object' => 'bhellob', 'menu_item_parent' => 0, 'position' => -123, 'type' => 'customb', 'title' => current_user_can('unfiltered_html') ? '\\o/ o\'o Hi<script>unfilteredHtml()</script>' : '\\o/ o\'o HiunfilteredHtml()', 'url' => '', 'target' => 'onclick', 'attr_title' => current_user_can('unfiltered_html') ? '\\o/ o\'o <b>bolded</b><script>unfilteredHtml()</script>' : '\\o/ o\'o <b>bolded</b>unfilteredHtml()', 'description' => current_user_can('unfiltered_html') ? '\\o/ o\'o <b>Hello world</b><script>unfilteredHtml()</script>' : '\\o/ o\'o <b>Hello world</b>unfilteredHtml()', 'classes' => 'hello inject', 'xfn' => 'hello inject', 'status' => 'draft', 'original_title' => 'Hi', 'nav_menu_term_id' => 0);
$sanitized = $setting->sanitize($unsanitized);
$this->assertEqualSets(array_keys($unsanitized), array_keys($sanitized));
foreach ($expected_sanitized as $key => $value) {
$this->assertEquals($value, $sanitized[$key], "Expected {$key} to be sanitized.");
}
$nav_menu_item_id = wp_update_nav_menu_item($menu_id, 0, wp_slash(array('menu-item-object-id' => $unsanitized['object_id'], 'menu-item-object' => $unsanitized['object'], 'menu-item-parent-id' => $unsanitized['menu_item_parent'], 'menu-item-position' => $unsanitized['position'], 'menu-item-type' => $unsanitized['type'], 'menu-item-title' => $unsanitized['title'], 'menu-item-url' => $unsanitized['url'], 'menu-item-description' => $unsanitized['description'], 'menu-item-attr-title' => $unsanitized['attr_title'], 'menu-item-target' => $unsanitized['target'], 'menu-item-classes' => $unsanitized['classes'], 'menu-item-xfn' => $unsanitized['xfn'], 'menu-item-status' => $unsanitized['status'])));
$post = get_post($nav_menu_item_id);
$nav_menu_item = wp_setup_nav_menu_item(clone $post);
$this->assertEquals($expected_sanitized['object_id'], $nav_menu_item->object_id);
$this->assertEquals($expected_sanitized['object'], $nav_menu_item->object);
$this->assertEquals($expected_sanitized['menu_item_parent'], $nav_menu_item->menu_item_parent);
$this->assertEquals($expected_sanitized['position'], $post->menu_order);
$this->assertEquals($expected_sanitized['type'], $nav_menu_item->type);
$this->assertEquals($expected_sanitized['title'], $post->post_title);
$this->assertEquals($expected_sanitized['url'], $nav_menu_item->url);
$this->assertEquals($expected_sanitized['description'], $post->post_content);
$this->assertEquals($expected_sanitized['attr_title'], $post->post_excerpt);
$this->assertEquals($expected_sanitized['target'], $nav_menu_item->target);
$this->assertEquals($expected_sanitized['classes'], implode(' ', $nav_menu_item->classes));
$this->assertEquals($expected_sanitized['xfn'], $nav_menu_item->xfn);
$this->assertEquals($expected_sanitized['status'], $post->post_status);
}
/**
* Test sanitize method.
*
* @see WP_Customize_Nav_Menu_Item_Setting::sanitize()
*/
function test_sanitize()
{
do_action('customize_register', $this->wp_customize);
$setting = new WP_Customize_Nav_Menu_Item_Setting($this->wp_customize, 'nav_menu_item[123]');
$this->assertNull($setting->sanitize('not an array'));
$this->assertNull($setting->sanitize(123));
$unsanitized = array('object_id' => 'bad', 'object' => '<b>hello</b>', 'menu_item_parent' => 'asdasd', 'position' => -123, 'type' => 'custom<b>', 'title' => 'Hi<script>alert(1)</script>', 'url' => 'javascript:alert(1)', 'target' => '" onclick="', 'attr_title' => '<b>evil</b>', 'description' => '<b>Hello world</b>', 'classes' => 'hello " inject="', 'xfn' => 'hello " inject="', 'status' => 'forbidden', 'original_title' => 'Hi<script>alert(1)</script>', 'nav_menu_term_id' => 'heilo');
$sanitized = $setting->sanitize($unsanitized);
$this->assertEqualSets(array_keys($unsanitized), array_keys($sanitized));
$this->assertEquals(0, $sanitized['object_id']);
$this->assertEquals('bhellob', $sanitized['object']);
$this->assertEquals(0, $sanitized['menu_item_parent']);
$this->assertEquals(0, $sanitized['position']);
$this->assertEquals('customb', $sanitized['type']);
$this->assertEquals('Hi', $sanitized['title']);
$this->assertEquals('', $sanitized['url']);
$this->assertEquals('onclick', $sanitized['target']);
$this->assertEquals('evil', $sanitized['attr_title']);
$this->assertEquals('Hello world', $sanitized['description']);
$this->assertEquals('hello inject', $sanitized['classes']);
$this->assertEquals('hello inject', $sanitized['xfn']);
$this->assertEquals('publish', $sanitized['status']);
$this->assertEquals('Hi', $sanitized['original_title']);
$this->assertEquals(0, $sanitized['nav_menu_term_id']);
}
