From 2f288c306cd3eb13907f97767b86519b835b26a3 Mon Sep 17 00:00:00 2001
From: Gary Pendergast <gary@pento.net>
Date: Tue, 15 Jan 2019 00:43:49 +0000
Subject: [PATCH] Widgets: Remove unnecessary `sanitize_text_field()` calls in
 core widget `::form()` methods.

This sanitisation only needs to be run in `::update()` to correctly clean up the input.

Props welcher, greenshady.
Fixes #42461.


Built from https://develop.svn.wordpress.org/trunk@44589


git-svn-id: http://core.svn.wordpress.org/trunk@44420 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/version.php                            | 2 +-
 wp-includes/widgets/class-wp-widget-archives.php   | 3 +--
 wp-includes/widgets/class-wp-widget-calendar.php   | 3 +--
 wp-includes/widgets/class-wp-widget-categories.php | 3 +--
 wp-includes/widgets/class-wp-widget-meta.php       | 3 +--
 5 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/wp-includes/version.php b/wp-includes/version.php
index 2c62e9e963..eb5d9f3624 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -13,7 +13,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '5.1-beta1-44588';
+$wp_version = '5.1-beta1-44589';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
diff --git a/wp-includes/widgets/class-wp-widget-archives.php b/wp-includes/widgets/class-wp-widget-archives.php
index 4d0581ade6..ab6e0d9ab2 100644
--- a/wp-includes/widgets/class-wp-widget-archives.php
+++ b/wp-includes/widgets/class-wp-widget-archives.php
@@ -179,9 +179,8 @@ class WP_Widget_Archives extends WP_Widget {
 				'dropdown' => '',
 			)
 		);
-		$title    = sanitize_text_field( $instance['title'] );
 		?>
-		<p><label for="<?php echo $this->get_field_id( 'title' ); ?>"><?php _e( 'Title:' ); ?></label> <input class="widefat" id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" type="text" value="<?php echo esc_attr( $title ); ?>" /></p>
+		<p><label for="<?php echo $this->get_field_id( 'title' ); ?>"><?php _e( 'Title:' ); ?></label> <input class="widefat" id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" type="text" value="<?php echo esc_attr( $instance['title'] ); ?>" /></p>
 		<p>
 			<input class="checkbox" type="checkbox"<?php checked( $instance['dropdown'] ); ?> id="<?php echo $this->get_field_id( 'dropdown' ); ?>" name="<?php echo $this->get_field_name( 'dropdown' ); ?>" /> <label for="<?php echo $this->get_field_id( 'dropdown' ); ?>"><?php _e( 'Display as dropdown' ); ?></label>
 			<br/>
diff --git a/wp-includes/widgets/class-wp-widget-calendar.php b/wp-includes/widgets/class-wp-widget-calendar.php
index 08de0775f9..572be171fc 100644
--- a/wp-includes/widgets/class-wp-widget-calendar.php
+++ b/wp-includes/widgets/class-wp-widget-calendar.php
@@ -94,10 +94,9 @@ class WP_Widget_Calendar extends WP_Widget {
 	 */
 	public function form( $instance ) {
 		$instance = wp_parse_args( (array) $instance, array( 'title' => '' ) );
-		$title    = sanitize_text_field( $instance['title'] );
 		?>
 		<p><label for="<?php echo $this->get_field_id( 'title' ); ?>"><?php _e( 'Title:' ); ?></label>
-		<input class="widefat" id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" type="text" value="<?php echo esc_attr( $title ); ?>" /></p>
+		<input class="widefat" id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" type="text" value="<?php echo esc_attr( $instance['title'] ); ?>" /></p>
 		<?php
 	}
 }
diff --git a/wp-includes/widgets/class-wp-widget-categories.php b/wp-includes/widgets/class-wp-widget-categories.php
index 9cf7a011e3..780993e3d9 100644
--- a/wp-includes/widgets/class-wp-widget-categories.php
+++ b/wp-includes/widgets/class-wp-widget-categories.php
@@ -160,13 +160,12 @@ class WP_Widget_Categories extends WP_Widget {
 	public function form( $instance ) {
 		//Defaults
 		$instance     = wp_parse_args( (array) $instance, array( 'title' => '' ) );
-		$title        = sanitize_text_field( $instance['title'] );
 		$count        = isset( $instance['count'] ) ? (bool) $instance['count'] : false;
 		$hierarchical = isset( $instance['hierarchical'] ) ? (bool) $instance['hierarchical'] : false;
 		$dropdown     = isset( $instance['dropdown'] ) ? (bool) $instance['dropdown'] : false;
 		?>
 		<p><label for="<?php echo $this->get_field_id( 'title' ); ?>"><?php _e( 'Title:' ); ?></label>
-		<input class="widefat" id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" type="text" value="<?php echo esc_attr( $title ); ?>" /></p>
+		<input class="widefat" id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" type="text" value="<?php echo esc_attr( $instance['title'] ); ?>" /></p>
 
 		<p><input type="checkbox" class="checkbox" id="<?php echo $this->get_field_id( 'dropdown' ); ?>" name="<?php echo $this->get_field_name( 'dropdown' ); ?>"<?php checked( $dropdown ); ?> />
 		<label for="<?php echo $this->get_field_id( 'dropdown' ); ?>"><?php _e( 'Display as dropdown' ); ?></label><br />
diff --git a/wp-includes/widgets/class-wp-widget-meta.php b/wp-includes/widgets/class-wp-widget-meta.php
index c02fbeb41f..320ab138d4 100644
--- a/wp-includes/widgets/class-wp-widget-meta.php
+++ b/wp-includes/widgets/class-wp-widget-meta.php
@@ -113,9 +113,8 @@ class WP_Widget_Meta extends WP_Widget {
 	 */
 	public function form( $instance ) {
 		$instance = wp_parse_args( (array) $instance, array( 'title' => '' ) );
-		$title    = sanitize_text_field( $instance['title'] );
 		?>
-			<p><label for="<?php echo $this->get_field_id( 'title' ); ?>"><?php _e( 'Title:' ); ?></label> <input class="widefat" id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" type="text" value="<?php echo esc_attr( $title ); ?>" /></p>
+			<p><label for="<?php echo $this->get_field_id( 'title' ); ?>"><?php _e( 'Title:' ); ?></label> <input class="widefat" id="<?php echo $this->get_field_id( 'title' ); ?>" name="<?php echo $this->get_field_name( 'title' ); ?>" type="text" value="<?php echo esc_attr( $instance['title'] ); ?>" /></p>
 		<?php
 	}
 }