Update wp.a11y.speak() to sanitize HTML before display.

Props iandunn, adamsilverstein, sstoqnov, peterwilsoncc

Built from https://develop.svn.wordpress.org/trunk@45979


git-svn-id: http://core.svn.wordpress.org/trunk@45790 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-admin/js/customize-nav-menus.js

@@ -3456,7 +3456,7 @@
 	 */
 	function displayNavMenuName( name ) {
 		name = name || '';
-		name = $( '<div>' ).text( name ).html(); // Emulate esc_html() which is used in wp-admin/nav-menus.php.
+		name = wp.sanitize.stripTagsAndEncodeText( name ); // Remove any potential tags from name.
 		name = $.trim( name );
 		return name || api.Menus.data.l10n.unnamed;
 	}

wp-admin/js/post.js

@@ -795,7 +795,9 @@ jQuery(document).ready( function($) {
 			}
 
 			// Update "Status:" to currently selected status.
-			$('#post-status-display').html($('option:selected', postStatus).text());
+			$('#post-status-display').text(
+				wp.sanitize.stripTagsAndEncodeText( $('option:selected', postStatus).text() ) // Remove any potential tags from post status text.
+			);
 
 			// Show or hide the "Save Draft" button.
 			if ( $('option:selected', postStatus).val() == 'private' || $('option:selected', postStatus).val() == 'publish' ) {

wp-admin/js/updates.js

@@ -262,7 +262,8 @@
 
 		if ( 'undefined' !== typeof response.debug && window.console && window.console.log ) {
 			_.map( response.debug, function( message ) {
-				window.console.log( $( '<p />' ).html( message ).text() );
+				// Remove all HTML tags and write a message to the console.
+				window.console.log( wp.sanitize.stripTagsAndEncodeText( message ) );
 			} );
 		}
 	};

wp-includes/js/wp-a11y.js

@@ -27,8 +27,8 @@ window.wp = window.wp || {};
 		// Clear previous messages to allow repeated strings being read out.
 		clear();
 
-		// Ensure only text is sent to screen readers.
+		// Remove HTML tags, ensuring only text is sent to screen readers.
-		message = $( '<p>' ).html( message ).text();
+		message = wp.sanitize.stripTagsAndEncodeText( message );
 
 		/*
 		 * Safari 10+VoiceOver don't announce repeated, identical strings. We use

wp-includes/js/wp-a11y.min.js

@@ -1 +1 @@
-window.wp=window.wp||{},function(a,b){"use strict";function c(a,c){e(),a=b("<p>").html(a).text(),h===a&&(a+="\xa0"),h=a,g&&"assertive"===c?g.text(a):f&&f.text(a)}function d(a){a=a||"polite";var c=b("<div>",{id:"wp-a11y-speak-"+a,"aria-live":a,"aria-relevant":"additions text","aria-atomic":"true","class":"screen-reader-text wp-a11y-speak-region"});return b(document.body).append(c),c}function e(){b(".wp-a11y-speak-region").text("")}var f,g,h="";b(document).ready(function(){f=b("#wp-a11y-speak-polite"),g=b("#wp-a11y-speak-assertive"),f.length||(f=d("polite")),g.length||(g=d("assertive"))}),a.a11y=a.a11y||{},a.a11y.speak=c}(window.wp,window.jQuery);
+window.wp=window.wp||{},function(a,b){"use strict";function c(b,c){e(),b=a.sanitize.stripTagsAndEncodeText(b),h===b&&(b+="\xa0"),h=b,g&&"assertive"===c?g.text(b):f&&f.text(b)}function d(a){a=a||"polite";var c=b("<div>",{id:"wp-a11y-speak-"+a,"aria-live":a,"aria-relevant":"additions text","aria-atomic":"true","class":"screen-reader-text wp-a11y-speak-region"});return b(document.body).append(c),c}function e(){b(".wp-a11y-speak-region").text("")}var f,g,h="";b(document).ready(function(){f=b("#wp-a11y-speak-polite"),g=b("#wp-a11y-speak-assertive"),f.length||(f=d("polite")),g.length||(g=d("assertive"))}),a.a11y=a.a11y||{},a.a11y.speak=c}(window.wp,window.jQuery);

wp-includes/js/wp-sanitize.js

@@ -23,10 +23,20 @@
 		stripTags: function( text ) {
 			text = text || '';
 
-			return text
+			// Do the replacement.
-				.replace( /<!--[\s\S]*?(-->|$)/g, '' )
+			var _text = text
-				.replace( /<(script|style)[^>]*>[\s\S]*?(<\/\1>|$)/ig, '' )
+					.replace( /<!--[\s\S]*?(-->|$)/g, '' )
-				.replace( /<\/?[a-z][\s\S]*?(>|$)/ig, '' );
+					.replace( /<(script|style)[^>]*>[\s\S]*?(<\/\1>|$)/ig, '' )
+					.replace( /<\/?[a-z][\s\S]*?(>|$)/ig, '' );
+
+			// If the initial text is not equal to the modified text,
+			// do the search-replace again, until there is nothing to be replaced.
+			if ( _text !== text ) {
+				return wp.sanitize.stripTags( _text );
+			}
+
+			// Return the text with stripped tags.
+			return _text;
 		},
 
 		/**
@@ -41,7 +51,7 @@
 				textarea = document.createElement( 'textarea' );
 
 			try {
-				textarea.innerHTML = _text;
+				textarea.textContent = _text;
 				_text = wp.sanitize.stripTags( textarea.value );
 			} catch ( er ) {}
 

wp-includes/js/wp-sanitize.min.js

@@ -1 +1 @@
-!function(){window.wp=window.wp||{},wp.sanitize={stripTags:function(a){return a=a||"",a.replace(/<!--[\s\S]*?(-->|$)/g,"").replace(/<(script|style)[^>]*>[\s\S]*?(<\/\1>|$)/gi,"").replace(/<\/?[a-z][\s\S]*?(>|$)/gi,"")},stripTagsAndEncodeText:function(a){var b=wp.sanitize.stripTags(a),c=document.createElement("textarea");try{c.innerHTML=b,b=wp.sanitize.stripTags(c.value)}catch(d){}return b}}}();
+!function(){window.wp=window.wp||{},wp.sanitize={stripTags:function(a){a=a||"";var b=a.replace(/<!--[\s\S]*?(-->|$)/g,"").replace(/<(script|style)[^>]*>[\s\S]*?(<\/\1>|$)/gi,"").replace(/<\/?[a-z][\s\S]*?(>|$)/gi,"");return b!==a?wp.sanitize.stripTags(b):b},stripTagsAndEncodeText:function(a){var b=wp.sanitize.stripTags(a),c=document.createElement("textarea");try{c.textContent=b,b=wp.sanitize.stripTags(c.value)}catch(d){}return b}}}();

wp-includes/script-loader.php

@@ -880,7 +880,9 @@ function wp_default_scripts( &$scripts ) {
 		)
 	);
 
-	$scripts->add( 'wp-a11y', "/wp-includes/js/wp-a11y$suffix.js", array( 'jquery' ), false, 1 );
+	$scripts->add( 'wp-sanitize', "/wp-includes/js/wp-sanitize$suffix.js", array(), false, 1 );
+
+	$scripts->add( 'wp-a11y', "/wp-includes/js/wp-a11y$suffix.js", array( 'jquery', 'wp-sanitize' ), false, 1 );
 
 	$scripts->add( 'sack', "/wp-includes/js/tw-sack$suffix.js", array(), '1.6.1', 1 );
 
@@ -1487,7 +1489,7 @@ function wp_default_scripts( &$scripts ) {
 	$scripts->add( 'customize-widgets', "/wp-admin/js/customize-widgets$suffix.js", array( 'jquery', 'jquery-ui-sortable', 'jquery-ui-droppable', 'wp-backbone', 'customize-controls' ), false, 1 );
 	$scripts->add( 'customize-preview-widgets', "/wp-includes/js/customize-preview-widgets$suffix.js", array( 'jquery', 'wp-util', 'customize-preview', 'customize-selective-refresh' ), false, 1 );
 
-	$scripts->add( 'customize-nav-menus', "/wp-admin/js/customize-nav-menus$suffix.js", array( 'jquery', 'wp-backbone', 'customize-controls', 'accordion', 'nav-menu' ), false, 1 );
+	$scripts->add( 'customize-nav-menus', "/wp-admin/js/customize-nav-menus$suffix.js", array( 'jquery', 'wp-backbone', 'customize-controls', 'accordion', 'nav-menu', 'wp-sanitize' ), false, 1 );
 	$scripts->add( 'customize-preview-nav-menus', "/wp-includes/js/customize-preview-nav-menus$suffix.js", array( 'jquery', 'wp-util', 'customize-preview', 'customize-selective-refresh' ), false, 1 );
 
 	$scripts->add( 'wp-custom-header', "/wp-includes/js/wp-custom-header$suffix.js", array( 'wp-a11y' ), false, 1 );
@@ -1572,7 +1574,7 @@ function wp_default_scripts( &$scripts ) {
 			)
 		);
 
-		$scripts->add( 'post', "/wp-admin/js/post$suffix.js", array( 'suggest', 'wp-lists', 'postbox', 'tags-box', 'underscore', 'word-count', 'wp-a11y' ), false, 1 );
+		$scripts->add( 'post', "/wp-admin/js/post$suffix.js", array( 'suggest', 'wp-lists', 'postbox', 'tags-box', 'underscore', 'word-count', 'wp-a11y', 'wp-sanitize' ), false, 1 );
 		did_action( 'init' ) && $scripts->localize(
 			'post',
 			'postL10n',
@@ -1700,7 +1702,7 @@ function wp_default_scripts( &$scripts ) {
 			)
 		);
 
-		$scripts->add( 'updates', "/wp-admin/js/updates$suffix.js", array( 'jquery', 'wp-util', 'wp-a11y' ), false, 1 );
+		$scripts->add( 'updates', "/wp-admin/js/updates$suffix.js", array( 'jquery', 'wp-util', 'wp-a11y', 'wp-sanitize' ), false, 1 );
 		did_action( 'init' ) && $scripts->localize(
 			'updates',
 			'_wpUpdatesSettings',

wp-includes/version.php

@@ -13,7 +13,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '5.3-alpha-45971';
+$wp_version = '5.3-alpha-45979';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.