 
To:wp-svn@lists.automattic.com From:m@wordpress.org Subject:[wp-svn] [20882] trunk: Theme Customizer: Improve accuracy of identifying internal urls. Date:Thu, 24 May 2012 19:17:49 +0000 (UTC)
 

Revision
20882
Author
koopersmith
Date
2012-05-24 19:17:49 +0000 (Thu, 24 May 2012)

Log Message

Theme Customizer: Improve accuracy of identifying internal urls. see #20507, #19910.

The 'customize_preview_link' filter has been replaced by 'customize_allowed_urls'.
Improved accuracy when checking for wp-admin.
Improved accuracy when attempting to match the schemes of the control and preview frames.
Improved accuracy of internal link whitelist.

Modified Paths

Diff

Modified: trunk/wp-admin/customize.php (20881 => 20882)


--- trunk/wp-admin/customize.php	2012-05-24 18:05:36 UTC (rev 20881)
+++ trunk/wp-admin/customize.php	2012-05-24 19:17:49 UTC (rev 20882)
@@ -101,15 +101,17 @@
 	// preview over ssl if the customizer is being loaded over ssl. This avoids
 	// insecure content warnings. This is not attempted if the admin and frontend
 	// are on different domains to avoid the case where the frontend doesn't have
-	// ssl certs. Domain mapping plugins can force ssl in these conditions using
-	// the customize_preview_link filter.
+	// ssl certs. Domain mapping plugins can allow other urls in these conditions
+	// using the customize_allowed_urls filter.
+
+	$allowed_urls = array( home_url('/') );
 	$admin_origin = parse_url( admin_url() );
-	$home_origin = parse_url( home_url() );
-	$scheme = null;
+	$home_origin  = parse_url( home_url() );
+
 	if ( is_ssl() && ( $admin_origin[ 'host' ] == $home_origin[ 'host' ] ) )
-		$scheme = 'https';
+		$allowed_urls[] = home_url( '/', 'https' );
 
-	$preview_url = apply_filters( 'customize_preview_link',  home_url( '/', $scheme ) );
+	$allowed_urls = array_unique( apply_filters( 'customize_allowed_urls', $allowed_urls ) );
 
 	$settings = array(
 		'theme'    => array(
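Review bot: The filtered list at `$allowed_urls = array_unique( apply_filters( 'customize_allowed_urls', $allowed_urls ) );` is trusted as-is: a plugin returning a non-array makes `array_unique()` warn and yield `null`, and the entries are later consumed by customize-controls.dev.js as bare string prefixes (`0 === url.indexOf( allowed )`), so an entry without a trailing slash would also accept any origin that merely begins with the same characters. `home_url( '/' )` is slash-terminated, but filter-supplied values are not normalised; `$allowed_urls = array_unique( array_map( 'trailingslashit', (array) apply_filters( 'customize_allowed_urls', $allowed_urls ) ) );` closes both gaps, and the same prefix-match point applies to the JS hunk and is not repeated there. The `is_ssl()` condition also reads `$admin_origin[ 'host' ]` and `$home_origin[ 'host' ]` without checking that `parse_url()` produced those keys, so a host-less result raises a notice and the `==` comparison of two nulls passes; an `isset()` guard on both keys and `===` would be tighter.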
@@ -117,9 +119,10 @@
 			'active'     => $wp_customize->is_theme_active(),
 		),
 		'url'      => array(
-			'preview'  => esc_url( $preview_url ),
+			'preview'  => esc_url( home_url( '/' ) ),
 			'parent'   => esc_url( admin_url() ),
 			'ajax'     => esc_url( admin_url( 'admin-ajax.php', 'relative' ) ),
+			'allowed'  => array_map( 'esc_url', $allowed_urls ),
 		),
 		'settings' => array(),
 		'controls' => array(),

Modified: trunk/wp-includes/js/customize-controls.dev.js (20881 => 20882)


--- trunk/wp-includes/js/customize-controls.dev.js	2012-05-24 18:05:36 UTC (rev 20881)
+++ trunk/wp-includes/js/customize-controls.dev.js	2012-05-24 19:17:49 UTC (rev 20882)
@@ -272,7 +272,8 @@
 		 *  - url       - the URL of preview frame
 		 */
 		initialize: function( params, options ) {
-			var self = this;
+			var self = this,
+				rscheme = /^https?/;
 
 			$.extend( this, options || {} );
 
@@ -314,7 +315,8 @@
 				};
 			})( this );
 
-			this.container = api.ensure( params.container );
+			this.container   = api.ensure( params.container );
+			this.allowedUrls = params.allowedUrls;
 
 			api.Messenger.prototype.initialize.call( this, params.url );
 
@@ -322,13 +324,42 @@
 			// to the current window's location, not the url's.
 			this.origin.unlink( this.url ).set( window.location.href );
 
+			this.add( 'scheme', this.origin() ).link( this.origin ).setter( function( to ) {
+				var match = to.match( rscheme );
+				return match ? match[0] : '';
+			});
+
 			// Limit the URL to internal, front-end links.
+			//
+			// If the frontend and the admin are served from the same domain, load the
+			// preview over ssl if the customizer is being loaded over ssl. This avoids
+			// insecure content warnings. This is not attempted if the admin and frontend
+			// are on different domains to avoid the case where the frontend doesn't have
+			// ssl certs.
+
 			this.url.setter( function( to ) {
-				// Bail if we're navigating to a different origin or wp-admin.
-				if ( 0 !== to.indexOf( self.origin() + '/' ) || -1 !== to.indexOf( 'wp-admin' ) )
+				var result;
+
+				// Check for URLs that include "/wp-admin/" or end in "/wp-admin".
+				// Strip hashes and query strings before testing.
+				if ( /\/wp-admin(\/|$)/.test( to.replace(/[#?].*$/, '') ) )
 					return null;
 
-				return to;
+				// Attempt to match the URL to the control frame's scheme
+				// and check if it's allowed. If not, try the original URL.
+				$.each([ to.replace( rscheme, self.scheme() ), to ], function( i, url ) {
+					$.each( self.allowedUrls, function( i, allowed ) {
+						if ( 0 === url.indexOf( allowed ) ) {
+							result = url;
+							return false;
+						}
+					});
+					if ( result )
+						return false;
+				});
+
+				// If we found a matching result, return it. If not, bail.
+				return result ? result : null;
 			});
 
 			// Refresh the preview when the URL is changed.
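Review bot: The inner `$.each( self.allowedUrls, function( i, allowed )` reuses `i` as its index name, shadowing the outer callback's `i`; neither is used, so distinct names (or `_`) would make the nesting easier to read. `self.allowedUrls` is read without a default, so a Previewer constructed without `allowedUrls` (the previous public signature) hands `undefined` to `$.each`, which presumably throws rather than rejecting the URL; `this.allowedUrls = params.allowedUrls || [];` in the preceding hunk would make that a safe "nothing allowed" outcome. `return result ? result : null;` reads more directly as `return result || null;`. The enclosing `initialize` method begins and ends outside the hunk.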
@@ -422,9 +453,10 @@
 		});
 
 		previewer = new api.Previewer({
-			container: '#customize-preview',
-			form:      '#customize-controls',
-			url:       api.settings.url.preview
+			container:   '#customize-preview',
+			form:        '#customize-controls',
+			url:         api.settings.url.preview,
+			allowedUrls: api.settings.url.allowed
 		}, {
 			query: function() {
 				return {