Create New Item
Item Type
File
Folder
Item Name
Search file in folder and subfolders...
Are you sure want to rename?
chromed
/
wp-content
/
plugins
/
extendify
/
tests
/
Integration
/
QuickEdit
/
Controllers
:
SaveControllerTest.php
Advanced Search
Upload
New Item
Settings
Back
Back Up
Advanced Editor
Save
<?php namespace Extendify\Tests\Integration\QuickEdit\Controllers; use Extendify\QuickEdit\Controllers\SaveController; use Extendify\QuickEdit\Schemas\Registry; use ReflectionClass; use WP_UnitTestCase; class SaveControllerTest extends WP_UnitTestCase { public function setUp(): void { parent::setUp(); $this->resetRegistry(); Registry::init(); } public function tearDown(): void { $this->resetRegistry(); delete_option('trp_settings'); unset($GLOBALS['TRP_LANGUAGE']); parent::tearDown(); } public function test_permission_callback_requires_admin_capability() { wp_set_current_user(0); $this->assertFalse(SaveController::permissionCallback()); $editor = self::factory()->user->create(['role' => 'editor']); wp_set_current_user($editor); $this->assertFalse(SaveController::permissionCallback()); $admin = self::factory()->user->create(['role' => 'administrator']); wp_set_current_user($admin); $this->assertTrue(SaveController::permissionCallback()); } public function test_missing_required_fields_returns_400() { $this->loginAsAdmin(); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => 1], // no blockId, no blockType, no patches/rawBlock ])); $this->assertSame(400, $res->get_status()); $this->assertStringContainsString('required', $res->get_data()['error']); } public function test_unknown_block_type_with_patches_returns_400_no_schema() { $this->loginAsAdmin(); $postId = self::factory()->post->create([ 'post_content' => '<!-- wp:paragraph --><p>hi</p><!-- /wp:paragraph -->', ]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'not/a-real-block', 'patches' => [['fieldKey' => 'content', 'value' => 'x']], ])); $this->assertSame(400, $res->get_status()); $data = $res->get_data(); $this->assertSame('no schema registered for block type', $data['error']); $this->assertSame('not/a-real-block', $data['blockType']); } public function test_post_not_found_returns_404() { $this->loginAsAdmin(); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => 99999999], 'blockId' => 1, 'blockType' => 'core/paragraph', 'patches' => [['fieldKey' => 'content', 'value' => 'x']], ])); $this->assertSame(404, $res->get_status()); } public function test_unknown_source_kind_returns_404() { $this->loginAsAdmin(); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'bogus'], 'blockId' => 1, 'blockType' => 'core/paragraph', 'patches' => [['fieldKey' => 'content', 'value' => 'x']], ])); $this->assertSame(404, $res->get_status()); $this->assertSame('unknown source kind', $res->get_data()['error']); } public function test_template_part_requires_partSlug() { $this->loginAsAdmin(); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'template-part'], 'blockId' => 1, 'blockType' => 'core/paragraph', 'patches' => [['fieldKey' => 'content', 'value' => 'x']], ])); $this->assertSame(404, $res->get_status()); $this->assertSame('template-part requires partSlug', $res->get_data()['error']); } public function test_subscriber_user_forbidden_per_source() { $sub = self::factory()->user->create(['role' => 'subscriber']); wp_set_current_user($sub); $postId = self::factory()->post->create([ 'post_content' => '<!-- wp:paragraph --><p>hi</p><!-- /wp:paragraph -->', ]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'patches' => [['fieldKey' => 'content', 'value' => 'x']], ])); $this->assertSame(403, $res->get_status()); $this->assertSame('forbidden for this source', $res->get_data()['error']); } // The post-path object check is edit_post on the *specific* id, // not the coarse edit_posts. An author holds edit_posts but not // edit_others_posts, so a save against another author's post must 403 — // even with the global gate lowered enough to let the author in. Mutating // userCanEditSource to current_user_can('edit_posts') reopens this. public function test_post_save_forbidden_when_editing_another_authors_post() { $owner = self::factory()->user->create(['role' => 'author']); $postId = self::factory()->post->create([ 'post_author' => $owner, 'post_content' => '<!-- wp:paragraph --><p>hi</p><!-- /wp:paragraph -->', ]); $attacker = self::factory()->user->create(['role' => 'author']); wp_set_current_user($attacker); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'patches' => [['fieldKey' => 'content', 'value' => 'tampered']], ])); $this->assertSame(403, $res->get_status()); $this->assertSame('forbidden for this source', $res->get_data()['error']); $this->assertStringContainsString('<p>hi</p>', get_post($postId)->post_content); } // Template parts gate on edit_theme_options, independent of the // post-edit world. An editor can edit others' posts but lacks // edit_theme_options, so a template-part save must 403. Mutating // userCanEditSource's template-part branch to edit_post/edit_posts (which // the editor passes) reopens this. public function test_template_part_save_forbidden_for_user_without_edit_theme_options() { $editor = self::factory()->user->create(['role' => 'editor']); wp_set_current_user($editor); $this->assertTrue(current_user_can('edit_others_posts')); $this->assertFalse(current_user_can('edit_theme_options')); $slug = 'qe-test-part-' . wp_generate_password(6, false); $partId = self::factory()->post->create([ 'post_type' => 'wp_template_part', 'post_name' => $slug, 'post_status' => 'publish', 'post_content' => '<!-- wp:paragraph --><p>part-old</p><!-- /wp:paragraph -->', ]); wp_set_object_terms($partId, get_stylesheet(), 'wp_theme'); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'template-part', 'partSlug' => $slug], 'blockId' => 1, 'blockType' => 'core/paragraph', 'patches' => [['fieldKey' => 'content', 'value' => 'part-new']], ])); $this->assertSame(403, $res->get_status()); $this->assertSame('forbidden for this source', $res->get_data()['error']); $this->assertStringContainsString('<p>part-old</p>', get_post($partId)->post_content); } public function test_blockId_past_end_of_walk_returns_404_with_diagnostics() { $this->loginAsAdmin(); $postId = self::factory()->post->create([ 'post_content' => '<!-- wp:paragraph --><p>hi</p><!-- /wp:paragraph -->', ]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 99, 'blockType' => 'core/paragraph', 'patches' => [['fieldKey' => 'content', 'value' => 'x']], ])); $this->assertSame(404, $res->get_status()); $this->assertSame('block not found in source', $res->get_data()['error']); $this->assertSame(99, $res->get_data()['blockId']); } public function test_block_type_mismatch_returns_409_without_writing() { $this->loginAsAdmin(); $originalContent = '<!-- wp:paragraph --><p>hi</p><!-- /wp:paragraph -->'; $postId = self::factory()->post->create(['post_content' => $originalContent]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/heading', 'patches' => [['fieldKey' => 'content', 'value' => 'x']], ])); $this->assertSame(409, $res->get_status()); $data = $res->get_data(); $this->assertSame('block type mismatch', $data['error']); $this->assertSame('core/heading', $data['expected']); $this->assertSame('core/paragraph', $data['actual']); $this->assertSame($originalContent, get_post($postId)->post_content); } public function test_successful_patch_updates_post_and_returns_rendered_html() { $this->loginAsAdmin(); $postId = self::factory()->post->create([ 'post_content' => '<!-- wp:paragraph --><p>hi</p><!-- /wp:paragraph -->', ]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'patches' => [['fieldKey' => 'content', 'value' => 'updated']], ])); $this->assertSame(200, $res->get_status()); $data = $res->get_data(); $this->assertTrue($data['ok']); $this->assertSame(1, $data['blockId']); $this->assertSame('core/paragraph', $data['blockType']); $this->assertStringContainsString('updated', $data['rendered']); $stored = get_post($postId)->post_content; $this->assertStringContainsString('<p>updated</p>', $stored); $this->assertStringContainsString('<!-- wp:paragraph -->', $stored); } public function test_patches_applied_in_order() { $this->loginAsAdmin(); $postId = self::factory()->post->create([ 'post_content' => '<!-- wp:paragraph --><p>hi</p><!-- /wp:paragraph -->', ]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'patches' => [ ['fieldKey' => 'content', 'value' => 'first'], ['fieldKey' => 'content', 'value' => 'second'], ], ])); $this->assertSame(200, $res->get_status()); $this->assertStringContainsString('<p>second</p>', get_post($postId)->post_content); } public function test_rawBlock_must_parse_to_exactly_one_block() { $this->loginAsAdmin(); $postId = self::factory()->post->create([ 'post_content' => '<!-- wp:paragraph --><p>hi</p><!-- /wp:paragraph -->', ]); $two = '<!-- wp:paragraph --><p>a</p><!-- /wp:paragraph -->' . '<!-- wp:paragraph --><p>b</p><!-- /wp:paragraph -->'; $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'rawBlock' => $two, ])); $this->assertSame(400, $res->get_status()); $this->assertSame('rawBlock must parse to exactly one block', $res->get_data()['error']); $this->assertSame(2, $res->get_data()['parsed_count']); } public function test_rawBlock_type_must_match_blockType() { $this->loginAsAdmin(); $postId = self::factory()->post->create([ 'post_content' => '<!-- wp:paragraph --><p>hi</p><!-- /wp:paragraph -->', ]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'rawBlock' => '<!-- wp:heading --><h2>x</h2><!-- /wp:heading -->', ])); $this->assertSame(400, $res->get_status()); $this->assertSame('rawBlock type does not match blockType', $res->get_data()['error']); $this->assertSame('core/paragraph', $res->get_data()['expected']); $this->assertSame('core/heading', $res->get_data()['got']); } public function test_rawBlock_path_bypasses_schema_apply() { $this->loginAsAdmin(); $postId = self::factory()->post->create([ 'post_content' => '<!-- wp:paragraph --><p>old</p><!-- /wp:paragraph -->', ]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'rawBlock' => '<!-- wp:paragraph {"align":"right"} --><p class="has-text-align-right">whole-block</p><!-- /wp:paragraph -->', ])); $this->assertSame(200, $res->get_status()); $stored = get_post($postId)->post_content; $this->assertStringContainsString('<p class="has-text-align-right">whole-block</p>', $stored); $this->assertStringContainsString('{"align":"right"}', $stored); } public function test_rawBlock_path_works_even_when_no_schema_registered() { $this->loginAsAdmin(); // Wipe registry: rawBlock should still save. $this->resetRegistry(); $postId = self::factory()->post->create([ 'post_content' => '<!-- wp:paragraph --><p>old</p><!-- /wp:paragraph -->', ]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'rawBlock' => '<!-- wp:paragraph --><p>whole</p><!-- /wp:paragraph -->', ])); $this->assertSame(200, $res->get_status()); } public function test_round_trip_preserves_block_structure_of_unrelated_siblings() { $this->loginAsAdmin(); $content = '<!-- wp:paragraph --><p>first</p><!-- /wp:paragraph -->' . '<!-- wp:heading --><h2>middle</h2><!-- /wp:heading -->' . '<!-- wp:paragraph --><p>last</p><!-- /wp:paragraph -->'; $postId = self::factory()->post->create(['post_content' => $content]); // Edit only the middle heading (blockId=2 in TagBlocks counting). $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 2, 'blockType' => 'core/heading', 'patches' => [['fieldKey' => 'content', 'value' => 'new-middle']], ])); $this->assertSame(200, $res->get_status()); $stored = get_post($postId)->post_content; $this->assertStringContainsString('<p>first</p>', $stored); $this->assertStringContainsString('<h2>new-middle</h2>', $stored); $this->assertStringContainsString('<p>last</p>', $stored); } public function test_template_part_resolves_by_slug() { $this->loginAsAdmin(); $slug = 'qe-test-part-' . wp_generate_password(6, false); $partId = self::factory()->post->create([ 'post_type' => 'wp_template_part', 'post_name' => $slug, 'post_status' => 'publish', 'post_content' => '<!-- wp:paragraph --><p>part-old</p><!-- /wp:paragraph -->', ]); wp_set_object_terms($partId, get_stylesheet(), 'wp_theme'); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'template-part', 'partSlug' => $slug], 'blockId' => 1, 'blockType' => 'core/paragraph', 'patches' => [['fieldKey' => 'content', 'value' => 'part-new']], ])); $this->assertSame(200, $res->get_status()); $this->assertStringContainsString('<p>part-new</p>', get_post($partId)->post_content); } // Real-world repro: an install that had `extendable` and `extendable-2` // both active at different points ends up with two wp_template_part // posts sharing post_name='header', one per wp_theme term. WP's render // path scopes to the current theme via get_block_template; raw // get_posts(name=...) doesn't, so a save-side resolver built on // get_posts patches the wrong row and the findBlock parse walk runs // against an unrelated post_content (the user's diagnostic dump: // 11 blocks visited, none of them the social-link the client clicked). // // Bypass wp_unique_post_slug with a direct $wpdb update so both posts // really share the slug — wp_insert_post auto-suffixes `-2` when terms // aren't set at insertion time, which masks this scenario in tests. public function test_template_part_duplicate_slug_resolves_via_active_theme() { global $wpdb; $this->loginAsAdmin(); $slug = sanitize_title('qe-test-dup-' . wp_generate_password(6, false)); $activeThemePartId = self::factory()->post->create([ 'post_type' => 'wp_template_part', 'post_name' => $slug, 'post_status' => 'publish', 'post_content' => '<!-- wp:paragraph --><p>active-old</p><!-- /wp:paragraph -->', ]); wp_set_object_terms($activeThemePartId, get_stylesheet(), 'wp_theme'); $orphanThemePartId = self::factory()->post->create([ 'post_type' => 'wp_template_part', 'post_name' => "{$slug}-renamed-by-uniqueness", 'post_status' => 'publish', 'post_content' => '<!-- wp:paragraph --><p>orphan-untouched</p><!-- /wp:paragraph -->', ]); wp_set_object_terms($orphanThemePartId, 'qe-test-other-theme', 'wp_theme'); // Bypass wp_unique_post_slug + force the orphan to win get_posts' // default date-DESC ordering, mirroring the user's diagnostic // (orphan = newer modified-row, active = older modified-row). $wpdb->update( $wpdb->posts, [ 'post_name' => $slug, 'post_date' => '2099-01-01 00:00:00', 'post_date_gmt' => '2099-01-01 00:00:00', ], ['ID' => $orphanThemePartId] ); clean_post_cache($orphanThemePartId); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'template-part', 'partSlug' => $slug], 'blockId' => 1, 'blockType' => 'core/paragraph', 'patches' => [['fieldKey' => 'content', 'value' => 'active-new']], ])); $this->assertSame(200, $res->get_status()); $this->assertStringContainsString('<p>active-new</p>', get_post($activeThemePartId)->post_content); $this->assertStringContainsString('<p>orphan-untouched</p>', get_post($orphanThemePartId)->post_content); } public function test_disallowed_post_type_revision_returns_404() { $this->loginAsAdmin(); $parentId = self::factory()->post->create(['post_status' => 'publish']); $revisionId = self::factory()->post->create([ 'post_type' => 'revision', 'post_parent' => $parentId, 'post_status' => 'inherit', 'post_content' => '<!-- wp:paragraph --><p>hi</p><!-- /wp:paragraph -->', ]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $revisionId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'patches' => [['fieldKey' => 'content', 'value' => 'x']], ])); $this->assertSame(404, $res->get_status()); $this->assertStringContainsString('dedicated endpoint', $res->get_data()['error']); } public function test_disallowed_post_type_wp_template_returns_404() { $this->loginAsAdmin(); $templateId = self::factory()->post->create([ 'post_type' => 'wp_template', 'post_status' => 'publish', 'post_content' => '<!-- wp:paragraph --><p>hi</p><!-- /wp:paragraph -->', ]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $templateId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'patches' => [['fieldKey' => 'content', 'value' => 'x']], ])); $this->assertSame(404, $res->get_status()); $this->assertStringContainsString('dedicated endpoint', $res->get_data()['error']); } public function test_disallowed_post_type_wp_block_returns_404() { $this->loginAsAdmin(); $reusableId = self::factory()->post->create([ 'post_type' => 'wp_block', 'post_status' => 'publish', 'post_content' => '<!-- wp:paragraph --><p>hi</p><!-- /wp:paragraph -->', ]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $reusableId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'patches' => [['fieldKey' => 'content', 'value' => 'x']], ])); $this->assertSame(404, $res->get_status()); $this->assertStringContainsString('dedicated endpoint', $res->get_data()['error']); } public function test_auto_draft_post_via_post_kind_returns_404() { $this->loginAsAdmin(); $autoDraftId = self::factory()->post->create([ 'post_status' => 'auto-draft', 'post_content' => '<!-- wp:paragraph --><p>hi</p><!-- /wp:paragraph -->', ]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $autoDraftId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'patches' => [['fieldKey' => 'content', 'value' => 'x']], ])); $this->assertSame(404, $res->get_status()); $this->assertStringContainsString('dedicated endpoint', $res->get_data()['error']); } public function test_rawBlock_disallowed_block_type_returns_400() { $this->loginAsAdmin(); $postId = self::factory()->post->create([ 'post_content' => '<!-- wp:list --><ul><li>hi</li></ul><!-- /wp:list -->', ]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/list', 'rawBlock' => '<!-- wp:list --><ul><li>x</li></ul><!-- /wp:list -->', ])); $this->assertSame(400, $res->get_status()); $this->assertSame('rawBlock not supported for this block type', $res->get_data()['error']); } public function test_rawBlock_innerHTML_is_ksesd_in_stored_and_rendered() { $this->loginAsAdmin(); $postId = self::factory()->post->create([ 'post_content' => '<!-- wp:paragraph --><p>old</p><!-- /wp:paragraph -->', ]); $malicious = '<!-- wp:paragraph --><p>hello<script>alert(1)</script>' . '<img src="y" onerror="steal()"></p><!-- /wp:paragraph -->'; $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'rawBlock' => $malicious, ])); $this->assertSame(200, $res->get_status()); $stored = get_post($postId)->post_content; $rendered = $res->get_data()['rendered']; $this->assertStringContainsString('hello', $stored); $this->assertStringNotContainsString('<script', $stored); $this->assertStringNotContainsString('onerror', $stored); $this->assertStringNotContainsString('<script', $rendered); $this->assertStringNotContainsString('onerror', $rendered); } // innerHTML is kses'd, but the block-comment `attrs` JSON is client-supplied // and never sanitized by QuickEdit. An attribute-borne payload still can't // reach an executable sink: serialize_block // re-encodes attrs as JSON (angle brackets become < inside the comment), // unknown attrs are dropped at render, and supported attrs (style/fontSize) // run through core's render-time sanitizers. Stored AND rendered must be clean. public function test_rawBlock_malicious_attrs_never_reach_stored_or_rendered() { $this->loginAsAdmin(); $postId = self::factory()->post->create([ 'post_content' => '<!-- wp:paragraph --><p>old</p><!-- /wp:paragraph -->', ]); $attrPayloads = [ '{"className":"x\"><script>alert(1)</script>"}', '{"style":{"color":{"text":"red;}</style><script>alert(1)</script>"}}}', '{"fontSize":"x\"><script>alert(1)</script>"}', '{"evil":"</p><script>alert(1)</script>"}', ]; foreach ($attrPayloads as $attrs) { wp_update_post([ 'ID' => $postId, 'post_content' => '<!-- wp:paragraph --><p>old</p><!-- /wp:paragraph -->', ]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'rawBlock' => '<!-- wp:paragraph ' . $attrs . ' --><p>hi</p><!-- /wp:paragraph -->', ])); $this->assertSame(200, $res->get_status(), "attrs: {$attrs}"); $stored = get_post($postId)->post_content; $rendered = $res->get_data()['rendered']; $this->assertStringNotContainsString('<script', $stored, "stored attrs: {$attrs}"); $this->assertStringNotContainsString('<script', $rendered, "rendered attrs: {$attrs}"); } } // The patches path runs every value through its schema sanitizer; this // exercises it end-to-end through handleSave (not just the schema unit): // a javascript: button url is stripped before it reaches post_content. public function test_patch_url_javascript_scheme_is_stripped_in_stored_content() { $this->loginAsAdmin(); $postId = self::factory()->post->create([ 'post_content' => '<!-- wp:button --><div class="wp-block-button">' . '<a class="wp-block-button__link" href="http://ok">go</a>' . '</div><!-- /wp:button -->', ]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/button', 'patches' => [['fieldKey' => 'url', 'value' => 'javascript:alert(1)']], ])); $this->assertSame(200, $res->get_status()); $stored = get_post($postId)->post_content; $this->assertStringNotContainsString('javascript:', $stored); $this->assertStringNotContainsString('href=', $stored); } // The rawBlock path kses's innerHTML but never esc_url_raw's the url, and // core/button is the only url-carrying type it accepts. kses strips the // javascript: scheme from the href; the comment-attr url survives verbatim // but a static block never re-emits it, so neither exit is executable. public function test_rawBlock_button_javascript_url_never_reaches_rendered_or_stored_href() { $this->loginAsAdmin(); $postId = self::factory()->post->create([ 'post_content' => '<!-- wp:button --><div class="wp-block-button">' . '<a class="wp-block-button__link" href="http://ok">go</a>' . '</div><!-- /wp:button -->', ]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/button', 'rawBlock' => '<!-- wp:button {"url":"javascript:alert(1)"} -->' . '<div class="wp-block-button">' . '<a class="wp-block-button__link" href="javascript:alert(1)">x</a>' . '</div><!-- /wp:button -->', ])); $this->assertSame(200, $res->get_status()); $stored = get_post($postId)->post_content; $rendered = $res->get_data()['rendered']; $this->assertStringNotContainsString('javascript:', $rendered); $this->assertStringNotContainsString('href="javascript:', $stored); } public function test_rawBlock_heading_passes_allowlist_and_keeps_safe_markup() { $this->loginAsAdmin(); $postId = self::factory()->post->create([ 'post_content' => '<!-- wp:heading --><h2>old</h2><!-- /wp:heading -->', ]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/heading', 'rawBlock' => '<!-- wp:heading --><h2>Safe <strong>title</strong></h2><!-- /wp:heading -->', ])); $this->assertSame(200, $res->get_status()); $stored = get_post($postId)->post_content; $this->assertStringContainsString('<h2>Safe <strong>title</strong></h2>', $stored); } // The header phone CTA is a core/paragraph whose only content is a tel: // link (AutoLaunch's ext-nav-extras-phone). Editing the visible digits in // RichText keeps the link format but only swaps the text, so the anchor's // href/data-id stay pointed at the OLD number and tap-to-call would dial // the stale digits. The save must re-point href + data-id (and pin // data-type) at the number the user now sees. public function test_phone_paragraph_tel_link_syncs_to_edited_digits() { $this->loginAsAdmin(); $slug = 'qe-test-header-' . wp_generate_password(6, false); $partId = self::factory()->post->create([ 'post_type' => 'wp_template_part', 'post_name' => $slug, 'post_status' => 'publish', 'post_content' => '<!-- wp:paragraph {"className":"no-underline"} -->' . '<p class="no-underline"><a href="tel:206-555-0100" data-type="tel" data-id="tel:206-555-0100">206-555-0100</a></p>' . '<!-- /wp:paragraph -->', ]); wp_set_object_terms($partId, get_stylesheet(), 'wp_theme'); // RichText preserves the anchor (href/data-id stale) and changes text only. $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'template-part', 'partSlug' => $slug], 'blockId' => 1, 'blockType' => 'core/paragraph', 'rawBlock' => '<!-- wp:paragraph {"className":"no-underline"} -->' . '<p class="no-underline"><a href="tel:206-555-0100" data-type="tel" data-id="tel:206-555-0100">206-555-9999</a></p>' . '<!-- /wp:paragraph -->', ])); $this->assertSame(200, $res->get_status()); $stored = get_post($partId)->post_content; $rendered = $res->get_data()['rendered']; // All three anchor attributes track the edited digits and agree. $this->assertStringContainsString('href="tel:2065559999"', $stored); $this->assertStringContainsString('data-id="tel:2065559999"', $stored); $this->assertStringContainsString('data-type="tel"', $stored); // The stale number is gone from the link target... $this->assertStringNotContainsString('tel:206-555-0100', $stored); // ...but the visible digits the user typed are left untouched. $this->assertStringContainsString('>206-555-9999<', $stored); // The re-rendered HTML spliced into the live DOM dials the new number. $this->assertStringContainsString('href="tel:2065559999"', $rendered); } // A leading + (international dialing prefix) is the one non-digit kept; the // rest of the visual formatting (spaces, parens, dashes) is stripped. public function test_phone_paragraph_keeps_leading_plus_for_international_numbers() { $this->loginAsAdmin(); $postId = self::factory()->post->create([ 'post_content' => '<!-- wp:paragraph --><p><a href="tel:2065550100" data-type="tel" data-id="tel:2065550100">206-555-0100</a></p><!-- /wp:paragraph -->', ]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'rawBlock' => '<!-- wp:paragraph --><p><a href="tel:2065550100" data-type="tel" data-id="tel:2065550100">+1 (206) 555-0199</a></p><!-- /wp:paragraph -->', ])); $this->assertSame(200, $res->get_status()); $stored = get_post($postId)->post_content; $this->assertStringContainsString('href="tel:+12065550199"', $stored); $this->assertStringContainsString('data-id="tel:+12065550199"', $stored); } // The rewrite is scoped to tel: links: a paragraph whose link is an // ordinary http(s) URL is saved exactly as the editor serialized it. public function test_paragraph_with_http_link_is_left_untouched() { $this->loginAsAdmin(); $postId = self::factory()->post->create([ 'post_content' => '<!-- wp:paragraph --><p>old</p><!-- /wp:paragraph -->', ]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'rawBlock' => '<!-- wp:paragraph --><p>Visit <a href="https://example.com/contact">our page</a> today</p><!-- /wp:paragraph -->', ])); $this->assertSame(200, $res->get_status()); $stored = get_post($postId)->post_content; $this->assertStringContainsString('href="https://example.com/contact"', $stored); $this->assertStringNotContainsString('tel:', $stored); } // If the edited text yields no usable phone number, leave the existing // tel: href intact rather than writing a broken link. public function test_tel_link_with_unparseable_text_keeps_prior_href() { $this->loginAsAdmin(); $postId = self::factory()->post->create([ 'post_content' => '<!-- wp:paragraph --><p>old</p><!-- /wp:paragraph -->', ]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'rawBlock' => '<!-- wp:paragraph --><p><a href="tel:206-555-0100" data-type="tel" data-id="tel:206-555-0100">Call us today!</a></p><!-- /wp:paragraph -->', ])); $this->assertSame(200, $res->get_status()); $stored = get_post($postId)->post_content; $this->assertStringContainsString('href="tel:206-555-0100"', $stored); $this->assertStringContainsString('Call us today!', $stored); } public function test_init_hooks_registerRoutes_into_rest_api_init() { remove_all_filters('rest_api_init'); SaveController::init(); $this->assertNotFalse( has_action('rest_api_init', [SaveController::class, 'registerRoutes']) ); } // Block ids are best-effort (render-time vs parse-time can diverge). When // the count lands on the wrong same-type block, the fingerprint identifies // the one the user clicked — recover to it rather than refusing or // corrupting the counted block. public function test_fingerprint_recovers_to_matching_block_when_count_misresolves() { $this->loginAsAdmin(); $content = '<!-- wp:paragraph --><p>alpha</p><!-- /wp:paragraph -->' . '<!-- wp:paragraph --><p>bravo</p><!-- /wp:paragraph -->'; $postId = self::factory()->post->create(['post_content' => $content]); // blockId 1 counts to "alpha", but the user clicked "bravo". $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'fingerprint' => ['text' => 'bravo'], 'patches' => [['fieldKey' => 'content', 'value' => 'updated']], ])); $this->assertSame(200, $res->get_status()); $stored = get_post($postId)->post_content; $this->assertStringContainsString('<p>alpha</p>', $stored); $this->assertStringContainsString('<p>updated</p>', $stored); $this->assertStringNotContainsString('<p>bravo</p>', $stored); } // Recovery only fires on a unique match. When the fingerprint matches no // block of this type, refuse without writing (no silent corruption). public function test_fingerprint_with_no_matching_block_returns_409() { $this->loginAsAdmin(); $content = '<!-- wp:paragraph --><p>alpha</p><!-- /wp:paragraph -->' . '<!-- wp:paragraph --><p>bravo</p><!-- /wp:paragraph -->'; $postId = self::factory()->post->create(['post_content' => $content]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'fingerprint' => ['text' => 'no block has this text'], 'patches' => [['fieldKey' => 'content', 'value' => 'corrupted']], ])); $this->assertSame(409, $res->get_status()); $this->assertSame('block fingerprint mismatch', $res->get_data()['error']); $this->assertSame($content, get_post($postId)->post_content); } // Ambiguous match (two blocks share the fingerprint text) can't be resolved // safely — refuse rather than guess. public function test_fingerprint_ambiguous_match_returns_409() { $this->loginAsAdmin(); $content = '<!-- wp:paragraph --><p>same text</p><!-- /wp:paragraph -->' . '<!-- wp:paragraph --><p>same text</p><!-- /wp:paragraph -->'; $postId = self::factory()->post->create(['post_content' => $content]); // blockId 5 is past the end, forcing recovery; fingerprint matches both. $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 5, 'blockType' => 'core/paragraph', 'fingerprint' => ['text' => 'same text'], 'patches' => [['fieldKey' => 'content', 'value' => 'corrupted']], ])); $this->assertSame(409, $res->get_status()); $this->assertSame($content, get_post($postId)->post_content); } // A block-level shortcode render (e.g. [products] -> a <div>) can't nest in // a <p>, so the browser splits the paragraph and the live element's text is // truncated. The fingerprint is then only a prefix of the stored block; // recover to the unique block it prefixes. public function test_fingerprint_recovers_via_prefix_when_render_truncates_the_paragraph() { $this->loginAsAdmin(); $content = '<!-- wp:paragraph --><p>oane[products]new line</p><!-- /wp:paragraph -->' . '<!-- wp:paragraph --><p>another text entirely</p><!-- /wp:paragraph -->' . '<!-- wp:paragraph --><p>small</p><!-- /wp:paragraph -->'; $postId = self::factory()->post->create(['post_content' => $content]); // The live element was truncated to "oane"; the stored block is the full // "oane[products]new line". $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'fingerprint' => ['text' => 'oane'], 'rawBlock' => '<!-- wp:paragraph --><p>oane[products]new line and more</p><!-- /wp:paragraph -->', ])); $this->assertSame(200, $res->get_status()); $this->assertStringContainsString('oane[products]new line and more', get_post($postId)->post_content); $this->assertStringContainsString('<p>small</p>', get_post($postId)->post_content); } // A truncated (prefix) fingerprint that prefixes two blocks can't be // resolved — refuse rather than guess. public function test_prefix_match_ambiguous_returns_409() { $this->loginAsAdmin(); $content = '<!-- wp:paragraph --><p>oane first variant</p><!-- /wp:paragraph -->' . '<!-- wp:paragraph --><p>oane second variant</p><!-- /wp:paragraph -->'; $postId = self::factory()->post->create(['post_content' => $content]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'fingerprint' => ['text' => 'oane'], 'patches' => [['fieldKey' => 'content', 'value' => 'corrupted']], ])); $this->assertSame(409, $res->get_status()); $this->assertSame($content, get_post($postId)->post_content); } // The general fingerprint recovery resolves social-links by their unique // `service` attr when the count misses — the same job the old social-link // special-case did, now covered by findBlocksByFingerprint. public function test_social_link_recovers_by_service_when_count_misses() { $this->loginAsAdmin(); $content = '<!-- wp:social-links --><ul class="wp-block-social-links">' . '<!-- wp:social-link {"url":"https://fb.com/x","service":"facebook"} /-->' . '<!-- wp:social-link {"url":"https://x.com/y","service":"twitter"} /-->' . '</ul><!-- /wp:social-links -->'; $postId = self::factory()->post->create(['post_content' => $content]); // blockId past the end forces a count miss; service identifies the item. $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 99, 'blockType' => 'core/social-link', 'fingerprint' => ['service' => 'twitter'], 'patches' => [['fieldKey' => 'url', 'value' => 'https://x.com/updated']], ])); $this->assertSame(200, $res->get_status()); $stored = get_post($postId)->post_content; $this->assertStringContainsString('https://x.com/updated', $stored); $this->assertStringContainsString('https://fb.com/x', $stored); } public function test_matching_fingerprint_allows_save() { $this->loginAsAdmin(); $content = '<!-- wp:paragraph --><p>alpha</p><!-- /wp:paragraph -->' . '<!-- wp:paragraph --><p>bravo</p><!-- /wp:paragraph -->'; $postId = self::factory()->post->create(['post_content' => $content]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 2, 'blockType' => 'core/paragraph', 'fingerprint' => ['text' => 'bravo'], 'patches' => [['fieldKey' => 'content', 'value' => 'updated']], ])); $this->assertSame(200, $res->get_status()); $stored = get_post($postId)->post_content; $this->assertStringContainsString('<p>alpha</p>', $stored); $this->assertStringContainsString('<p>updated</p>', $stored); } // Recovery applies to the rawBlock (text-editor) path too: the count points // at the wrong block, the fingerprint identifies the right one, and the // whole-block rawBlock lands there. public function test_rawBlock_save_recovers_to_matching_block() { $this->loginAsAdmin(); $content = '<!-- wp:paragraph --><p>alpha</p><!-- /wp:paragraph -->' . '<!-- wp:paragraph --><p>bravo</p><!-- /wp:paragraph -->'; $postId = self::factory()->post->create(['post_content' => $content]); // blockId 2 counts to "bravo"; the user clicked "alpha". $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 2, 'blockType' => 'core/paragraph', 'fingerprint' => ['text' => 'alpha'], 'rawBlock' => '<!-- wp:paragraph --><p>alpha rewritten</p><!-- /wp:paragraph -->', ])); $this->assertSame(200, $res->get_status()); $stored = get_post($postId)->post_content; $this->assertStringContainsString('<p>alpha rewritten</p>', $stored); $this->assertStringContainsString('<p>bravo</p>', $stored); $this->assertStringNotContainsString('<p>alpha</p>', $stored); } // The client reads a block's text from the rendered DOM, where the_content // has run wptexturize (straight apostrophe -> curly). The fingerprint of // that rendered text must still match the straight-quote markup the server // parses, or every prose block with an apostrophe false-409s. (Field // report: editing a paragraph containing "Woody's".) public function test_fingerprint_matches_wptexturized_rendered_text() { $this->loginAsAdmin(); $content = "<!-- wp:paragraph --><p>Welcome to Woody's shop, the best deals</p><!-- /wp:paragraph -->"; $postId = self::factory()->post->create(['post_content' => $content]); // Mimic the browser: wptexturize emits ’ in the HTML, and the // client reads the live node's textContent, which decodes it to a // curly apostrophe. $rendered = apply_filters('the_content', get_post($postId)->post_content); $renderedText = trim(html_entity_decode(wp_strip_all_tags($rendered), ENT_QUOTES)); $this->assertStringContainsString( "\u{2019}", $renderedText, 'sanity: wptexturize should have curled the apostrophe in the rendered text' ); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'fingerprint' => ['text' => $renderedText], 'patches' => [['fieldKey' => 'content', 'value' => 'updated']], ])); $this->assertSame(200, $res->get_status()); $this->assertStringContainsString('updated', get_post($postId)->post_content); } // A shortcode (or any the_content transform) renders to different text than // the raw stored markup, so the client's rendered-DOM fingerprint can't // match the parsed markup. The gate must render the block the same way the // page does and retry before refusing. (Field report: a paragraph with a // shortcode became permanently uneditable.) public function test_fingerprint_falls_back_to_rendered_text_for_shortcodes() { $this->loginAsAdmin(); add_shortcode('ext_fp_probe', static fn () => 'EXPANDED'); $content = '<!-- wp:paragraph --><p>Hello [ext_fp_probe] world</p><!-- /wp:paragraph -->'; $postId = self::factory()->post->create(['post_content' => $content]); // Client reads "Hello EXPANDED world" from the DOM; raw markup still has // the literal "[ext_fp_probe]". $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'fingerprint' => ['text' => 'Hello EXPANDED world'], 'patches' => [['fieldKey' => 'content', 'value' => 'updated']], ])); remove_shortcode('ext_fp_probe'); $this->assertSame(200, $res->get_status()); $this->assertStringContainsString('updated', get_post($postId)->post_content); } // The re-render echo sets $GLOBALS['post'] to the source, but in a REST // request wp_reset_postdata() can't restore it (the main query has no // post), so a template-part save would leave global $post dangling. The // save must snapshot and restore it. public function test_global_post_is_restored_after_save() { $this->loginAsAdmin(); $sentinelId = self::factory()->post->create([ 'post_content' => '<!-- wp:paragraph --><p>sentinel</p><!-- /wp:paragraph -->', ]); $targetId = self::factory()->post->create([ 'post_content' => '<!-- wp:paragraph --><p>hi</p><!-- /wp:paragraph -->', ]); $GLOBALS['post'] = get_post($sentinelId); $before = $GLOBALS['post']; $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $targetId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'patches' => [['fieldKey' => 'content', 'value' => 'updated']], ])); $this->assertSame(200, $res->get_status()); $after = $GLOBALS['post'] ?? null; $this->assertSame($before, $after); $this->assertInstanceOf(\WP_Post::class, $after); $this->assertSame($sentinelId, $after->ID); } // --- Translated-content guard --- // The corruption hole this closes: a text save with no fingerprint would // otherwise pass the count gate and overwrite the source post_content. On a // translated render (client-forwarded context) the rawBlock save is refused // even without a fingerprint, and nothing is written. public function test_rawBlock_text_save_on_translated_render_is_refused_without_fingerprint() { $this->loginAsAdmin(); $content = '<!-- wp:paragraph --><p>hola</p><!-- /wp:paragraph -->'; $postId = self::factory()->post->create(['post_content' => $content]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'rawBlock' => '<!-- wp:paragraph --><p>overwritten</p><!-- /wp:paragraph -->', 'translatedContext' => ['isTranslated' => true, 'plugin' => 'translatepress'], ])); $this->assertSame(409, $res->get_status()); $this->assertSame('translated_content', $res->get_data()['error']); $this->assertSame($content, get_post($postId)->post_content); } // Server-side detection is the backstop when the client doesn't forward // context: a TranslatePress non-default render (default en_US, current // es_ES) refuses the text save on its own. public function test_rawBlock_text_save_refused_when_server_detects_translatepress() { $this->loginAsAdmin(); update_option('trp_settings', ['default-language' => 'en_US']); $GLOBALS['TRP_LANGUAGE'] = 'es_ES'; $content = '<!-- wp:heading --><h2>hola</h2><!-- /wp:heading -->'; $postId = self::factory()->post->create(['post_content' => $content]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/heading', 'rawBlock' => '<!-- wp:heading --><h2>overwritten</h2><!-- /wp:heading -->', ])); $this->assertSame(409, $res->get_status()); $this->assertSame('translated_content', $res->get_data()['error']); $this->assertSame($content, get_post($postId)->post_content); } // The text guard also covers the schema-patch path (content / text fields), // not just the rawBlock text editor. public function test_content_patch_on_translated_render_is_refused() { $this->loginAsAdmin(); $content = '<!-- wp:paragraph --><p>hola</p><!-- /wp:paragraph -->'; $postId = self::factory()->post->create(['post_content' => $content]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'patches' => [['fieldKey' => 'content', 'value' => 'overwritten']], 'translatedContext' => ['isTranslated' => true, 'plugin' => 'polylang'], ])); $this->assertSame(409, $res->get_status()); $this->assertSame($content, get_post($postId)->post_content); } // Non-text edits stay allowed on a translated render: an alignment patch // (shared, untranslated layout) saves normally. public function test_alignment_patch_on_translated_render_is_allowed() { $this->loginAsAdmin(); $content = '<!-- wp:paragraph --><p>hola</p><!-- /wp:paragraph -->'; $postId = self::factory()->post->create(['post_content' => $content]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'patches' => [['fieldKey' => 'align', 'value' => 'center']], 'translatedContext' => ['isTranslated' => true, 'plugin' => 'translatepress'], ])); $this->assertSame(200, $res->get_status()); $this->assertStringContainsString( 'has-text-align-center', get_post($postId)->post_content ); } // Default-language renders are unaffected: a text save with the context // flagged not-translated proceeds and writes. public function test_text_save_on_default_language_is_allowed() { $this->loginAsAdmin(); $postId = self::factory()->post->create([ 'post_content' => '<!-- wp:paragraph --><p>old</p><!-- /wp:paragraph -->', ]); $res = SaveController::handleSave($this->jsonRequest([ 'source' => ['kind' => 'post', 'id' => $postId], 'blockId' => 1, 'blockType' => 'core/paragraph', 'rawBlock' => '<!-- wp:paragraph --><p>new</p><!-- /wp:paragraph -->', 'translatedContext' => ['isTranslated' => false, 'plugin' => null], ])); $this->assertSame(200, $res->get_status()); $this->assertStringContainsString('<p>new</p>', get_post($postId)->post_content); } private function jsonRequest(array $body): \WP_REST_Request { $req = new \WP_REST_Request('POST', '/extendify/v1/quick-edit/save'); $req->set_header('Content-Type', 'application/json'); $req->set_body(wp_json_encode($body)); return $req; } private function loginAsAdmin(): void { $admin = self::factory()->user->create(['role' => 'administrator']); wp_set_current_user($admin); } private function resetRegistry(): void { $reflection = new ReflectionClass(Registry::class); $prop = $reflection->getProperty('schemas'); $prop->setAccessible(true); $prop->setValue(null, []); } }