Use wp_kses in place of wp_filter_post_kses to sanitize post title

May fix #2788 This PR switches from using `wp_filter_post_kses()` for `post_title` sanitization to calling `wp_kses` directly: #2788 describes that the core behavior is to call `wp_filter_kses()`, but @westonruter notes in that thread that the slash handling in `wp_filter_kses` is lossy so using the underlying implementation of `wp_filter_kses` without the de-slashing and re-slashing should provide adequate sanitization without compromising the integrity of the content. Review requested especially from @rachelbaker or @westonruter
WP-API · Oct 15, 2016 · 7739be4 · 7739be4
1 parent 6563324
commit 7739be4
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/lib/endpoints/class-wp-rest-posts-controller.php b/lib/endpoints/class-wp-rest-posts-controller.php
@@ -824,9 +824,10 @@ protected function prepare_item_for_database( $request ) {
 		// Post title.
 		if ( ! empty( $schema['properties']['title'] ) && isset( $request['title'] ) ) {
 			if ( is_string( $request['title'] ) ) {
-				$prepared_post->post_title = wp_filter_post_kses( $request['title'] );
+				// wp_filter_kses slash handling is lossy: use the underlying methods directly
+				$prepared_post->post_title = wp_kses( $request['title'], current_filter() );
 			} elseif ( ! empty( $request['title']['raw'] ) ) {
-				$prepared_post->post_title = wp_filter_post_kses( $request['title']['raw'] );
+				$prepared_post->post_title = wp_kses( $request['title']['raw'], current_filter() );
 			}
 		}