require_once( ABSPATH . WPINC . '/customize/class-wp-customize-nav-menu-setting.php' );
/**
- * Filter the core Customizer components to load.
+ * Filters the core Customizer components to load.
*
* This allows Core components to be excluded from being instantiated by
* filtering them out of the array. Note that this filter generally runs
}
/**
- * Return true if it's an AJAX request.
+ * Return true if it's an Ajax request.
*
* @since 3.4.0
* @since 4.2.0 Added `$action` param.
* @access public
*
- * @param string|null $action Whether the supplied AJAX action is being run.
- * @return bool True if it's an AJAX request, false otherwise.
+ * @param string|null $action Whether the supplied Ajax action is being run.
+ * @return bool True if it's an Ajax request, false otherwise.
*/
public function doing_ajax( $action = null ) {
$doing_ajax = ( defined( 'DOING_AJAX' ) && DOING_AJAX );
/**
* Custom wp_die wrapper. Returns either the standard message for UI
- * or the AJAX message.
+ * or the Ajax message.
*
* @since 3.4.0
*
- * @param mixed $ajax_message AJAX return
+ * @param mixed $ajax_message Ajax return
* @param mixed $message UI message
*/
protected function wp_die( $ajax_message, $message = null ) {
}
/**
- * Return the AJAX wp_die() handler if it's a customized request.
+ * Return the Ajax wp_die() handler if it's a customized request.
*
* @since 3.4.0
*
show_admin_bar( false );
if ( ! current_user_can( 'customize' ) ) {
- $this->wp_die( -1, __( 'You are not allowed to customize the appearance of this site.' ) );
+ $this->wp_die( -1, __( 'Sorry, you are not allowed to customize this site.' ) );
}
$this->original_stylesheet = get_stylesheet();
// If the requested theme is not the active theme and the user doesn't have the
// switch_themes cap, bail.
if ( ! current_user_can( 'switch_themes' ) ) {
- $this->wp_die( -1, __( 'You are not allowed to edit theme options on this site.' ) );
+ $this->wp_die( -1, __( 'Sorry, you are not allowed to edit theme options on this site.' ) );
}
// If the theme has errors while loading, bail.
* @since 3.4.0
*/
public function after_setup_theme() {
- $doing_ajax_or_is_customized = ( $this->doing_ajax() || isset( $_SERVER['customized'] ) );
+ $doing_ajax_or_is_customized = ( $this->doing_ajax() || isset( $_POST['customized'] ) );
if ( ! $doing_ajax_or_is_customized && ! validate_current_theme() ) {
wp_redirect( 'themes.php?broken=true' );
exit;
}
/**
- * Prevents AJAX requests from following redirects when previewing a theme
+ * Prevents Ajax requests from following redirects when previewing a theme
* by issuing a 200 response instead of a 30x.
*
* Instead, the JS will sniff out the location header.
}
/**
- * Return the sanitized value for a given setting from the request's POST data.
+ * Returns the sanitized value for a given setting from the request's POST data.
*
* @since 3.4.0
- * @since 4.1.1 Introduced 'default' parameter.
+ * @since 4.1.1 Introduced the `$default` parameter.
+ * @since 4.6.0 `$default` is now returned early when the setting post value is invalid.
+ * @access public
+ *
+ * @see WP_REST_Server::dispatch()
+ * @see WP_Rest_Request::sanitize_params()
+ * @see WP_Rest_Request::has_valid_params()
*
- * @param WP_Customize_Setting $setting A WP_Customize_Setting derived object
- * @param mixed $default value returned $setting has no post value (added in 4.2.0).
- * @return string|mixed $post_value Sanitized value or the $default provided
+ * @param WP_Customize_Setting $setting A WP_Customize_Setting derived object.
+ * @param mixed $default Value returned $setting has no post value (added in 4.2.0)
+ * or the post value is invalid (added in 4.6.0).
+ * @return string|mixed $post_value Sanitized value or the $default provided.
*/
public function post_value( $setting, $default = null ) {
$post_values = $this->unsanitized_post_values();
- if ( array_key_exists( $setting->id, $post_values ) ) {
- return $setting->sanitize( $post_values[ $setting->id ] );
- } else {
+ if ( ! array_key_exists( $setting->id, $post_values ) ) {
+ return $default;
+ }
+ $value = $post_values[ $setting->id ];
+ $valid = $setting->validate( $value );
+ if ( is_wp_error( $valid ) ) {
return $default;
}
+ $value = $setting->sanitize( $value );
+ if ( is_null( $value ) || is_wp_error( $value ) ) {
+ return $default;
+ }
+ return $value;
}
/**
/**
* Announce when a specific setting's unsanitized post value has been set.
*
- * Fires when the {@see WP_Customize_Manager::set_post_value()} method is called.
+ * Fires when the WP_Customize_Manager::set_post_value() method is called.
*
* The dynamic portion of the hook name, `$setting_id`, refers to the setting ID.
*
/**
* Announce when any setting's unsanitized post value has been set.
*
- * Fires when the {@see WP_Customize_Manager::set_post_value()} method is called.
+ * Fires when the WP_Customize_Manager::set_post_value() method is called.
*
* This is useful for `WP_Customize_Setting` instances to watch
* in order to update a cached previewed value.
/**
* Prevent sending a 404 status when returning the response for the customize
- * preview, since it causes the jQuery AJAX to fail. Send 200 instead.
+ * preview, since it causes the jQuery Ajax to fail. Send 200 instead.
*
* @since 4.0.0
* @access public
* @since 3.4.0
*/
public function customize_preview_settings() {
+ $setting_validities = $this->validate_setting_values( $this->unsanitized_post_values() );
+ $exported_setting_validities = array_map( array( $this, 'prepare_setting_validity_for_js' ), $setting_validities );
+
$settings = array(
'theme' => array(
'stylesheet' => $this->get_stylesheet(),
'activePanels' => array(),
'activeSections' => array(),
'activeControls' => array(),
+ 'settingValidities' => $exported_setting_validities,
'nonce' => $this->get_nonces(),
'l10n' => array(
'shiftClickToEdit' => __( 'Shift-click to edit this element.' ),
*
* @since 3.4.0
*
- * @param mixed $return Value passed through for wp_die_handler filter.
- * @return mixed Value passed through for wp_die_handler filter.
+ * @param mixed $return Value passed through for {@see 'wp_die_handler'} filter.
+ * @return mixed Value passed through for {@see 'wp_die_handler'} filter.
*/
public function remove_preview_signature( $return = null ) {
remove_action( 'shutdown', array( $this, 'customize_preview_signature' ), 1000 );
}
/**
- * Filter the current theme and return the name of the previewed theme.
+ * Filters the current theme and return the name of the previewed theme.
*
* @since 3.4.0
*
return $this->theme()->display('Name');
}
+ /**
+ * Validates setting values.
+ *
+ * Sanitization is applied to the values before being passed for validation.
+ * Validation is skipped for unregistered settings or for values that are
+ * already null since they will be skipped anyway.
+ *
+ * @since 4.6.0
+ * @access public
+ *
+ * @see WP_REST_Request::has_valid_params()
+ * @see WP_Customize_Setting::validate()
+ *
+ * @param array $setting_values Mapping of setting IDs to values to sanitize and validate.
+ * @return array Mapping of setting IDs to return value of validate method calls, either `true` or `WP_Error`.
+ */
+ public function validate_setting_values( $setting_values ) {
+ $validities = array();
+ foreach ( $setting_values as $setting_id => $unsanitized_value ) {
+ $setting = $this->get_setting( $setting_id );
+ if ( ! $setting || is_null( $unsanitized_value ) ) {
+ continue;
+ }
+ $validity = $setting->validate( $unsanitized_value );
+ if ( ! is_wp_error( $validity ) ) {
+ $value = $setting->sanitize( $unsanitized_value );
+ if ( is_null( $value ) ) {
+ $validity = false;
+ } elseif ( is_wp_error( $value ) ) {
+ $validity = $value;
+ }
+ }
+ if ( false === $validity ) {
+ $validity = new WP_Error( 'invalid_value', __( 'Invalid value.' ) );
+ }
+ $validities[ $setting_id ] = $validity;
+ }
+ return $validities;
+ }
+
+ /**
+ * Prepares setting validity for exporting to the client (JS).
+ *
+ * Converts `WP_Error` instance into array suitable for passing into the
+ * `wp.customize.Notification` JS model.
+ *
+ * @since 4.6.0
+ * @access public
+ *
+ * @param true|WP_Error $validity Setting validity.
+ * @return true|array If `$validity` was a WP_Error, the error codes will be array-mapped
+ * to their respective `message` and `data` to pass into the
+ * `wp.customize.Notification` JS model.
+ */
+ public function prepare_setting_validity_for_js( $validity ) {
+ if ( is_wp_error( $validity ) ) {
+ $notification = array();
+ foreach ( $validity->errors as $error_code => $error_messages ) {
+ $error_data = $validity->get_error_data( $error_code );
+ if ( is_null( $error_data ) ) {
+ $error_data = array();
+ }
+ $error_data = array_merge(
+ $error_data,
+ array( 'from_server' => true )
+ );
+ $notification[ $error_code ] = array(
+ 'message' => join( ' ', $error_messages ),
+ 'data' => $error_data,
+ );
+ }
+ return $notification;
+ } else {
+ return true;
+ }
+ }
+
/**
* Switch the theme and trigger the save() method on each setting.
*
wp_send_json_error( 'invalid_nonce' );
}
+ /**
+ * Fires before save validation happens.
+ *
+ * Plugins can add just-in-time {@see 'customize_validate_{$this->ID}'} filters
+ * at this point to catch any settings registered after `customize_register`.
+ * The dynamic portion of the hook name, `$this->ID` refers to the setting ID.
+ *
+ * @since 4.6.0
+ *
+ * @param WP_Customize_Manager $this WP_Customize_Manager instance.
+ */
+ do_action( 'customize_save_validation_before', $this );
+
+ // Validate settings.
+ $setting_validities = $this->validate_setting_values( $this->unsanitized_post_values() );
+ $invalid_setting_count = count( array_filter( $setting_validities, 'is_wp_error' ) );
+ $exported_setting_validities = array_map( array( $this, 'prepare_setting_validity_for_js' ), $setting_validities );
+ if ( $invalid_setting_count > 0 ) {
+ $response = array(
+ 'setting_validities' => $exported_setting_validities,
+ 'message' => sprintf( _n( 'There is %s invalid setting.', 'There are %s invalid settings.', $invalid_setting_count ), number_format_i18n( $invalid_setting_count ) ),
+ );
+
+ /** This filter is documented in wp-includes/class-wp-customize-manager.php */
+ $response = apply_filters( 'customize_save_response', $response, $this );
+ wp_send_json_error( $response );
+ }
+
// Do we have to switch themes?
if ( ! $this->is_theme_active() ) {
// Temporarily stop previewing the theme to allow switch_themes()
*/
do_action( 'customize_save_after', $this );
+ $data = array(
+ 'setting_validities' => $exported_setting_validities,
+ );
+
/**
- * Filter response data for a successful customize_save AJAX request.
+ * Filters response data for a successful customize_save Ajax request.
*
* This filter does not apply if there was a nonce or authentication failure.
*
* event on `wp.customize`.
* @param WP_Customize_Manager $this WP_Customize_Manager instance.
*/
- $response = apply_filters( 'customize_save_response', array(), $this );
+ $response = apply_filters( 'customize_save_response', $data, $this );
wp_send_json_success( $response );
}
$setting_class = 'WP_Customize_Setting';
/**
- * Filter a dynamic setting's constructor args.
+ * Filters a dynamic setting's constructor args.
*
* For a dynamic setting to be registered, this filter must be employed
* to override the default false value with an array of args to pass to
'<a href="' . esc_url( 'https://developer.wordpress.org/reference/hooks/customize_loaded_components/' ) . '"><code>customize_loaded_components</code></a>'
);
- _doing_it_wrong( __METHOD__, $message, '4.5' );
+ _doing_it_wrong( __METHOD__, $message, '4.5.0' );
}
unset( $this->panels[ $id ] );
}
* @access public
*
* @param string $control Name of a custom control which is a subclass of
- * {@see WP_Customize_Control}.
+ * WP_Customize_Control.
*/
public function register_control_type( $control ) {
$this->registered_control_types[] = $control;
) );
$control->print_template();
}
+ ?>
+ <script type="text/html" id="tmpl-customize-control-notifications">
+ <ul>
+ <# _.each( data.notifications, function( notification ) { #>
+ <li class="notice notice-{{ notification.type || 'info' }} {{ data.altNotice ? 'notice-alt' : '' }}" data-code="{{ notification.code }}" data-type="{{ notification.type }}">{{ notification.message || notification.code }}</li>
+ <# } ); #>
+ </ul>
+ </script>
+ <?php
}
/**
* @param string $preview_url URL to be previewed.
*/
public function set_preview_url( $preview_url ) {
+ $preview_url = esc_url_raw( $preview_url );
$this->preview_url = wp_validate_redirect( $preview_url, home_url( '/' ) );
}
* @param string $return_url URL for return link.
*/
public function set_return_url( $return_url ) {
+ $return_url = esc_url_raw( $return_url );
$return_url = remove_query_arg( wp_removable_query_args(), $return_url );
$return_url = wp_validate_redirect( $return_url );
$this->return_url = $return_url;
);
/**
- * Filter nonces for Customizer.
+ * Filters nonces for Customizer.
*
* @since 4.2.0
*
}
/**
- * Filter the list of URLs allowed to be clicked and followed in the Customizer preview.
+ * Filters the list of URLs allowed to be clicked and followed in the Customizer preview.
*
* @since 3.4.0
*
printf(
"s[%s] = %s;\n",
wp_json_encode( $setting->id ),
- wp_json_encode( array(
- 'value' => $setting->js_value(),
- 'transport' => $setting->transport,
- 'dirty' => $setting->dirty,
- ) )
+ wp_json_encode( $setting->json() )
);
}
}
);
/**
- * Filter the available devices to allow previewing in the Customizer.
+ * Filters the available devices to allow previewing in the Customizer.
*
* @since 4.5.0
*
return get_custom_logo();
}
}
-
-/**
- * Sanitizes a hex color.
- *
- * Returns either '', a 3 or 6 digit hex color (with #), or nothing.
- * For sanitizing values without a #, see sanitize_hex_color_no_hash().
- *
- * @since 3.4.0
- *
- * @param string $color
- * @return string|void
- */
-function sanitize_hex_color( $color ) {
- if ( '' === $color )
- return '';
-
- // 3 or 6 hex digits, or the empty string.
- if ( preg_match('|^#([A-Fa-f0-9]{3}){1,2}$|', $color ) )
- return $color;
-}
-
-/**
- * Sanitizes a hex color without a hash. Use sanitize_hex_color() when possible.
- *
- * Saving hex colors without a hash puts the burden of adding the hash on the
- * UI, which makes it difficult to use or upgrade to other color types such as
- * rgba, hsl, rgb, and html color names.
- *
- * Returns either '', a 3 or 6 digit hex color (without a #), or null.
- *
- * @since 3.4.0
- *
- * @param string $color
- * @return string|null
- */
-function sanitize_hex_color_no_hash( $color ) {
- $color = ltrim( $color, '#' );
-
- if ( '' === $color )
- return '';
-
- return sanitize_hex_color( '#' . $color ) ? $color : null;
-}
-
-/**
- * Ensures that any hex color is properly hashed.
- * Otherwise, returns value untouched.
- *
- * This method should only be necessary if using sanitize_hex_color_no_hash().
- *
- * @since 3.4.0
- *
- * @param string $color
- * @return string
- */
-function maybe_hash_hex_color( $color ) {
- if ( $unhashed = sanitize_hex_color_no_hash( $color ) )
- return '#' . $unhashed;
-
- return $color;
-}