X-Git-Url: https://scripts.mit.edu/gitweb/autoinstalls/wordpress.git/blobdiff_plain/c81aba3d563f7459dc79140e4c5be67bcf506b92..e3ff8f35458a959c1879c0a4976701ed8dcfe651:/wp-includes/class-wp-customize-manager.php diff --git a/wp-includes/class-wp-customize-manager.php b/wp-includes/class-wp-customize-manager.php index b7895563..f80708a2 100644 --- a/wp-includes/class-wp-customize-manager.php +++ b/wp-includes/class-wp-customize-manager.php @@ -66,6 +66,15 @@ final class WP_Customize_Manager { */ public $nav_menus; + /** + * Methods and properties dealing with selective refresh in the Customizer preview. + * + * @since 4.5.0 + * @access public + * @var WP_Customize_Selective_Refresh + */ + public $selective_refresh; + /** * Registered instances of WP_Customize_Setting. * @@ -94,31 +103,31 @@ final class WP_Customize_Manager { protected $panels = array(); /** - * Registered instances of WP_Customize_Section. + * List of core components. * - * @since 3.4.0 + * @since 4.5.0 * @access protected * @var array */ - protected $sections = array(); + protected $components = array( 'widgets', 'nav_menus' ); /** - * Registered instances of WP_Customize_Control. + * Registered instances of WP_Customize_Section. * * @since 3.4.0 * @access protected * @var array */ - protected $controls = array(); + protected $sections = array(); /** - * Return value of check_ajax_referer() in customize_preview_init() method. + * Registered instances of WP_Customize_Control. * - * @since 3.5.0 + * @since 3.4.0 * @access protected - * @var false|int + * @var array */ - protected $nonce_tick; + protected $controls = array(); /** * Panel types that may be rendered from JS templates. @@ -174,6 +183,15 @@ final class WP_Customize_Manager { */ protected $autofocus = array(); + /** + * Messenger channel. + * + * @since 4.7.0 + * @access protected + * @var string + */ + protected $messenger_channel; + /** * Unsanitized values for Customize Settings parsed from $_POST['customized']. * @@ -181,12 +199,76 @@ final class WP_Customize_Manager { */ private $_post_values; + /** + * Changeset UUID. + * + * @since 4.7.0 + * @access private + * @var string + */ + private $_changeset_uuid; + + /** + * Changeset post ID. + * + * @since 4.7.0 + * @access private + * @var int|false + */ + private $_changeset_post_id; + + /** + * Changeset data loaded from a customize_changeset post. + * + * @since 4.7.0 + * @access private + * @var array + */ + private $_changeset_data; + /** * Constructor. * * @since 3.4.0 + * @since 4.7.0 Added $args param. + * + * @param array $args { + * Args. + * + * @type string $changeset_uuid Changeset UUID, the post_name for the customize_changeset post containing the customized state. Defaults to new UUID. + * @type string $theme Theme to be previewed (for theme switch). Defaults to customize_theme or theme query params. + * @type string $messenger_channel Messenger channel. Defaults to customize_messenger_channel query param. + * } */ - public function __construct() { + public function __construct( $args = array() ) { + + $args = array_merge( + array_fill_keys( array( 'changeset_uuid', 'theme', 'messenger_channel' ), null ), + $args + ); + + // Note that the UUID format will be validated in the setup_theme() method. + if ( ! isset( $args['changeset_uuid'] ) ) { + $args['changeset_uuid'] = wp_generate_uuid4(); + } + + // The theme and messenger_channel should be supplied via $args, but they are also looked at in the $_REQUEST global here for back-compat. + if ( ! isset( $args['theme'] ) ) { + if ( isset( $_REQUEST['customize_theme'] ) ) { + $args['theme'] = wp_unslash( $_REQUEST['customize_theme'] ); + } elseif ( isset( $_REQUEST['theme'] ) ) { // Deprecated. + $args['theme'] = wp_unslash( $_REQUEST['theme'] ); + } + } + if ( ! isset( $args['messenger_channel'] ) && isset( $_REQUEST['customize_messenger_channel'] ) ) { + $args['messenger_channel'] = sanitize_key( wp_unslash( $_REQUEST['customize_messenger_channel'] ) ); + } + + $this->original_stylesheet = get_stylesheet(); + $this->theme = wp_get_theme( $args['theme'] ); + $this->messenger_channel = $args['messenger_channel']; + $this->_changeset_uuid = $args['changeset_uuid']; + require_once( ABSPATH . WPINC . '/class-wp-customize-setting.php' ); require_once( ABSPATH . WPINC . '/class-wp-customize-panel.php' ); require_once( ABSPATH . WPINC . '/class-wp-customize-section.php' ); @@ -197,6 +279,7 @@ final class WP_Customize_Manager { require_once( ABSPATH . WPINC . '/customize/class-wp-customize-upload-control.php' ); require_once( ABSPATH . WPINC . '/customize/class-wp-customize-image-control.php' ); require_once( ABSPATH . WPINC . '/customize/class-wp-customize-background-image-control.php' ); + require_once( ABSPATH . WPINC . '/customize/class-wp-customize-background-position-control.php' ); require_once( ABSPATH . WPINC . '/customize/class-wp-customize-cropped-image-control.php' ); require_once( ABSPATH . WPINC . '/customize/class-wp-customize-site-icon-control.php' ); require_once( ABSPATH . WPINC . '/customize/class-wp-customize-header-image-control.php' ); @@ -217,6 +300,7 @@ final class WP_Customize_Manager { require_once( ABSPATH . WPINC . '/customize/class-wp-customize-nav-menu-section.php' ); require_once( ABSPATH . WPINC . '/customize/class-wp-customize-new-menu-section.php' ); + require_once( ABSPATH . WPINC . '/customize/class-wp-customize-custom-css-setting.php' ); require_once( ABSPATH . WPINC . '/customize/class-wp-customize-filter-setting.php' ); require_once( ABSPATH . WPINC . '/customize/class-wp-customize-header-image-setting.php' ); require_once( ABSPATH . WPINC . '/customize/class-wp-customize-background-image-setting.php' ); @@ -224,11 +308,11 @@ final class WP_Customize_Manager { require_once( ABSPATH . WPINC . '/customize/class-wp-customize-nav-menu-setting.php' ); /** - * Filter the core Customizer components to load. + * Filters the core Customizer components to load. * * This allows Core components to be excluded from being instantiated by * filtering them out of the array. Note that this filter generally runs - * during the plugins_loaded action, so it cannot be added + * during the {@see 'plugins_loaded'} action, so it cannot be added * in a theme. * * @since 4.4.0 @@ -238,25 +322,24 @@ final class WP_Customize_Manager { * @param array $components List of core components to load. * @param WP_Customize_Manager $this WP_Customize_Manager instance. */ - $components = apply_filters( 'customize_loaded_components', array( 'widgets', 'nav_menus' ), $this ); + $components = apply_filters( 'customize_loaded_components', $this->components, $this ); - if ( in_array( 'widgets', $components ) ) { + require_once( ABSPATH . WPINC . '/customize/class-wp-customize-selective-refresh.php' ); + $this->selective_refresh = new WP_Customize_Selective_Refresh( $this ); + + if ( in_array( 'widgets', $components, true ) ) { require_once( ABSPATH . WPINC . '/class-wp-customize-widgets.php' ); $this->widgets = new WP_Customize_Widgets( $this ); } - if ( in_array( 'nav_menus', $components ) ) { + + if ( in_array( 'nav_menus', $components, true ) ) { require_once( ABSPATH . WPINC . '/class-wp-customize-nav-menus.php' ); $this->nav_menus = new WP_Customize_Nav_Menus( $this ); } - add_filter( 'wp_die_handler', array( $this, 'wp_die_handler' ) ); - add_action( 'setup_theme', array( $this, 'setup_theme' ) ); add_action( 'wp_loaded', array( $this, 'wp_loaded' ) ); - // Run wp_redirect_status late to make sure we override the status last. - add_action( 'wp_redirect_status', array( $this, 'wp_redirect_status' ), 1000 ); - // Do not spawn cron (especially the alternate cron) while running the Customizer. remove_action( 'init', 'wp_cron' ); @@ -278,23 +361,25 @@ final class WP_Customize_Manager { add_action( 'customize_controls_print_footer_scripts', array( $this, 'render_section_templates' ), 1 ); add_action( 'customize_controls_print_footer_scripts', array( $this, 'render_control_templates' ), 1 ); + // Export header video settings with the partial response. + add_filter( 'customize_render_partials_response', array( $this, 'export_header_video_settings' ), 10, 3 ); + // Export the settings to JS via the _wpCustomizeSettings variable. add_action( 'customize_controls_print_footer_scripts', array( $this, 'customize_pane_settings' ), 1000 ); } /** - * Return true if it's an AJAX request. + * Return true if it's an Ajax request. * * @since 3.4.0 * @since 4.2.0 Added `$action` param. * @access public * - * @param string|null $action Whether the supplied AJAX action is being run. - * @return bool True if it's an AJAX request, false otherwise. + * @param string|null $action Whether the supplied Ajax action is being run. + * @return bool True if it's an Ajax request, false otherwise. */ public function doing_ajax( $action = null ) { - $doing_ajax = ( defined( 'DOING_AJAX' ) && DOING_AJAX ); - if ( ! $doing_ajax ) { + if ( ! wp_doing_ajax() ) { return false; } @@ -311,15 +396,15 @@ final class WP_Customize_Manager { /** * Custom wp_die wrapper. Returns either the standard message for UI - * or the AJAX message. + * or the Ajax message. * * @since 3.4.0 * - * @param mixed $ajax_message AJAX return + * @param mixed $ajax_message Ajax return * @param mixed $message UI message */ protected function wp_die( $ajax_message, $message = null ) { - if ( $this->doing_ajax() || isset( $_POST['customized'] ) ) { + if ( $this->doing_ajax() ) { wp_die( $ajax_message ); } @@ -327,17 +412,43 @@ final class WP_Customize_Manager { $message = __( 'Cheatin’ uh?' ); } + if ( $this->messenger_channel ) { + ob_start(); + wp_enqueue_scripts(); + wp_print_scripts( array( 'customize-base' ) ); + + $settings = array( + 'messengerArgs' => array( + 'channel' => $this->messenger_channel, + 'url' => wp_customize_url(), + ), + 'error' => $ajax_message, + ); + ?> + + doing_ajax() || isset( $_POST['customized'] ) ) { return '_ajax_wp_die_handler'; } @@ -353,24 +464,43 @@ final class WP_Customize_Manager { * @since 3.4.0 */ public function setup_theme() { - send_origin_headers(); + global $pagenow; - $doing_ajax_or_is_customized = ( $this->doing_ajax() || isset( $_POST['customized'] ) ); - if ( is_admin() && ! $doing_ajax_or_is_customized ) { - auth_redirect(); - } elseif ( $doing_ajax_or_is_customized && ! is_user_logged_in() ) { - $this->wp_die( 0, __( 'You must be logged in to complete this action.' ) ); + // Check permissions for customize.php access since this method is called before customize.php can run any code, + if ( 'customize.php' === $pagenow && ! current_user_can( 'customize' ) ) { + if ( ! is_user_logged_in() ) { + auth_redirect(); + } else { + wp_die( + '

' . __( 'Cheatin’ uh?' ) . '

' . + '

' . __( 'Sorry, you are not allowed to customize this site.' ) . '

', + 403 + ); + } + return; } - show_admin_bar( false ); + if ( ! preg_match( '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/', $this->_changeset_uuid ) ) { + $this->wp_die( -1, __( 'Invalid changeset UUID' ) ); + } - if ( ! current_user_can( 'customize' ) ) { - $this->wp_die( -1, __( 'You are not allowed to customize the appearance of this site.' ) ); + /* + * If unauthenticated then require a valid changeset UUID to load the preview. + * In this way, the UUID serves as a secret key. If the messenger channel is present, + * then send unauthenticated code to prompt re-auth. + */ + if ( ! current_user_can( 'customize' ) && ! $this->changeset_post_id() ) { + $this->wp_die( $this->messenger_channel ? 0 : -1, __( 'Non-existent changeset UUID.' ) ); } - $this->original_stylesheet = get_stylesheet(); + if ( ! headers_sent() ) { + send_origin_headers(); + } - $this->theme = wp_get_theme( isset( $_REQUEST['theme'] ) ? $_REQUEST['theme'] : null ); + // Hide the admin bar if we're embedded in the customizer iframe. + if ( $this->messenger_channel ) { + show_admin_bar( false ); + } if ( $this->is_theme_active() ) { // Once the theme is loaded, we'll validate it. @@ -379,7 +509,7 @@ final class WP_Customize_Manager { // If the requested theme is not the active theme and the user doesn't have the // switch_themes cap, bail. if ( ! current_user_can( 'switch_themes' ) ) { - $this->wp_die( -1, __( 'You are not allowed to edit theme options on this site.' ) ); + $this->wp_die( -1, __( 'Sorry, you are not allowed to edit theme options on this site.' ) ); } // If the theme has errors while loading, bail. @@ -393,6 +523,15 @@ final class WP_Customize_Manager { } } + /* + * Import theme starter content for fresh installs when landing in the customizer. + * Import starter content at after_setup_theme:100 so that any + * add_theme_support( 'starter-content' ) calls will have been made. + */ + if ( get_option( 'fresh_site' ) && 'customize.php' === $pagenow ) { + add_action( 'after_setup_theme', array( $this, 'import_theme_starter_content' ), 100 ); + } + $this->start_previewing_theme(); } @@ -402,7 +541,7 @@ final class WP_Customize_Manager { * @since 3.4.0 */ public function after_setup_theme() { - $doing_ajax_or_is_customized = ( $this->doing_ajax() || isset( $_SERVER['customized'] ) ); + $doing_ajax_or_is_customized = ( $this->doing_ajax() || isset( $_POST['customized'] ) ); if ( ! $doing_ajax_or_is_customized && ! validate_current_theme() ) { wp_redirect( 'themes.php?broken=true' ); exit; @@ -485,6 +624,18 @@ final class WP_Customize_Manager { do_action( 'stop_previewing_theme', $this ); } + /** + * Get the changeset UUID. + * + * @since 4.7.0 + * @access public + * + * @return string UUID. + */ + public function changeset_uuid() { + return $this->_changeset_uuid; + } + /** * Get the theme being customized. * @@ -582,403 +733,1965 @@ final class WP_Customize_Manager { */ do_action( 'customize_register', $this ); - if ( $this->is_preview() && ! is_admin() ) + /* + * Note that settings must be previewed here even outside the customizer preview + * and also in the customizer pane itself. This is to enable loading an existing + * changeset into the customizer. Previewing the settings only has to be prevented + * in the case of a customize_save action because then update_option() + * may short-circuit because it will detect that there are no changes to + * make. + */ + if ( ! $this->doing_ajax( 'customize_save' ) ) { + foreach ( $this->settings as $setting ) { + $setting->preview(); + } + } + + if ( $this->is_preview() && ! is_admin() ) { $this->customize_preview_init(); + } } /** - * Prevents AJAX requests from following redirects when previewing a theme + * Prevents Ajax requests from following redirects when previewing a theme * by issuing a 200 response instead of a 30x. * * Instead, the JS will sniff out the location header. * * @since 3.4.0 + * @deprecated 4.7.0 * - * @param $status + * @param int $status Status. * @return int */ public function wp_redirect_status( $status ) { - if ( $this->is_preview() && ! is_admin() ) + _deprecated_function( __FUNCTION__, '4.7.0' ); + + if ( $this->is_preview() && ! is_admin() ) { return 200; + } return $status; } /** - * Parse the incoming $_POST['customized'] JSON data and store the unsanitized - * settings for subsequent post_value() lookups. + * Find the changeset post ID for a given changeset UUID. * - * @since 4.1.1 + * @since 4.7.0 + * @access public * - * @return array + * @param string $uuid Changeset UUID. + * @return int|null Returns post ID on success and null on failure. */ - public function unsanitized_post_values() { - if ( ! isset( $this->_post_values ) ) { - if ( isset( $_POST['customized'] ) ) { - $this->_post_values = json_decode( wp_unslash( $_POST['customized'] ), true ); - } - if ( empty( $this->_post_values ) ) { // if not isset or if JSON error - $this->_post_values = array(); - } - } - if ( empty( $this->_post_values ) ) { - return array(); - } else { - return $this->_post_values; + public function find_changeset_post_id( $uuid ) { + $cache_group = 'customize_changeset_post'; + $changeset_post_id = wp_cache_get( $uuid, $cache_group ); + if ( $changeset_post_id && 'customize_changeset' === get_post_type( $changeset_post_id ) ) { + return $changeset_post_id; } - } - /** - * Return the sanitized value for a given setting from the request's POST data. - * - * @since 3.4.0 - * @since 4.1.1 Introduced 'default' parameter. - * - * @param WP_Customize_Setting $setting A WP_Customize_Setting derived object - * @param mixed $default value returned $setting has no post value (added in 4.2.0). - * @return string|mixed $post_value Sanitized value or the $default provided - */ - public function post_value( $setting, $default = null ) { - $post_values = $this->unsanitized_post_values(); - if ( array_key_exists( $setting->id, $post_values ) ) { - return $setting->sanitize( $post_values[ $setting->id ] ); - } else { - return $default; + $changeset_post_query = new WP_Query( array( + 'post_type' => 'customize_changeset', + 'post_status' => get_post_stati(), + 'name' => $uuid, + 'posts_per_page' => 1, + 'no_found_rows' => true, + 'cache_results' => true, + 'update_post_meta_cache' => false, + 'update_post_term_cache' => false, + 'lazy_load_term_meta' => false, + ) ); + if ( ! empty( $changeset_post_query->posts ) ) { + // Note: 'fields'=>'ids' is not being used in order to cache the post object as it will be needed. + $changeset_post_id = $changeset_post_query->posts[0]->ID; + wp_cache_set( $this->_changeset_uuid, $changeset_post_id, $cache_group ); + return $changeset_post_id; } + + return null; } /** - * Override a setting's (unsanitized) value as found in any incoming $_POST['customized']. + * Get the changeset post id for the loaded changeset. * - * @since 4.2.0 + * @since 4.7.0 * @access public * - * @param string $setting_id ID for the WP_Customize_Setting instance. - * @param mixed $value Post value. + * @return int|null Post ID on success or null if there is no post yet saved. */ - public function set_post_value( $setting_id, $value ) { - $this->unsanitized_post_values(); - $this->_post_values[ $setting_id ] = $value; - - /** - * Announce when a specific setting's unsanitized post value has been set. - * - * Fires when the {@see WP_Customize_Manager::set_post_value()} method is called. - * - * The dynamic portion of the hook name, `$setting_id`, refers to the setting ID. - * - * @since 4.4.0 - * - * @param mixed $value Unsanitized setting post value. - * @param WP_Customize_Manager $this WP_Customize_Manager instance. - */ - do_action( "customize_post_value_set_{$setting_id}", $value, $this ); - - /** - * Announce when any setting's unsanitized post value has been set. - * - * Fires when the {@see WP_Customize_Manager::set_post_value()} method is called. - * - * This is useful for WP_Customize_Setting instances to watch - * in order to update a cached previewed value. - * - * @since 4.4.0 - * - * @param string $setting_id Setting ID. - * @param mixed $value Unsanitized setting post value. - * @param WP_Customize_Manager $this WP_Customize_Manager instance. - */ - do_action( 'customize_post_value_set', $setting_id, $value, $this ); + public function changeset_post_id() { + if ( ! isset( $this->_changeset_post_id ) ) { + $post_id = $this->find_changeset_post_id( $this->_changeset_uuid ); + if ( ! $post_id ) { + $post_id = false; + } + $this->_changeset_post_id = $post_id; + } + if ( false === $this->_changeset_post_id ) { + return null; + } + return $this->_changeset_post_id; } /** - * Print JavaScript settings. + * Get the data stored in a changeset post. * - * @since 3.4.0 + * @since 4.7.0 + * @access protected + * + * @param int $post_id Changeset post ID. + * @return array|WP_Error Changeset data or WP_Error on error. */ - public function customize_preview_init() { - $this->nonce_tick = check_ajax_referer( 'preview-customize_' . $this->get_stylesheet(), 'nonce' ); - - $this->prepare_controls(); - - wp_enqueue_script( 'customize-preview' ); - add_action( 'wp', array( $this, 'customize_preview_override_404_status' ) ); - add_action( 'wp_head', array( $this, 'customize_preview_base' ) ); - add_action( 'wp_head', array( $this, 'customize_preview_html5' ) ); - add_action( 'wp_head', array( $this, 'customize_preview_loading_style' ) ); - add_action( 'wp_footer', array( $this, 'customize_preview_settings' ), 20 ); - add_action( 'shutdown', array( $this, 'customize_preview_signature' ), 1000 ); - add_filter( 'wp_die_handler', array( $this, 'remove_preview_signature' ) ); - - foreach ( $this->settings as $setting ) { - $setting->preview(); + protected function get_changeset_post_data( $post_id ) { + if ( ! $post_id ) { + return new WP_Error( 'empty_post_id' ); } - - /** - * Fires once the Customizer preview has initialized and JavaScript - * settings have been printed. - * - * @since 3.4.0 - * - * @param WP_Customize_Manager $this WP_Customize_Manager instance. - */ - do_action( 'customize_preview_init', $this ); + $changeset_post = get_post( $post_id ); + if ( ! $changeset_post ) { + return new WP_Error( 'missing_post' ); + } + if ( 'customize_changeset' !== $changeset_post->post_type ) { + return new WP_Error( 'wrong_post_type' ); + } + $changeset_data = json_decode( $changeset_post->post_content, true ); + if ( function_exists( 'json_last_error' ) && json_last_error() ) { + return new WP_Error( 'json_parse_error', '', json_last_error() ); + } + if ( ! is_array( $changeset_data ) ) { + return new WP_Error( 'expected_array' ); + } + return $changeset_data; } /** - * Prevent sending a 404 status when returning the response for the customize - * preview, since it causes the jQuery AJAX to fail. Send 200 instead. + * Get changeset data. * - * @since 4.0.0 + * @since 4.7.0 * @access public - */ - public function customize_preview_override_404_status() { - if ( is_404() ) { - status_header( 200 ); - } - } - - /** - * Print base element for preview frame. * - * @since 3.4.0 + * @return array Changeset data. */ - public function customize_preview_base() { - ?>_changeset_data ) ) { + return $this->_changeset_data; + } + $changeset_post_id = $this->changeset_post_id(); + if ( ! $changeset_post_id ) { + $this->_changeset_data = array(); + } else { + $data = $this->get_changeset_post_data( $changeset_post_id ); + if ( ! is_wp_error( $data ) ) { + $this->_changeset_data = $data; + } else { + $this->_changeset_data = array(); + } + } + return $this->_changeset_data; } /** - * Print a workaround to handle HTML5 tags in IE < 9. + * Starter content setting IDs. * - * @since 3.4.0 + * @since 4.7.0 + * @access private + * @var array */ - public function customize_preview_html5() { ?> - wp_unslash( $_POST['customize_messenger_channel'] ), - 'activePanels' => array(), - 'activeSections' => array(), - 'activeControls' => array(), - ); + function import_theme_starter_content( $starter_content = array() ) { + if ( empty( $starter_content ) ) { + $starter_content = get_theme_starter_content(); + } - if ( 2 == $this->nonce_tick ) { - $settings['nonce'] = array( - 'save' => wp_create_nonce( 'save-customize_' . $this->get_stylesheet() ), - 'preview' => wp_create_nonce( 'preview-customize_' . $this->get_stylesheet() ) - ); + $changeset_data = array(); + if ( $this->changeset_post_id() ) { + $changeset_data = $this->get_changeset_post_data( $this->changeset_post_id() ); } - foreach ( $this->panels as $panel_id => $panel ) { - if ( $panel->check_capabilities() ) { - $settings['activePanels'][ $panel_id ] = $panel->active(); - foreach ( $panel->sections as $section_id => $section ) { - if ( $section->check_capabilities() ) { - $settings['activeSections'][ $section_id ] = $section->active(); + $sidebars_widgets = isset( $starter_content['widgets'] ) && ! empty( $this->widgets ) ? $starter_content['widgets'] : array(); + $attachments = isset( $starter_content['attachments'] ) && ! empty( $this->nav_menus ) ? $starter_content['attachments'] : array(); + $posts = isset( $starter_content['posts'] ) && ! empty( $this->nav_menus ) ? $starter_content['posts'] : array(); + $options = isset( $starter_content['options'] ) ? $starter_content['options'] : array(); + $nav_menus = isset( $starter_content['nav_menus'] ) && ! empty( $this->nav_menus ) ? $starter_content['nav_menus'] : array(); + $theme_mods = isset( $starter_content['theme_mods'] ) ? $starter_content['theme_mods'] : array(); + + // Widgets. + $max_widget_numbers = array(); + foreach ( $sidebars_widgets as $sidebar_id => $widgets ) { + $sidebar_widget_ids = array(); + foreach ( $widgets as $widget ) { + list( $id_base, $instance ) = $widget; + + if ( ! isset( $max_widget_numbers[ $id_base ] ) ) { + + // When $settings is an array-like object, get an intrinsic array for use with array_keys(). + $settings = get_option( "widget_{$id_base}", array() ); + if ( $settings instanceof ArrayObject || $settings instanceof ArrayIterator ) { + $settings = $settings->getArrayCopy(); + } + + // Find the max widget number for this type. + $widget_numbers = array_keys( $settings ); + if ( count( $widget_numbers ) > 0 ) { + $widget_numbers[] = 1; + $max_widget_numbers[ $id_base ] = call_user_func_array( 'max', $widget_numbers ); + } else { + $max_widget_numbers[ $id_base ] = 1; } } + $max_widget_numbers[ $id_base ] += 1; + + $widget_id = sprintf( '%s-%d', $id_base, $max_widget_numbers[ $id_base ] ); + $setting_id = sprintf( 'widget_%s[%d]', $id_base, $max_widget_numbers[ $id_base ] ); + + $setting_value = $this->widgets->sanitize_widget_js_instance( $instance ); + if ( empty( $changeset_data[ $setting_id ] ) || ! empty( $changeset_data[ $setting_id ]['starter_content'] ) ) { + $this->set_post_value( $setting_id, $setting_value ); + $this->pending_starter_content_settings_ids[] = $setting_id; + } + $sidebar_widget_ids[] = $widget_id; + } + + $setting_id = sprintf( 'sidebars_widgets[%s]', $sidebar_id ); + if ( empty( $changeset_data[ $setting_id ] ) || ! empty( $changeset_data[ $setting_id ]['starter_content'] ) ) { + $this->set_post_value( $setting_id, $sidebar_widget_ids ); + $this->pending_starter_content_settings_ids[] = $setting_id; } } - foreach ( $this->sections as $id => $section ) { - if ( $section->check_capabilities() ) { - $settings['activeSections'][ $id ] = $section->active(); + + $starter_content_auto_draft_post_ids = array(); + if ( ! empty( $changeset_data['nav_menus_created_posts']['value'] ) ) { + $starter_content_auto_draft_post_ids = array_merge( $starter_content_auto_draft_post_ids, $changeset_data['nav_menus_created_posts']['value'] ); + } + + // Make an index of all the posts needed and what their slugs are. + $needed_posts = array(); + $attachments = $this->prepare_starter_content_attachments( $attachments ); + foreach ( $attachments as $attachment ) { + $key = 'attachment:' . $attachment['post_name']; + $needed_posts[ $key ] = true; + } + foreach ( array_keys( $posts ) as $post_symbol ) { + if ( empty( $posts[ $post_symbol ]['post_name'] ) && empty( $posts[ $post_symbol ]['post_title'] ) ) { + unset( $posts[ $post_symbol ] ); + continue; + } + if ( empty( $posts[ $post_symbol ]['post_name'] ) ) { + $posts[ $post_symbol ]['post_name'] = sanitize_title( $posts[ $post_symbol ]['post_title'] ); } + if ( empty( $posts[ $post_symbol ]['post_type'] ) ) { + $posts[ $post_symbol ]['post_type'] = 'post'; + } + $needed_posts[ $posts[ $post_symbol ]['post_type'] . ':' . $posts[ $post_symbol ]['post_name'] ] = true; } - foreach ( $this->controls as $id => $control ) { - if ( $control->check_capabilities() ) { - $settings['activeControls'][ $id ] = $control->active(); + $all_post_slugs = array_merge( + wp_list_pluck( $attachments, 'post_name' ), + wp_list_pluck( $posts, 'post_name' ) + ); + + // Re-use auto-draft starter content posts referenced in the current customized state. + $existing_starter_content_posts = array(); + if ( ! empty( $starter_content_auto_draft_post_ids ) ) { + $existing_posts_query = new WP_Query( array( + 'post__in' => $starter_content_auto_draft_post_ids, + 'post_status' => 'auto-draft', + 'post_type' => 'any', + 'posts_per_page' => -1, + ) ); + foreach ( $existing_posts_query->posts as $existing_post ) { + $post_name = $existing_post->post_name; + if ( empty( $post_name ) ) { + $post_name = get_post_meta( $existing_post->ID, '_customize_draft_post_name', true ); + } + $existing_starter_content_posts[ $existing_post->post_type . ':' . $post_name ] = $existing_post; } } - ?> - - 'auto-draft', // So attachment will be garbage collected in a week if changeset is never published. + ) + ); + + // In PHP < 5.6 filesize() returns 0 for the temp files unless we clear the file status cache. + // Technically, PHP < 5.6.0 || < 5.5.13 || < 5.4.29 but no need to be so targeted. + // See https://bugs.php.net/bug.php?id=65701 + if ( version_compare( PHP_VERSION, '5.6', '<' ) ) { + clearstatcache(); + } + + $attachment_id = media_handle_sideload( $file_array, 0, null, $attachment_post_data ); + if ( is_wp_error( $attachment_id ) ) { + continue; + } + update_post_meta( $attachment_id, '_starter_content_theme', $this->get_stylesheet() ); + update_post_meta( $attachment_id, '_customize_draft_post_name', $attachment['post_name'] ); + } + + $attachment_ids[ $symbol ] = $attachment_id; + } + $starter_content_auto_draft_post_ids = array_merge( $starter_content_auto_draft_post_ids, array_values( $attachment_ids ) ); + } + + // Posts & pages. + if ( ! empty( $posts ) ) { + foreach ( array_keys( $posts ) as $post_symbol ) { + if ( empty( $posts[ $post_symbol ]['post_type'] ) || empty( $posts[ $post_symbol ]['post_name'] ) ) { + continue; + } + $post_type = $posts[ $post_symbol ]['post_type']; + if ( ! empty( $posts[ $post_symbol ]['post_name'] ) ) { + $post_name = $posts[ $post_symbol ]['post_name']; + } elseif ( ! empty( $posts[ $post_symbol ]['post_title'] ) ) { + $post_name = sanitize_title( $posts[ $post_symbol ]['post_title'] ); + } else { + continue; + } + + // Use existing auto-draft post if one already exists with the same type and name. + if ( isset( $existing_starter_content_posts[ $post_type . ':' . $post_name ] ) ) { + $posts[ $post_symbol ]['ID'] = $existing_starter_content_posts[ $post_type . ':' . $post_name ]->ID; + continue; + } + + // Translate the featured image symbol. + if ( ! empty( $posts[ $post_symbol ]['thumbnail'] ) + && preg_match( '/^{{(?P.+)}}$/', $posts[ $post_symbol ]['thumbnail'], $matches ) + && isset( $attachment_ids[ $matches['symbol'] ] ) ) { + $posts[ $post_symbol ]['meta_input']['_thumbnail_id'] = $attachment_ids[ $matches['symbol'] ]; + } + + if ( ! empty( $posts[ $post_symbol ]['template'] ) ) { + $posts[ $post_symbol ]['meta_input']['_wp_page_template'] = $posts[ $post_symbol ]['template']; + } + + $r = $this->nav_menus->insert_auto_draft_post( $posts[ $post_symbol ] ); + if ( $r instanceof WP_Post ) { + $posts[ $post_symbol ]['ID'] = $r->ID; + } + } + + $starter_content_auto_draft_post_ids = array_merge( $starter_content_auto_draft_post_ids, wp_list_pluck( $posts, 'ID' ) ); + } + + // The nav_menus_created_posts setting is why nav_menus component is dependency for adding posts. + if ( ! empty( $this->nav_menus ) && ! empty( $starter_content_auto_draft_post_ids ) ) { + $setting_id = 'nav_menus_created_posts'; + $this->set_post_value( $setting_id, array_unique( array_values( $starter_content_auto_draft_post_ids ) ) ); + $this->pending_starter_content_settings_ids[] = $setting_id; + } + + // Nav menus. + $placeholder_id = -1; + $reused_nav_menu_setting_ids = array(); + foreach ( $nav_menus as $nav_menu_location => $nav_menu ) { + + $nav_menu_term_id = null; + $nav_menu_setting_id = null; + $matches = array(); + + // Look for an existing placeholder menu with starter content to re-use. + foreach ( $changeset_data as $setting_id => $setting_params ) { + $can_reuse = ( + ! empty( $setting_params['starter_content'] ) + && + ! in_array( $setting_id, $reused_nav_menu_setting_ids, true ) + && + preg_match( '#^nav_menu\[(?P-?\d+)\]$#', $setting_id, $matches ) + ); + if ( $can_reuse ) { + $nav_menu_term_id = intval( $matches['nav_menu_id'] ); + $nav_menu_setting_id = $setting_id; + $reused_nav_menu_setting_ids[] = $setting_id; + break; + } + } + + if ( ! $nav_menu_term_id ) { + while ( isset( $changeset_data[ sprintf( 'nav_menu[%d]', $placeholder_id ) ] ) ) { + $placeholder_id--; + } + $nav_menu_term_id = $placeholder_id; + $nav_menu_setting_id = sprintf( 'nav_menu[%d]', $placeholder_id ); + } + + $this->set_post_value( $nav_menu_setting_id, array( + 'name' => isset( $nav_menu['name'] ) ? $nav_menu['name'] : $nav_menu_location, + ) ); + $this->pending_starter_content_settings_ids[] = $nav_menu_setting_id; + + // @todo Add support for menu_item_parent. + $position = 0; + foreach ( $nav_menu['items'] as $nav_menu_item ) { + $nav_menu_item_setting_id = sprintf( 'nav_menu_item[%d]', $placeholder_id-- ); + if ( ! isset( $nav_menu_item['position'] ) ) { + $nav_menu_item['position'] = $position++; + } + $nav_menu_item['nav_menu_term_id'] = $nav_menu_term_id; + + if ( isset( $nav_menu_item['object_id'] ) ) { + if ( 'post_type' === $nav_menu_item['type'] && preg_match( '/^{{(?P.+)}}$/', $nav_menu_item['object_id'], $matches ) && isset( $posts[ $matches['symbol'] ] ) ) { + $nav_menu_item['object_id'] = $posts[ $matches['symbol'] ]['ID']; + if ( empty( $nav_menu_item['title'] ) ) { + $original_object = get_post( $nav_menu_item['object_id'] ); + $nav_menu_item['title'] = $original_object->post_title; + } + } else { + continue; + } + } else { + $nav_menu_item['object_id'] = 0; + } + + if ( empty( $changeset_data[ $nav_menu_item_setting_id ] ) || ! empty( $changeset_data[ $nav_menu_item_setting_id ]['starter_content'] ) ) { + $this->set_post_value( $nav_menu_item_setting_id, $nav_menu_item ); + $this->pending_starter_content_settings_ids[] = $nav_menu_item_setting_id; + } + } + + $setting_id = sprintf( 'nav_menu_locations[%s]', $nav_menu_location ); + if ( empty( $changeset_data[ $setting_id ] ) || ! empty( $changeset_data[ $setting_id ]['starter_content'] ) ) { + $this->set_post_value( $setting_id, $nav_menu_term_id ); + $this->pending_starter_content_settings_ids[] = $setting_id; + } + } + + // Options. + foreach ( $options as $name => $value ) { + if ( preg_match( '/^{{(?P.+)}}$/', $value, $matches ) ) { + if ( isset( $posts[ $matches['symbol'] ] ) ) { + $value = $posts[ $matches['symbol'] ]['ID']; + } elseif ( isset( $attachment_ids[ $matches['symbol'] ] ) ) { + $value = $attachment_ids[ $matches['symbol'] ]; + } else { + continue; + } + } + + if ( empty( $changeset_data[ $name ] ) || ! empty( $changeset_data[ $name ]['starter_content'] ) ) { + $this->set_post_value( $name, $value ); + $this->pending_starter_content_settings_ids[] = $name; + } + } + + // Theme mods. + foreach ( $theme_mods as $name => $value ) { + if ( preg_match( '/^{{(?P.+)}}$/', $value, $matches ) ) { + if ( isset( $posts[ $matches['symbol'] ] ) ) { + $value = $posts[ $matches['symbol'] ]['ID']; + } elseif ( isset( $attachment_ids[ $matches['symbol'] ] ) ) { + $value = $attachment_ids[ $matches['symbol'] ]; + } else { + continue; + } + } + + // Handle header image as special case since setting has a legacy format. + if ( 'header_image' === $name ) { + $name = 'header_image_data'; + $metadata = wp_get_attachment_metadata( $value ); + if ( empty( $metadata ) ) { + continue; + } + $value = array( + 'attachment_id' => $value, + 'url' => wp_get_attachment_url( $value ), + 'height' => $metadata['height'], + 'width' => $metadata['width'], + ); + } elseif ( 'background_image' === $name ) { + $value = wp_get_attachment_url( $value ); + } + + if ( empty( $changeset_data[ $name ] ) || ! empty( $changeset_data[ $name ]['starter_content'] ) ) { + $this->set_post_value( $name, $value ); + $this->pending_starter_content_settings_ids[] = $name; + } + } + + if ( ! empty( $this->pending_starter_content_settings_ids ) ) { + if ( did_action( 'customize_register' ) ) { + $this->_save_starter_content_changeset(); + } else { + add_action( 'customize_register', array( $this, '_save_starter_content_changeset' ), 1000 ); + } + } + } + + /** + * Prepare starter content attachments. + * + * Ensure that the attachments are valid and that they have slugs and file name/path. + * + * @since 4.7.0 + * @access private + * + * @param array $attachments Attachments. + * @return array Prepared attachments. + */ + protected function prepare_starter_content_attachments( $attachments ) { + $prepared_attachments = array(); + if ( empty( $attachments ) ) { + return $prepared_attachments; + } + + // Such is The WordPress Way. + require_once( ABSPATH . 'wp-admin/includes/file.php' ); + require_once( ABSPATH . 'wp-admin/includes/media.php' ); + require_once( ABSPATH . 'wp-admin/includes/image.php' ); + + foreach ( $attachments as $symbol => $attachment ) { + + // A file is required and URLs to files are not currently allowed. + if ( empty( $attachment['file'] ) || preg_match( '#^https?://$#', $attachment['file'] ) ) { + continue; + } + + $file_path = null; + if ( file_exists( $attachment['file'] ) ) { + $file_path = $attachment['file']; // Could be absolute path to file in plugin. + } elseif ( is_child_theme() && file_exists( get_stylesheet_directory() . '/' . $attachment['file'] ) ) { + $file_path = get_stylesheet_directory() . '/' . $attachment['file']; + } elseif ( file_exists( get_template_directory() . '/' . $attachment['file'] ) ) { + $file_path = get_template_directory() . '/' . $attachment['file']; + } else { + continue; + } + $file_name = basename( $attachment['file'] ); + + // Skip file types that are not recognized. + $checked_filetype = wp_check_filetype( $file_name ); + if ( empty( $checked_filetype['type'] ) ) { + continue; + } + + // Ensure post_name is set since not automatically derived from post_title for new auto-draft posts. + if ( empty( $attachment['post_name'] ) ) { + if ( ! empty( $attachment['post_title'] ) ) { + $attachment['post_name'] = sanitize_title( $attachment['post_title'] ); + } else { + $attachment['post_name'] = sanitize_title( preg_replace( '/\.\w+$/', '', $file_name ) ); + } + } + + $attachment['file_name'] = $file_name; + $attachment['file_path'] = $file_path; + $prepared_attachments[ $symbol ] = $attachment; + } + return $prepared_attachments; + } + + /** + * Save starter content changeset. + * + * @since 4.7.0 + * @access private + */ + public function _save_starter_content_changeset() { + + if ( empty( $this->pending_starter_content_settings_ids ) ) { + return; + } + + $this->save_changeset_post( array( + 'data' => array_fill_keys( $this->pending_starter_content_settings_ids, array( 'starter_content' => true ) ), + 'starter_content' => true, + ) ); + + $this->pending_starter_content_settings_ids = array(); + } + + /** + * Get dirty pre-sanitized setting values in the current customized state. + * + * The returned array consists of a merge of three sources: + * 1. If the theme is not currently active, then the base array is any stashed + * theme mods that were modified previously but never published. + * 2. The values from the current changeset, if it exists. + * 3. If the user can customize, the values parsed from the incoming + * `$_POST['customized']` JSON data. + * 4. Any programmatically-set post values via `WP_Customize_Manager::set_post_value()`. + * + * The name "unsanitized_post_values" is a carry-over from when the customized + * state was exclusively sourced from `$_POST['customized']`. Nevertheless, + * the value returned will come from the current changeset post and from the + * incoming post data. + * + * @since 4.1.1 + * @since 4.7.0 Added $args param and merging with changeset values and stashed theme mods. + * + * @param array $args { + * Args. + * + * @type bool $exclude_changeset Whether the changeset values should also be excluded. Defaults to false. + * @type bool $exclude_post_data Whether the post input values should also be excluded. Defaults to false when lacking the customize capability. + * } + * @return array + */ + public function unsanitized_post_values( $args = array() ) { + $args = array_merge( + array( + 'exclude_changeset' => false, + 'exclude_post_data' => ! current_user_can( 'customize' ), + ), + $args + ); + + $values = array(); + + // Let default values be from the stashed theme mods if doing a theme switch and if no changeset is present. + if ( ! $this->is_theme_active() ) { + $stashed_theme_mods = get_option( 'customize_stashed_theme_mods' ); + $stylesheet = $this->get_stylesheet(); + if ( isset( $stashed_theme_mods[ $stylesheet ] ) ) { + $values = array_merge( $values, wp_list_pluck( $stashed_theme_mods[ $stylesheet ], 'value' ) ); + } + } + + if ( ! $args['exclude_changeset'] ) { + foreach ( $this->changeset_data() as $setting_id => $setting_params ) { + if ( ! array_key_exists( 'value', $setting_params ) ) { + continue; + } + if ( isset( $setting_params['type'] ) && 'theme_mod' === $setting_params['type'] ) { + + // Ensure that theme mods values are only used if they were saved under the current theme. + $namespace_pattern = '/^(?P.+?)::(?P.+)$/'; + if ( preg_match( $namespace_pattern, $setting_id, $matches ) && $this->get_stylesheet() === $matches['stylesheet'] ) { + $values[ $matches['setting_id'] ] = $setting_params['value']; + } + } else { + $values[ $setting_id ] = $setting_params['value']; + } + } + } + + if ( ! $args['exclude_post_data'] ) { + if ( ! isset( $this->_post_values ) ) { + if ( isset( $_POST['customized'] ) ) { + $post_values = json_decode( wp_unslash( $_POST['customized'] ), true ); + } else { + $post_values = array(); + } + if ( is_array( $post_values ) ) { + $this->_post_values = $post_values; + } else { + $this->_post_values = array(); + } + } + $values = array_merge( $values, $this->_post_values ); + } + return $values; + } + + /** + * Returns the sanitized value for a given setting from the current customized state. + * + * The name "post_value" is a carry-over from when the customized state was exclusively + * sourced from `$_POST['customized']`. Nevertheless, the value returned will come + * from the current changeset post and from the incoming post data. + * + * @since 3.4.0 + * @since 4.1.1 Introduced the `$default` parameter. + * @since 4.6.0 `$default` is now returned early when the setting post value is invalid. + * @access public + * + * @see WP_REST_Server::dispatch() + * @see WP_Rest_Request::sanitize_params() + * @see WP_Rest_Request::has_valid_params() + * + * @param WP_Customize_Setting $setting A WP_Customize_Setting derived object. + * @param mixed $default Value returned $setting has no post value (added in 4.2.0) + * or the post value is invalid (added in 4.6.0). + * @return string|mixed $post_value Sanitized value or the $default provided. + */ + public function post_value( $setting, $default = null ) { + $post_values = $this->unsanitized_post_values(); + if ( ! array_key_exists( $setting->id, $post_values ) ) { + return $default; + } + $value = $post_values[ $setting->id ]; + $valid = $setting->validate( $value ); + if ( is_wp_error( $valid ) ) { + return $default; + } + $value = $setting->sanitize( $value ); + if ( is_null( $value ) || is_wp_error( $value ) ) { + return $default; + } + return $value; + } + + /** + * Override a setting's value in the current customized state. + * + * The name "post_value" is a carry-over from when the customized state was + * exclusively sourced from `$_POST['customized']`. + * + * @since 4.2.0 + * @access public + * + * @param string $setting_id ID for the WP_Customize_Setting instance. + * @param mixed $value Post value. + */ + public function set_post_value( $setting_id, $value ) { + $this->unsanitized_post_values(); // Populate _post_values from $_POST['customized']. + $this->_post_values[ $setting_id ] = $value; + + /** + * Announce when a specific setting's unsanitized post value has been set. + * + * Fires when the WP_Customize_Manager::set_post_value() method is called. + * + * The dynamic portion of the hook name, `$setting_id`, refers to the setting ID. + * + * @since 4.4.0 + * + * @param mixed $value Unsanitized setting post value. + * @param WP_Customize_Manager $this WP_Customize_Manager instance. + */ + do_action( "customize_post_value_set_{$setting_id}", $value, $this ); + + /** + * Announce when any setting's unsanitized post value has been set. + * + * Fires when the WP_Customize_Manager::set_post_value() method is called. + * + * This is useful for `WP_Customize_Setting` instances to watch + * in order to update a cached previewed value. + * + * @since 4.4.0 + * + * @param string $setting_id Setting ID. + * @param mixed $value Unsanitized setting post value. + * @param WP_Customize_Manager $this WP_Customize_Manager instance. + */ + do_action( 'customize_post_value_set', $setting_id, $value, $this ); + } + + /** + * Print JavaScript settings. + * + * @since 3.4.0 + */ + public function customize_preview_init() { + + /* + * Now that Customizer previews are loaded into iframes via GET requests + * and natural URLs with transaction UUIDs added, we need to ensure that + * the responses are never cached by proxies. In practice, this will not + * be needed if the user is logged-in anyway. But if anonymous access is + * allowed then the auth cookies would not be sent and WordPress would + * not send no-cache headers by default. + */ + if ( ! headers_sent() ) { + nocache_headers(); + header( 'X-Robots: noindex, nofollow, noarchive' ); + } + add_action( 'wp_head', 'wp_no_robots' ); + add_filter( 'wp_headers', array( $this, 'filter_iframe_security_headers' ) ); + + /* + * If preview is being served inside the customizer preview iframe, and + * if the user doesn't have customize capability, then it is assumed + * that the user's session has expired and they need to re-authenticate. + */ + if ( $this->messenger_channel && ! current_user_can( 'customize' ) ) { + $this->wp_die( -1, __( 'Unauthorized. You may remove the customize_messenger_channel param to preview as frontend.' ) ); + return; + } + + $this->prepare_controls(); + + add_filter( 'wp_redirect', array( $this, 'add_state_query_params' ) ); + + wp_enqueue_script( 'customize-preview' ); + add_action( 'wp_head', array( $this, 'customize_preview_loading_style' ) ); + add_action( 'wp_head', array( $this, 'remove_frameless_preview_messenger_channel' ) ); + add_action( 'wp_footer', array( $this, 'customize_preview_settings' ), 20 ); + add_filter( 'get_edit_post_link', '__return_empty_string' ); + + /** + * Fires once the Customizer preview has initialized and JavaScript + * settings have been printed. + * + * @since 3.4.0 + * + * @param WP_Customize_Manager $this WP_Customize_Manager instance. + */ + do_action( 'customize_preview_init', $this ); } - /** - * Prints a signature so we can ensure the Customizer was properly executed. - * - * @since 3.4.0 - */ - public function customize_preview_signature() { - echo 'WP_CUSTOMIZER_SIGNATURE'; - } + /** + * Filter the X-Frame-Options and Content-Security-Policy headers to ensure frontend can load in customizer. + * + * @since 4.7.0 + * @access public + * + * @param array $headers Headers. + * @return array Headers. + */ + public function filter_iframe_security_headers( $headers ) { + $customize_url = admin_url( 'customize.php' ); + $headers['X-Frame-Options'] = 'ALLOW-FROM ' . $customize_url; + $headers['Content-Security-Policy'] = 'frame-ancestors ' . preg_replace( '#^(\w+://[^/]+).+?$#', '$1', $customize_url ); + return $headers; + } + + /** + * Add customize state query params to a given URL if preview is allowed. + * + * @since 4.7.0 + * @access public + * @see wp_redirect() + * @see WP_Customize_Manager::get_allowed_url() + * + * @param string $url URL. + * @return string URL. + */ + public function add_state_query_params( $url ) { + $parsed_original_url = wp_parse_url( $url ); + $is_allowed = false; + foreach ( $this->get_allowed_urls() as $allowed_url ) { + $parsed_allowed_url = wp_parse_url( $allowed_url ); + $is_allowed = ( + $parsed_allowed_url['scheme'] === $parsed_original_url['scheme'] + && + $parsed_allowed_url['host'] === $parsed_original_url['host'] + && + 0 === strpos( $parsed_original_url['path'], $parsed_allowed_url['path'] ) + ); + if ( $is_allowed ) { + break; + } + } + + if ( $is_allowed ) { + $query_params = array( + 'customize_changeset_uuid' => $this->changeset_uuid(), + ); + if ( ! $this->is_theme_active() ) { + $query_params['customize_theme'] = $this->get_stylesheet(); + } + if ( $this->messenger_channel ) { + $query_params['customize_messenger_channel'] = $this->messenger_channel; + } + $url = add_query_arg( $query_params, $url ); + } + + return $url; + } + + /** + * Prevent sending a 404 status when returning the response for the customize + * preview, since it causes the jQuery Ajax to fail. Send 200 instead. + * + * @since 4.0.0 + * @deprecated 4.7.0 + * @access public + */ + public function customize_preview_override_404_status() { + _deprecated_function( __METHOD__, '4.7.0' ); + } + + /** + * Print base element for preview frame. + * + * @since 3.4.0 + * @deprecated 4.7.0 + */ + public function customize_preview_base() { + _deprecated_function( __METHOD__, '4.7.0' ); + } + + /** + * Print a workaround to handle HTML5 tags in IE < 9. + * + * @since 3.4.0 + * @deprecated 4.7.0 Customizer no longer supports IE8, so all supported browsers recognize HTML5. + */ + public function customize_preview_html5() { + _deprecated_function( __FUNCTION__, '4.7.0' ); + } + + /** + * Print CSS for loading indicators for the Customizer preview. + * + * @since 4.2.0 + * @access public + */ + public function customize_preview_loading_style() { + ?>messenger_channel ) { + return; + } + ?> + + unsanitized_post_values( array( 'exclude_changeset' => true ) ); + $setting_validities = $this->validate_setting_values( $post_values ); + $exported_setting_validities = array_map( array( $this, 'prepare_setting_validity_for_js' ), $setting_validities ); + + // Note that the REQUEST_URI is not passed into home_url() since this breaks subdirectory installs. + $self_url = empty( $_SERVER['REQUEST_URI'] ) ? home_url( '/' ) : esc_url_raw( wp_unslash( $_SERVER['REQUEST_URI'] ) ); + $state_query_params = array( + 'customize_theme', + 'customize_changeset_uuid', + 'customize_messenger_channel', + ); + $self_url = remove_query_arg( $state_query_params, $self_url ); + + $allowed_urls = $this->get_allowed_urls(); + $allowed_hosts = array(); + foreach ( $allowed_urls as $allowed_url ) { + $parsed = wp_parse_url( $allowed_url ); + if ( empty( $parsed['host'] ) ) { + continue; + } + $host = $parsed['host']; + if ( ! empty( $parsed['port'] ) ) { + $host .= ':' . $parsed['port']; + } + $allowed_hosts[] = $host; + } + + $switched_locale = switch_to_locale( get_user_locale() ); + $l10n = array( + 'shiftClickToEdit' => __( 'Shift-click to edit this element.' ), + 'linkUnpreviewable' => __( 'This link is not live-previewable.' ), + 'formUnpreviewable' => __( 'This form is not live-previewable.' ), + ); + if ( $switched_locale ) { + restore_previous_locale(); + } + + $settings = array( + 'changeset' => array( + 'uuid' => $this->_changeset_uuid, + ), + 'timeouts' => array( + 'selectiveRefresh' => 250, + 'keepAliveSend' => 1000, + ), + 'theme' => array( + 'stylesheet' => $this->get_stylesheet(), + 'active' => $this->is_theme_active(), + ), + 'url' => array( + 'self' => $self_url, + 'allowed' => array_map( 'esc_url_raw', $this->get_allowed_urls() ), + 'allowedHosts' => array_unique( $allowed_hosts ), + 'isCrossDomain' => $this->is_cross_domain(), + ), + 'channel' => $this->messenger_channel, + 'activePanels' => array(), + 'activeSections' => array(), + 'activeControls' => array(), + 'settingValidities' => $exported_setting_validities, + 'nonce' => current_user_can( 'customize' ) ? $this->get_nonces() : array(), + 'l10n' => $l10n, + '_dirty' => array_keys( $post_values ), + ); + + foreach ( $this->panels as $panel_id => $panel ) { + if ( $panel->check_capabilities() ) { + $settings['activePanels'][ $panel_id ] = $panel->active(); + foreach ( $panel->sections as $section_id => $section ) { + if ( $section->check_capabilities() ) { + $settings['activeSections'][ $section_id ] = $section->active(); + } + } + } + } + foreach ( $this->sections as $id => $section ) { + if ( $section->check_capabilities() ) { + $settings['activeSections'][ $id ] = $section->active(); + } + } + foreach ( $this->controls as $id => $control ) { + if ( $control->check_capabilities() ) { + $settings['activeControls'][ $id ] = $control->active(); + } + } + + ?> + + previewing; + } + + /** + * Retrieve the template name of the previewed theme. + * + * @since 3.4.0 + * + * @return string Template name. + */ + public function get_template() { + return $this->theme()->get_template(); + } + + /** + * Retrieve the stylesheet name of the previewed theme. + * + * @since 3.4.0 + * + * @return string Stylesheet name. + */ + public function get_stylesheet() { + return $this->theme()->get_stylesheet(); + } + + /** + * Retrieve the template root of the previewed theme. + * + * @since 3.4.0 + * + * @return string Theme root. + */ + public function get_template_root() { + return get_raw_theme_root( $this->get_template(), true ); + } + + /** + * Retrieve the stylesheet root of the previewed theme. + * + * @since 3.4.0 + * + * @return string Theme root. + */ + public function get_stylesheet_root() { + return get_raw_theme_root( $this->get_stylesheet(), true ); + } + + /** + * Filters the current theme and return the name of the previewed theme. + * + * @since 3.4.0 + * + * @param $current_theme {@internal Parameter is not used} + * @return string Theme name. + */ + public function current_theme( $current_theme ) { + return $this->theme()->display('Name'); + } + + /** + * Validates setting values. + * + * Validation is skipped for unregistered settings or for values that are + * already null since they will be skipped anyway. Sanitization is applied + * to values that pass validation, and values that become null or `WP_Error` + * after sanitizing are marked invalid. + * + * @since 4.6.0 + * @access public + * + * @see WP_REST_Request::has_valid_params() + * @see WP_Customize_Setting::validate() + * + * @param array $setting_values Mapping of setting IDs to values to validate and sanitize. + * @param array $options { + * Options. + * + * @type bool $validate_existence Whether a setting's existence will be checked. + * @type bool $validate_capability Whether the setting capability will be checked. + * } + * @return array Mapping of setting IDs to return value of validate method calls, either `true` or `WP_Error`. + */ + public function validate_setting_values( $setting_values, $options = array() ) { + $options = wp_parse_args( $options, array( + 'validate_capability' => false, + 'validate_existence' => false, + ) ); + + $validities = array(); + foreach ( $setting_values as $setting_id => $unsanitized_value ) { + $setting = $this->get_setting( $setting_id ); + if ( ! $setting ) { + if ( $options['validate_existence'] ) { + $validities[ $setting_id ] = new WP_Error( 'unrecognized', __( 'Setting does not exist or is unrecognized.' ) ); + } + continue; + } + if ( $options['validate_capability'] && ! current_user_can( $setting->capability ) ) { + $validity = new WP_Error( 'unauthorized', __( 'Unauthorized to modify setting due to capability.' ) ); + } else { + if ( is_null( $unsanitized_value ) ) { + continue; + } + $validity = $setting->validate( $unsanitized_value ); + } + if ( ! is_wp_error( $validity ) ) { + /** This filter is documented in wp-includes/class-wp-customize-setting.php */ + $late_validity = apply_filters( "customize_validate_{$setting->id}", new WP_Error(), $unsanitized_value, $setting ); + if ( ! empty( $late_validity->errors ) ) { + $validity = $late_validity; + } + } + if ( ! is_wp_error( $validity ) ) { + $value = $setting->sanitize( $unsanitized_value ); + if ( is_null( $value ) ) { + $validity = false; + } elseif ( is_wp_error( $value ) ) { + $validity = $value; + } + } + if ( false === $validity ) { + $validity = new WP_Error( 'invalid_value', __( 'Invalid value.' ) ); + } + $validities[ $setting_id ] = $validity; + } + return $validities; + } + + /** + * Prepares setting validity for exporting to the client (JS). + * + * Converts `WP_Error` instance into array suitable for passing into the + * `wp.customize.Notification` JS model. + * + * @since 4.6.0 + * @access public + * + * @param true|WP_Error $validity Setting validity. + * @return true|array If `$validity` was a WP_Error, the error codes will be array-mapped + * to their respective `message` and `data` to pass into the + * `wp.customize.Notification` JS model. + */ + public function prepare_setting_validity_for_js( $validity ) { + if ( is_wp_error( $validity ) ) { + $notification = array(); + foreach ( $validity->errors as $error_code => $error_messages ) { + $notification[ $error_code ] = array( + 'message' => join( ' ', $error_messages ), + 'data' => $validity->get_error_data( $error_code ), + ); + } + return $notification; + } else { + return true; + } + } + + /** + * Handle customize_save WP Ajax request to save/update a changeset. + * + * @since 3.4.0 + * @since 4.7.0 The semantics of this method have changed to update a changeset, optionally to also change the status and other attributes. + */ + public function save() { + if ( ! is_user_logged_in() ) { + wp_send_json_error( 'unauthenticated' ); + } + + if ( ! $this->is_preview() ) { + wp_send_json_error( 'not_preview' ); + } + + $action = 'save-customize_' . $this->get_stylesheet(); + if ( ! check_ajax_referer( $action, 'nonce', false ) ) { + wp_send_json_error( 'invalid_nonce' ); + } + + $changeset_post_id = $this->changeset_post_id(); + if ( empty( $changeset_post_id ) ) { + if ( ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->create_posts ) ) { + wp_send_json_error( 'cannot_create_changeset_post' ); + } + } else { + if ( ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->edit_post, $changeset_post_id ) ) { + wp_send_json_error( 'cannot_edit_changeset_post' ); + } + } + + if ( ! empty( $_POST['customize_changeset_data'] ) ) { + $input_changeset_data = json_decode( wp_unslash( $_POST['customize_changeset_data'] ), true ); + if ( ! is_array( $input_changeset_data ) ) { + wp_send_json_error( 'invalid_customize_changeset_data' ); + } + } else { + $input_changeset_data = array(); + } + + // Validate title. + $changeset_title = null; + if ( isset( $_POST['customize_changeset_title'] ) ) { + $changeset_title = sanitize_text_field( wp_unslash( $_POST['customize_changeset_title'] ) ); + } + + // Validate changeset status param. + $is_publish = null; + $changeset_status = null; + if ( isset( $_POST['customize_changeset_status'] ) ) { + $changeset_status = wp_unslash( $_POST['customize_changeset_status'] ); + if ( ! get_post_status_object( $changeset_status ) || ! in_array( $changeset_status, array( 'draft', 'pending', 'publish', 'future' ), true ) ) { + wp_send_json_error( 'bad_customize_changeset_status', 400 ); + } + $is_publish = ( 'publish' === $changeset_status || 'future' === $changeset_status ); + if ( $is_publish && ! current_user_can( get_post_type_object( 'customize_changeset' )->cap->publish_posts ) ) { + wp_send_json_error( 'changeset_publish_unauthorized', 403 ); + } + } + + /* + * Validate changeset date param. Date is assumed to be in local time for + * the WP if in MySQL format (YYYY-MM-DD HH:MM:SS). Otherwise, the date + * is parsed with strtotime() so that ISO date format may be supplied + * or a string like "+10 minutes". + */ + $changeset_date_gmt = null; + if ( isset( $_POST['customize_changeset_date'] ) ) { + $changeset_date = wp_unslash( $_POST['customize_changeset_date'] ); + if ( preg_match( '/^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d$/', $changeset_date ) ) { + $mm = substr( $changeset_date, 5, 2 ); + $jj = substr( $changeset_date, 8, 2 ); + $aa = substr( $changeset_date, 0, 4 ); + $valid_date = wp_checkdate( $mm, $jj, $aa, $changeset_date ); + if ( ! $valid_date ) { + wp_send_json_error( 'bad_customize_changeset_date', 400 ); + } + $changeset_date_gmt = get_gmt_from_date( $changeset_date ); + } else { + $timestamp = strtotime( $changeset_date ); + if ( ! $timestamp ) { + wp_send_json_error( 'bad_customize_changeset_date', 400 ); + } + $changeset_date_gmt = gmdate( 'Y-m-d H:i:s', $timestamp ); + } + } + + $r = $this->save_changeset_post( array( + 'status' => $changeset_status, + 'title' => $changeset_title, + 'date_gmt' => $changeset_date_gmt, + 'data' => $input_changeset_data, + ) ); + if ( is_wp_error( $r ) ) { + $response = array( + 'message' => $r->get_error_message(), + 'code' => $r->get_error_code(), + ); + if ( is_array( $r->get_error_data() ) ) { + $response = array_merge( $response, $r->get_error_data() ); + } else { + $response['data'] = $r->get_error_data(); + } + } else { + $response = $r; + + // Note that if the changeset status was publish, then it will get set to trash if revisions are not supported. + $response['changeset_status'] = get_post_status( $this->changeset_post_id() ); + if ( $is_publish && 'trash' === $response['changeset_status'] ) { + $response['changeset_status'] = 'publish'; + } + + if ( 'publish' === $response['changeset_status'] ) { + $response['next_changeset_uuid'] = wp_generate_uuid4(); + } + } + + if ( isset( $response['setting_validities'] ) ) { + $response['setting_validities'] = array_map( array( $this, 'prepare_setting_validity_for_js' ), $response['setting_validities'] ); + } + + /** + * Filters response data for a successful customize_save Ajax request. + * + * This filter does not apply if there was a nonce or authentication failure. + * + * @since 4.2.0 + * + * @param array $response Additional information passed back to the 'saved' + * event on `wp.customize`. + * @param WP_Customize_Manager $this WP_Customize_Manager instance. + */ + $response = apply_filters( 'customize_save_response', $response, $this ); + + if ( is_wp_error( $r ) ) { + wp_send_json_error( $response ); + } else { + wp_send_json_success( $response ); + } + } + + /** + * Save the post for the loaded changeset. + * + * @since 4.7.0 + * @access public + * + * @param array $args { + * Args for changeset post. + * + * @type array $data Optional additional changeset data. Values will be merged on top of any existing post values. + * @type string $status Post status. Optional. If supplied, the save will be transactional and a post revision will be allowed. + * @type string $title Post title. Optional. + * @type string $date_gmt Date in GMT. Optional. + * @type int $user_id ID for user who is saving the changeset. Optional, defaults to the current user ID. + * @type bool $starter_content Whether the data is starter content. If false (default), then $starter_content will be cleared for any $data being saved. + * } + * + * @return array|WP_Error Returns array on success and WP_Error with array data on error. + */ + function save_changeset_post( $args = array() ) { + + $args = array_merge( + array( + 'status' => null, + 'title' => null, + 'data' => array(), + 'date_gmt' => null, + 'user_id' => get_current_user_id(), + 'starter_content' => false, + ), + $args + ); + + $changeset_post_id = $this->changeset_post_id(); + $existing_changeset_data = array(); + if ( $changeset_post_id ) { + $existing_status = get_post_status( $changeset_post_id ); + if ( 'publish' === $existing_status || 'trash' === $existing_status ) { + return new WP_Error( 'changeset_already_published' ); + } + + $existing_changeset_data = $this->get_changeset_post_data( $changeset_post_id ); + } + + // Fail if attempting to publish but publish hook is missing. + if ( 'publish' === $args['status'] && false === has_action( 'transition_post_status', '_wp_customize_publish_changeset' ) ) { + return new WP_Error( 'missing_publish_callback' ); + } + + // Validate date. + $now = gmdate( 'Y-m-d H:i:59' ); + if ( $args['date_gmt'] ) { + $is_future_dated = ( mysql2date( 'U', $args['date_gmt'], false ) > mysql2date( 'U', $now, false ) ); + if ( ! $is_future_dated ) { + return new WP_Error( 'not_future_date' ); // Only future dates are allowed. + } + + if ( ! $this->is_theme_active() && ( 'future' === $args['status'] || $is_future_dated ) ) { + return new WP_Error( 'cannot_schedule_theme_switches' ); // This should be allowed in the future, when theme is a regular setting. + } + $will_remain_auto_draft = ( ! $args['status'] && ( ! $changeset_post_id || 'auto-draft' === get_post_status( $changeset_post_id ) ) ); + if ( $will_remain_auto_draft ) { + return new WP_Error( 'cannot_supply_date_for_auto_draft_changeset' ); + } + } elseif ( $changeset_post_id && 'future' === $args['status'] ) { + + // Fail if the new status is future but the existing post's date is not in the future. + $changeset_post = get_post( $changeset_post_id ); + if ( mysql2date( 'U', $changeset_post->post_date_gmt, false ) <= mysql2date( 'U', $now, false ) ) { + return new WP_Error( 'not_future_date' ); + } + } + + // The request was made via wp.customize.previewer.save(). + $update_transactionally = (bool) $args['status']; + $allow_revision = (bool) $args['status']; + + // Amend post values with any supplied data. + foreach ( $args['data'] as $setting_id => $setting_params ) { + if ( array_key_exists( 'value', $setting_params ) ) { + $this->set_post_value( $setting_id, $setting_params['value'] ); // Add to post values so that they can be validated and sanitized. + } + } + + // Note that in addition to post data, this will include any stashed theme mods. + $post_values = $this->unsanitized_post_values( array( + 'exclude_changeset' => true, + 'exclude_post_data' => false, + ) ); + $this->add_dynamic_settings( array_keys( $post_values ) ); // Ensure settings get created even if they lack an input value. + + /* + * Get list of IDs for settings that have values different from what is currently + * saved in the changeset. By skipping any values that are already the same, the + * subset of changed settings can be passed into validate_setting_values to prevent + * an underprivileged modifying a single setting for which they have the capability + * from being blocked from saving. This also prevents a user from touching of the + * previous saved settings and overriding the associated user_id if they made no change. + */ + $changed_setting_ids = array(); + foreach ( $post_values as $setting_id => $setting_value ) { + $setting = $this->get_setting( $setting_id ); + + if ( $setting && 'theme_mod' === $setting->type ) { + $prefixed_setting_id = $this->get_stylesheet() . '::' . $setting->id; + } else { + $prefixed_setting_id = $setting_id; + } + + $is_value_changed = ( + ! isset( $existing_changeset_data[ $prefixed_setting_id ] ) + || + ! array_key_exists( 'value', $existing_changeset_data[ $prefixed_setting_id ] ) + || + $existing_changeset_data[ $prefixed_setting_id ]['value'] !== $setting_value + ); + if ( $is_value_changed ) { + $changed_setting_ids[] = $setting_id; + } + } + + /** + * Fires before save validation happens. + * + * Plugins can add just-in-time {@see 'customize_validate_{$this->ID}'} filters + * at this point to catch any settings registered after `customize_register`. + * The dynamic portion of the hook name, `$this->ID` refers to the setting ID. + * + * @since 4.6.0 + * + * @param WP_Customize_Manager $this WP_Customize_Manager instance. + */ + do_action( 'customize_save_validation_before', $this ); + + // Validate settings. + $validated_values = array_merge( + array_fill_keys( array_keys( $args['data'] ), null ), // Make sure existence/capability checks are done on value-less setting updates. + $post_values + ); + $setting_validities = $this->validate_setting_values( $validated_values, array( + 'validate_capability' => true, + 'validate_existence' => true, + ) ); + $invalid_setting_count = count( array_filter( $setting_validities, 'is_wp_error' ) ); + + /* + * Short-circuit if there are invalid settings the update is transactional. + * A changeset update is transactional when a status is supplied in the request. + */ + if ( $update_transactionally && $invalid_setting_count > 0 ) { + $response = array( + 'setting_validities' => $setting_validities, + 'message' => sprintf( _n( 'There is %s invalid setting.', 'There are %s invalid settings.', $invalid_setting_count ), number_format_i18n( $invalid_setting_count ) ), + ); + return new WP_Error( 'transaction_fail', '', $response ); + } + + // Obtain/merge data for changeset. + $original_changeset_data = $this->get_changeset_post_data( $changeset_post_id ); + $data = $original_changeset_data; + if ( is_wp_error( $data ) ) { + $data = array(); + } + + // Ensure that all post values are included in the changeset data. + foreach ( $post_values as $setting_id => $post_value ) { + if ( ! isset( $args['data'][ $setting_id ] ) ) { + $args['data'][ $setting_id ] = array(); + } + if ( ! isset( $args['data'][ $setting_id ]['value'] ) ) { + $args['data'][ $setting_id ]['value'] = $post_value; + } + } + + foreach ( $args['data'] as $setting_id => $setting_params ) { + $setting = $this->get_setting( $setting_id ); + if ( ! $setting || ! $setting->check_capabilities() ) { + continue; + } + + // Skip updating changeset for invalid setting values. + if ( isset( $setting_validities[ $setting_id ] ) && is_wp_error( $setting_validities[ $setting_id ] ) ) { + continue; + } + + $changeset_setting_id = $setting_id; + if ( 'theme_mod' === $setting->type ) { + $changeset_setting_id = sprintf( '%s::%s', $this->get_stylesheet(), $setting_id ); + } + + if ( null === $setting_params ) { + // Remove setting from changeset entirely. + unset( $data[ $changeset_setting_id ] ); + } else { + + if ( ! isset( $data[ $changeset_setting_id ] ) ) { + $data[ $changeset_setting_id ] = array(); + } + + // Merge any additional setting params that have been supplied with the existing params. + $merged_setting_params = array_merge( $data[ $changeset_setting_id ], $setting_params ); + + // Skip updating setting params if unchanged (ensuring the user_id is not overwritten). + if ( $data[ $changeset_setting_id ] === $merged_setting_params ) { + continue; + } + + $data[ $changeset_setting_id ] = array_merge( + $merged_setting_params, + array( + 'type' => $setting->type, + 'user_id' => $args['user_id'], + ) + ); + + // Clear starter_content flag in data if changeset is not explicitly being updated for starter content. + if ( empty( $args['starter_content'] ) ) { + unset( $data[ $changeset_setting_id ]['starter_content'] ); + } + } + } + + $filter_context = array( + 'uuid' => $this->changeset_uuid(), + 'title' => $args['title'], + 'status' => $args['status'], + 'date_gmt' => $args['date_gmt'], + 'post_id' => $changeset_post_id, + 'previous_data' => is_wp_error( $original_changeset_data ) ? array() : $original_changeset_data, + 'manager' => $this, + ); + + /** + * Filters the settings' data that will be persisted into the changeset. + * + * Plugins may amend additional data (such as additional meta for settings) into the changeset with this filter. + * + * @since 4.7.0 + * + * @param array $data Updated changeset data, mapping setting IDs to arrays containing a $value item and optionally other metadata. + * @param array $context { + * Filter context. + * + * @type string $uuid Changeset UUID. + * @type string $title Requested title for the changeset post. + * @type string $status Requested status for the changeset post. + * @type string $date_gmt Requested date for the changeset post in MySQL format and GMT timezone. + * @type int|false $post_id Post ID for the changeset, or false if it doesn't exist yet. + * @type array $previous_data Previous data contained in the changeset. + * @type WP_Customize_Manager $manager Manager instance. + * } + */ + $data = apply_filters( 'customize_changeset_save_data', $data, $filter_context ); + + // Switch theme if publishing changes now. + if ( 'publish' === $args['status'] && ! $this->is_theme_active() ) { + // Temporarily stop previewing the theme to allow switch_themes() to operate properly. + $this->stop_previewing_theme(); + switch_theme( $this->get_stylesheet() ); + update_option( 'theme_switched_via_customizer', true ); + $this->start_previewing_theme(); + } - /** - * Removes the signature in case we experience a case where the Customizer was not properly executed. - * - * @since 3.4.0 - * - * @param mixed $return Value passed through for wp_die_handler filter. - * @return mixed Value passed through for wp_die_handler filter. - */ - public function remove_preview_signature( $return = null ) { - remove_action( 'shutdown', array( $this, 'customize_preview_signature' ), 1000 ); + // Gather the data for wp_insert_post()/wp_update_post(). + $json_options = 0; + if ( defined( 'JSON_UNESCAPED_SLASHES' ) ) { + $json_options |= JSON_UNESCAPED_SLASHES; // Introduced in PHP 5.4. This is only to improve readability as slashes needn't be escaped in storage. + } + $json_options |= JSON_PRETTY_PRINT; // Also introduced in PHP 5.4, but WP defines constant for back compat. See WP Trac #30139. + $post_array = array( + 'post_content' => wp_json_encode( $data, $json_options ), + ); + if ( $args['title'] ) { + $post_array['post_title'] = $args['title']; + } + if ( $changeset_post_id ) { + $post_array['ID'] = $changeset_post_id; + } else { + $post_array['post_type'] = 'customize_changeset'; + $post_array['post_name'] = $this->changeset_uuid(); + $post_array['post_status'] = 'auto-draft'; + } + if ( $args['status'] ) { + $post_array['post_status'] = $args['status']; + } - return $return; - } + // Reset post date to now if we are publishing, otherwise pass post_date_gmt and translate for post_date. + if ( 'publish' === $args['status'] ) { + $post_array['post_date_gmt'] = '0000-00-00 00:00:00'; + $post_array['post_date'] = '0000-00-00 00:00:00'; + } elseif ( $args['date_gmt'] ) { + $post_array['post_date_gmt'] = $args['date_gmt']; + $post_array['post_date'] = get_date_from_gmt( $args['date_gmt'] ); + } - /** - * Is it a theme preview? - * - * @since 3.4.0 - * - * @return bool True if it's a preview, false if not. - */ - public function is_preview() { - return (bool) $this->previewing; - } + $this->store_changeset_revision = $allow_revision; + add_filter( 'wp_save_post_revision_post_has_changed', array( $this, '_filter_revision_post_has_changed' ), 5, 3 ); - /** - * Retrieve the template name of the previewed theme. - * - * @since 3.4.0 - * - * @return string Template name. - */ - public function get_template() { - return $this->theme()->get_template(); + // Update the changeset post. The publish_customize_changeset action will cause the settings in the changeset to be saved via WP_Customize_Setting::save(). + $has_kses = ( false !== has_filter( 'content_save_pre', 'wp_filter_post_kses' ) ); + if ( $has_kses ) { + kses_remove_filters(); // Prevent KSES from corrupting JSON in post_content. + } + + // Note that updating a post with publish status will trigger WP_Customize_Manager::publish_changeset_values(). + if ( $changeset_post_id ) { + $post_array['edit_date'] = true; // Prevent date clearing. + $r = wp_update_post( wp_slash( $post_array ), true ); + } else { + $r = wp_insert_post( wp_slash( $post_array ), true ); + if ( ! is_wp_error( $r ) ) { + $this->_changeset_post_id = $r; // Update cached post ID for the loaded changeset. + } + } + if ( $has_kses ) { + kses_init_filters(); + } + $this->_changeset_data = null; // Reset so WP_Customize_Manager::changeset_data() will re-populate with updated contents. + + remove_filter( 'wp_save_post_revision_post_has_changed', array( $this, '_filter_revision_post_has_changed' ) ); + + $response = array( + 'setting_validities' => $setting_validities, + ); + + if ( is_wp_error( $r ) ) { + $response['changeset_post_save_failure'] = $r->get_error_code(); + return new WP_Error( 'changeset_post_save_failure', '', $response ); + } + + return $response; } /** - * Retrieve the stylesheet name of the previewed theme. - * - * @since 3.4.0 + * Whether a changeset revision should be made. * - * @return string Stylesheet name. + * @since 4.7.0 + * @access private + * @var bool */ - public function get_stylesheet() { - return $this->theme()->get_stylesheet(); - } + protected $store_changeset_revision; /** - * Retrieve the template root of the previewed theme. + * Filters whether a changeset has changed to create a new revision. * - * @since 3.4.0 + * Note that this will not be called while a changeset post remains in auto-draft status. * - * @return string Theme root. - */ - public function get_template_root() { - return get_raw_theme_root( $this->get_template(), true ); - } - - /** - * Retrieve the stylesheet root of the previewed theme. + * @since 4.7.0 + * @access private * - * @since 3.4.0 + * @param bool $post_has_changed Whether the post has changed. + * @param WP_Post $last_revision The last revision post object. + * @param WP_Post $post The post object. * - * @return string Theme root. + * @return bool Whether a revision should be made. */ - public function get_stylesheet_root() { - return get_raw_theme_root( $this->get_stylesheet(), true ); + public function _filter_revision_post_has_changed( $post_has_changed, $last_revision, $post ) { + unset( $last_revision ); + if ( 'customize_changeset' === $post->post_type ) { + $post_has_changed = $this->store_changeset_revision; + } + return $post_has_changed; } /** - * Filter the current theme and return the name of the previewed theme. + * Publish changeset values. * - * @since 3.4.0 + * This will the values contained in a changeset, even changesets that do not + * correspond to current manager instance. This is called by + * `_wp_customize_publish_changeset()` when a customize_changeset post is + * transitioned to the `publish` status. As such, this method should not be + * called directly and instead `wp_publish_post()` should be used. * - * @param $current_theme {@internal Parameter is not used} - * @return string Theme name. - */ - public function current_theme( $current_theme ) { - return $this->theme()->display('Name'); - } - - /** - * Switch the theme and trigger the save() method on each setting. + * Please note that if the settings in the changeset are for a non-activated + * theme, the theme must first be switched to (via `switch_theme()`) before + * invoking this method. * - * @since 3.4.0 + * @since 4.7.0 + * @access private + * @see _wp_customize_publish_changeset() + * + * @param int $changeset_post_id ID for customize_changeset post. Defaults to the changeset for the current manager instance. + * @return true|WP_Error True or error info. */ - public function save() { - if ( ! $this->is_preview() ) { - wp_send_json_error( 'not_preview' ); + public function _publish_changeset_values( $changeset_post_id ) { + $publishing_changeset_data = $this->get_changeset_post_data( $changeset_post_id ); + if ( is_wp_error( $publishing_changeset_data ) ) { + return $publishing_changeset_data; } - $action = 'save-customize_' . $this->get_stylesheet(); - if ( ! check_ajax_referer( $action, 'nonce', false ) ) { - wp_send_json_error( 'invalid_nonce' ); - } + $changeset_post = get_post( $changeset_post_id ); - // Do we have to switch themes? - if ( ! $this->is_theme_active() ) { - // Temporarily stop previewing the theme to allow switch_themes() - // to operate properly. - $this->stop_previewing_theme(); - switch_theme( $this->get_stylesheet() ); - update_option( 'theme_switched_via_customizer', true ); - $this->start_previewing_theme(); + /* + * Temporarily override the changeset context so that it will be read + * in calls to unsanitized_post_values() and so that it will be available + * on the $wp_customize object passed to hooks during the save logic. + */ + $previous_changeset_post_id = $this->_changeset_post_id; + $this->_changeset_post_id = $changeset_post_id; + $previous_changeset_uuid = $this->_changeset_uuid; + $this->_changeset_uuid = $changeset_post->post_name; + $previous_changeset_data = $this->_changeset_data; + $this->_changeset_data = $publishing_changeset_data; + + // Parse changeset data to identify theme mod settings and user IDs associated with settings to be saved. + $setting_user_ids = array(); + $theme_mod_settings = array(); + $namespace_pattern = '/^(?P.+?)::(?P.+)$/'; + $matches = array(); + foreach ( $this->_changeset_data as $raw_setting_id => $setting_params ) { + $actual_setting_id = null; + $is_theme_mod_setting = ( + isset( $setting_params['value'] ) + && + isset( $setting_params['type'] ) + && + 'theme_mod' === $setting_params['type'] + && + preg_match( $namespace_pattern, $raw_setting_id, $matches ) + ); + if ( $is_theme_mod_setting ) { + if ( ! isset( $theme_mod_settings[ $matches['stylesheet'] ] ) ) { + $theme_mod_settings[ $matches['stylesheet'] ] = array(); + } + $theme_mod_settings[ $matches['stylesheet'] ][ $matches['setting_id'] ] = $setting_params; + + if ( $this->get_stylesheet() === $matches['stylesheet'] ) { + $actual_setting_id = $matches['setting_id']; + } + } else { + $actual_setting_id = $raw_setting_id; + } + + // Keep track of the user IDs for settings actually for this theme. + if ( $actual_setting_id && isset( $setting_params['user_id'] ) ) { + $setting_user_ids[ $actual_setting_id ] = $setting_params['user_id']; + } } + $changeset_setting_values = $this->unsanitized_post_values( array( + 'exclude_post_data' => true, + 'exclude_changeset' => false, + ) ); + $changeset_setting_ids = array_keys( $changeset_setting_values ); + $this->add_dynamic_settings( $changeset_setting_ids ); + /** * Fires once the theme has switched in the Customizer, but before settings * have been saved. * * @since 3.4.0 * - * @param WP_Customize_Manager $this WP_Customize_Manager instance. + * @param WP_Customize_Manager $manager WP_Customize_Manager instance. */ do_action( 'customize_save', $this ); - foreach ( $this->settings as $setting ) { - $setting->save(); + /* + * Ensure that all settings will allow themselves to be saved. Note that + * this is safe because the setting would have checked the capability + * when the setting value was written into the changeset. So this is why + * an additional capability check is not required here. + */ + $original_setting_capabilities = array(); + foreach ( $changeset_setting_ids as $setting_id ) { + $setting = $this->get_setting( $setting_id ); + if ( $setting && ! isset( $setting_user_ids[ $setting_id ] ) ) { + $original_setting_capabilities[ $setting->id ] = $setting->capability; + $setting->capability = 'exist'; + } + } + + $original_user_id = get_current_user_id(); + foreach ( $changeset_setting_ids as $setting_id ) { + $setting = $this->get_setting( $setting_id ); + if ( $setting ) { + /* + * Set the current user to match the user who saved the value into + * the changeset so that any filters that apply during the save + * process will respect the original user's capabilities. This + * will ensure, for example, that KSES won't strip unsafe HTML + * when a scheduled changeset publishes via WP Cron. + */ + if ( isset( $setting_user_ids[ $setting_id ] ) ) { + wp_set_current_user( $setting_user_ids[ $setting_id ] ); + } else { + wp_set_current_user( $original_user_id ); + } + + $setting->save(); + } + } + wp_set_current_user( $original_user_id ); + + // Update the stashed theme mod settings, removing the active theme's stashed settings, if activated. + if ( did_action( 'switch_theme' ) ) { + $other_theme_mod_settings = $theme_mod_settings; + unset( $other_theme_mod_settings[ $this->get_stylesheet() ] ); + $this->update_stashed_theme_mod_settings( $other_theme_mod_settings ); } /** @@ -986,23 +2699,62 @@ final class WP_Customize_Manager { * * @since 3.6.0 * - * @param WP_Customize_Manager $this WP_Customize_Manager instance. + * @param WP_Customize_Manager $manager WP_Customize_Manager instance. */ do_action( 'customize_save_after', $this ); - /** - * Filter response data for a successful customize_save AJAX request. - * - * This filter does not apply if there was a nonce or authentication failure. - * - * @since 4.2.0 - * - * @param array $data Additional information passed back to the 'saved' - * event on `wp.customize`. - * @param WP_Customize_Manager $this WP_Customize_Manager instance. - */ - $response = apply_filters( 'customize_save_response', array(), $this ); - wp_send_json_success( $response ); + // Restore original capabilities. + foreach ( $original_setting_capabilities as $setting_id => $capability ) { + $setting = $this->get_setting( $setting_id ); + if ( $setting ) { + $setting->capability = $capability; + } + } + + // Restore original changeset data. + $this->_changeset_data = $previous_changeset_data; + $this->_changeset_post_id = $previous_changeset_post_id; + $this->_changeset_uuid = $previous_changeset_uuid; + + return true; + } + + /** + * Update stashed theme mod settings. + * + * @since 4.7.0 + * @access private + * + * @param array $inactive_theme_mod_settings Mapping of stylesheet to arrays of theme mod settings. + * @return array|false Returns array of updated stashed theme mods or false if the update failed or there were no changes. + */ + protected function update_stashed_theme_mod_settings( $inactive_theme_mod_settings ) { + $stashed_theme_mod_settings = get_option( 'customize_stashed_theme_mods' ); + if ( empty( $stashed_theme_mod_settings ) ) { + $stashed_theme_mod_settings = array(); + } + + // Delete any stashed theme mods for the active theme since since they would have been loaded and saved upon activation. + unset( $stashed_theme_mod_settings[ $this->get_stylesheet() ] ); + + // Merge inactive theme mods with the stashed theme mod settings. + foreach ( $inactive_theme_mod_settings as $stylesheet => $theme_mod_settings ) { + if ( ! isset( $stashed_theme_mod_settings[ $stylesheet ] ) ) { + $stashed_theme_mod_settings[ $stylesheet ] = array(); + } + + $stashed_theme_mod_settings[ $stylesheet ] = array_merge( + $stashed_theme_mod_settings[ $stylesheet ], + $theme_mod_settings + ); + } + + $autoload = false; + $result = update_option( 'customize_stashed_theme_mods', $stashed_theme_mod_settings, $autoload ); + if ( ! $result ) { + return false; + } + return $stashed_theme_mod_settings; } /** @@ -1015,40 +2767,38 @@ final class WP_Customize_Manager { wp_send_json_error( 'not_preview' ); } - $nonces = array( - 'save' => wp_create_nonce( 'save-customize_' . $this->get_stylesheet() ), - 'preview' => wp_create_nonce( 'preview-customize_' . $this->get_stylesheet() ), - ); - - /** - * Filter nonces for a customize_refresh_nonces AJAX request. - * - * @since 4.2.0 - * - * @param array $nonces Array of refreshed nonces for save and - * preview actions. - * @param WP_Customize_Manager $this WP_Customize_Manager instance. - */ - $nonces = apply_filters( 'customize_refresh_nonces', $nonces, $this ); - wp_send_json_success( $nonces ); + wp_send_json_success( $this->get_nonces() ); } /** * Add a customize setting. * * @since 3.4.0 + * @since 4.5.0 Return added WP_Customize_Setting instance. + * @access public * - * @param WP_Customize_Setting|string $id Customize Setting object, or ID. - * @param array $args Setting arguments; passed to WP_Customize_Setting - * constructor. + * @param WP_Customize_Setting|string $id Customize Setting object, or ID. + * @param array $args Setting arguments; passed to WP_Customize_Setting + * constructor. + * @return WP_Customize_Setting The instance of the setting that was added. */ public function add_setting( $id, $args = array() ) { if ( $id instanceof WP_Customize_Setting ) { $setting = $id; } else { - $setting = new WP_Customize_Setting( $this, $id, $args ); + $class = 'WP_Customize_Setting'; + + /** This filter is documented in wp-includes/class-wp-customize-manager.php */ + $args = apply_filters( 'customize_dynamic_setting_args', $args, $id ); + + /** This filter is documented in wp-includes/class-wp-customize-manager.php */ + $class = apply_filters( 'customize_dynamic_setting_class', $class, $id, $args ); + + $setting = new $class( $this, $id, $args ); } + $this->settings[ $setting->id ] = $setting; + return $setting; } /** @@ -1056,11 +2806,12 @@ final class WP_Customize_Manager { * that have no corresponding setting created. * * This is a mechanism to "wake up" settings that have been dynamically created - * on the frontend and have been sent to WordPress in `$_POST['customized']`. When WP + * on the front end and have been sent to WordPress in `$_POST['customized']`. When WP * loads, the dynamically-created settings then will get created and previewed * even though they are not directly created statically with code. * * @since 4.2.0 + * @access public * * @param array $setting_ids The setting IDs to add. * @return array The WP_Customize_Setting objects added. @@ -1077,7 +2828,7 @@ final class WP_Customize_Manager { $setting_class = 'WP_Customize_Setting'; /** - * Filter a dynamic setting's constructor args. + * Filters a dynamic setting's constructor args. * * For a dynamic setting to be registered, this filter must be employed * to override the default false value with an array of args to pass to @@ -1141,10 +2892,13 @@ final class WP_Customize_Manager { * Add a customize panel. * * @since 4.0.0 + * @since 4.5.0 Return added WP_Customize_Panel instance. * @access public * * @param WP_Customize_Panel|string $id Customize Panel object, or Panel ID. * @param array $args Optional. Panel arguments. Default empty array. + * + * @return WP_Customize_Panel The instance of the panel that was added. */ public function add_panel( $id, $args = array() ) { if ( $id instanceof WP_Customize_Panel ) { @@ -1154,6 +2908,7 @@ final class WP_Customize_Manager { } $this->panels[ $panel->id ] = $panel; + return $panel; } /** @@ -1180,6 +2935,16 @@ final class WP_Customize_Manager { * @param string $id Panel ID to remove. */ public function remove_panel( $id ) { + // Removing core components this way is _doing_it_wrong(). + if ( in_array( $id, $this->components, true ) ) { + /* translators: 1: panel id, 2: link to 'customize_loaded_components' filter reference */ + $message = sprintf( __( 'Removing %1$s manually will cause PHP warnings. Use the %2$s filter instead.' ), + $id, + 'customize_loaded_components' + ); + + _doing_it_wrong( __METHOD__, $message, '4.5.0' ); + } unset( $this->panels[ $id ] ); } @@ -1216,9 +2981,13 @@ final class WP_Customize_Manager { * Add a customize section. * * @since 3.4.0 + * @since 4.5.0 Return added WP_Customize_Section instance. + * @access public * * @param WP_Customize_Section|string $id Customize Section object, or Section ID. * @param array $args Section arguments. + * + * @return WP_Customize_Section The instance of the section that was added. */ public function add_section( $id, $args = array() ) { if ( $id instanceof WP_Customize_Section ) { @@ -1226,7 +2995,9 @@ final class WP_Customize_Manager { } else { $section = new WP_Customize_Section( $this, $id, $args ); } + $this->sections[ $section->id ] = $section; + return $section; } /** @@ -1286,10 +3057,13 @@ final class WP_Customize_Manager { * Add a customize control. * * @since 3.4.0 + * @since 4.5.0 Return added WP_Customize_Control instance. + * @access public * * @param WP_Customize_Control|string $id Customize Control object, or ID. * @param array $args Control arguments; passed to WP_Customize_Control * constructor. + * @return WP_Customize_Control The instance of the control that was added. */ public function add_control( $id, $args = array() ) { if ( $id instanceof WP_Customize_Control ) { @@ -1297,7 +3071,9 @@ final class WP_Customize_Manager { } else { $control = new WP_Customize_Control( $this, $id, $args ); } + $this->controls[ $control->id ] = $control; + return $control; } /** @@ -1333,7 +3109,7 @@ final class WP_Customize_Manager { * @access public * * @param string $control Name of a custom control which is a subclass of - * {@see WP_Customize_Control}. + * WP_Customize_Control. */ public function register_control_type( $control ) { $this->registered_control_types[] = $control; @@ -1347,21 +3123,35 @@ final class WP_Customize_Manager { */ public function render_control_templates() { foreach ( $this->registered_control_types as $control_type ) { - $control = new $control_type( $this, 'temp', array() ); + $control = new $control_type( $this, 'temp', array( + 'settings' => array(), + ) ); $control->print_template(); } + ?> + + priority === $b->priority ) { return $a->instance_number - $b->instance_number; } else { @@ -1381,7 +3171,10 @@ final class WP_Customize_Manager { public function prepare_controls() { $controls = array(); - uasort( $this->controls, array( $this, '_cmp_priority' ) ); + $this->controls = wp_list_sort( $this->controls, array( + 'priority' => 'ASC', + 'instance_number' => 'ASC', + ), 'ASC', true ); foreach ( $this->controls as $id => $control ) { if ( ! isset( $this->sections[ $control->section ] ) || ! $control->check_capabilities() ) { @@ -1394,7 +3187,10 @@ final class WP_Customize_Manager { $this->controls = $controls; // Prepare sections. - uasort( $this->sections, array( $this, '_cmp_priority' ) ); + $this->sections = wp_list_sort( $this->sections, array( + 'priority' => 'ASC', + 'instance_number' => 'ASC', + ), 'ASC', true ); $sections = array(); foreach ( $this->sections as $section ) { @@ -1402,7 +3198,11 @@ final class WP_Customize_Manager { continue; } - usort( $section->controls, array( $this, '_cmp_priority' ) ); + + $section->controls = wp_list_sort( $section->controls, array( + 'priority' => 'ASC', + 'instance_number' => 'ASC', + ) ); if ( ! $section->panel ) { // Top-level section. @@ -1417,7 +3217,10 @@ final class WP_Customize_Manager { $this->sections = $sections; // Prepare panels. - uasort( $this->panels, array( $this, '_cmp_priority' ) ); + $this->panels = wp_list_sort( $this->panels, array( + 'priority' => 'ASC', + 'instance_number' => 'ASC', + ), 'ASC', true ); $panels = array(); foreach ( $this->panels as $panel ) { @@ -1425,14 +3228,20 @@ final class WP_Customize_Manager { continue; } - uasort( $panel->sections, array( $this, '_cmp_priority' ) ); + $panel->sections = wp_list_sort( $panel->sections, array( + 'priority' => 'ASC', + 'instance_number' => 'ASC', + ), 'ASC', true ); $panels[ $panel->id ] = $panel; } $this->panels = $panels; // Sort panels and top-level sections together. $this->containers = array_merge( $this->panels, $this->sections ); - uasort( $this->containers, array( $this, '_cmp_priority' ) ); + $this->containers = wp_list_sort( $this->containers, array( + 'priority' => 'ASC', + 'instance_number' => 'ASC', + ), 'ASC', true ); } /** @@ -1478,35 +3287,97 @@ final class WP_Customize_Manager { return $document_title_tmpl; } - /** - * Set the initial URL to be previewed. - * - * URL is validated. - * - * @since 4.4.0 - * @access public - * - * @param string $preview_url URL to be previewed. - */ - public function set_preview_url( $preview_url ) { - $this->preview_url = wp_validate_redirect( $preview_url, home_url( '/' ) ); + /** + * Set the initial URL to be previewed. + * + * URL is validated. + * + * @since 4.4.0 + * @access public + * + * @param string $preview_url URL to be previewed. + */ + public function set_preview_url( $preview_url ) { + $preview_url = esc_url_raw( $preview_url ); + $this->preview_url = wp_validate_redirect( $preview_url, home_url( '/' ) ); + } + + /** + * Get the initial URL to be previewed. + * + * @since 4.4.0 + * @access public + * + * @return string URL being previewed. + */ + public function get_preview_url() { + if ( empty( $this->preview_url ) ) { + $preview_url = home_url( '/' ); + } else { + $preview_url = $this->preview_url; + } + return $preview_url; + } + + /** + * Determines whether the admin and the frontend are on different domains. + * + * @since 4.7.0 + * @access public + * + * @return bool Whether cross-domain. + */ + public function is_cross_domain() { + $admin_origin = wp_parse_url( admin_url() ); + $home_origin = wp_parse_url( home_url() ); + $cross_domain = ( strtolower( $admin_origin['host'] ) !== strtolower( $home_origin['host'] ) ); + return $cross_domain; + } + + /** + * Get URLs allowed to be previewed. + * + * If the front end and the admin are served from the same domain, load the + * preview over ssl if the Customizer is being loaded over ssl. This avoids + * insecure content warnings. This is not attempted if the admin and front end + * are on different domains to avoid the case where the front end doesn't have + * ssl certs. Domain mapping plugins can allow other urls in these conditions + * using the customize_allowed_urls filter. + * + * @since 4.7.0 + * @access public + * + * @returns array Allowed URLs. + */ + public function get_allowed_urls() { + $allowed_urls = array( home_url( '/' ) ); + + if ( is_ssl() && ! $this->is_cross_domain() ) { + $allowed_urls[] = home_url( '/', 'https' ); + } + + /** + * Filters the list of URLs allowed to be clicked and followed in the Customizer preview. + * + * @since 3.4.0 + * + * @param array $allowed_urls An array of allowed URLs. + */ + $allowed_urls = array_unique( apply_filters( 'customize_allowed_urls', $allowed_urls ) ); + + return $allowed_urls; } /** - * Get the initial URL to be previewed. + * Get messenger channel. * - * @since 4.4.0 + * @since 4.7.0 * @access public * - * @return string URL being previewed. + * @return string Messenger channel. */ - public function get_preview_url() { - if ( empty( $this->preview_url ) ) { - $preview_url = home_url( '/' ); - } else { - $preview_url = $this->preview_url; - } - return $preview_url; + public function get_messenger_channel() { + return $this->messenger_channel; } /** @@ -1520,6 +3391,7 @@ final class WP_Customize_Manager { * @param string $return_url URL for return link. */ public function set_return_url( $return_url ) { + $return_url = esc_url_raw( $return_url ); $return_url = remove_query_arg( wp_removable_query_args(), $return_url ); $return_url = wp_validate_redirect( $return_url ); $this->return_url = $return_url; @@ -1586,45 +3458,64 @@ final class WP_Customize_Manager { } /** - * Print JavaScript settings for parent window. + * Get nonces for the Customizer. * - * @since 4.4.0 + * @since 4.5.0 + * @return array Nonces. */ - public function customize_pane_settings() { - /* - * If the frontend and the admin are served from the same domain, load the - * preview over ssl if the Customizer is being loaded over ssl. This avoids - * insecure content warnings. This is not attempted if the admin and frontend - * are on different domains to avoid the case where the frontend doesn't have - * ssl certs. Domain mapping plugins can allow other urls in these conditions - * using the customize_allowed_urls filter. - */ - - $allowed_urls = array( home_url( '/' ) ); - $admin_origin = parse_url( admin_url() ); - $home_origin = parse_url( home_url() ); - $cross_domain = ( strtolower( $admin_origin['host'] ) !== strtolower( $home_origin['host'] ) ); - - if ( is_ssl() && ! $cross_domain ) { - $allowed_urls[] = home_url( '/', 'https' ); - } + public function get_nonces() { + $nonces = array( + 'save' => wp_create_nonce( 'save-customize_' . $this->get_stylesheet() ), + 'preview' => wp_create_nonce( 'preview-customize_' . $this->get_stylesheet() ), + ); /** - * Filter the list of URLs allowed to be clicked and followed in the Customizer preview. + * Filters nonces for Customizer. * - * @since 3.4.0 + * @since 4.2.0 * - * @param array $allowed_urls An array of allowed URLs. + * @param array $nonces Array of refreshed nonces for save and + * preview actions. + * @param WP_Customize_Manager $this WP_Customize_Manager instance. */ - $allowed_urls = array_unique( apply_filters( 'customize_allowed_urls', $allowed_urls ) ); + $nonces = apply_filters( 'customize_refresh_nonces', $nonces, $this ); + + return $nonces; + } + + /** + * Print JavaScript settings for parent window. + * + * @since 4.4.0 + */ + public function customize_pane_settings() { $login_url = add_query_arg( array( 'interim-login' => 1, 'customize-login' => 1, ), wp_login_url() ); + // Ensure dirty flags are set for modified settings. + foreach ( array_keys( $this->unsanitized_post_values() ) as $setting_id ) { + $setting = $this->get_setting( $setting_id ); + if ( $setting ) { + $setting->dirty = true; + } + } + // Prepare Customizer settings to pass to JavaScript. $settings = array( + 'changeset' => array( + 'uuid' => $this->changeset_uuid(), + 'status' => $this->changeset_post_id() ? get_post_status( $this->changeset_post_id() ) : '', + ), + 'timeouts' => array( + 'windowRefresh' => 250, + 'changesetAutoSave' => AUTOSAVE_INTERVAL * 1000, + 'keepAliveCheck' => 2500, + 'reflowPaneContents' => 100, + 'previewFrameSensitivity' => 2000, + ), 'theme' => array( 'stylesheet' => $this->get_stylesheet(), 'active' => $this->is_theme_active(), @@ -1634,8 +3525,8 @@ final class WP_Customize_Manager { 'parent' => esc_url_raw( admin_url() ), 'activated' => esc_url_raw( home_url( '/' ) ), 'ajax' => esc_url_raw( admin_url( 'admin-ajax.php', 'relative' ) ), - 'allowed' => array_map( 'esc_url_raw', $allowed_urls ), - 'isCrossDomain' => $cross_domain, + 'allowed' => array_map( 'esc_url_raw', $this->get_allowed_urls() ), + 'isCrossDomain' => $this->is_cross_domain(), 'home' => esc_url_raw( home_url( '/' ) ), 'login' => esc_url_raw( $login_url ), ), @@ -1645,12 +3536,10 @@ final class WP_Customize_Manager { ), 'panels' => array(), 'sections' => array(), - 'nonce' => array( - 'save' => wp_create_nonce( 'save-customize_' . $this->get_stylesheet() ), - 'preview' => wp_create_nonce( 'preview-customize_' . $this->get_stylesheet() ), - ), - 'autofocus' => array(), + 'nonce' => $this->get_nonces(), + 'autofocus' => $this->get_autofocus(), 'documentTitleTmpl' => $this->get_document_title_template(), + 'previewableDevices' => $this->get_previewable_devices(), ); // Prepare Customize Section objects to pass to JavaScript. @@ -1672,20 +3561,6 @@ final class WP_Customize_Manager { } } - // Pass to frontend the Customizer construct being deeplinked. - foreach ( $this->get_autofocus() as $type => $id ) { - $can_autofocus = ( - ( 'control' === $type && $this->get_control( $id ) && $this->get_control( $id )->check_capabilities() ) - || - ( 'section' === $type && isset( $settings['sections'][ $id ] ) ) - || - ( 'panel' === $type && isset( $settings['panels'][ $id ] ) ) - ); - if ( $can_autofocus ) { - $settings['autofocus'][ $type ] = $id; - } - } - ?>