From 456eabc9f574e449863acbb3c4f12495485f15b8 Mon Sep 17 00:00:00 2001
From: Anton Vlasenko <43744263+anton-vlasenko@users.noreply.github.com>
Date: Fri, 1 Oct 2021 10:17:08 +0200
Subject: [PATCH] Fix slashing when creating or updating a menu item (#35147)

* Slash 'menu-id', 'menu-item-db-id' and $prepared-nav-item values before passing them in into wp_update_nav_menu_item function.
* Add unit tests that check if create_item and update_item endpoints correctly handle slashed data.
* Don't slash menu-id and menu-item-db-id values. They are expected to be integers.
---
 lib/class-wp-rest-menu-items-controller.php | 4 +-
 ...ss-rest-nav-menu-items-controller-test.php | 34 +++++++++++++++++++
 2 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/lib/class-wp-rest-menu-items-controller.php b/lib/class-wp-rest-menu-items-controller.php
index aeae2bb8706d9f..3b7ebb61d45136 100644
--- a/lib/class-wp-rest-menu-items-controller.php
+++ b/lib/class-wp-rest-menu-items-controller.php
@@ -181,7 +181,7 @@ public function create_item( $request ) {
 }
 $prepared_nav_item = (array) $prepared_nav_item;
- $nav_menu_item_id = wp_update_nav_menu_item( $prepared_nav_item['menu-id'], $prepared_nav_item['menu-item-db-id'], $prepared_nav_item );
+ $nav_menu_item_id = wp_update_nav_menu_item( $prepared_nav_item['menu-id'], $prepared_nav_item['menu-item-db-id'], wp_slash( $prepared_nav_item ) );
 if ( is_wp_error( $nav_menu_item_id ) ) {
 if ( 'db_insert_error' === $nav_menu_item_id->get_error_code() ) {
 $nav_menu_item_id->add_data( array( 'status' => 500 ) );
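Review bot: The new `wp_update_nav_menu_item()` call slashes only its third argument and nothing in the hunk says why, so a later reader who sees `$prepared_nav_item` used unslashed on the neighbouring lines cannot tell whether the two forms are interchangeable; a comment above the call would pin the contract, e.g. `// wp_update_nav_menu_item() expects slashed data (it writes via wp_insert_post()); the int menu-id / menu-item-db-id arguments stay unslashed.` The same applies to the identical call in the update_item hunk at @@ -271. This relies on prepare_item_for_database() returning unslashed values, as the commit message implies; any field that already arrives slashed would be double-escaped here, which the tests with a `\'` title would catch only for `title`. create_item's body continues both before and after this hunk.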
@@ -271,7 +271,7 @@ public function update_item( $request ) { $prepared_nav_item = (array) $prepared_nav_item; - $nav_menu_item_id = wp_update_nav_menu_item( $prepared_nav_item['menu-id'], $prepared_nav_item['menu-item-db-id'], $prepared_nav_item ); + $nav_menu_item_id = wp_update_nav_menu_item( $prepared_nav_item['menu-id'], $prepared_nav_item['menu-item-db-id'], wp_slash( $prepared_nav_item ) ); if ( is_wp_error( $nav_menu_item_id ) ) { if ( 'db_update_error' === $nav_menu_item_id->get_error_code() ) { diff --git a/phpunit/class-rest-nav-menu-items-controller-test.php b/phpunit/class-rest-nav-menu-items-controller-test.php index b840aedb5c4e68..c679bbb1a89bb4 100644 --- a/phpunit/class-rest-nav-menu-items-controller-test.php +++ b/phpunit/class-rest-nav-menu-items-controller-test.php 
@@ -937,4 +937,38 @@ protected function set_menu_item_data( $args = array() ) { return wp_parse_args( $args, $defaults ); } + + public function test_create_item_properly_handles_slashed_data() { + wp_set_current_user( self::$admin_id ); + + $request = new WP_REST_Request( 'POST', '/__experimental/menu-items' ); + $request->add_header( 'content-type', 'application/x-www-form-urlencoded' ); + $parameters = $this->set_menu_item_data( + array( + 'title' => 'Some \\\'title', + ) + ); + $request->set_body_params( $parameters ); + $response = rest_get_server()->dispatch( $request ); + $data = $response->get_data(); + $post = get_post( $data['id'] ); + $this->assertSame( $parameters['title'], $post->post_title ); + } + + public function test_update_item_properly_handles_slashed_data() { + wp_set_current_user( self::$admin_id ); + + $request = new WP_REST_Request( 'PUT', sprintf( '/__experimental/menu-items/%d', $this->menu_item_id ) ); + $request->add_header( 'content-type', 'application/x-www-form-urlencoded' ); + $title = 'Some \\\'title'; + $params = $this->set_menu_item_data( + array( + 'title' => $title, + ) + ); + $request->set_body_params( $params ); + $response = rest_get_server()->dispatch( $request ); + $new_data = $response->get_data(); + $this->assertEquals( $params['title'], $new_data['title']['raw'] ); + } }
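Review bot: Neither new test checks the response status before reading the body, so a rejected request (permission or validation error) would surface as an undefined-index notice on `$data['id']` or `$new_data['title']['raw']` instead of a clear assertion; add `$this->assertSame( 201, $response->get_status() );` after the dispatch in test_create_item_properly_handles_slashed_data and `$this->assertSame( 200, $response->get_status() );` in the update test, assuming the endpoints follow the usual WP REST status convention. The update test uses `assertEquals` where the create test uses `assertSame`; `$this->assertSame( $params['title'], $new_data['title']['raw'] );` keeps the string comparison strict and the two tests consistent. The update test also only inspects the serialised response, unlike the create test which reads the stored post back; asserting `get_post( $this->menu_item_id )->post_title` too would prove the slashing fix survives the write, which is the bug being fixed. `self::$admin_id` and `$this->menu_item_id` are presumably fixtures set up outside this hunk.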