Menus: Prevent HTML in menu item titles from being rendered unexpectedly.

Merges [60815] and [60816] to the 6.8 branch.

Props audrasjb, desrosj, johnbillion, jorbin, phillsav, vortfu, westonruter

git-svn-id: https://develop.svn.wordpress.org/branches/6.8@60818 602fd350-edb4-49c9-b593-d223f7449a82

Author: johnbillion

src/js/_enqueues/lib/nav-menu.js

@@ -298,44 +298,46 @@
 
 						$.each( parentDropdowns, function() {
 							var parentDropdown = $( this ),
-								$html = '',
-								$selected = '',
-								currentItemID = parentDropdown.closest( 'li.menu-item' ).find( '.menu-item-data-db-id' ).val(),
-								currentparentID = parentDropdown.closest( 'li.menu-item' ).find( '.menu-item-data-parent-id' ).val(),
+								currentItemID = parseInt( parentDropdown.closest( 'li.menu-item' ).find( '.menu-item-data-db-id' ).val() ),
+								currentParentID = parseInt( parentDropdown.closest( 'li.menu-item' ).find( '.menu-item-data-parent-id' ).val() ),
 								currentItem = parentDropdown.closest( 'li.menu-item' ),
 								currentMenuItemChild = currentItem.childMenuItems(),
-								excludeMenuItem = [ currentItemID ];
+								excludeMenuItem =  /** @type {number[]} */ [ currentItemID ];
+
+							parentDropdown.empty();
 
 							if ( currentMenuItemChild.length > 0 ) {
 								$.each( currentMenuItemChild, function(){
 									var childItem = $(this),
-										childID = childItem.find( '.menu-item-data-db-id' ).val();
+										childID = parseInt( childItem.find( '.menu-item-data-db-id' ).val() );
 
 									excludeMenuItem.push( childID );
 								});
 							}
 
-							if ( currentparentID == 0 ) {
-								$selected = 'selected';
-							}
-
-							$html += '<option ' + $selected + ' value="0">' + wp.i18n._x( 'No Parent', 'menu item without a parent in navigation menu' ) + '</option>';
+							parentDropdown.append(
+								$( '<option>', {
+									value: '0',
+									selected: currentParentID === 0,
+									text: wp.i18n._x( 'No Parent', 'menu item without a parent in navigation menu' ),
+								} )
+							);
 
 							$.each( menuItems, function() {
 								var menuItem = $(this),
-								$selected = '',
-								menuID = menuItem.find( '.menu-item-data-db-id' ).val(),
+								menuID = parseInt( menuItem.find( '.menu-item-data-db-id' ).val() ),
 								menuTitle = menuItem.find( '.edit-menu-item-title' ).val();
 
 								if ( ! excludeMenuItem.includes( menuID ) ) {
-									if ( currentparentID == menuID ) {
-										$selected = 'selected';
-									}
-									$html += '<option ' + $selected + ' value="' + menuID + '">' + menuTitle + '</option>';
+									parentDropdown.append(
+										$( '<option>', {
+											value: menuID.toString(),
+											selected: currentParentID === menuID,
+											text: menuTitle,
+										} )
+									);
 								}
 							});
-
-							parentDropdown.html( $html );
 						});
 
 					});
@@ -349,9 +351,9 @@
 							var orderDropdown = $( this ),
 								menuItem = orderDropdown.closest( 'li.menu-item' ).first(),
 								depth = menuItem.menuItemDepth(),
-								isPrimaryMenuItem = ( 0 === depth ),
-								$html = '',
-								$selected = '';
+								isPrimaryMenuItem = ( 0 === depth );
+
+							orderDropdown.empty();
 
 							if ( isPrimaryMenuItem ) {
 								var primaryItems = $( '.menu-item-depth-0' ),
@@ -360,17 +362,19 @@
 								itemPosition = primaryItems.index( menuItem ) + 1;
 
 								for ( let i = 1; i < totalMenuItems + 1; i++ ) {
-									$selected = '';
-									if ( i == itemPosition ) { 
-										$selected = 'selected';
-									}
-									var itemString = wp.i18n.sprintf( 
+									var itemString = wp.i18n.sprintf(
 										/* translators: 1: The current menu item number, 2: The total number of menu items. */
 										wp.i18n._x( '%1$s of %2$s', 'part of a total number of menu items' ),
 										i,
 										totalMenuItems
 									);
-									$html += '<option ' + $selected + ' value="' + i + '">' + itemString + '</option>';
+									orderDropdown.append(
+										$( '<option>', {
+											selected: i === itemPosition,
+											value: i.toString(),
+											text: itemString,
+										} )
+									);
 								}
 
 							} else {
@@ -382,22 +386,22 @@
 								itemPosition = $( subItems.parents('.menu-item').get().reverse() ).index( menuItem ) + 1;
 
 								for ( let i = 1; i < totalSubMenuItems + 1; i++ ) {
-									$selected = '';
-									if ( i == itemPosition ) {
-										$selected = 'selected';
-									}
-									var submenuString = wp.i18n.sprintf( 
+									var submenuString = wp.i18n.sprintf(
 										/* translators: 1: The current submenu item number, 2: The total number of submenu items. */
 										wp.i18n._x( '%1$s of %2$s', 'part of a total number of menu items' ),
 										i,
 										totalSubMenuItems
 									);
-									$html += '<option ' + $selected + ' value="' + i + '">' + submenuString + '</option>';
+									orderDropdown.append(
+										$( '<option>', {
+											selected: i === itemPosition,
+											value: i.toString(),
+											text: submenuString,
+										} )
+									);
 								}
 
 							}
-
-							orderDropdown.html( $html );
 						});
 
 					});
@@ -1290,13 +1294,18 @@
 				}
 
 				if ( this.checked === true ) {
-					$( '#pending-menu-items-to-delete ul' ).append(
-						'<li data-menu-item-id="' + menuItemID + '">' +
-							'<span class="pending-menu-item-name">' + menuItemName + '</span> ' +
-							'<span class="pending-menu-item-type">(' + menuItemType + ')</span>' +
-							'<span class="separator"></span>' +
-						'</li>'
-					);
+					const $li = $( '<li>', { 'data-menu-item-id': menuItemID } );
+					$li.append( $( '<span>', {
+						'class': 'pending-menu-item-name',
+						text: menuItemName
+					} ) );
+					$li.append( ' ' );
+					$li.append( $( '<span>', {
+						'class': 'pending-menu-item-type',
+						text: '(' + menuItemType + ')',
+					} ) );
+					$li.append( $( '<span>', { 'class': 'separator' } ) );
+					$( '#pending-menu-items-to-delete ul' ).append( $li );
 				}
 
 				$( '#pending-menu-items-to-delete li .separator' ).html( ', ' );
@@ -1699,20 +1708,26 @@
 		},
 
 		eventOnClickMenuSave : function() {
-			var locs = '',
-			menuName = $('#menu-name'),
-			menuNameVal = menuName.val();
+			var menuName = $('#menu-name'),
+				menuNameVal = menuName.val();
 
 			// Cancel and warn if invalid menu name.
 			if ( ! menuNameVal || ! menuNameVal.replace( /\s+/, '' ) ) {
 				menuName.parent().addClass( 'form-invalid' );
 				return false;
 			}
 			// Copy menu theme locations.
+			// Note: This appears to be dead code since #nav-menu-theme-locations no longer exists, perhaps removed in r32842.
+			var $updateNavMenu = $('#update-nav-menu');
 			$('#nav-menu-theme-locations select').each(function() {
-				locs += '<input type="hidden" name="' + this.name + '" value="' + $(this).val() + '" />';
+				$updateNavMenu.append(
+					$( '<input>', {
+						type: 'hidden',
+						name: this.name,
+						value: $( this ).val(),
+					} )
+				);
 			});
-			$('#update-nav-menu').append( locs );
 			// Update menu item position data.
 			api.menuList.find('.menu-item-data-position').val( function(index) { return index + 1; } );
 			window.onbeforeunload = null;
@@ -1755,7 +1770,10 @@
 			$item;
 
 			if( ! $items.length ) {
-				$('.categorychecklist', panel).html( '<li><p>' + wp.i18n.__( 'No results found.' ) + '</p></li>' );
+				const li = $( '<li>' );
+				const p = $( '<p>', { text: wp.i18n.__( 'No results found.' ) } );
+				li.append( p );
+				$('.categorychecklist', panel).empty().append( li );
 				$( '.spinner', panel ).removeClass( 'is-active' );
 				wrapper.addClass( 'has-no-menu-item' );
 				return;

src/js/_enqueues/wp/customize/nav-menus.js

@@ -529,7 +529,13 @@
 				return;
 			}
 
-			this.currentMenuControl.addItemToMenu( menu_item.attributes );
+			// Leave the title as empty to reuse the original title as a placeholder if set.
+			var nav_menu_item = Object.assign( {}, menu_item.attributes );
+			if ( nav_menu_item.title === nav_menu_item.original_title ) {
+				nav_menu_item.title = '';
+			}
+
+			this.currentMenuControl.addItemToMenu( nav_menu_item );
 
 			$( menuitemTpl ).find( '.menu-item-handle' ).addClass( 'item-added' );
 		},
@@ -3136,7 +3142,6 @@
 				item,
 				{
 					nav_menu_term_id: menuControl.params.menu_id,
-					original_title: item.title,
 					position: position
 				}
 			);

src/wp-includes/class-wp-customize-nav-menus.php

@@ -191,13 +191,15 @@ public function load_available_items_query( $object_type = 'post_type', $object_
 				}
 			} elseif ( 'post' !== $object_name && 0 === $page && $post_type->has_archive ) {
 				// Add a post type archive link.
+				$title   = $post_type->labels->archives;
 				$items[] = array(
-					'id'         => $object_name . '-archive',
-					'title'      => $post_type->labels->archives,
-					'type'       => 'post_type_archive',
-					'type_label' => __( 'Post Type Archive' ),
-					'object'     => $object_name,
-					'url'        => get_post_type_archive_link( $object_name ),
+					'id'             => $object_name . '-archive',
+					'title'          => $title,
+					'original_title' => $title,
+					'type'           => 'post_type_archive',
+					'type_label'     => __( 'Post Type Archive' ),
+					'object'         => $object_name,
+					'url'            => get_post_type_archive_link( $object_name ),
 				);
 			}
 
@@ -244,14 +246,16 @@ public function load_available_items_query( $object_type = 'post_type', $object_
 					$post_type_label = implode( ',', $post_states );
 				}
 
+				$title   = html_entity_decode( $post_title, ENT_QUOTES, get_bloginfo( 'charset' ) );
 				$items[] = array(
-					'id'         => "post-{$post->ID}",
-					'title'      => html_entity_decode( $post_title, ENT_QUOTES, get_bloginfo( 'charset' ) ),
-					'type'       => 'post_type',
-					'type_label' => $post_type_label,
-					'object'     => $post->post_type,
-					'object_id'  => (int) $post->ID,
-					'url'        => get_permalink( (int) $post->ID ),
+					'id'             => "post-{$post->ID}",
+					'title'          => $title,
+					'original_title' => $title,
+					'type'           => 'post_type',
+					'type_label'     => $post_type_label,
+					'object'         => $post->post_type,
+					'object_id'      => (int) $post->ID,
+					'url'            => get_permalink( (int) $post->ID ),
 				);
 			}
 		} elseif ( 'taxonomy' === $object_type ) {
@@ -276,14 +280,16 @@ public function load_available_items_query( $object_type = 'post_type', $object_
 			}
 
 			foreach ( $terms as $term ) {
+				$title   = html_entity_decode( $term->name, ENT_QUOTES, get_bloginfo( 'charset' ) );
 				$items[] = array(
-					'id'         => "term-{$term->term_id}",
-					'title'      => html_entity_decode( $term->name, ENT_QUOTES, get_bloginfo( 'charset' ) ),
-					'type'       => 'taxonomy',
-					'type_label' => get_taxonomy( $term->taxonomy )->labels->singular_name,
-					'object'     => $term->taxonomy,
-					'object_id'  => (int) $term->term_id,
-					'url'        => get_term_link( (int) $term->term_id, $term->taxonomy ),
+					'id'             => "term-{$term->term_id}",
+					'title'          => $title,
+					'original_title' => $title,
+					'type'           => 'taxonomy',
+					'type_label'     => get_taxonomy( $term->taxonomy )->labels->singular_name,
+					'object'         => $term->taxonomy,
+					'object_id'      => (int) $term->term_id,
+					'url'            => get_term_link( (int) $term->term_id, $term->taxonomy ),
 				);
 			}
 		}