diff --git a/editor/post.php b/editor/post.php
index 1bf4a8ce2..ae2b4bd43 100755
--- a/editor/post.php
+++ b/editor/post.php
@@ -411,6 +411,11 @@ public function get_compiled_html()
 public function set_compiled_html($compiled_html) {
 $compiled_html = Brizy_SiteUrlReplacer::hideSiteUrl($compiled_html);
+
+ if ( !current_user_can( 'unfiltered_html' ) ) {
+ $compiled_html = wp_kses_post($compiled_html);
+ }
+
 $this->compiled_html = $compiled_html;
 return $this;
 }
diff --git a/editor/trait/sanitize.php b/editor/trait/sanitize.php
index 733db8f64..b6b159c74 100644
--- a/editor/trait/sanitize.php
+++ b/editor/trait/sanitize.php
@@ -15,10 +15,12 @@ public function sanitizeJson( $data ) {
 return $styles;
 } );
+ $dataDecoded = wp_kses_post_deep( $dataDecoded );
 //$dataDecoded = $this->escapeJsonValues( $dataDecoded );
 $data = json_encode( $dataDecoded );
 $data = preg_replace( '/javascript:.*?"/', '"', $data );
+ $data = preg_replace( '/javascript%3A.*?%22/', '%22', $data );
 $data = preg_replace( '/(on(click|mouseover|keydown|keyup|change|submit|load|error|focus|blur|select|dblclick))\s*[:=]\s*(\\\"|\\\')(.*?)(\3)/i', '', $data );
 return $data;
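Review bot: The capability check in set_compiled_html is bound to whoever is logged in when the setter runs, not to the user who authored the markup, so a recompile triggered by an administrator would store a lower-privilege author's HTML unfiltered; whether such a code path exists is not visible from this hunk and should be confirmed against the callers. A why-comment on the new block would help the next maintainer: `// Mirror core's post_content handling: only users with unfiltered_html (which also honours DISALLOW_UNFILTERED_HTML and multisite rules) may store unfiltered markup.` wp_kses_post strips everything outside its allowlist, so if the compiled output relies on elements such as iframes or inline style blocks, pages saved by users without the capability will render differently from an administrator's; a fixture test for both roles would pin that down.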
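Review bot: The new `javascript%3A` pattern is case-sensitive, unlike the event-handler pattern two lines below that carries the `/i` modifier, so the three regex passes in sanitizeJson do not agree on case handling; since percent-encoded hex digits are case-insensitive by definition, both `javascript` lines should take the modifier, e.g. `$data = preg_replace( '/javascript%3A.*?%22/i', '%22', $data );`. The added wp_kses_post_deep call runs before json_encode, so it now does the primary filtering on the decoded values while the regexes act as a second pass over the serialised string; a comment stating that layering would explain why both exist and that the regexes are not the main defence. wp_kses_post_deep is applied to every string in the structure, so any field holding non-HTML text (CSS, raw config fragments) may be rewritten by kses — worth checking against the data model, which is outside this hunk. sanitizeJson's signature and closing brace are outside the hunk.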