WP_Customize_Manager::preserve_insert_changeset_post_content( array $data, array $postarr, array $unsanitized_postarr )

Preserve the initial JSON post_content passed to save into the post.


This is needed to prevent KSES and other ‘content_save_pre’ filters from corrupting JSON data.

Note that WP_Customize_Manager::validate_setting_values() have already run on the setting values being serialized as JSON into the post content so it is pre-sanitized.

Also, the sanitization logic is re-run through the respective WP_Customize_Setting::sanitize() method when being read out of the changeset, via WP_Customize_Manager::post_value(), and this sanitized value will also be sent into WP_Customize_Setting::update() for persisting to the DB.

Multiple users can collaborate on a single changeset, where one user may have the unfiltered_html capability but another may not. A user with unfiltered_html may add a script tag to some field which needs to be kept intact even when another user updates the changeset to modify another field when they do not have unfiltered_html.



(Required) An array of slashed and processed post data.


(Required) An array of sanitized (and slashed) but otherwise unmodified post data.


(Required) An array of slashed yet *unsanitized* and unprocessed post data as originally passed to wp_insert_post().


(array) Filtered post data.


File: wp-includes/class-wp-customize-manager.php

	public function preserve_insert_changeset_post_content( $data, $postarr, $unsanitized_postarr ) {
		if (
			isset( $data['post_type'] ) &&
			isset( $unsanitized_postarr['post_content'] ) &&
			'customize_changeset' === $data['post_type'] ||
				'revision' === $data['post_type'] &&
				! empty( $data['post_parent'] ) &&
				'customize_changeset' === get_post_type( $data['post_parent'] )
		) {
			$data['post_content'] = $unsanitized_postarr['post_content'];
		return $data;


Version Description
WP-4.9.14 Introduced.