From 507f3b2d0ce0ccc8a4092d8479cffef762dad3a7 Mon Sep 17 00:00:00 2001
From: koopersmith
Date: Wed, 16 May 2012 20:59:02 +0000
Subject: [PATCH] Theme Customizer: Properly escape customize settings when sending values to JS. Add WP_Customize_Setting->js_value(). fixes #20687, see #19910.
git-svn-id: http://core.svn.wordpress.org/trunk@20809 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/class-wp-customize-setting.php | 16 ++++++++++++++++
 wp-includes/class-wp-customize.php | 2 +-
 wp-includes/customize-controls.php | 2 +-
 3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/wp-includes/class-wp-customize-setting.php b/wp-includes/class-wp-customize-setting.php
index 1e304d9ab..f6088c9f4 100644
--- a/wp-includes/class-wp-customize-setting.php
+++ b/wp-includes/class-wp-customize-setting.php
@@ -230,6 +230,22 @@ class WP_Customize_Setting {
 return $this->multidimensional_get( $values, $this->id_data[ 'keys' ], $this->default );
 }
+ /**
+ * Escape the parameter's value for use in JavaScript.
+ *
+ * @since 3.4.0
+ *
+ * @return mixed The requested escaped value.
+ */
+ public function js_value() {
+ $value = $this->value();
+
+ if ( is_string( $value ) )
+ return html_entity_decode( $value, ENT_QUOTES, 'UTF-8');
+
+ return $value;
+ }
+
 /**
 * Check if the theme supports the setting and check user capabilities.
 *
diff --git a/wp-includes/class-wp-customize.php b/wp-includes/class-wp-customize.php
index 9eb280ff3..ba6dfed89 100644
--- a/wp-includes/class-wp-customize.php
+++ b/wp-includes/class-wp-customize.php
@@ -213,7 +213,7 @@ final class WP_Customize {
 );
 foreach ( $this->settings as $id => $setting ) {
- $settings['values'][ $id ] = $setting->value();
+ $settings['values'][ $id ] = $setting->js_value();
 }
 ?>
diff --git a/wp-includes/customize-controls.php b/wp-includes/customize-controls.php
index 0fd9b030d..31a3cf35c 100644
--- a/wp-includes/customize-controls.php
+++ b/wp-includes/customize-controls.php
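Review bot: The docblock on `js_value()` says the value is escaped, but the body calls `html_entity_decode()`, which does the opposite: a stored `&lt;` comes back as `<`. A caller who trusts "The requested escaped value" could pass the result to an HTML sink, so the comment should state the real contract, e.g. `* Return the setting's value with HTML entities decoded, for export to JavaScript. The result is not HTML-escaped.` and `* @return mixed The decoded value; non-string values are returned unchanged.` Only a top-level string is decoded, so strings nested inside an array value pass through untouched; if that is intended, the same comment should say so.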
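Review bot: Nothing at the `$settings['values'][ $id ] = $setting->js_value();` line records that the values are now entity-decoded, and the code that prints `$settings` after the `?>` is outside this hunk. If that output is not serialised with `json_encode()` and consumed as text rather than markup on the client, decoded `<`, `>` and quote characters would reach the page unescaped. A short comment above the loop would pin the expectation, e.g. `// js_value() returns entity-decoded text: JSON-encode on output, never insert as HTML.` The same applies to the `'value' => $setting->js_value(),` line in the customize-controls.php hunk.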
@@ -108,7 +108,7 @@ do_action( 'customize_controls_print_scripts' );
 foreach ( $this->settings as $id => $setting ) {
 $settings['settings'][ $id ] = array(
- 'value' => $setting->value(),
+ 'value' => $setting->js_value(),
 'transport' => $setting->transport,
 );
 }