Description: Remove XSS from TinyMCE
 Fixes a cross-site scripting (XSS) vulnerability in the visual editor.
 CVE-2017-14726
Author: ocean90@wordpress.org
Origin: upstream, https://core.trac.wordpress.org/changeset/41436/branches/4.7
Bug-Debian: https://bugs.debian.org/876274
Applied-Upstream: 4.8.2
Reviewed-by: Craig Small <csmall@debian.org>
Last-Update: 2017-09-23
--- a/wp-includes/js/mce-view.js
+++ b/wp-includes/js/mce-view.js
@@ -155,8 +155,6 @@
 				encodedText,
 				instance;
 
-			text = tinymce.DOM.decode( text );
-
 			if ( text.indexOf( '[' ) !== -1 && text.indexOf( ']' ) !== -1 ) {
 				// Looks like a shortcode? Remove any line breaks from inside of shortcodes
 				// or autop will replace them with <p> and <br> later and the string won't match.
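Review bot: Dropping the `tinymce.DOM.decode( text )` call leaves no comment saying that `text` is now kept entity-encoded on purpose, so a later reader may reintroduce the decode and with it the original problem. A one-line comment where the removed line stood, such as `// Keep text encoded; it is decoded only for comparison in getMarkers.`, would record the intent. The enclosing function starts before the hunk, and where `text` ends up (presumably the `this.text` compared in the getMarkers hunk) is not visible here.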
@@ -430,7 +428,7 @@
 			this.getMarkers( function( editor, node ) {
 				var $viewNode;
 
-				if ( ! this.loader && $( node ).text() !== this.text ) {
+				if ( ! this.loader && $( node ).text() !== tinymce.DOM.decode( this.text ) ) {
 					editor.dom.setAttrib( node, 'data-wpview-marker', null );
 					return;
 				}
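Review bot: `tinymce.DOM.decode( this.text )` on the changed `if` line is evaluated once per marker node inside the getMarkers callback although `this.text` does not change between iterations; computing it once before `this.getMarkers(`, as `var decodedText = tinymce.DOM.decode( this.text );`, and comparing against `decodedText` avoids the repeated work and makes the contract explicit (stored text is entity-encoded, node text is not). This assumes the enclosing method's `this` is the same view object the callback sees, which the existing `this.loader` use suggests but the hunk does not show. The enclosing method starts and ends outside the hunk.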
@@ -494,6 +492,14 @@
 		setIframes: function( head, body, callback, rendered ) {
 			var self = this;
 
+			if ( body.indexOf( '[' ) !== -1 && body.indexOf( ']' ) !== -1 ) {
+				var shortcodesRegExp = new RegExp( '\\[\\/?(?:' + window.mceViewL10n.shortcodes.join( '|' ) + ')[^\\]]*?\\]', 'g' );
+				// Escape tags inside shortcode previews.
+				body = body.replace( shortcodesRegExp, function( match ) {
+					return match.replace( /</g, '&lt;' ).replace( />/g, '&gt;' );
+				} );
+			}
+
 			this.getNodes( function( editor, node ) {
 				var dom = editor.dom,
 					styles = '',
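Review bot: The RegExp built on the `shortcodesRegExp` line concatenates the tag names from `window.mceViewL10n.shortcodes` without quoting regex metacharacters, so a registered tag containing `(`, `)`, `.`, `+`, `?` or `|` would either throw a SyntaxError from setIframes (breaking every view preview) or change what the pattern matches; the script-loader.php hunk passes the names through raw, so the quoting belongs here. The same line also dereferences `window.mceViewL10n` unconditionally, which throws if mce-view is loaded without that localization. Quoting each name and defaulting the list keeps the escaping working in both cases; an empty list yields `(?:)`, which matches any bracketed text and so escapes more rather than less, so the fallback errs on the safe side. setIframes continues past the end of the hunk.
```javascript
			if ( body.indexOf( '[' ) !== -1 && body.indexOf( ']' ) !== -1 ) {
				var tags = ( window.mceViewL10n && window.mceViewL10n.shortcodes ) || [],
					escapedTags = [],
					shortcodesRegExp, i;

				for ( i = 0; i < tags.length; i++ ) {
					// Quote regex metacharacters so each tag name is matched literally.
					escapedTags.push( tags[ i ].replace( /[.*+?^${}()|[\]\\]/g, '\\$&' ) );
				}

				shortcodesRegExp = new RegExp( '\\[\\/?(?:' + escapedTags.join( '|' ) + ')[^\\]]*?\\]', 'g' );
				// … unchanged: escape < and > inside each match …
			}
```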
--- a/wp-includes/script-loader.php
+++ b/wp-includes/script-loader.php
@@ -938,6 +938,10 @@
 		'autosaveInterval' => AUTOSAVE_INTERVAL,
 		'blog_id' => get_current_blog_id(),
 	) );
+
+	wp_localize_script( 'mce-view', 'mceViewL10n', array(
+		'shortcodes' => ! empty( $GLOBALS['shortcode_tags'] ) ? array_keys( $GLOBALS['shortcode_tags'] ) : array()
+	) );
 }
 
 /**
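Review bot: The new `wp_localize_script( 'mce-view', 'mceViewL10n', ... )` call exports every registered shortcode name with no comment saying what consumes it, and nothing ties it to the regex in mce-view.js; add `// Shortcode tag names consumed by mce-view.js to escape tags inside shortcode previews.` above the call. The names are handed to JavaScript unquoted, so any regex quoting has to happen on the mce-view.js side. If this runs before a plugin registers its shortcodes, those tags are simply absent from the list and their previews are not escaped — hedged, since the enclosing function and its hook point lie outside the hunk.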
