Ticket #12284: 12284.patch

formatting.php

@@ -334 +334 @@
         // Handle double encoding ourselves
         if ( !$double_encode ) {
                 $string = wp_specialchars_decode( $string, $_quote_style );
+
+                /* Critical */
+                // The previous line decodes &phrase; into &phrase;  We must guarantee that &phrase; is valid before proceeding.
+                $string = wp_kses_normalize_entities( $string );
+
+                // Now proceed with custom double-encoding silliness
                 $string = preg_replace( '/&(#?x?[0-9a-z]+);/i', '|wp_entity|$1|/wp_entity|', $string );
         }
 

kses.php

@@ -336 +336 @@
 }
 
 /**
+ * Kses allowed HTML Entity Names.
+ * 
+ * @see wp_kses_normalize_entities()
+ * @see wp_kses_named_entities()
+ * 
+ * @global array $allowedentitynames
+ * @since 3.0.0
+ */
+$allowedentitynames = array(
+        'nbsp',   'iexcl',  'cent',   'pound',  'curren', 'yen',
+        'brvbar', 'sect',   'uml',    'copy',   'ordf',   'laquo',
+        'not',    'shy',    'reg',        'macr',   'deg',    'plusmn',
+        'acute',  'micro',  'para',   'middot', 'cedil',  'ordm',
+        'raquo',  'iquest', 'Agrave', 'Aacute', 'Acirc',  'Atilde',
+        'Auml',   'Aring',      'AElig',  'Ccedil', 'Egrave', 'Eacute',
+        'Ecirc',  'Euml',   'Igrave', 'Iacute', 'Icirc',  'Iuml',
+        'ETH',    'Ntilde', 'Ograve', 'Oacute', 'Ocirc',  'Otilde',
+        'Ouml',   'times',  'Oslash', 'Ugrave', 'Uacute', 'Ucirc',
+        'Uuml',   'Yacute', 'THORN',  'szlig',  'agrave', 'aacute',
+        'acirc',  'atilde', 'auml',   'aring',  'aelig',  'ccedil',
+        'egrave', 'eacute', 'ecirc',  'euml',   'igrave', 'iacute',
+        'icirc',  'iuml',   'eth',    'ntilde', 'ograve', 'oacute',
+        'ocirc',  'otilde', 'ouml',   'divide', 'oslash', 'ugrave',
+        'uacute', 'ucirc',  'uuml',   'yacute', 'thorn',  'yuml',
+        'quot',   'amp',    'lt',     'gt',     'apos',   'OElig',
+        'oelig',  'Scaron', 'scaron', 'Yuml',   'circ',   'tilde',
+        'ensp',   'emsp',   'thinsp', 'zwnj',   'zwj',    'lrm',
+        'rlm',    'ndash',  'mdash',  'lsquo',  'rsquo',  'sbquo',
+        'ldquo',  'rdquo',  'bdquo',  'dagger', 'Dagger', 'permil',
+        'lsaquo', 'rsaquo', 'euro',   'fnof',   'Alpha',  'Beta',
+        'Gamma',  'Delta',  'Epsilon','Zeta',   'Eta',    'Theta',
+        'Iota',   'Kappa',  'Lambda', 'Mu',     'Nu',     'Xi',
+        'Omicron','Pi',     'Rho',    'Sigma',  'Tau',    'Upsilon',
+        'Phi',    'Chi',    'Psi',    'Omega',  'alpha',  'beta',
+        'gamma',  'delta',  'epsilon','zeta',   'eta',    'theta',
+        'iota',   'kappa',  'lambda', 'mu',     'nu',     'xi',
+        'omicron','pi',     'rho',    'sigmaf', 'sigma',  'tau',
+        'upsilon','phi',    'chi',    'psi',    'omega',  'thetasym',
+        'upsih',  'piv',    'bull',   'hellip', 'prime',  'Prime',
+        'oline',  'frasl',  'weierp', 'image',  'real',   'trade',
+        'alefsym','larr',   'uarr',   'rarr',   'darr',   'harr',
+        'crarr',  'lArr',   'uArr',   'rArr',   'dArr',   'hArr',
+        'forall', 'part',   'exist',  'empty',  'nabla',  'isin',
+        'notin',  'ni',     'prod',   'sum',    'minus',  'lowast',
+        'radic',  'prop',   'infin',  'ang',    'and',    'or',
+        'cap',    'cup',    'int',    'sim',    'cong',   'asymp',
+        'ne',     'equiv',  'le',     'ge',     'sub',    'sup',
+        'nsub',   'sube',   'supe',   'oplus',  'otimes', 'perp',
+        'sdot',   'lceil',  'rceil',  'lfloor', 'rfloor', 'lang',
+        'rang',   'loz',    'spades', 'clubs',  'hearts', 'diams'
+);
+
+/**
  * Filters content and keeps only allowable HTML elements.
  *
  * This function makes sure that only the allowed HTML element names, attribute
@@ -945 +998 @@
  * @param string $string Content to normalize entities
  * @return string Content with normalized entities
  */
-function wp_kses_normalize_entities($string) {
+function wp_kses_normalize_entities( $string ) {
         # Disarm all entities by converting & to &
 
         $string = str_replace('&', '&', $string);
 
         # Change back the allowed entities in our entity whitelist
 
-        $string = preg_replace('/&([A-Za-z][A-Za-z0-9]{0,19});/', '&\\1;', $string);
+        $string = preg_replace_callback('/&([A-Za-z]{2,8});/', 'wp_kses_named_entities', $string);
         $string = preg_replace_callback('/&#0*([0-9]{1,5});/', 'wp_kses_normalize_entities2', $string);
         $string = preg_replace_callback('/&#([Xx])0*(([0-9A-Fa-f]{2}){1,2});/', 'wp_kses_normalize_entities3', $string);
 
@@ -962 +1015 @@
 /**
  * Callback for wp_kses_normalize_entities() regular expression.
  *
+ * This function only accepts valid named entity references, which are finite,
+ * case-sensitive, and highly scrutinized by HTML and XML validators.
+ *
+ * @access private
+ * @since 3.0.0
+ * @see wp_kses_normalize_entities()
+ * @uses $allowedentitynames
+ * @param array $matches preg_replace_callback() matches array
+ * @return string Correctly encoded entity
+ */
+function wp_kses_named_entities( $matches ) {
+        if ( empty($matches[1]) )
+                return '';
+
+        $i = $matches[1];
+        return ( in_array( $i, $GLOBALS['allowedentitynames'] ) ? "&$i;" : "&$i;"  );
+}
+
+/**
+ * Callback for wp_kses_normalize_entities() regular expression.
+ *
  * This function helps wp_kses_normalize_entities() to only accept 16 bit values
  * and nothing more for &#number; entities.
  *
  * @access private
  * @since 1.0.0
+ * @see wp_kses_normalize_entities()
  *
  * @param array $matches preg_replace_callback() matches array
  * @return string Correctly encoded entity
  */
-function wp_kses_normalize_entities2($matches) {
-        if ( ! isset($matches[1]) || empty($matches[1]) )
+function wp_kses_normalize_entities2( $matches ) {
+        if ( empty( $matches[1] ) )
                 return '';
 
         $i = $matches[1];
-        return ( ( ! valid_unicode($i) ) || ($i > 65535) ? "&#$i;" : "&#$i;" );
+        return ( valid_unicode( $i ) || ($i > 65535) ? "&#$i;" : "&#$i;" );
 }
 
 /**
@@ -986 +1061 @@
  * numeric entities in hex form.
  *
  * @access private
+ * @since {@internal Version Unknown}}
+ * @see wp_kses_normalize_entities()
  *
  * @param array $matches preg_replace_callback() matches array
  * @return string Correctly encoded entity
  */
-function wp_kses_normalize_entities3($matches) {
-        if ( ! isset($matches[2]) || empty($matches[2]) )
+function wp_kses_normalize_entities3( $matches ) {
+        if ( empty( $matches[2] ) )
                 return '';
 
         $hexchars = $matches[2];
-        return ( ( ! valid_unicode(hexdec($hexchars)) ) ? "&#x$hexchars;" : "&#x$hexchars;" );
+        return ( valid_unicode( hexdec( $hexchars ) ) ? "&#x$hexchars;" : "&#x$hexchars;" );
 }
 
 /**
@@ -1004 +1081 @@
  * @param int $i Unicode value
  * @return bool true if the value was a valid Unicode number
  */
-function valid_unicode($i) {
+function valid_unicode( $i ) {
         return ( $i == 0x9 || $i == 0xa || $i == 0xd ||
                         ($i >= 0x20 && $i <= 0xd7ff) ||
                         ($i >= 0xe000 && $i <= 0xfffd) ||