Ticket #12284: miqrohtmlinjectionsforwordpress.2.patch
File miqrohtmlinjectionsforwordpress.2.patch, 5.5 KB (added by , 8 years ago) 


wpincludes/formatting.php
334 334 // Handle double encoding ourselves 335 335 if ( !$double_encode ) { 336 336 $string = wp_specialchars_decode( $string, $_quote_style ); 337 338 /* Critical */ 339 // The previous line decodes &phrase; into &phrase; We must guarantee that &phrase; is valid before proceeding. 340 $string = wp_kses_normalize_entities($string); 341 342 // Now proceed with custom doubleencoding silliness 337 343 $string = preg_replace( '/&(#?x?[09az]+);/i', 'wp_entity$1/wp_entity', $string ); 338 344 } 339 345 
wpincludes/kses.php
333 333 // 'u' => array(), 334 334 // 'ul' => array(), 335 335 ); 336 337 $allowedentitynames = array( 338 'nbsp', 339 'iexcl', 340 'cent', 341 'pound', 342 'curren', 343 'yen', 344 'brvbar', 345 'sect', 346 'uml', 347 'copy', 348 'ordf', 349 'laquo', 350 'not', 351 'shy', 352 'reg', 353 'macr', 354 'deg', 355 'plusmn', 356 'acute', 357 'micro', 358 'para', 359 'middot', 360 'cedil', 361 'ordm', 362 'raquo', 363 'iquest', 364 'Agrave', 365 'Aacute', 366 'Acirc', 367 'Atilde', 368 'Auml', 369 'Aring', 370 'AElig', 371 'Ccedil', 372 'Egrave', 373 'Eacute', 374 'Ecirc', 375 'Euml', 376 'Igrave', 377 'Iacute', 378 'Icirc', 379 'Iuml', 380 'ETH', 381 'Ntilde', 382 'Ograve', 383 'Oacute', 384 'Ocirc', 385 'Otilde', 386 'Ouml', 387 'times', 388 'Oslash', 389 'Ugrave', 390 'Uacute', 391 'Ucirc', 392 'Uuml', 393 'Yacute', 394 'THORN', 395 'szlig', 396 'agrave', 397 'aacute', 398 'acirc', 399 'atilde', 400 'auml', 401 'aring', 402 'aelig', 403 'ccedil', 404 'egrave', 405 'eacute', 406 'ecirc', 407 'euml', 408 'igrave', 409 'iacute', 410 'icirc', 411 'iuml', 412 'eth', 413 'ntilde', 414 'ograve', 415 'oacute', 416 'ocirc', 417 'otilde', 418 'ouml', 419 'divide', 420 'oslash', 421 'ugrave', 422 'uacute', 423 'ucirc', 424 'uuml', 425 'yacute', 426 'thorn', 427 'yuml', 428 'quot', 429 'amp', 430 'lt', 431 'gt', 432 'apos', 433 'OElig', 434 'oelig', 435 'Scaron', 436 'scaron', 437 'Yuml', 438 'circ', 439 'tilde', 440 'ensp', 441 'emsp', 442 'thinsp', 443 'zwnj', 444 'zwj', 445 'lrm', 446 'rlm', 447 'ndash', 448 'mdash', 449 'lsquo', 450 'rsquo', 451 'sbquo', 452 'ldquo', 453 'rdquo', 454 'bdquo', 455 'dagger', 456 'Dagger', 457 'permil', 458 'lsaquo', 459 'rsaquo', 460 'euro', 461 'fnof', 462 'Alpha', 463 'Beta', 464 'Gamma', 465 'Delta', 466 'Epsilon', 467 'Zeta', 468 'Eta', 469 'Theta', 470 'Iota', 471 'Kappa', 472 'Lambda', 473 'Mu', 474 'Nu', 475 'Xi', 476 'Omicron', 477 'Pi', 478 'Rho', 479 'Sigma', 480 'Tau', 481 'Upsilon', 482 'Phi', 483 'Chi', 484 'Psi', 485 'Omega', 486 'alpha', 487 'beta', 488 'gamma', 489 'delta', 490 'epsilon', 491 'zeta', 492 'eta', 493 'theta', 494 'iota', 495 'kappa', 496 'lambda', 497 'mu', 498 'nu', 499 'xi', 500 'omicron', 501 'pi', 502 'rho', 503 'sigmaf', 504 'sigma', 505 'tau', 506 'upsilon', 507 'phi', 508 'chi', 509 'psi', 510 'omega', 511 'thetasym', 512 'upsih', 513 'piv', 514 'bull', 515 'hellip', 516 'prime', 517 'Prime', 518 'oline', 519 'frasl', 520 'weierp', 521 'image', 522 'real', 523 'trade', 524 'alefsym', 525 'larr', 526 'uarr', 527 'rarr', 528 'darr', 529 'harr', 530 'crarr', 531 'lArr', 532 'uArr', 533 'rArr', 534 'dArr', 535 'hArr', 536 'forall', 537 'part', 538 'exist', 539 'empty', 540 'nabla', 541 'isin', 542 'notin', 543 'ni', 544 'prod', 545 'sum', 546 'minus', 547 'lowast', 548 'radic', 549 'prop', 550 'infin', 551 'ang', 552 'and', 553 'or', 554 'cap', 555 'cup', 556 'int', 557 'sim', 558 'cong', 559 'asymp', 560 'ne', 561 'equiv', 562 'le', 563 'ge', 564 'sub', 565 'sup', 566 'nsub', 567 'sube', 568 'supe', 569 'oplus', 570 'otimes', 571 'perp', 572 'sdot', 573 'lceil', 574 'rceil', 575 'lfloor', 576 'rfloor', 577 'lang', 578 'rang', 579 'loz', 580 'spades', 581 'clubs', 582 'hearts', 583 'diams' 584 ); 336 585 } 337 586 338 587 /** … … 952 1201 953 1202 # Change back the allowed entities in our entity whitelist 954 1203 955 $string = preg_replace ('/&([AZaz][AZaz09]{0,19});/', '&\\1;', $string);1204 $string = preg_replace_callback('/&([AZaz]{2,8});/', 'wp_kses_named_entities', $string); 956 1205 $string = preg_replace_callback('/&#0*([09]{1,5});/', 'wp_kses_normalize_entities2', $string); 957 1206 $string = preg_replace_callback('/&#([Xx])0*(([09AFaf]{2}){1,2});/', 'wp_kses_normalize_entities3', $string); 958 1207 … … 962 1211 /** 963 1212 * Callback for wp_kses_normalize_entities() regular expression. 964 1213 * 1214 * This function only accepts valid named entity references, which are finite, 1215 * casesensitive, and highly scrutinized by HTML and XML validators. 1216 * 1217 * @since 3.0.0 1218 * 1219 * @param array $matches preg_replace_callback() matches array 1220 * @return string Correctly encoded entity 1221 */ 1222 function wp_kses_named_entities($matches) { 1223 global $allowedentitynames; 1224 1225 if ( empty($matches[1]) ) 1226 return ''; 1227 1228 $i = $matches[1]; 1229 return ( ( ! in_array($i, $allowedentitynames) ) ? "&$i;" : "&$i;" ); 1230 } 1231 1232 /** 1233 * Callback for wp_kses_normalize_entities() regular expression. 1234 * 965 1235 * This function helps wp_kses_normalize_entities() to only accept 16 bit values 966 1236 * and nothing more for &#number; entities. 967 1237 * … … 972 1242 * @return string Correctly encoded entity 973 1243 */ 974 1244 function wp_kses_normalize_entities2($matches) { 975 if ( ! isset($matches[1]) empty($matches[1]) )1245 if ( empty($matches[1]) ) 976 1246 return ''; 977 1247 978 1248 $i = $matches[1]; … … 991 1261 * @return string Correctly encoded entity 992 1262 */ 993 1263 function wp_kses_normalize_entities3($matches) { 994 if ( ! isset($matches[2]) empty($matches[2]) )1264 if ( empty($matches[2]) ) 995 1265 return ''; 996 1266 997 1267 $hexchars = $matches[2];