Ticket #20210: 20210.3.diff
File 20210.3.diff, 12.9 KB (added by , 13 years ago) |
wp-includes/kses.php
51 51 $allowedposttags = array( 52 52 'address' => array(), 53 53 'a' => array( 54 'class' => true,55 54 'href' => true, 56 'id' => true,57 'title' => true,58 55 'rel' => true, 59 56 'rev' => true, 60 57 'name' => true, 61 58 'target' => true, 62 59 ), 63 'abbr' => array( 64 'class' => true, 65 'title' => true, 60 'abbr' => array(), 61 'acronym' => array(), 62 'area' => array( 63 'alt' => true, 64 'coords' => true, 65 'href' => true, 66 'nohref' => true, 67 'shape' => true, 68 'target' => true, 66 69 ), 67 'acronym' => array(68 'title' => true,69 ),70 70 'article' => array( 71 71 'align' => true, 72 'class' => true,73 72 'dir' => true, 74 73 'lang' => true, 75 'style' => true,76 74 'xml:lang' => true, 77 75 ), 78 76 'aside' => array( 79 77 'align' => true, 80 'class' => true,81 78 'dir' => true, 82 79 'lang' => true, 83 'style' => true,84 80 'xml:lang' => true, 85 81 ), 86 82 'b' => array(), 87 83 'big' => array(), 88 84 'blockquote' => array( 89 'id' => true,90 85 'cite' => true, 91 'class' => true,92 86 'lang' => true, 93 87 'xml:lang' => true, 94 88 ), 95 'br' => array ( 96 'class' => true, 97 ), 89 'br' => array (), 98 90 'button' => array( 99 91 'disabled' => true, 100 92 'name' => true, … … 103 95 ), 104 96 'caption' => array( 105 97 'align' => true, 106 'class' => true,107 98 ), 108 99 'cite' => array ( 109 'class' => true,110 100 'dir' => true, 111 101 'lang' => true, 112 102 'title' => true, 113 103 ), 114 'code' => array ( 115 'style' => true, 116 ), 104 'code' => array (), 117 105 'col' => array( 118 106 'align' => true, 119 107 'char' => true, 120 108 'charoff' => true, 121 109 'span' => true, 122 110 'dir' => true, 123 'style' => true,124 111 'valign' => true, 125 112 'width' => true, 126 113 ), … … 130 117 'dd' => array(), 131 118 'details' => array( 132 119 'align' => true, 133 'class' => true,134 120 'dir' => true, 135 121 'lang' => true, 136 122 'open' => true, 137 'style' => true,138 123 'xml:lang' => true, 139 124 ), 140 125 'div' => array( 141 
126 'align' => true, 142 'class' => true,143 127 'dir' => true, 144 128 'lang' => true, 145 'style' => true,146 129 'xml:lang' => true, 147 130 ), 148 131 'dl' => array(), … … 151 134 'fieldset' => array(), 152 135 'figure' => array( 153 136 'align' => true, 154 'class' => true,155 137 'dir' => true, 156 138 'lang' => true, 157 'style' => true,158 139 'xml:lang' => true, 159 140 ), 160 141 'figcaption' => array( 161 142 'align' => true, 162 'class' => true,163 143 'dir' => true, 164 144 'lang' => true, 165 'style' => true,166 145 'xml:lang' => true, 167 146 ), 168 147 'font' => array( … … 172 151 ), 173 152 'footer' => array( 174 153 'align' => true, 175 'class' => true,176 154 'dir' => true, 177 155 'lang' => true, 178 'style' => true,179 156 'xml:lang' => true, 180 157 ), 181 158 'form' => array( … … 189 166 ), 190 167 'h1' => array( 191 168 'align' => true, 192 'class' => true,193 'id' => true,194 'style' => true,195 169 ), 196 170 'h2' => array ( 197 171 'align' => true, 198 'class' => true,199 'id' => true,200 'style' => true,201 172 ), 202 173 'h3' => array ( 203 174 'align' => true, 204 'class' => true,205 'id' => true,206 'style' => true,207 175 ), 208 176 'h4' => array ( 209 177 'align' => true, 210 'class' => true,211 'id' => true,212 'style' => true,213 178 ), 214 179 'h5' => array ( 215 180 'align' => true, 216 'class' => true,217 'id' => true,218 'style' => true,219 181 ), 220 182 'h6' => array ( 221 183 'align' => true, 222 'class' => true,223 'id' => true,224 'style' => true,225 184 ), 226 185 'header' => array( 227 186 'align' => true, 228 'class' => true,229 187 'dir' => true, 230 188 'lang' => true, 231 'style' => true,232 189 'xml:lang' => true, 233 190 ), 234 191 'hgroup' => array( 235 192 'align' => true, 236 'class' => true,237 193 'dir' => true, 238 194 'lang' => true, 239 'style' => true,240 195 'xml:lang' => true, 241 196 ), 242 197 'hr' => array ( 243 198 'align' => true, 244 'class' => true,245 199 'noshade' => true, 246 200 'size' => 
true, 247 201 'width' => true, 248 202 ), 249 'i' => array (),203 'i' => array (), 250 204 'img' => array( 251 205 'alt' => true, 252 206 'align' => true, 253 207 'border' => true, 254 'class' => true,255 208 'height' => true, 256 209 'hspace' => true, 257 210 'longdesc' => true, 258 211 'vspace' => true, 259 212 'src' => true, 260 ' style' => true,213 'usemap' => true, 261 214 'width' => true, 262 215 ), 263 216 'ins' => array( 264 217 'datetime' => true, 265 218 'cite' => true, 266 219 ), 267 'kbd' => array (),220 'kbd' => array (), 268 221 'label' => array( 269 222 'for' => true, 270 223 ), … … 273 226 ), 274 227 'li' => array ( 275 228 'align' => true, 276 'class' => true,277 229 ), 230 'map' => array( 231 'name' => true, 232 ), 278 233 'menu' => array ( 279 'class' => true,280 'style' => true,281 234 'type' => true, 282 235 ), 283 236 'nav' => array( 284 237 'align' => true, 285 'class' => true,286 238 'dir' => true, 287 239 'lang' => true, 288 'style' => true,289 240 'xml:lang' => true, 290 241 ), 291 242 'p' => array( 292 'class' => true,293 243 'align' => true, 294 244 'dir' => true, 295 245 'lang' => true, 296 'style' => true,297 246 'xml:lang' => true, 298 247 ), 299 248 'pre' => array( 300 'style' => true,301 249 'width' => true, 302 250 ), 303 251 'q' => array( … … 305 253 ), 306 254 's' => array(), 307 255 'span' => array ( 308 'class' => true,309 256 'dir' => true, 310 257 'align' => true, 311 258 'lang' => true, 312 'style' => true,313 'title' => true,314 259 'xml:lang' => true, 315 260 ), 316 261 'section' => array( 317 262 'align' => true, 318 'class' => true,319 263 'dir' => true, 320 264 'lang' => true, 321 'style' => true,322 265 'xml:lang' => true, 323 266 ), 324 'small' => array (),325 'strike' => array (),326 'strong' => array (),327 'sub' => array (),267 'small' => array (), 268 'strike' => array (), 269 'strong' => array (), 270 'sub' => array (), 328 271 'summary' => array( 329 272 'align' => true, 330 'class' => true,331 273 'dir' => 
true, 332 274 'lang' => true, 333 'style' => true,334 275 'xml:lang' => true, 335 276 ), 336 'sup' => array (),277 'sup' => array (), 337 278 'table' => array( 338 279 'align' => true, 339 280 'bgcolor' => true, 340 281 'border' => true, 341 282 'cellpadding' => true, 342 283 'cellspacing' => true, 343 'class' => true,344 284 'dir' => true, 345 'id' => true,346 285 'rules' => true, 347 'style' => true,348 286 'summary' => true, 349 287 'width' => true, 350 288 ), … … 361 299 'bgcolor' => true, 362 300 'char' => true, 363 301 'charoff' => true, 364 'class' => true,365 302 'colspan' => true, 366 303 'dir' => true, 367 304 'headers' => true, … … 369 306 'nowrap' => true, 370 307 'rowspan' => true, 371 308 'scope' => true, 372 'style' => true,373 309 'valign' => true, 374 310 'width' => true, 375 311 ), … … 383 319 'tfoot' => array( 384 320 'align' => true, 385 321 'char' => true, 386 'class' => true,387 322 'charoff' => true, 388 323 'valign' => true, 389 324 ), … … 394 329 'bgcolor' => true, 395 330 'char' => true, 396 331 'charoff' => true, 397 'class' => true,398 332 'colspan' => true, 399 333 'headers' => true, 400 334 'height' => true, … … 408 342 'align' => true, 409 343 'char' => true, 410 344 'charoff' => true, 411 'class' => true,412 345 'valign' => true, 413 346 ), 414 347 'title' => array(), … … 417 350 'bgcolor' => true, 418 351 'char' => true, 419 352 'charoff' => true, 420 'class' => true,421 'style' => true,422 353 'valign' => true, 423 354 ), 424 'tt' => array (),425 'u' => array (),355 'tt' => array (), 356 'u' => array (), 426 357 'ul' => array ( 427 'class' => true,428 'style' => true,429 358 'type' => true, 430 359 ), 431 360 'ol' => array ( 432 'class' => true,433 361 'start' => true, 434 'style' => true,435 362 'type' => true, 436 363 ), 437 364 'var' => array(), … … 526 453 'sdot', 'lceil', 'rceil', 'lfloor', 'rfloor', 'lang', 527 454 'rang', 'loz', 'spades', 'clubs', 'hearts', 'diams', 528 455 ); 456 } else { 457 $allowedtags = 
wp_kses_array_lc( $allowedtags ); 458 $allowedposttags = wp_kses_array_lc( $allowedposttags ); 529 459 } 530 460 531 461 /** 462 * Return a list of allowed tags and attributes for a given context. 463 * 464 * @since 3.5.0 465 * 466 * @param string $context The context for which to retrieve tags. Allowed values are 467 * post | strip | data | entities or the name of a field filter such as pre_user_description. 468 * @return array List of allowed tags and their allowed attributes. 469 */ 470 function wp_kses_allowed_html( $context = '' ) { 471 global $allowedposttags, $allowedtags, $allowedentitynames; 472 473 switch ( $context ) { 474 case 'post': 475 return apply_filters( 'wp_kses_allowed_html', array_map( '_wp_add_global_attributes', $allowedposttags ), $context ); 476 break; 477 case 'user_description': 478 case 'pre_user_description': 479 $tags = $allowedtags; 480 $tags['a']['rel'] = true; 481 return apply_filters( 'wp_kses_allowed_html', $tags, $context ); 482 break; 483 case 'strip': 484 return apply_filters( 'wp_kses_allowed_html', array(), $context ); 485 break; 486 case 'entities': 487 return apply_filters( 'wp_kses_allowed_html', $allowedentitynames, $context); 488 break; 489 case 'data': 490 default: 491 return apply_filters( 'wp_kses_allowed_html', $allowedtags, $context ); 492 } 493 } 494 495 function _wp_add_global_attributes( $value ) { 496 $global_attributes = array( 497 'class' => true, 498 'id' => true, 499 'style' => true, 500 'title' => true, 501 ); 502 503 if ( true === $value ) 504 $value = array(); 505 506 if ( is_array( $value ) ) 507 return array_merge( $value, $global_attributes ); 508 509 return $value; 510 } 511 512 /** 532 513 * Filters content and keeps only allowable HTML elements. 
533 514 * 534 515 * This function makes sure that only the allowed HTML element names, attribute … … 554 535 $string = wp_kses_no_null($string); 555 536 $string = wp_kses_js_entities($string); 556 537 $string = wp_kses_normalize_entities($string); 557 $allowed_html_fixed = wp_kses_array_lc($allowed_html); 558 $string = wp_kses_hook($string, $allowed_html_fixed, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook 559 return wp_kses_split($string, $allowed_html_fixed, $allowed_protocols); 538 $string = wp_kses_hook($string, $allowed_html, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook 539 return wp_kses_split($string, $allowed_html, $allowed_protocols); 560 540 } 561 541 562 542 /** … … 572 552 * @param array $allowed_protocols Allowed protocol in links 573 553 * @return string Filtered content through 'pre_kses' hook 574 554 */ 575 function wp_kses_hook( $string, $allowed_html, $allowed_protocols) {555 function wp_kses_hook( $string, $allowed_html, $allowed_protocols ) { 576 556 $string = apply_filters('pre_kses', $string, $allowed_html, $allowed_protocols); 577 557 return $string; 578 558 } … … 600 580 * @param array $allowed_protocols Allowed protocols to keep 601 581 * @return string Content with fixed HTML tags 602 582 */ 603 function wp_kses_split( $string, $allowed_html, $allowed_protocols) {583 function wp_kses_split( $string, $allowed_html, $allowed_protocols ) { 604 584 global $pass_allowed_html, $pass_allowed_protocols; 605 585 $pass_allowed_html = $allowed_html; 606 586 $pass_allowed_protocols = $allowed_protocols; … … 668 648 $elem = $matches[2]; 669 649 $attrlist = $matches[3]; 670 650 651 if ( ! is_array( $allowed_html ) ) 652 $allowed_html = wp_kses_allowed_html( $allowed_html ); 653 671 654 if ( ! 
isset($allowed_html[strtolower($elem)]) ) 672 655 return ''; 673 656 # They are using a not allowed HTML element … … 699 682 function wp_kses_attr($element, $attr, $allowed_html, $allowed_protocols) { 700 683 # Is there a closing XHTML slash at the end of the attributes? 701 684 685 if ( ! is_array( $allowed_html ) ) 686 $allowed_html = wp_kses_allowed_html( $allowed_html ); 687 702 688 $xhtml_slash = ''; 703 689 if (preg_match('%\s*/\s*$%', $attr)) 704 690 $xhtml_slash = ' /'; … … 1286 1272 * @param string $data Content to filter, expected to be escaped with slashes 1287 1273 * @return string Filtered content 1288 1274 */ 1289 function wp_filter_kses($data) { 1290 global $allowedtags; 1291 return addslashes( wp_kses(stripslashes( $data ), $allowedtags) ); 1275 function wp_filter_kses( $data ) { 1276 return addslashes( wp_kses( stripslashes( $data ), current_filter() ) ); 1292 1277 } 1293 1278 1294 1279 /** … … 1300 1285 * @param string $data Content to filter, expected to not be escaped 1301 1286 * @return string Filtered content 1302 1287 */ 1303 function wp_kses_data($data) { 1304 global $allowedtags; 1305 return wp_kses( $data , $allowedtags ); 1288 function wp_kses_data( $data ) { 1289 return wp_kses( $data , current_filter() ); 1306 1290 } 1307 1291 1308 1292 /** … … 1312 1296 * data from forms. 1313 1297 * 1314 1298 * @since 2.0.0 1315 * @uses $allowedposttags1316 1299 * 1317 1300 * @param string $data Post content to filter, expected to be escaped with slashes 1318 1301 * @return string Filtered post content with allowed HTML tags and attributes intact. 1319 1302 */ 1320 1303 function wp_filter_post_kses($data) { 1321 global $allowedposttags; 1322 return addslashes ( wp_kses(stripslashes( $data ), $allowedposttags) ); 1304 return addslashes ( wp_kses( stripslashes( $data ), 'post' ) ); 1323 1305 } 1324 1306 1325 1307 /** … … 1329 1311 * data from forms. 
1330 1312 * 1331 1313 * @since 2.9.0 1332 * @uses $allowedposttags1333 1314 * 1334 1315 * @param string $data Post content to filter 1335 1316 * @return string Filtered post content with allowed HTML tags and attributes intact. 1336 1317 */ 1337 1318 function wp_kses_post($data) { 1338 global $allowedposttags; 1339 return wp_kses( $data , $allowedposttags ); 1319 return wp_kses( $data , 'post' ); 1340 1320 } 1341 1321 1342 1322 /** … … 1347 1327 * @param string $data Content to strip all HTML from 1348 1328 * @return string Filtered content without any HTML 1349 1329 */ 1350 function wp_filter_nohtml_kses( $data) {1351 return addslashes ( wp_kses( stripslashes( $data ), array()) );1330 function wp_filter_nohtml_kses( $data ) { 1331 return addslashes ( wp_kses( stripslashes( $data ), 'strip' ) ); 1352 1332 } 1353 1333 1354 1334 /**
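Review bot: In the new wp_kses_allowed_html (hunk at 461–510), the `user_description`/`pre_user_description` branch does `$tags['a']['rel'] = true;` unconditionally, which creates an `a` entry when the global `$allowedtags` has none; the default set visible at line 53 does define `a`, but the lowercase-only `else` branch at 456–458 implies a site-supplied set is possible, and one that deliberately omits anchors would then start admitting `<a rel="...">` in user descriptions, so guard it as `if ( isset( $tags['a'] ) ) $tags['a']['rel'] = true;`. The `break;` after each `return` in that switch is unreachable and can be dropped. `_wp_add_global_attributes` has no docblock although it widens the attribute surface of every post-context tag; a short one stating that it appends `class`, `id`, `style` and `title` to each element's allow-list (turning a bare `true` into an array first) with `@since 3.5.0` and `@access private` would make that change reviewable. Note also that `wp_kses` no longer lowercases a caller-supplied `$allowed_html` array (the removed `wp_kses_array_lc` call at 557), so custom arrays with upper-case keys will now fail closed in wp_kses_split2's `isset($allowed_html[strtolower($elem)])`; that is the safe direction but worth a line in the changelog.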