Ticket #20210: 20210.5.diff
File 20210.5.diff, 13.4 KB (added by , 13 years ago) |
wp-includes/kses.php
51 51 $allowedposttags = array( 52 52 'address' => array(), 53 53 'a' => array( 54 'class' => true,55 54 'href' => true, 56 'id' => true,57 'title' => true,58 55 'rel' => true, 59 56 'rev' => true, 60 57 'name' => true, 61 58 'target' => true, 62 59 ), 63 'abbr' => array( 64 'class' => true, 65 'title' => true, 60 'abbr' => array(), 61 'acronym' => array(), 62 'area' => array( 63 'alt' => true, 64 'coords' => true, 65 'href' => true, 66 'nohref' => true, 67 'shape' => true, 68 'target' => true, 66 69 ), 67 'acronym' => array(68 'title' => true,69 ),70 70 'article' => array( 71 71 'align' => true, 72 'class' => true,73 72 'dir' => true, 74 73 'lang' => true, 75 'style' => true,76 74 'xml:lang' => true, 77 75 ), 78 76 'aside' => array( 79 77 'align' => true, 80 'class' => true,81 78 'dir' => true, 82 79 'lang' => true, 83 'style' => true,84 80 'xml:lang' => true, 85 81 ), 86 82 'b' => array(), 87 83 'big' => array(), 88 84 'blockquote' => array( 89 'id' => true,90 85 'cite' => true, 91 'class' => true,92 86 'lang' => true, 93 87 'xml:lang' => true, 94 88 ), 95 'br' => array ( 96 'class' => true, 97 ), 89 'br' => array (), 98 90 'button' => array( 99 91 'disabled' => true, 100 92 'name' => true, … … 103 95 ), 104 96 'caption' => array( 105 97 'align' => true, 106 'class' => true,107 98 ), 108 99 'cite' => array ( 109 'class' => true,110 100 'dir' => true, 111 101 'lang' => true, 112 'title' => true,113 102 ), 114 'code' => array ( 115 'style' => true, 116 ), 103 'code' => array (), 117 104 'col' => array( 118 105 'align' => true, 119 106 'char' => true, 120 107 'charoff' => true, 121 108 'span' => true, 122 109 'dir' => true, 123 'style' => true,124 110 'valign' => true, 125 111 'width' => true, 126 112 ), … … 130 116 'dd' => array(), 131 117 'details' => array( 132 118 'align' => true, 133 'class' => true,134 119 'dir' => true, 135 120 'lang' => true, 136 121 'open' => true, 137 'style' => true,138 122 'xml:lang' => true, 139 123 ), 140 124 'div' => array( 141 125 
'align' => true, 142 'class' => true,143 126 'dir' => true, 144 127 'lang' => true, 145 'style' => true,146 128 'xml:lang' => true, 147 129 ), 148 130 'dl' => array(), … … 151 133 'fieldset' => array(), 152 134 'figure' => array( 153 135 'align' => true, 154 'class' => true,155 136 'dir' => true, 156 137 'lang' => true, 157 'style' => true,158 138 'xml:lang' => true, 159 139 ), 160 140 'figcaption' => array( 161 141 'align' => true, 162 'class' => true,163 142 'dir' => true, 164 143 'lang' => true, 165 'style' => true,166 144 'xml:lang' => true, 167 145 ), 168 146 'font' => array( … … 172 150 ), 173 151 'footer' => array( 174 152 'align' => true, 175 'class' => true,176 153 'dir' => true, 177 154 'lang' => true, 178 'style' => true,179 155 'xml:lang' => true, 180 156 ), 181 157 'form' => array( … … 189 165 ), 190 166 'h1' => array( 191 167 'align' => true, 192 'class' => true,193 'id' => true,194 'style' => true,195 168 ), 196 169 'h2' => array ( 197 170 'align' => true, 198 'class' => true,199 'id' => true,200 'style' => true,201 171 ), 202 172 'h3' => array ( 203 173 'align' => true, 204 'class' => true,205 'id' => true,206 'style' => true,207 174 ), 208 175 'h4' => array ( 209 176 'align' => true, 210 'class' => true,211 'id' => true,212 'style' => true,213 177 ), 214 178 'h5' => array ( 215 179 'align' => true, 216 'class' => true,217 'id' => true,218 'style' => true,219 180 ), 220 181 'h6' => array ( 221 182 'align' => true, 222 'class' => true,223 'id' => true,224 'style' => true,225 183 ), 226 184 'header' => array( 227 185 'align' => true, 228 'class' => true,229 186 'dir' => true, 230 187 'lang' => true, 231 'style' => true,232 188 'xml:lang' => true, 233 189 ), 234 190 'hgroup' => array( 235 191 'align' => true, 236 'class' => true,237 192 'dir' => true, 238 193 'lang' => true, 239 'style' => true,240 194 'xml:lang' => true, 241 195 ), 242 196 'hr' => array ( 243 197 'align' => true, 244 'class' => true,245 198 'noshade' => true, 246 199 'size' => true, 
247 200 'width' => true, 248 201 ), 249 'i' => array (),202 'i' => array (), 250 203 'img' => array( 251 204 'alt' => true, 252 205 'align' => true, 253 206 'border' => true, 254 'class' => true,255 207 'height' => true, 256 208 'hspace' => true, 257 209 'longdesc' => true, 258 210 'vspace' => true, 259 211 'src' => true, 260 ' style' => true,212 'usemap' => true, 261 213 'width' => true, 262 214 ), 263 215 'ins' => array( 264 216 'datetime' => true, 265 217 'cite' => true, 266 218 ), 267 'kbd' => array (),219 'kbd' => array (), 268 220 'label' => array( 269 221 'for' => true, 270 222 ), … … 273 225 ), 274 226 'li' => array ( 275 227 'align' => true, 276 'class' => true,277 228 ), 229 'map' => array( 230 'name' => true, 231 ), 278 232 'menu' => array ( 279 'class' => true,280 'style' => true,281 233 'type' => true, 282 234 ), 283 235 'nav' => array( 284 236 'align' => true, 285 'class' => true,286 237 'dir' => true, 287 238 'lang' => true, 288 'style' => true,289 239 'xml:lang' => true, 290 240 ), 291 241 'p' => array( 292 'class' => true,293 242 'align' => true, 294 243 'dir' => true, 295 244 'lang' => true, 296 'style' => true,297 245 'xml:lang' => true, 298 246 ), 299 247 'pre' => array( 300 'style' => true,301 248 'width' => true, 302 249 ), 303 250 'q' => array( … … 305 252 ), 306 253 's' => array(), 307 254 'span' => array ( 308 'class' => true,309 255 'dir' => true, 310 256 'align' => true, 311 257 'lang' => true, 312 'style' => true,313 'title' => true,314 258 'xml:lang' => true, 315 259 ), 316 260 'section' => array( 317 261 'align' => true, 318 'class' => true,319 262 'dir' => true, 320 263 'lang' => true, 321 'style' => true,322 264 'xml:lang' => true, 323 265 ), 324 'small' => array (),325 'strike' => array (),326 'strong' => array (),327 'sub' => array (),266 'small' => array (), 267 'strike' => array (), 268 'strong' => array (), 269 'sub' => array (), 328 270 'summary' => array( 329 271 'align' => true, 330 'class' => true,331 272 'dir' => true, 332 
273 'lang' => true, 333 'style' => true,334 274 'xml:lang' => true, 335 275 ), 336 'sup' => array (),276 'sup' => array (), 337 277 'table' => array( 338 278 'align' => true, 339 279 'bgcolor' => true, 340 280 'border' => true, 341 281 'cellpadding' => true, 342 282 'cellspacing' => true, 343 'class' => true,344 283 'dir' => true, 345 'id' => true,346 284 'rules' => true, 347 'style' => true,348 285 'summary' => true, 349 286 'width' => true, 350 287 ), … … 361 298 'bgcolor' => true, 362 299 'char' => true, 363 300 'charoff' => true, 364 'class' => true,365 301 'colspan' => true, 366 302 'dir' => true, 367 303 'headers' => true, … … 369 305 'nowrap' => true, 370 306 'rowspan' => true, 371 307 'scope' => true, 372 'style' => true,373 308 'valign' => true, 374 309 'width' => true, 375 310 ), … … 383 318 'tfoot' => array( 384 319 'align' => true, 385 320 'char' => true, 386 'class' => true,387 321 'charoff' => true, 388 322 'valign' => true, 389 323 ), … … 394 328 'bgcolor' => true, 395 329 'char' => true, 396 330 'charoff' => true, 397 'class' => true,398 331 'colspan' => true, 399 332 'headers' => true, 400 333 'height' => true, … … 408 341 'align' => true, 409 342 'char' => true, 410 343 'charoff' => true, 411 'class' => true,412 344 'valign' => true, 413 345 ), 414 346 'title' => array(), … … 417 349 'bgcolor' => true, 418 350 'char' => true, 419 351 'charoff' => true, 420 'class' => true,421 'style' => true,422 352 'valign' => true, 423 353 ), 424 'tt' => array (),425 'u' => array (),354 'tt' => array (), 355 'u' => array (), 426 356 'ul' => array ( 427 'class' => true,428 'style' => true,429 357 'type' => true, 430 358 ), 431 359 'ol' => array ( 432 'class' => true,433 360 'start' => true, 434 'style' => true,435 361 'type' => true, 436 362 ), 437 363 'var' => array(), … … 526 452 'sdot', 'lceil', 'rceil', 'lfloor', 'rfloor', 'lang', 527 453 'rang', 'loz', 'spades', 'clubs', 'hearts', 'diams', 528 454 ); 455 456 $allowedposttags = array_map( 
'_wp_add_global_attributes', $allowedposttags ); 457 } else { 458 $allowedtags = wp_kses_array_lc( $allowedtags ); 459 $allowedposttags = wp_kses_array_lc( $allowedposttags ); 529 460 } 530 461 531 462 /** … … 554 485 $string = wp_kses_no_null($string); 555 486 $string = wp_kses_js_entities($string); 556 487 $string = wp_kses_normalize_entities($string); 557 $allowed_html_fixed = wp_kses_array_lc($allowed_html); 558 $string = wp_kses_hook($string, $allowed_html_fixed, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook 559 return wp_kses_split($string, $allowed_html_fixed, $allowed_protocols); 488 $string = wp_kses_hook($string, $allowed_html, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook 489 return wp_kses_split($string, $allowed_html, $allowed_protocols); 560 490 } 561 491 562 492 /** 493 * Return a list of allowed tags and attributes for a given context. 494 * 495 * @since 3.5.0 496 * 497 * @param string $context The context for which to retrieve tags. Allowed values are 498 * post | strip | data | entities or the name of a field filter such as pre_user_description. 499 * @return array List of allowed tags and their allowed attributes. 
500 */ 501 function wp_kses_allowed_html( $context = '' ) { 502 global $allowedposttags, $allowedtags, $allowedentitynames; 503 504 if ( is_array( $context ) ) 505 return apply_filters( 'wp_kses_allowed_html', $context, 'explicit' ); 506 507 switch ( $context ) { 508 case 'post': 509 return apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context ); 510 break; 511 case 'user_description': 512 case 'pre_user_description': 513 $tags = $allowedtags; 514 $tags['a']['rel'] = true; 515 return apply_filters( 'wp_kses_allowed_html', $tags, $context ); 516 break; 517 case 'strip': 518 return apply_filters( 'wp_kses_allowed_html', array(), $context ); 519 break; 520 case 'entities': 521 return apply_filters( 'wp_kses_allowed_html', $allowedentitynames, $context); 522 break; 523 case 'data': 524 default: 525 return apply_filters( 'wp_kses_allowed_html', $allowedtags, $context ); 526 } 527 } 528 529 /** 563 530 * You add any kses hooks here. 564 531 * 565 532 * There is currently only one kses WordPress hook and it is called here. All … … 572 539 * @param array $allowed_protocols Allowed protocol in links 573 540 * @return string Filtered content through 'pre_kses' hook 574 541 */ 575 function wp_kses_hook( $string, $allowed_html, $allowed_protocols) {542 function wp_kses_hook( $string, $allowed_html, $allowed_protocols ) { 576 543 $string = apply_filters('pre_kses', $string, $allowed_html, $allowed_protocols); 577 544 return $string; 578 545 } … … 600 567 * @param array $allowed_protocols Allowed protocols to keep 601 568 * @return string Content with fixed HTML tags 602 569 */ 603 function wp_kses_split( $string, $allowed_html, $allowed_protocols) {570 function wp_kses_split( $string, $allowed_html, $allowed_protocols ) { 604 571 global $pass_allowed_html, $pass_allowed_protocols; 605 572 $pass_allowed_html = $allowed_html; 606 573 $pass_allowed_protocols = $allowed_protocols; … … 668 635 $elem = $matches[2]; 669 636 $attrlist = $matches[3]; 670 637 638 if ( ! 
is_array( $allowed_html ) ) 639 $allowed_html = wp_kses_allowed_html( $allowed_html ); 640 671 641 if ( ! isset($allowed_html[strtolower($elem)]) ) 672 642 return ''; 673 643 # They are using a not allowed HTML element … … 699 669 function wp_kses_attr($element, $attr, $allowed_html, $allowed_protocols) { 700 670 # Is there a closing XHTML slash at the end of the attributes? 701 671 672 if ( ! is_array( $allowed_html ) ) 673 $allowed_html = wp_kses_allowed_html( $allowed_html ); 674 702 675 $xhtml_slash = ''; 703 676 if (preg_match('%\s*/\s*$%', $attr)) 704 677 $xhtml_slash = ' /'; … … 1286 1259 * @param string $data Content to filter, expected to be escaped with slashes 1287 1260 * @return string Filtered content 1288 1261 */ 1289 function wp_filter_kses($data) { 1290 global $allowedtags; 1291 return addslashes( wp_kses(stripslashes( $data ), $allowedtags) ); 1262 function wp_filter_kses( $data ) { 1263 return addslashes( wp_kses( stripslashes( $data ), current_filter() ) ); 1292 1264 } 1293 1265 1294 1266 /** … … 1300 1272 * @param string $data Content to filter, expected to not be escaped 1301 1273 * @return string Filtered content 1302 1274 */ 1303 function wp_kses_data($data) { 1304 global $allowedtags; 1305 return wp_kses( $data , $allowedtags ); 1275 function wp_kses_data( $data ) { 1276 return wp_kses( $data , current_filter() ); 1306 1277 } 1307 1278 1308 1279 /** … … 1312 1283 * data from forms. 1313 1284 * 1314 1285 * @since 2.0.0 1315 * @uses $allowedposttags1316 1286 * 1317 1287 * @param string $data Post content to filter, expected to be escaped with slashes 1318 1288 * @return string Filtered post content with allowed HTML tags and attributes intact. 1319 1289 */ 1320 1290 function wp_filter_post_kses($data) { 1321 global $allowedposttags; 1322 return addslashes ( wp_kses(stripslashes( $data ), $allowedposttags) ); 1291 return addslashes ( wp_kses( stripslashes( $data ), 'post' ) ); 1323 1292 } 1324 1293 1325 1294 /** … … 1329 1298 * data from forms. 
1330 1299 * 1331 1300 * @since 2.9.0 1332 * @uses $allowedposttags1333 1301 * 1334 1302 * @param string $data Post content to filter 1335 1303 * @return string Filtered post content with allowed HTML tags and attributes intact. 1336 1304 */ 1337 1305 function wp_kses_post($data) { 1338 global $allowedposttags; 1339 return wp_kses( $data , $allowedposttags ); 1306 return wp_kses( $data , 'post' ); 1340 1307 } 1341 1308 1342 1309 /** … … 1347 1314 * @param string $data Content to strip all HTML from 1348 1315 * @return string Filtered content without any HTML 1349 1316 */ 1350 function wp_filter_nohtml_kses( $data) {1351 return addslashes ( wp_kses( stripslashes( $data ), array()) );1317 function wp_filter_nohtml_kses( $data ) { 1318 return addslashes ( wp_kses( stripslashes( $data ), 'strip' ) ); 1352 1319 } 1353 1320 1354 1321 /** … … 1484 1451 1485 1452 return $css; 1486 1453 } 1454 1455 /** 1456 * Helper function to add global attributes to a tag in the allowed html list. 1457 * 1458 * @since 3.5.0 1459 * @access private 1460 * 1461 * @param array $value An array of attributes. 1462 * @return array The array of attributes with global attributes added. 1463 */ 1464 function _wp_add_global_attributes( $value ) { 1465 $global_attributes = array( 1466 'class' => true, 1467 'id' => true, 1468 'style' => true, 1469 'title' => true, 1470 ); 1471 1472 if ( true === $value ) 1473 $value = array(); 1474 1475 if ( is_array( $value ) ) 1476 return array_merge( $value, $global_attributes ); 1477 1478 return $value; 1479 }
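Review bot: The `wp_kses()` hunk (old lines 557–559) removes the `wp_kses_array_lc()` normalisation, so an explicitly passed `$allowed_html` array is now consumed as-is while `wp_kses_split2()` still looks elements up via `isset($allowed_html[strtolower($elem)])`; a caller that supplies mixed-case element keys therefore has those tags stripped instead of matched (fail-closed, but a silent behaviour change), and the same presumably holds for attribute keys in `wp_kses_attr()`, whose body runs past this hunk. The `wp_kses()` docblock lies outside the hunk and should now state the dual type, e.g. `@param array|string $allowed_html List of allowed HTML elements, or a context name understood by wp_kses_allowed_html()`. In `wp_kses_allowed_html()` the `break;` after each `return` is unreachable and can be dropped, and its docblock should mention that when `wp_filter_kses()`/`wp_kses_data()` run outside any hook the value from `current_filter()` is not a string and falls through the loose-comparison `switch` to the `default` (`$allowedtags`) branch. Since `wp_kses_split2()` and `wp_kses_attr()` each resolve the context per element, the `wp_kses_allowed_html` filter now fires once per tag encountered; a one-line comment there (`// resolved per element; keep filter callbacks cheap`) would document that cost for hook authors.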