Make WordPress Core

Ticket #22951: 22951.2.diff

File 22951.2.diff, 2.2 KB (added by schlessera, 7 years ago)

Refreshed the patch and made changes to fix broken tests

  • src/wp-includes/kses.php

    diff --git src/wp-includes/kses.php src/wp-includes/kses.php
    index c95b0179f2..6319212ef7 100644
    function wp_kses_check_attr_val($value, $vless, $checkname, $checkvalue) { 
    12031203/**
    12041204 * Sanitize string from bad protocols.
    12051205 *
    1206  * This function removes all non-allowed protocols from the beginning of
     1206 * This function first tries to return early by checking for a standard http(s)
     1207 * url, and otherwise removes all non-allowed protocols from the beginning of
    12071208 * $string. It ignores whitespace and the case of the letters, and it does
    12081209 * understand HTML entities. It does its work in a while loop, so it won't be
    12091210 * fooled by a string like "javascript:javascript:alert(57)".
    12101211 *
     1212 * The regular expression is based on the pattern from @diegoperini compared
     1213 * here: https://mathiasbynens.be/demo/url-regex
     1214 *
    12111215 * @since 1.0.0
    12121216 *
    12131217 * @param string $string            Content to filter bad protocols from
    function wp_kses_check_attr_val($value, $vless, $checkname, $checkvalue) { 
    12151219 * @return string Filtered content
    12161220 */
    12171221function wp_kses_bad_protocol($string, $allowed_protocols) {
     1222        // Detect standard HTTP(S) URL and return early.
     1223        $regex = '_^(?:(?<protocol>https?)://)(?:\S+(?::\S*)?@)?(?:(?!10(?:\.\d{1,3}){3})(?!127(?:\.\d{1,3}){3})(?!169\.254(?:\.\d{1,3}){2})(?!192\.168(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\x{00a1}-\x{ffff}0-9]+-?)*[a-z\x{00a1}-\x{ffff}0-9]+)(?:\.(?:[a-z\x{00a1}-\x{ffff}0-9]+-?)*[a-z\x{00a1}-\x{ffff}0-9]+)*(?:\.(?:[a-z\x{00a1}-\x{ffff}]{2,})))(?::\d{2,5})?(?:/[^\s]*)?$_iuS';
     1224        $matches = array();
     1225        if ( 1 === preg_match( $regex, $string, $matches ) ) {
     1226                $protocol = false;
     1227
     1228                if ( array_key_exists('protocol', $matches ) ) {
     1229                        $protocol = strtolower( $matches['protocol'] );
     1230                }
     1231
     1232                if ( false === $protocol ) {
     1233                        return $string;
     1234                }
     1235
     1236                if ( in_array( $protocol, $allowed_protocols, true ) ) {
     1237                        return str_replace( $matches['protocol'], $protocol, $string );
     1238                }
     1239        }
     1240
    12181241        $string = wp_kses_no_null($string);
    12191242        $iterations = 0;
    12201243