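--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -1203,11 +1203,15 @@
 /**
 * Sanitize string from bad protocols.
 *
-* This function removes all non-allowed protocols from the beginning of
+* This function first tries to return early by checking for a standard http(s)
+* url, and otherwise removes all non-allowed protocols from the beginning of
 * $string. It ignores whitespace and the case of the letters, and it does
 * understand HTML entities. It does its work in a while loop, so it won't be
 * fooled by a string like "javascript:javascript:alert(57)".
 *
+* The regular expression is based on the pattern from @diegoperini compared
+* here: https://mathiasbynens.be/demo/url-regex
+*
 * @since 1.0.0
 *
 * @param string $string Content to filter bad protocols from
@@ -1215,6 +1219,25 @@
 * @return string Filtered content
 */
 function wp_kses_bad_protocol($string, $allowed_protocols) {
+// Detect standard HTTP(S) URL and return early.
+$regex = '_^(?:(?<protocol>https?)://)(?:\S+(?::\S*)?@)?(?:(?!10(?:\.\d{1,3}){3})(?!127(?:\.\d{1,3}){3})(?!169\.254(?:\.\d{1,3}){2})(?!192\.168(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\x{00a1}-\x{ffff}0-9]+-?)*[a-z\x{00a1}-\x{ffff}0-9]+)(?:\.(?:[a-z\x{00a1}-\x{ffff}0-9]+-?)*[a-z\x{00a1}-\x{ffff}0-9]+)*(?:\.(?:[a-z\x{00a1}-\x{ffff}]{2,})))(?::\d{2,5})?(?:/[^\s]*)?$_iuS';
+$matches = array();
+if ( 1 === preg_match( $regex, $string, $matches ) ) {
+$protocol = false;
+
+if ( array_key_exists('protocol', $matches ) ) {
+$protocol = strtolower( $matches['protocol'] );
+}
+
+if ( false === $protocol ) {
+return $string;
+}
+
+if ( in_array( $protocol, $allowed_protocols, true ) ) {
+return str_replace( $matches['protocol'], $protocol, $string );
+}
+}
+
 $string = wp_kses_no_null($string);
 $iterations = 0;
 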
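Review bot: The early returns at new lines 1233 and 1237 run before `wp_kses_no_null()` is applied at line 1241, and the pattern's `\S` and `[^\s]` classes accept NUL and other non-whitespace control bytes in the userinfo and path segments, so a URL that matches the fast path is now returned with those bytes intact where the previous code would have passed it through the null-stripping step first; moving `$string = wp_kses_no_null($string);` above the `preg_match` keeps that guarantee on both paths. The `protocol` group is not optional in the pattern, so whenever `preg_match` returns 1 the `array_key_exists('protocol', $matches)` test is always true and the `false === $protocol` branch is unreachable and can be dropped. `str_replace( $matches['protocol'], $protocol, $string )` lowercases every case-matching occurrence of the scheme text in the string, not only the leading one, so a path containing the literal text `HTTPS` is rewritten; because the pattern is anchored with `^`, `return $protocol . substr( $string, strlen( $matches['protocol'] ) );` normalizes only the scheme. The body of `wp_kses_bad_protocol` continues past the end of the hunk.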