
Ticket #22951: 22951.patch

File 22951.patch, 2.1 KB (added by mukesh27, 20 months ago)
  • wp-includes/kses.php

     
    16391639/**
    16401640 * Sanitizes a string and removed disallowed URL protocols.
    16411641 *
    1642  * This function removes all non-allowed protocols from the beginning of the
     1642 * This function first tries to return early by checking for a standard http(s)
     1643 * url, and otherwise removes all non-allowed protocols from the beginning of the
    16431644 * string. It ignores whitespace and the case of the letters, and it does
    16441645 * understand HTML entities. It does its work recursively, so it won't be
    16451646 * fooled by a string like `javascript:javascript:alert(57)`.
    16461647 *
     1648 * The regular expression is based on the pattern from @diegoperini compared
     1649 * here: https://mathiasbynens.be/demo/url-regex
     1650 *
    16471651 * @since 1.0.0
    16481652 *
    16491653 * @param string   $string            Content to filter bad protocols from.
     
    16511655 * @return string Filtered content.
    16521656 */
    16531657function wp_kses_bad_protocol( $string, $allowed_protocols ) {
     1658
     1659        // Detect standard HTTP(S) URL and return early.
     1660        $regex = '_^(?:(?<protocol>https?)://)(?:\S+(?::\S*)?@)?(?:(?!10(?:\.\d{1,3}){3})(?!127(?:\.\d{1,3}){3})(?!169\.254(?:\.\d{1,3}){2})(?!192\.168(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\x{00a1}-\x{ffff}0-9]+-?)*[a-z\x{00a1}-\x{ffff}0-9]+)(?:\.(?:[a-z\x{00a1}-\x{ffff}0-9]+-?)*[a-z\x{00a1}-\x{ffff}0-9]+)*(?:\.(?:[a-z\x{00a1}-\x{ffff}]{2,})))(?::\d{2,5})?(?:/[^\s]*)?$_iuS';
     1661        $matches = array();
     1662        if ( 1 === preg_match( $regex, $string, $matches ) ) {
     1663                $protocol = false;
     1664
     1665                if ( array_key_exists('protocol', $matches ) ) {
     1666                        $protocol = strtolower( $matches['protocol'] );
     1667                }
     1668
     1669                if ( false === $protocol ) {
     1670                        return $string;
     1671                }
     1672
     1673                if ( in_array( $protocol, $allowed_protocols, true ) ) {
     1674                        return str_replace( $matches['protocol'], $protocol, $string );
     1675                }
     1676        }
     1677
    16541678        $string     = wp_kses_no_null( $string );
    16551679        $iterations = 0;
    16561680
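Review bot: The early-return path added at 1659–1676 bypasses the `wp_kses_no_null( $string )` call that the existing code applies first at 1678, and the new regex's `\S+` and `[^\s]*` classes accept NUL and other control bytes, so a matched http(s) URL carrying such bytes is now returned untouched where it was previously cleaned; moving the `$string = wp_kses_no_null( $string );` assignment above the `preg_match` keeps that invariant on both paths. The `str_replace( $matches['protocol'], $protocol, $string )` at 1674 replaces every occurrence of the matched scheme text in the whole string, not only the leading scheme, so a path or query containing the same case-variant token is altered; because the pattern is anchored at `^` with the protocol group first, `return $protocol . substr( $string, strlen( $matches['protocol'] ) );` rewrites exactly the prefix. The `array_key_exists( 'protocol', $matches )` guard and the `false === $protocol` return at 1665–1671 are dead, since the named group is mandatory in the pattern and is always set when the match succeeds. Note that `$` without the `D` modifier also tolerates a trailing newline before end of string, so the comment at 1659 might state that a single trailing newline is accepted by the fast path. The body of wp_kses_bad_protocol continues outside this hunk.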