diff --git src/wp-includes/kses.php src/wp-includes/kses.php
index fae60cd..a9b0878 100644
function wp_kses_check_attr_val($value, $vless, $checkname, $checkvalue) { |
1205 | 1205 | /** |
1206 | 1206 | * Sanitize string from bad protocols. |
1207 | 1207 | * |
1208 | | * This function removes all non-allowed protocols from the beginning of |
| 1208 | * This function first tries to return early by checking for a standard http(s) |
| 1209 | * url, and otherwise removes all non-allowed protocols from the beginning of |
1209 | 1210 | * $string. It ignores whitespace and the case of the letters, and it does |
1210 | 1211 | * understand HTML entities. It does its work in a while loop, so it won't be |
1211 | 1212 | * fooled by a string like "javascript:javascript:alert(57)". |
1212 | 1213 | * |
| 1214 | * The regular expression is based on the pattern from @diegoperini compared |
| 1215 | * here: https://mathiasbynens.be/demo/url-regex |
| 1216 | * |
1213 | 1217 | * @since 1.0.0 |
1214 | 1218 | * |
1215 | 1219 | * @param string $string Content to filter bad protocols from |
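Review bot: The new docblock sentence at 1208–1209 says the function "first tries to return early" but does not say what that path returns: the code added at 1224–1227 hands back `$string` verbatim, before `wp_kses_no_null()` and the entity-decoding loop run, so callers no longer get a normalized string on that path. Since `\S` in the userinfo part and `[^\s]` in the path part of the pattern both appear to accept a NUL byte, a matching URL that carries one now comes back with it intact where it used to be stripped; I would either move `$string = wp_kses_no_null($string);` above the `preg_match()` or state the limitation in the docblock, e.g. `* URLs matching the fast-path pattern are returned unchanged (no null-byte stripping or entity decoding).` It is also worth noting in the docblock that the pattern deliberately rejects loopback and private-range IPv4 hosts, so such URLs still go through the full protocol check rather than the fast path. The body of wp_kses_bad_protocol continues outside the second hunk.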
… |
… |
function wp_kses_check_attr_val($value, $vless, $checkname, $checkvalue) { |
1217 | 1221 | * @return string Filtered content |
1218 | 1222 | */ |
1219 | 1223 | function wp_kses_bad_protocol($string, $allowed_protocols) { |
| 1224 | // Detect standard HTTP(S) URL and return early. |
| 1225 | $regex = '_^(?:(?:https?)://)(?:\S+(?::\S*)?@)?(?:(?!10(?:\.\d{1,3}){3})(?!127(?:\.\d{1,3}){3})(?!169\.254(?:\.\d{1,3}){2})(?!192\.168(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\x{00a1}-\x{ffff}0-9]+-?)*[a-z\x{00a1}-\x{ffff}0-9]+)(?:\.(?:[a-z\x{00a1}-\x{ffff}0-9]+-?)*[a-z\x{00a1}-\x{ffff}0-9]+)*(?:\.(?:[a-z\x{00a1}-\x{ffff}]{2,})))(?::\d{2,5})?(?:/[^\s]*)?$_iuS'; |
| 1226 | if ( 1 === preg_match( $regex, $string ) ) { |
| 1227 | return $string; |
| 1228 | } |
| 1229 | |
1220 | 1230 | $string = wp_kses_no_null($string); |
1221 | 1231 | $iterations = 0; |