WordPress.org

Make WordPress Core

Ticket #22951: improve-wp-kses-bad-protocol-performance.22951.diff

File improve-wp-kses-bad-protocol-performance.22951.diff, 1.8 KB (added by schlessera, 4 years ago)
  • src/wp-includes/kses.php

    diff --git src/wp-includes/kses.php src/wp-includes/kses.php
    index fae60cd..a9b0878 100644
    function wp_kses_check_attr_val($value, $vless, $checkname, $checkvalue) { 
    12051205/**
    12061206 * Sanitize string from bad protocols.
    12071207 *
    1208  * This function removes all non-allowed protocols from the beginning of
     1208 * This function first tries to return early by checking for a standard http(s)
     1209 * url, and otherwise removes all non-allowed protocols from the beginning of
    12091210 * $string. It ignores whitespace and the case of the letters, and it does
    12101211 * understand HTML entities. It does its work in a while loop, so it won't be
    12111212 * fooled by a string like "javascript:javascript:alert(57)".
    12121213 *
     1214 * The regular expression is based on the pattern from @diegoperini compared
     1215 * here: https://mathiasbynens.be/demo/url-regex
     1216 *
    12131217 * @since 1.0.0
    12141218 *
    12151219 * @param string $string            Content to filter bad protocols from
    function wp_kses_check_attr_val($value, $vless, $checkname, $checkvalue) { 
    12171221 * @return string Filtered content
    12181222 */
    12191223function wp_kses_bad_protocol($string, $allowed_protocols) {
     1224        // Detect standard HTTP(S) URL and return early.
     1225        $regex = '_^(?:(?:https?)://)(?:\S+(?::\S*)?@)?(?:(?!10(?:\.\d{1,3}){3})(?!127(?:\.\d{1,3}){3})(?!169\.254(?:\.\d{1,3}){2})(?!192\.168(?:\.\d{1,3}){2})(?!172\.(?:1[6-9]|2\d|3[0-1])(?:\.\d{1,3}){2})(?:[1-9]\d?|1\d\d|2[01]\d|22[0-3])(?:\.(?:1?\d{1,2}|2[0-4]\d|25[0-5])){2}(?:\.(?:[1-9]\d?|1\d\d|2[0-4]\d|25[0-4]))|(?:(?:[a-z\x{00a1}-\x{ffff}0-9]+-?)*[a-z\x{00a1}-\x{ffff}0-9]+)(?:\.(?:[a-z\x{00a1}-\x{ffff}0-9]+-?)*[a-z\x{00a1}-\x{ffff}0-9]+)*(?:\.(?:[a-z\x{00a1}-\x{ffff}]{2,})))(?::\d{2,5})?(?:/[^\s]*)?$_iuS';
     1226        if ( 1 === preg_match( $regex, $string ) ) {
     1227                return $string;
     1228        }
     1229
    12201230        $string = wp_kses_no_null($string);
    12211231        $iterations = 0;