

Ticket #24251: 24251-poc-kses.diff

File 24251-poc-kses.diff, 15.0 KB (added by pollett, 5 years ago)

Filter SVG using KSES PoC

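--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -1955,6 +1955,7 @@
         'bmp' => 'image/bmp',
         'tif|tiff' => 'image/tiff',
         'ico' => 'image/x-icon',
+        'svg' => 'image/svg+xml',
         // Video formats
         'asf|asx' => 'video/x-ms-asf',
         'wmv' => 'video/x-ms-wmv',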
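Review bot: The `svg` MIME entry is added to the shared type map unconditionally, while the only sanitisation in this patch is the `wp_handle_upload` filter registered at the end of the wp-admin/includes/file.php hunk; if I read the patch right, any code path that resolves an extension through this table but does not pass through that filter would accept, and later serve, unfiltered SVG as `image/svg+xml`. A comment next to the entry would at least make the coupling visible: `// SVG is only permitted because wp_validate_upload() (wp-admin/includes/file.php) runs uploads through kses.` Registering the type only when the sanitising filter is hooked, or keeping it out of the default map, would make that dependency enforced rather than documented.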
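--- a/wp-includes/kses.php
+++ b/wp-includes/kses.php
@@ -451,9 +451,54 @@
         );
 
         $allowedposttags = array_map( '_wp_add_global_attributes', $allowedposttags );
+
+        /**
+         * Kses global for default allowable SVG tags.
+         *
+         * Can be override by using CUSTOM_TAGS constant.
+         *
+         * @global array $allowedsvgtags
+         * @since 2.0.0
+         */
+        $allowedsvgtags = array(
+                'a' => array( 'class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'id' => array(), 'mask' => array(), 'opacity' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array(), 'href' => array(), 'xlink:href' => array(), 'xlink:title' => array() ),
+                'circle' => array( 'class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'cx' => array(), 'cy' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'id' => array(), 'mask' => array(), 'opacity' => array(), 'r' => array(), 'requiredfeatures' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array() ),
+                'clippath' => array( 'class' => array(), 'clippathunits' => array(), 'id' => array() ),
+                'defs' => array(),
+            'style' => array( 'type' => array() ),
+                'desc' => array(),
+                'ellipse' => array( 'class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'cx' => array(), 'cy' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'id' => array(), 'mask' => array(), 'opacity' => array(), 'requiredfeatures' => array(), 'rx' => array(), 'ry' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array() ),
+                'fegaussianblur' => array( 'class' => array(), 'color-interpolation-filters' => array(), 'id' => array(), 'requiredfeatures' => array(), 'stddeviation' => array() ),
+                'filter' => array( 'class' => array(), 'color-interpolation-filters' => array(), 'filterres' => array(), 'filterunits' => array(), 'height' => array(), 'id' => array(), 'primitiveunits' => array(), 'requiredfeatures' => array(), 'width' => array(), 'x' => array(), 'xlink:href' => array(), 'y' => array() ),
+                'foreignobject' => array( 'class' => array(), 'font-size' => array(), 'height' => array(), 'id' => array(), 'opacity' => array(), 'requiredfeatures' => array(), 'style' => array(), 'transform' => array(), 'width' => array(), 'x' => array(), 'y' => array() ),
+                'g' => array( 'class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'id' => array(), 'display' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'mask' => array(), 'opacity' => array(), 'requiredfeatures' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array(), 'font-family' => array(), 'font-size' => array(), 'font-style' => array(), 'font-weight' => array(), 'text-anchor' => array() ),
+                'image' => array( 'class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'filter' => array(), 'height' => array(), 'id' => array(), 'mask' => array(), 'opacity' => array(), 'requiredfeatures' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array(), 'width' => array(), 'x' => array(), 'xlink:href' => array(), 'xlink:title' => array(), 'y' => array() ),
+                'line' => array( 'class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'id' => array(), 'marker-end' => array(), 'marker-mid' => array(), 'marker-start' => array(), 'mask' => array(), 'opacity' => array(), 'requiredfeatures' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array(), 'x1' => array(), 'x2' => array(), 'y1' => array(), 'y2' => array() ),
+                'lineargradient' => array( 'class' => array(), 'id' => array(), 'gradienttransform' => array(), 'gradientunits' => array(), 'requiredfeatures' => array(), 'spreadmethod' => array(), 'systemlanguage' => array(), 'x1' => array(), 'x2' => array(), 'xlink:href' => array(), 'y1' => array(), 'y2' => array() ),
+                'marker' => array( 'id' => array(), 'class' => array(), 'markerheight' => array(), 'markerunits' => array(), 'markerwidth' => array(), 'orient' => array(), 'preserveaspectratio' => array(), 'refx' => array(), 'refy' => array(), 'systemlanguage' => array(), 'viewbox' => array() ),
+                'mask' => array( 'class' => array(), 'height' => array(), 'id' => array(), 'maskcontentunits' => array(), 'maskunits' => array(), 'width' => array(), 'x' => array(), 'y' => array() ),
+                'metadata' => array( 'class' => array(), 'id' => array() ),
+                'path' => array( 'class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'd' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'id' => array(), 'marker-end' => array(), 'marker-mid' => array(), 'marker-start' => array(), 'mask' => array(), 'opacity' => array(), 'requiredfeatures' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array() ),
+                'pattern' => array('class' => array(), 'height' => array(), 'id' => array(), 'patterncontentunits' => array(), 'patterntransform' => array(), 'patternunits' => array(), 'requiredfeatures' => array(), 'style' => array(), 'systemlanguage' => array(), 'viewbox' => array(), 'width' => array(), 'x' => array(), 'xlink:href' => array(), 'y' => array() ),
+                'polygon' => array('class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'id' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'id' => array(), 'class' => array(), 'marker-end' => array(), 'marker-mid' => array(), 'marker-start' => array(), 'mask' => array(), 'opacity' => array(), 'points' => array(), 'requiredfeatures' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array() ),
+                'polyline' => array('class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'id' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'marker-end' => array(), 'marker-mid' => array(), 'marker-start' => array(), 'mask' => array(), 'opacity' => array(), 'points' => array(), 'requiredfeatures' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array() ),
+                'radialgradient' => array('class' => array(), 'cx' => array(), 'cy' => array(), 'fx' => array(), 'fy' => array(), 'gradienttransform' => array(), 'gradientunits' => array(), 'id' => array(), 'r' => array(), 'requiredfeatures' => array(), 'spreadmethod' => array(), 'systemlanguage' => array(), 'xlink:href' => array() ),
+                'rect' => array('class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'height' => array(), 'id' => array(), 'mask' => array(), 'opacity' => array(), 'requiredfeatures' => array(), 'rx' => array(), 'ry' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array(), 'width' => array(), 'x' => array(), 'y' => array() ),
+                'stop' => array('class' => array(), 'id' => array(), 'offset' => array(), 'requiredfeatures' => array(), 'stop-color' => array(), 'stop-opacity' => array(), 'style' => array(), 'systemlanguage' => array() ),
+                'svg' => array('class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'filter' => array(), 'id' => array(), 'height' => array(), 'mask' => array(), 'preserveaspectratio' => array(), 'requiredfeatures' => array(), 'style' => array(), 'systemlanguage' => array(), 'viewbox' => array(), 'width' => array(), 'x' => array(), 'xmlns' => array(), 'xmlns:se' => array(), 'xmlns:xlink' => array(), 'y' => array() ),
+                'switch' => array('class' => array(), 'id' => array(), 'requiredfeatures' => array(), 'systemlanguage' => array() ),
+                'symbol' => array('class' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'font-family' => array(), 'font-size' => array(), 'font-style' => array(), 'font-weight' => array(), 'id' => array(), 'opacity' => array(), 'preserveaspectratio' => array(), 'requiredfeatures' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array(), 'viewbox' => array() ),
+                'text' => array('class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'font-family' => array(), 'font-size' => array(), 'font-style' => array(), 'font-weight' => array(), 'id' => array(), 'mask' => array(), 'opacity' => array(), 'requiredfeatures' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'text-anchor' => array(), 'transform' => array(), 'x' => array(), 'xml:space' => array(), 'y' => array() ),
+                'textpath' => array('class' => array(), 'id' => array(), 'method' => array(), 'requiredfeatures' => array(), 'spacing' => array(), 'startoffset' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array(), 'xlink:href' => array() ),
+                'title' => array(),
+                'tspan' => array( 'class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'dx' => array(), 'dy' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'font-family' => array(), 'font-size' => array(), 'font-style' => array(), 'font-weight' => array(), 'id' => array(), 'mask' => array(), 'opacity' => array(), 'requiredfeatures' => array(), 'rotate' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'text-anchor' => array(), 'textlength' => array(), 'transform' => array(), 'x' => array(), 'xml:space' => array(), 'y' => array() ),
+                'use' => array( 'class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'height' => array(), 'id' => array(), 'mask' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'transform' => array(), 'width' => array(), 'x' => array(), 'xlink:href' => array(), 'y' => array() ),
+        );
+
 } else {
         $allowedtags = wp_kses_array_lc( $allowedtags );
         $allowedposttags = wp_kses_array_lc( $allowedposttags );
+        $allowedsvgtags = wp_kses_array_lc( $allowedsvgtags );
 }
 
 /**
@@ -524,6 +569,29 @@
 }
 
 /**
+ * Return a list of allowed xml tags and attributes for a given context.
+ *
+ * @params string $context The context for which to retrieve tags. Allowed values are
+ *  svg
+ * @return array List of allowed xml tags and their allowed attributes.
+ */
+function wp_kses_allowed_xml( $context = '' ){
+        global $allowedsvgtags;
+
+        if ( is_array( $context ) )
+                return apply_filters( 'wp_kses_allowed_xml', $context, 'explicit' );
+
+        switch ( $context ) {
+                case 'svg':
+                case 'image/svg+xml':
+                        return apply_filters( 'wp_kses_allowed_xml', $allowedsvgtags, $context );
+                        break;
+                default:
+                        return apply_filters( 'wp_kses_allowed_xml', array(), $context );
+        }
+}
+
+/**
  * You add any kses hooks here.
  *
  * There is currently only one kses WordPress hook and it is called here. All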
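Review bot: The default SVG allowlist admits the `style` element (new line 468) and `foreignobject` (new line 473), whose effect depends on content this allowlist cannot vet: kses checks tag names and attributes, but the text inside a `<style>` block is not an attribute and, as far as I can see here, passes through untouched, so external resource references in CSS would reach every viewer of the image; consider leaving `style` out of the default list or at least commenting that its body is unfiltered. Several entries carry `href` / `xlink:href` (`a`, `image`, `use`, `filter`, `pattern`, `textpath` and the gradient elements); please confirm those attribute names are among the ones wp_kses runs through its protocol check, since an allowlist entry only permits the attribute, it does not validate its value. Smaller points: `polygon` (new line 483) lists `id` and `class` twice; the docblock at 455–462 carries `@since 2.0.0` on new code and "Can be override" should read "Can be overridden"; in `wp_kses_allowed_xml` the `@params` tag should be `@param`, and the `break` after `return` at new line 588 is unreachable.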
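--- a/wp-admin/includes/file.php
+++ b/wp-admin/includes/file.php
@@ -1109,3 +1109,13 @@
 <?php
         return false;
 }
+
+function wp_validate_upload( $params, $type ){
+        if ( preg_match( '#\bxml\b#', $params[ 'type' ] ) ) {
+                $content = file_get_contents( $params[ 'file' ] );
+                $filtered_content = wp_kses( $content, wp_kses_allowed_xml( $params[ 'type' ] ), array() );
+                file_put_contents( $params[ 'file' ], $filtered_content );
+        }
+        return $params;
+}
+add_filter( 'wp_handle_upload', 'wp_validate_upload', 10, 2 );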
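Review bot: Neither `file_get_contents` nor `file_put_contents` (new lines 1115 and 1117) has its return value checked, so a failed read filters an empty string and a failed write leaves the unfiltered upload on disk while `$params` is still returned as a successful upload; the upload should only be reported once the rewrite succeeded, and otherwise the file removed and an `error` entry returned, which appears to be the shape callers of `wp_handle_upload` already check. The `\bxml\b` match is also broader than the contexts `wp_kses_allowed_xml` knows: for any other XML type a site permits, the default branch hands kses an empty allowlist and every element is stripped, which may be the intended fail-closed behaviour but deserves a comment saying so. A docblock on `wp_validate_upload` stating that it rewrites the uploaded file in place would help; the function is complete within the hunk.
```php
function wp_validate_upload( $params, $type ){
        if ( preg_match( '#\bxml\b#', $params[ 'type' ] ) ) {
                $content = file_get_contents( $params[ 'file' ] );
                if ( false === $content ) {
                        unlink( $params[ 'file' ] );
                        return array( 'error' => __( 'The uploaded file could not be read for filtering.' ) );
                }
                $filtered_content = wp_kses( $content, wp_kses_allowed_xml( $params[ 'type' ] ), array() );
                if ( false === file_put_contents( $params[ 'file' ], $filtered_content ) ) {
                        unlink( $params[ 'file' ] );
                        return array( 'error' => __( 'The uploaded file could not be rewritten after filtering.' ) );
                }
        }
        // … unchanged: return $params; …
```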