
Ticket #24251: 24251.2.diff

File 24251.2.diff, 15.0 KB (added by lukecavanagh, 13 months ago)

Patch refresh

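--- a/src/wp-includes/functions.php
+++ b/src/wp-includes/functions.php
@@ -2409,6 +2409,7 @@
         'bmp' => 'image/bmp',
         'tiff|tif' => 'image/tiff',
         'ico' => 'image/x-icon',
+        'svg' => 'image/svg+xml',
         // Video formats.
         'asf|asx' => 'video/x-ms-asf',
         'wmv' => 'video/x-ms-wmv',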
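Review bot: The new `'svg' => 'image/svg+xml'` entry is unconditional and sits in the image group, so `wp_check_filetype()` will classify `.svg` as an image and `get_allowed_mime_types()` will accept it for every role that may upload, while nothing in this hunk ties that to the kses pass the same patch adds in `src/wp-admin/includes/file.php` (hooked only on `wp_handle_upload`). That dependency is easy to lose in a later refactor of either file, so a comment next to the entry would help, e.g. `// SVG uploads are only safe because wp_validate_upload() (wp-admin/includes/file.php) runs kses over them; keep both in sync.`.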
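--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -498,9 +498,54 @@
         );
 
         $allowedposttags = array_map( '_wp_add_global_attributes', $allowedposttags );
+
+        /**
+         * Kses global for default allowable SVG tags.
+         *
+         * Can be override by using CUSTOM_TAGS constant.
+         *
+         * @global array $allowedsvgtags
+         * @since 2.0.0
+         */
+        $allowedsvgtags = array(
+                'a' => array( 'class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'id' => array(), 'mask' => array(), 'opacity' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array(), 'href' => array(), 'xlink:href' => array(), 'xlink:title' => array() ),
+                'circle' => array( 'class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'cx' => array(), 'cy' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'id' => array(), 'mask' => array(), 'opacity' => array(), 'r' => array(), 'requiredfeatures' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array() ),
+                'clippath' => array( 'class' => array(), 'clippathunits' => array(), 'id' => array() ),
+                'defs' => array(),
+            'style' => array( 'type' => array() ),
+                'desc' => array(),
+                'ellipse' => array( 'class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'cx' => array(), 'cy' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'id' => array(), 'mask' => array(), 'opacity' => array(), 'requiredfeatures' => array(), 'rx' => array(), 'ry' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array() ),
+                'fegaussianblur' => array( 'class' => array(), 'color-interpolation-filters' => array(), 'id' => array(), 'requiredfeatures' => array(), 'stddeviation' => array() ),
+                'filter' => array( 'class' => array(), 'color-interpolation-filters' => array(), 'filterres' => array(), 'filterunits' => array(), 'height' => array(), 'id' => array(), 'primitiveunits' => array(), 'requiredfeatures' => array(), 'width' => array(), 'x' => array(), 'xlink:href' => array(), 'y' => array() ),
+                'foreignobject' => array( 'class' => array(), 'font-size' => array(), 'height' => array(), 'id' => array(), 'opacity' => array(), 'requiredfeatures' => array(), 'style' => array(), 'transform' => array(), 'width' => array(), 'x' => array(), 'y' => array() ),
+                'g' => array( 'class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'id' => array(), 'display' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'mask' => array(), 'opacity' => array(), 'requiredfeatures' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array(), 'font-family' => array(), 'font-size' => array(), 'font-style' => array(), 'font-weight' => array(), 'text-anchor' => array() ),
+                'image' => array( 'class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'filter' => array(), 'height' => array(), 'id' => array(), 'mask' => array(), 'opacity' => array(), 'requiredfeatures' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array(), 'width' => array(), 'x' => array(), 'xlink:href' => array(), 'xlink:title' => array(), 'y' => array() ),
+                'line' => array( 'class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'id' => array(), 'marker-end' => array(), 'marker-mid' => array(), 'marker-start' => array(), 'mask' => array(), 'opacity' => array(), 'requiredfeatures' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array(), 'x1' => array(), 'x2' => array(), 'y1' => array(), 'y2' => array() ),
+                'lineargradient' => array( 'class' => array(), 'id' => array(), 'gradienttransform' => array(), 'gradientunits' => array(), 'requiredfeatures' => array(), 'spreadmethod' => array(), 'systemlanguage' => array(), 'x1' => array(), 'x2' => array(), 'xlink:href' => array(), 'y1' => array(), 'y2' => array() ),
+                'marker' => array( 'id' => array(), 'class' => array(), 'markerheight' => array(), 'markerunits' => array(), 'markerwidth' => array(), 'orient' => array(), 'preserveaspectratio' => array(), 'refx' => array(), 'refy' => array(), 'systemlanguage' => array(), 'viewbox' => array() ),
+                'mask' => array( 'class' => array(), 'height' => array(), 'id' => array(), 'maskcontentunits' => array(), 'maskunits' => array(), 'width' => array(), 'x' => array(), 'y' => array() ),
+                'metadata' => array( 'class' => array(), 'id' => array() ),
+                'path' => array( 'class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'd' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'id' => array(), 'marker-end' => array(), 'marker-mid' => array(), 'marker-start' => array(), 'mask' => array(), 'opacity' => array(), 'requiredfeatures' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array() ),
+                'pattern' => array('class' => array(), 'height' => array(), 'id' => array(), 'patterncontentunits' => array(), 'patterntransform' => array(), 'patternunits' => array(), 'requiredfeatures' => array(), 'style' => array(), 'systemlanguage' => array(), 'viewbox' => array(), 'width' => array(), 'x' => array(), 'xlink:href' => array(), 'y' => array() ),
+                'polygon' => array('class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'id' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'id' => array(), 'class' => array(), 'marker-end' => array(), 'marker-mid' => array(), 'marker-start' => array(), 'mask' => array(), 'opacity' => array(), 'points' => array(), 'requiredfeatures' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array() ),
+                'polyline' => array('class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'id' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'marker-end' => array(), 'marker-mid' => array(), 'marker-start' => array(), 'mask' => array(), 'opacity' => array(), 'points' => array(), 'requiredfeatures' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array() ),
+                'radialgradient' => array('class' => array(), 'cx' => array(), 'cy' => array(), 'fx' => array(), 'fy' => array(), 'gradienttransform' => array(), 'gradientunits' => array(), 'id' => array(), 'r' => array(), 'requiredfeatures' => array(), 'spreadmethod' => array(), 'systemlanguage' => array(), 'xlink:href' => array() ),
+                'rect' => array('class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'height' => array(), 'id' => array(), 'mask' => array(), 'opacity' => array(), 'requiredfeatures' => array(), 'rx' => array(), 'ry' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array(), 'width' => array(), 'x' => array(), 'y' => array() ),
+                'stop' => array('class' => array(), 'id' => array(), 'offset' => array(), 'requiredfeatures' => array(), 'stop-color' => array(), 'stop-opacity' => array(), 'style' => array(), 'systemlanguage' => array() ),
+                'svg' => array('class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'filter' => array(), 'id' => array(), 'height' => array(), 'mask' => array(), 'preserveaspectratio' => array(), 'requiredfeatures' => array(), 'style' => array(), 'systemlanguage' => array(), 'viewbox' => array(), 'width' => array(), 'x' => array(), 'xmlns' => array(), 'xmlns:se' => array(), 'xmlns:xlink' => array(), 'y' => array() ),
+                'switch' => array('class' => array(), 'id' => array(), 'requiredfeatures' => array(), 'systemlanguage' => array() ),
+                'symbol' => array('class' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'font-family' => array(), 'font-size' => array(), 'font-style' => array(), 'font-weight' => array(), 'id' => array(), 'opacity' => array(), 'preserveaspectratio' => array(), 'requiredfeatures' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array(), 'viewbox' => array() ),
+                'text' => array('class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'font-family' => array(), 'font-size' => array(), 'font-style' => array(), 'font-weight' => array(), 'id' => array(), 'mask' => array(), 'opacity' => array(), 'requiredfeatures' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'text-anchor' => array(), 'transform' => array(), 'x' => array(), 'xml:space' => array(), 'y' => array() ),
+                'textpath' => array('class' => array(), 'id' => array(), 'method' => array(), 'requiredfeatures' => array(), 'spacing' => array(), 'startoffset' => array(), 'style' => array(), 'systemlanguage' => array(), 'transform' => array(), 'xlink:href' => array() ),
+                'title' => array(),
+                'tspan' => array( 'class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'dx' => array(), 'dy' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'font-family' => array(), 'font-size' => array(), 'font-style' => array(), 'font-weight' => array(), 'id' => array(), 'mask' => array(), 'opacity' => array(), 'requiredfeatures' => array(), 'rotate' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'systemlanguage' => array(), 'text-anchor' => array(), 'textlength' => array(), 'transform' => array(), 'x' => array(), 'xml:space' => array(), 'y' => array() ),
+                'use' => array( 'class' => array(), 'clip-path' => array(), 'clip-rule' => array(), 'fill' => array(), 'fill-opacity' => array(), 'fill-rule' => array(), 'filter' => array(), 'height' => array(), 'id' => array(), 'mask' => array(), 'stroke' => array(), 'stroke-dasharray' => array(), 'stroke-dashoffset' => array(), 'stroke-linecap' => array(), 'stroke-linejoin' => array(), 'stroke-miterlimit' => array(), 'stroke-opacity' => array(), 'stroke-width' => array(), 'style' => array(), 'transform' => array(), 'width' => array(), 'x' => array(), 'xlink:href' => array(), 'y' => array() ),
+        );
+
 } else {
         $allowedtags = wp_kses_array_lc( $allowedtags );
         $allowedposttags = wp_kses_array_lc( $allowedposttags );
+        $allowedsvgtags = wp_kses_array_lc( $allowedsvgtags );
 }
 
 /**
@@ -664,6 +709,29 @@
 }
 
 /**
+ * Return a list of allowed xml tags and attributes for a given context.
+ *
+ * @params string $context The context for which to retrieve tags. Allowed values are
+ *  svg
+ * @return array List of allowed xml tags and their allowed attributes.
+ */
+function wp_kses_allowed_xml( $context = '' ){
+        global $allowedsvgtags;
+
+        if ( is_array( $context ) )
+                return apply_filters( 'wp_kses_allowed_xml', $context, 'explicit' );
+
+        switch ( $context ) {
+                case 'svg':
+                case 'image/svg+xml':
+                        return apply_filters( 'wp_kses_allowed_xml', $allowedsvgtags, $context );
+                        break;
+                default:
+                        return apply_filters( 'wp_kses_allowed_xml', array(), $context );
+        }
+}
+
+/**
  * You add any kses hooks here.
  *
  * There is currently only one kses WordPress hook, {@see 'pre_kses'}, and it is called here.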
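Review bot: The added `$allowedsvgtags = wp_kses_array_lc( $allowedsvgtags );` in the `else` branch reads a variable that is only assigned in the other branch, so when the enclosing condition takes the custom-tags path (the enclosing `if` starts outside this hunk; the new docblock itself says CUSTOM_TAGS overrides it) a custom tags file that does not define `$allowedsvgtags` raises an undefined-variable notice and hands `null` to `wp_kses_array_lc()`, which then propagates into `wp_kses_allowed_xml()`. Guarding it with `if ( ! isset( $allowedsvgtags ) ) { $allowedsvgtags = array(); }` before that call keeps the new function returning an array either way. In the table, `'style' => array( 'type' => array() )` admits a `<style>` element whose text content kses does not inspect, so any CSS in an uploaded SVG passes through untouched; that entry deserves either removal or a comment stating the accepted risk, and the same question applies to `xlink:href` on `use`, `image` and `pattern`, which should get a test confirming kses's protocol check covers namespaced attribute names. `'polygon'` lists `'id'` and `'class'` twice, the global's `@since 2.0.0` is copied over from an older global, and `wp_kses_allowed_xml()` uses `@params` instead of `@param`, lacks `@since`, and accepts an array although documented as `string`. The `break;` after `return` in the `svg` case is unreachable and can go.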
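--- a/src/wp-admin/includes/file.php
+++ b/src/wp-admin/includes/file.php
@@ -1294,3 +1294,13 @@
         </div>
         <?php
 }
+
+function wp_validate_upload( $params, $type ){
+        if ( preg_match( '#\bxml\b#', $params[ 'type' ] ) ) {
+                $content = file_get_contents( $params[ 'file' ] );
+                $filtered_content = wp_kses( $content, wp_kses_allowed_xml( $params[ 'type' ] ), array() );
+                file_put_contents( $params[ 'file' ], $filtered_content );
+        }
+        return $params;
+}
+add_filter( 'wp_handle_upload', 'wp_validate_upload', 10, 2 );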
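Review bot: In `wp_validate_upload()` the results of `file_get_contents()` and `file_put_contents()` are never checked, so when reading or rewriting `$params['file']` fails the unfiltered SVG stays on disk and the upload is still reported as successful — the one outcome this hook exists to prevent. Treat either failure as a rejected upload: callers of `wp_handle_upload()` already test for an `error` key, so `if ( false === $content ) { return array( 'error' => __( 'Could not sanitize the uploaded file.' ) ); }` (and the same check on the write, with the file unlinked on that path) is enough. `_wp_handle_upload()` applies the filter named after its `$action`, so if that is still how it dispatches, files arriving through `wp_handle_sideload()` never reach this function and the `add_filter()` line needs a sideload counterpart. `'#\bxml\b#'` also matches XML types that `wp_kses_allowed_xml()` has no table for; those get an empty allow-list and the upload is silently reduced to its text nodes, so the match should be limited to the contexts the kses table actually covers. The function and its unused `$type` parameter have no docblock.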