33848.diff on Ticket #33848 – Attachment – WordPress Trac

src/wp-includes/deprecated.php

         return get_query_template( 'paged' );
+}
+/**
+ * Removes the HTML JavaScript entities found in early versions of Netscape 4.
+ *
+ * Previously, this function was pulled in from the original
+ * import of kses and removed a specific vulnerability only
+ * existent in early version of Netscape 4. However, this
+ * vulnerability never affected any other browsers and can
+ * be considered safe for the modern web.
+ *
+ * The regular expression which sanitized this vulnerability
+ * has been removed in consideration of the performance and
+ * energy demands it placed, now merely passing through its
+ * input to the return.
+ *
+ * @since 1.0.0
+ * @deprecated deprecated since 4.7
+ *
+ * @param string $string
+ * @return string
+ */
+function wp_kses_js_entities( $string ) {
+        _deprecated_function( __FUNCTION__, '4.7.0' );
+        return preg_replace( '%&\s*\{[^}]*(\}\s*;?|$)%', '', $string );
+}
+ No newline at end of file

         if ( empty( $allowed_protocols ) )
                 $allowed_protocols = wp_allowed_protocols();
         $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
-        $string = wp_kses_js_entities($string);
         $string = wp_kses_normalize_entities($string);
         $string = wp_kses_hook($string, $allowed_html, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook
         return wp_kses_split($string, $allowed_html, $allowed_protocols);
 …
         $allowed_html = wp_kses_allowed_html( 'post' );
         $allowed_protocols = wp_allowed_protocols();
         $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
-        $string = wp_kses_js_entities( $string );
         // Preserve leading and trailing whitespace.
         $matches = array();
 …
+}
 /**
- * Removes the HTML JavaScript entities found in early versions of Netscape 4.
+ *
- * @since 1.0.0
+ *
- * @param string $string
- * @return string
- */
-function wp_kses_js_entities($string) {
-        return preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string);
+}
-/**
  * Handles parsing errors in wp_kses_hair().
+ *
  * The general plan is to remove everything to and including some whitespace,

                         switch ( $attack->name ) {
                                 case 'XSS Locator':
                                         $this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//--&gt;"&gt;\'&gt;alert(String.fromCharCode(88,83,83))=', $result);
+                                        $this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//--&gt;"&gt;\'&gt;alert(String.fromCharCode(88,83,83))=&amp;{}', $result);
                                         break;
                                 case 'XSS Quick Test':
                                         $this->assertEquals('\'\';!--"=', $result);
+                                        $this->assertEquals('\'\';!--"=&amp;{()}', $result);
                                         break;
                                 case 'SCRIPT w/Alert()':
                                         $this->assertEquals( "alert('XSS')", $result );