Ticket #33848: 33848.diff

File 33848.diff, 3.5 KB (added by desrosj, 5 years ago)
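--- a/src/wp-includes/deprecated.php
+++ b/src/wp-includes/deprecated.php
@@ -3772,3 +3772,29 @@
 
         return get_query_template( 'paged' );
 }
+
+/**
+ * Removes the HTML JavaScript entities found in early versions of Netscape 4.
+ *
+ * Previously, this function was pulled in from the original
+ * import of kses and removed a specific vulnerability only
+ * existent in early version of Netscape 4. However, this
+ * vulnerability never affected any other browsers and can
+ * be considered safe for the modern web.
+ *
+ * The regular expression which sanitized this vulnerability
+ * has been removed in consideration of the performance and
+ * energy demands it placed, now merely passing through its
+ * input to the return.
+ *
+ * @since 1.0.0
+ * @deprecated deprecated since 4.7
+ *
+ * @param string $string
+ * @return string
+ */
+function wp_kses_js_entities( $string ) {
+        _deprecated_function( __FUNCTION__, '4.7.0' );
+
+        return preg_replace( '%&\s*\{[^}]*(\}\s*;?|$)%', '', $string );
+}
\ No newline at end of file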
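Review bot: The docblock on the relocated wp_kses_js_entities() says the regular expression "has been removed" and that the function is "now merely passing through its input to the return", but the body still returns `preg_replace( '%&\s*\{[^}]*(\}\s*;?|$)%', '', $string )`. A plugin author reading the comment would conclude the `&{...}` stripping is gone when it is not, so either the body should become `return $string;` or the last paragraph should say that the deprecated function keeps stripping the entity and only core's own calls were dropped. The tag `@deprecated deprecated since 4.7` would be clearer as `@deprecated 4.7.0`, matching the version string passed to `_deprecated_function()`. The file also now ends without a trailing newline.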
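--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -527,7 +527,6 @@
         if ( empty( $allowed_protocols ) )
                 $allowed_protocols = wp_allowed_protocols();
         $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
-        $string = wp_kses_js_entities($string);
         $string = wp_kses_normalize_entities($string);
         $string = wp_kses_hook($string, $allowed_html, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook
         return wp_kses_split($string, $allowed_html, $allowed_protocols);
@@ -550,7 +549,6 @@
         $allowed_html = wp_kses_allowed_html( 'post' );
         $allowed_protocols = wp_allowed_protocols();
         $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
-        $string = wp_kses_js_entities( $string );
        
         // Preserve leading and trailing whitespace.
         $matches = array();
@@ -1296,18 +1294,6 @@
 }
 
 /**
- * Removes the HTML JavaScript entities found in early versions of Netscape 4.
- *
- * @since 1.0.0
- *
- * @param string $string
- * @return string
- */
-function wp_kses_js_entities($string) {
-        return preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string);
-}
-
-/**
  * Handles parsing errors in wp_kses_hair().
  *
  * The general plan is to remove everything to and including some whitespace,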
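--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -195,10 +195,10 @@
 
                         switch ( $attack->name ) {
                                 case 'XSS Locator':
-                                        $this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))=', $result);
+                                        $this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))=&{}', $result);
                                         break;
                                 case 'XSS Quick Test':
-                                        $this->assertEquals('\'\';!--"=', $result);
+                                        $this->assertEquals('\'\';!--"=&{()}', $result);
                                         break;
                                 case 'SCRIPT w/Alert()':
                                         $this->assertEquals( "alert('XSS')", $result );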
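Review bot: The two updated expectations in the 'XSS Locator' and 'XSS Quick Test' cases only pin that `&{}` and `&{()}` now survive the filter; nothing visible in this hunk exercises the relocated wp_kses_js_entities() itself. Because the deprecated function still strips the entity and calls `_deprecated_function()`, a short test annotated with `@expectedDeprecated wp_kses_js_entities` that asserts the `&{...}` sequence is removed would document what direct callers still get. The enclosing test method and its switch statement start and end outside the hunk, so such a test may already exist elsewhere in the file.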