Ticket #33848: no_js_entities.2.diff

File no_js_entities.2.diff, 2.7 KB (added by dmsnell, 6 years ago)

Version 2 of the patch to remove wp_kses_js_entities()

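--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -525,7 +525,6 @@
         if ( empty( $allowed_protocols ) )
                 $allowed_protocols = wp_allowed_protocols();
         $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
-        $string = wp_kses_js_entities($string);
         $string = wp_kses_normalize_entities($string);
         $string = wp_kses_hook($string, $allowed_html, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook
         return wp_kses_split($string, $allowed_html, $allowed_protocols);
@@ -548,7 +547,6 @@
         $allowed_html = wp_kses_allowed_html( 'post' );
         $allowed_protocols = wp_allowed_protocols();
         $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
-        $string = wp_kses_js_entities( $string );
        
         // Preserve leading and trailing whitespace.
         $matches = array();
@@ -1294,15 +1292,27 @@
 }
 
 /**
- * Removes the HTML JavaScript entities found in early versions of Netscape 4.
+ * Stub for maintaining plugin compatability.
  *
+ * Previously, this function was pulled in from the original
+ * import of kses and removed a specific vulnerability only
+ * existent in early version of Netscape 4. However, this
+ * vulnerability never affected any other browsers and can
+ * be considered safe for the modern web.
+ *
+ * The regular expression which sanitized this vulnerability
+ * has been removed in consideration of the performance and
+ * energy demands it placed, now merely passing through its
+ * input to the return.
+ *
  * @since 1.0.0
+ * @deprecated deprecated since 4.4
  *
  * @param string $string
  * @return string
  */
 function wp_kses_js_entities($string) {
-        return preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string);
+        return $string;
 }
 
 /**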
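Review bot: The stub `wp_kses_js_entities()` is marked `@deprecated` only in its docblock while the body is a bare `return $string;`, so a plugin that still calls it as a sanitising step gets its input back untouched with no runtime signal that the function no longer filters anything. Adding `_deprecated_function( __FUNCTION__, '4.4' );` before the return would make remaining callers show up in debug output. The tag would also read more conventionally as `@deprecated 4.4.0`, and "compatability" in the new summary line should be "compatibility".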
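--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -195,7 +195,7 @@
 
                         switch ( $attack->name ) {
                                 case 'XSS Locator':
-                                        $this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))=', $result);
+                                        $this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))=&{}', $result);
                                         break;
                                 case 'XSS Quick Test':
                                         $this->assertEquals('\'\';!--"=', $result);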
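Review bot: The 'XSS Locator' case is the only place this behaviour change is exercised, and it covers just the empty `&{}` form that now survives at the end of the expected string. A dedicated case that feeds a non-empty `&{...};` sequence through `wp_kses()` and asserts the exact output would pin down what the filter is expected to do with that input now that the strip step is gone. A one-line assertion that `wp_kses_js_entities()` returns its argument unchanged would also document the stub's contract. The enclosing test method and the rest of the `switch` lie outside this hunk, so this is based only on the lines visible here.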