Ticket #33848: no_js_entities.diff
File no_js_entities.diff, 1.8 KB (added by , 9 years ago) |
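--- a/wp-includes/kses.php
+++ b/wp-includes/kses.php
@@ -525,7 +525,6 @@
 if ( empty( $allowed_protocols ) )
 $allowed_protocols = wp_allowed_protocols();
 $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
-$string = wp_kses_js_entities($string);
 $string = wp_kses_normalize_entities($string);
 $string = wp_kses_hook($string, $allowed_html, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook
 return wp_kses_split($string, $allowed_html, $allowed_protocols);
@@ -548,7 +547,6 @@
 $allowed_html = wp_kses_allowed_html( 'post' );
 $allowed_protocols = wp_allowed_protocols();
 $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
-$string = wp_kses_js_entities( $string );
 
 // Preserve leading and trailing whitespace.
 $matches = array();
@@ -1294,15 +1292,27 @@
 }
 
 /**
-* Removes the HTML JavaScript entities found in early versions of Netscape 4.
+* Stub for maintaining plugin compatability.
 *
+* Previously, this function was pulled in from the original
+* import of kses and removed a specific vulnerability only
+* existent in early version of Netscape 4. However, this
+* vulnerability never affected any other browsers and can
+* be considered safe for the modern web.
+*
+* The regular expression which sanitized this vulnerability
+* has been removed in consideration of the performance and
+* energy demands it placed, now merely passing through its
+* input to the return.
+*
 * @since 1.0.0
+* @deprecated deprecated since 4.4
 *
 * @param string $string
 * @return string
 */
 function wp_kses_js_entities($string) {
-return preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string);
+return $string;
 }
 
 /**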
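Review bot: The stub at the end of the third hunk turns `wp_kses_js_entities()` into a silent pass-through, so any plugin that still calls it as a sanitizing step gets its input back unchanged with no signal that the filter is gone. The docblock marks it deprecated but the body emits nothing at runtime; I would add `_deprecated_function( __FUNCTION__, '4.4' );` before `return $string;` and write the tag as `@deprecated 4.4` rather than `@deprecated deprecated since 4.4`. The two calls removed in the first and second hunks come with no test in this patch; a case asserting what the filter now returns for input containing `&{...};` would pin the new behaviour and show that the bare ampersand is still handled by `wp_kses_normalize_entities()` in the first hunk (the second hunk does not show a normalize call, and its enclosing function starts and ends outside the hunk). "compatability" in the new summary line should read "compatibility".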