Ticket #33924: 33924.2.patch
File 33924.2.patch, 1.6 KB (added by , 9 years ago) |
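--- a/formatting.php
+++ b/formatting.php
@@ -1641,21 +1641,26 @@
 * Strips the string down to A-Z,a-z,0-9,_,-. If this results in an empty
 * string then it will return the alternative value supplied.
 *
-* @todo Expand to support the full range of CDATA that a class attribute can contain.
-*
 * @since 2.8.0
 *
 * @param string $class The classname to be sanitized
 * @param string $fallback Optional. The value to return if the sanitization ends up as an empty string.
 * Defaults to an empty string.
+* @param bool $strict Optional, since 4.4.0. When true, a blacklist of characters will be striped out from the $class, else a whitelist will be used.
 * @return string The sanitized value
 */
-function sanitize_html_class( $class, $fallback = '' ) {
+function sanitize_html_class( $class, $fallback = '', $strict = false ) {
 //Strip out any % encoded octets
 $sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $class );
 
-//Limit to A-Z,a-z,0-9,_,-
-$sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );
+if ( false === $strict ) {
+// Limit to A-Z,a-z,0-9,_,-, the whitelist
+$pattern = '/[^A-Za-z0-9@_-]/';
+} else { // Since 4.4.0
+// Remove meaningful CSS characters, the blacklist
+$pattern = '/[\\\\#%&\',-\/:;<=>@`~\^\$\.\!\[\]\|\{\}\(\)\?\*\+"\s]/';
+}
+$sanitized = preg_replace( $pattern, '', $sanitized );
 
 if ( '' == $sanitized && $fallback ) {
 return sanitize_html_class( $fallback );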
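Review bot: The default (non-strict) branch on the `$pattern = '/[^A-Za-z0-9@_-]/';` line widens the allow-list to accept `@`, while the comment directly above it, the function docblock ("Strips the string down to A-Z,a-z,0-9,_,-") and the strict-mode deny-list (which strips `@`) all say otherwise, so every existing two-argument caller gets a silently changed sanitizer contract; unless `@` is intended, keep `$pattern = '/[^A-Za-z0-9_-]/';`, and if it is intended, update the docblock and both comments. In the strict branch the unescaped `,-\/` inside the character class is a range from `,` to `/`, so `-` (and `.`) are stripped and `foo-bar` becomes `foobar` in the mode that is documented as the more permissive one, while the default mode keeps hyphens; if only `,` and `/` were meant, write `,\/` and place any literal `-` last in the class. Because this branch is a deny-list, any byte not enumerated — control characters other than what `\s` matches, non-ASCII — passes through, so the `$strict` docblock entry should say the output is no longer limited to a known character set ("striped" → "stripped" while there), and since `true` selects the looser filter the parameter name reads inverted and deserves a sentence of explanation. The fallback recursion on the last context line, `return sanitize_html_class( $fallback );`, drops `$strict`, so the fallback is always filtered by the allow-list; if that is deliberate, say so in a comment, otherwise pass `$strict` through. The function body continues past the end of the hunk.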