WordPress.org

Make WordPress Core

Ticket #33924: 33924.2.patch

File 33924.2.patch, 1.6 KB (added by juliobox, 4 years ago)
  • formatting.php

     
    16411641 * Strips the string down to A-Z,a-z,0-9,_,-. If this results in an empty
    16421642 * string then it will return the alternative value supplied.
    16431643 *
    1644  * @todo Expand to support the full range of CDATA that a class attribute can contain.
    1645  *
    16461644 * @since 2.8.0
    16471645 *
    16481646 * @param string $class    The classname to be sanitized
    16491647 * @param string $fallback Optional. The value to return if the sanitization ends up as an empty string.
    16501648 *      Defaults to an empty string.
     1649 * @param bool $strict Optional, since 4.4.0. When true, a blacklist of characters will be striped out from the $class, else a whitelist will be used.
    16511650 * @return string The sanitized value
    16521651 */
    1653 function sanitize_html_class( $class, $fallback = '' ) {
     1652function sanitize_html_class( $class, $fallback = '', $strict = false ) {
    16541653        //Strip out any % encoded octets
    16551654        $sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $class );
    16561655
    1657         //Limit to A-Z,a-z,0-9,_,-
    1658         $sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );
     1656        if ( false === $strict ) {
     1657                // Limit to A-Z,a-z,0-9,_,-, the whitelist
     1658                $pattern = '/[^A-Za-z0-9@_-]/';
     1659        } else { // Since 4.4.0
     1660                // Remove meaningful CSS characters, the blacklist
     1661                $pattern = '/[\\\\#%&\',-\/:;<=>@`~\^\$\.\!\[\]\|\{\}\(\)\?\*\+"\s]/';
     1662        }
     1663        $sanitized = preg_replace( $pattern, '', $sanitized );
    16591664
    16601665        if ( '' == $sanitized && $fallback ) {
    16611666                return sanitize_html_class( $fallback );