

Ticket #33924: 33924.diff

File 33924.diff, 719 bytes (added by peterwilsoncc, 4 years ago)
  • src/wp-includes/formatting.php

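--- a/src/wp-includes/formatting.php
+++ b/src/wp-includes/formatting.php
@@ -1654,8 +1654,9 @@ function sanitize_html_class( $class, $fallback = '' ) {
         //Strip out any % encoded octets
         $sanitized = preg_replace( '|%[a-fA-F0-9][a-fA-F0-9]|', '', $class );
 
-        //Limit to A-Z,a-z,0-9,_,-
-        $sanitized = preg_replace( '/[^A-Za-z0-9_-]/', '', $sanitized );
+        //Remove meaningful CSS characters
+        $pattern = '/[\\\\#%&\',-\/:;<=>@`~\^\$\.\!\[\]\|\{\}\(\)\?\*\+"\s]/';
+        $sanitized = preg_replace( $pattern, '', $sanitized );
 
         if ( '' == $sanitized && $fallback ) {
                 return sanitize_html_class( $fallback );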
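Review bot: The unescaped `-` between `,` and `\/` in the new `$pattern` (line 1658) forms a character range `,-/`, so the pattern strips hyphens and periods along with the characters the author listed; the allowlist it replaces kept `-`, so a class like `my-class` now sanitizes to `myclass`. Escaping the hyphen (`\',\-\/` in place of `\',-\/`) restores it, and the explicit `\.` later in the class suggests the range was not intended. The change also turns an allowlist into a denylist, which is worth a comment because anything not enumerated — control characters outside `\s`, non-ASCII — now passes through, whereas `[^A-Za-z0-9_-]` rejected it; a line such as `// Denylist: only the listed characters are removed, non-ASCII and other bytes are kept intentionally` would record that intent. sanitize_html_class() starts and ends outside the hunk.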