Ticket #37134: 37134.10.diff
File 37134.10.diff, 5.0 KB (added by , 3 years ago) |
src/wp-includes/kses.php
2302 2302 } 2303 2303 2304 2304 if ( $found ) { 2305 // Check for any CSS containing \ ( & } = or comments, except for url() usage checked above. 2306 $allow_css = ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string ); 2307 2305 2308 /** 2306 * Filters the regex limiting the list of characters not allowed in CSS rules.2309 * Filters the check for unsafe CSS in `safecss_filter_attr`. 2307 2310 * 2308 * Default behaviour is to remove any CSS containing \ ( & } = or comments, 2309 * except for url() usage. 2311 * Enables developers to determine whether a section of CSS should be allowed or discarded. 2312 * By default, the value will be false if the part contains \ ( & } = or comments. 2313 * Return true to allow the CSS part to be included in the output. 2310 2314 * 2311 2315 * @since 5.5.0 2312 2316 * 2313 * @param string $regex Regex pattern of disallowed characters in CSS rules. 2314 * Default is '%[\\\(&=}]|/\*%'. 2315 * @param string $css_test_string CSS value to test. 2317 * @param bool $allow_css Whether the CSS in the test string is considered safe. 2318 * @param string $css_test_string The css string to test. 2316 2319 */ 2317 $disallowed_chars = apply_filters( 'safe_style_disallowed_chars', '%[\\\(&=}]|/\*%', $css_test_string ); 2318 if ( ! preg_match( $disallowed_chars, $css_test_string ) ) { 2320 $allow_css = apply_filters( 'safecss_filter_attr_allow_css', $allow_css, $css_test_string ); 2321 2322 // Only add the css part if it passes the regex check. 2323 if ( $allow_css ) { 2319 2324 if ( '' !== $css ) { 2320 2325 $css .= ';'; 2321 2326 } 2327 2322 2328 $css .= $css_item; 2323 2329 } 2324 2330 } -
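Review bot: The new `$allow_css = ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string );` fails open: preg_match() returns false on a PCRE error, and `! false` is true, so an engine failure would let the part through; `$allow_css = ( 0 === preg_match( '%[\\\(&=}]|/\*%', $css_test_string ) );` gives the same result on a clean run and fails closed otherwise. The filter docblock should also state that the callback decides on `$css_test_string` while the value appended below is `$css_item`, so a callback must expect the two to differ (the comment above the check suggests url() usage has already been removed from the test string), and that returning true unconditionally — as the `__return_true` in the accompanying test does — disables the check for every style part, so a callback should allow only the specific constructs it has inspected. The added comment `// Only add the css part if it passes the regex check.` is no longer accurate once the filter has run; `// Only add the css part if the regex check, or a filter, allows it.` describes the actual flow. safecss_filter_attr() begins and ends outside this hunk.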
tests/phpunit/tests/kses.php
1263 1263 } 1264 1264 1265 1265 /** 1266 * Filter for disallowed characters never matches thus allowing all characters. 1267 */ 1268 function _safe_style_disallowed_chars_filter( $regex ) { 1269 return '%a^%'; // Regex with no matches. 1270 1271 } 1272 /** 1273 * Testing the safecss_filter_attr() function with the safe_style_disallowed_chars filter. 1266 * Testing the safecss_filter_attr() function with the safecss_filter_attr_allow_css filter. 1274 1267 * 1275 1268 * @ticket 37134 1276 1269 * … … 1280 1273 * @param string $expected Expected string of CSS rules. 1281 1274 */ 1282 1275 public function test_safecss_filter_attr_filtered( $css, $expected ) { 1283 add_filter( 'safe _style_disallowed_chars', array( $this, '_safe_style_disallowed_chars_filter' ));1276 add_filter( 'safecss_filter_attr_allow_css', '__return_true' ); 1284 1277 $this->assertSame( $expected, safecss_filter_attr( $css ) ); 1285 remove_filter( 'safe _style_disallowed_chars', array( $this, '_safe_style_disallowed_chars_filter' ));1278 remove_filter( 'safecss_filter_attr_allow_css', '__return_true' ); 1286 1279 } 1287 1280 1288 1281 /** … … 1303 1296 'css' => 'margin-top: 2px', 1304 1297 'expected' => 'margin-top: 2px', 1305 1298 ), 1306 // Backslash \ can be allowed with the 'safe _style_disallowed_chars' filter.1299 // Backslash \ can be allowed with the 'safecss_filter_attr_allow_css' filter. 1307 1300 array( 1308 1301 'css' => 'margin-top: \2px', 1309 1302 'expected' => 'margin-top: \2px', 1310 1303 ), 1311 // Curly bracket } can be allowed with the 'safe _style_disallowed_chars' filter.1304 // Curly bracket } can be allowed with the 'safecss_filter_attr_allow_css' filter. 1312 1305 array( 1313 1306 'css' => 'margin-bottom: 2px}', 1314 1307 'expected' => 'margin-bottom: 2px}', 1315 1308 ), 1316 // Parenthesis ) can be allowed with the 'safe _style_disallowed_chars' filter.1309 // Parenthesis ) can be allowed with the 'safecss_filter_attr_allow_css' filter. 
1317 1310 array( 1318 1311 'css' => 'margin-bottom: 2px)', 1319 1312 'expected' => 'margin-bottom: 2px)', 1320 1313 ), 1321 // Ampersand & can be allowed with the 'safe _style_disallowed_chars' filter.1314 // Ampersand & can be allowed with the 'safecss_filter_attr_allow_css' filter. 1322 1315 array( 1323 1316 'css' => 'margin-bottom: 2px&', 1324 1317 'expected' => 'margin-bottom: 2px&', 1325 1318 ), 1326 // Expressions can be allowed with the 'safe _style_disallowed_chars' filter.1319 // Expressions can be allowed with the 'safecss_filter_attr_allow_css' filter. 1327 1320 array( 1328 1321 'css' => 'height: expression( body.scrollTop + 50 + "px" )', 1329 1322 'expected' => 'height: expression( body.scrollTop + 50 + "px" )', 1330 1323 ), 1331 // RGB color values can be allowed with the 'safe _style_disallowed_chars' filter.1324 // RGB color values can be allowed with the 'safecss_filter_attr_allow_css' filter. 1332 1325 array( 1333 1326 'css' => 'color: rgb( 100, 100, 100 )', 1334 1327 'expected' => 'color: rgb( 100, 100, 100 )', 1335 1328 ), 1336 // RGBA color values can be allowed with the 'safe _style_disallowed_chars' filter.1329 // RGBA color values can be allowed with the 'safecss_filter_attr_allow_css' filter. 1337 1330 array( 1338 1331 'css' => 'color: rgb( 100, 100, 100, .4 )', 1339 1332 'expected' => 'color: rgb( 100, 100, 100, .4 )',