
Ticket #37134: 37134.8.diff

File 37134.8.diff, 3.0 KB (added by adamsilverstein, 5 years ago)
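diff --git src/wp-includes/kses.php src/wp-includes/kses.php
index 9c9d094d46..25f39f58d9 100644
--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -2301,26 +2301,29 @@ function safecss_filter_attr( $css, $deprecated = '' ) {
                         }
                 }
 
-                if ( $found ) {
-                        /**
-                         * Filters the regex limiting the list of characters not allowed in CSS rules.
-                         *
-                         * Default behaviour is to remove any CSS containing \ ( & } = or comments,
-                         * except for url() usage.
-                         *
-                         * @since 5.5.0
-                         *
-                         * @param string $regex           Regex pattern of disallowed characters in CSS rules.
-                         *                                Default is '%[\\\(&=}]|/\*%'.
-                         * @param string $css_test_string CSS value to test.
-                         */
-                        $disallowed_chars = apply_filters( 'safe_style_disallowed_chars', '%[\\\(&=}]|/\*%', $css_test_string );
-                        if ( ! preg_match( $disallowed_chars, $css_test_string ) ) {
-                                if ( '' !== $css ) {
-                                        $css .= ';';
-                                }
-                                $css .= $css_item;
+                // Check for any CSS containing \ ( & } = or comments, except for url() usage checked above.
+                $unsafe_css_found = (bool) preg_match( '%[\\\(&=}]|/\*%', $css_test_string );
+
+                /**
+                 * Filters the check for unsafe CSS in `safecss_filter_attr`.
+                 *
+                 * Enables developers to filter the value that determines whether a section of CSS part disallowed characters.
+                 *
+                 * By default, the value will be true if the part contains \ ( & } = or comments. Return true to allow the part to
+                 * be included in the output.
+                 *
+                 * @param bool   $unsafe_css_found Whether unsafe CSS is found in the test string.
+                 * @param string $css_test_string  The css string to test.
+                 */
+                $unsafe_css_found = apply_filters( 'safe_style_css_has_unsafe_css', $unsafe_css_found, $css_test_string );
+
+                 // Only add the css part if it passes the regex check.
+                if ( $found && ! $unsafe_css_found ) {
+                        if ( '' !== $css ) {
+                                $css .= ';';
                         }
+
+                        $css .= $css_item;
                 }
         }
 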
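Review bot: The docblock for the new `safe_style_css_has_unsafe_css` filter states the opposite of what the code does: it says "Return true to allow the part to be included in the output", but the part is appended only when `$found && ! $unsafe_css_found`, so returning true drops it and returning false lets it through. Because this hook decides whether values containing `\`, `(`, `&`, `}`, `=` or comments reach a style attribute, the sentence should read `Return false to allow the part to be included in the output.`, and the block should state that a blanket false (for example `__return_false`) turns the check off for every declaration, so a callback should inspect `$css_test_string` and allow only the specific values it expects. The docblock also lacks an `@since` tag, and the filtered value is used without a cast; `$unsafe_css_found = (bool) apply_filters( ... );` would keep a non-boolean return from a callback from changing the outcome unexpectedly. The enclosing function starts and ends outside the hunk.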
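diff --git tests/phpunit/tests/kses.php tests/phpunit/tests/kses.php
index 7a846d5292..36e723bba0 100644
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -1262,13 +1262,6 @@ EOF;
                 );
         }
 
-        /**
-         * Filter for disallowed characters never matches thus allowing all characters.
-         */
-        function _safe_style_disallowed_chars_filter( $regex ) {
-                return '%a^%'; // Regex with no matches.
-
-        }
         /**
          * Testing the safecss_filter_attr() function with the safe_style_disallowed_chars filter.
          *
@@ -1280,9 +1273,9 @@ EOF;
          * @param string $expected Expected string of CSS rules.
          */
         public function test_safecss_filter_attr_filtered( $css, $expected ) {
-                add_filter( 'safe_style_disallowed_chars', array( $this, '_safe_style_disallowed_chars_filter' ) );
+                add_filter( 'safe_style_css_has_disallowed_chars', '__return_false' );
                 $this->assertSame( $expected, safecss_filter_attr( $css ) );
-                remove_filter( 'safe_style_disallowed_chars', array( $this, '_safe_style_disallowed_chars_filter' ) );
+                remove_filter( 'safe_style_css_has_disallowed_chars', '__return_false' );
         }
 
         /**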
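Review bot: `test_safecss_filter_attr_filtered()` hooks `safe_style_css_has_disallowed_chars`, but the filter this patch adds in src/wp-includes/kses.php is named `safe_style_css_has_unsafe_css`, so the `__return_false` callback is never invoked and the test does not exercise the new hook. Use the same name on both lines, `add_filter( 'safe_style_css_has_unsafe_css', '__return_false' );` and the matching `remove_filter()` call, and update the docblock above the test, which still refers to the removed `safe_style_disallowed_chars` filter. If one does not already exist, a companion case asserting that the same inputs are stripped when no callback is registered would catch a regression that leaves the check disabled by default. The test class continues outside the hunk.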