Ticket #37698: 37698.3.diff
File 37698.3.diff, 3.3 KB (added by , 5 years ago) |
---|
-
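--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -1047,6 +1047,25 @@
 }
 
 /**
+* Test whether wp_kses_split works properly when called multiple times.
+*
+* @ticket 37698
+*/
+function test_wp_kses_split_global_pollution() {
+$result_inner = '';
+$func = function ( $attributes ) use ( &$result_inner ) {
+$result_inner = wp_kses_split( '<img src=x style="color: red;" >', [ 'img' => [ 'src' => [] ] ], [] ); // this triggers the bug
+return $attributes;
+};
+add_filter( 'safe_style_css', $func );
+
+$expected = "<a style='color: red'>I link this</a>";
+$result = wp_kses_split( "<a style='color: red;'>I link this</a>", array( 'a' => array( 'style' => array() ) ), array( 'http' ) );
+$this->assertEquals( $expected, $result );
+$this->assertEquals( '<img src="x">', $result_inner );
+}
+
+/**
 * Test URL sanitization in the style tag.
 *
 * @dataProvider data_kses_style_attr_with_url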
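Review bot: The new test only covers a nested call whose allowlist is narrower than the outer one, so it checks that the outer output stays intact but not that a wider inner allowlist cannot leak into the outer call. That second direction is the one that matters most for a sanitizer. I would add a case where the `safe_style_css` callback calls `wp_kses_split()` with a tag the outer call does not allow, and assert that the outer result still strips that tag. Two smaller points: `assertSame()` would also pin the return type, and `// this triggers the bug` could say what is being triggered, e.g. `// Nested call from inside a filter; must not change the outer call's allowlist.`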
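--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -941,10 +941,13 @@
 * @return string Content with fixed HTML tags
 */
 function wp_kses_split( $string, $allowed_html, $allowed_protocols ) {
-global $pass_allowed_html, $pass_allowed_protocols;
-$pass_allowed_html = $allowed_html;
-$pass_allowed_protocols = $allowed_protocols;
-return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );
+return preg_replace_callback(
+'%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%',
+function ( $match ) use ( $allowed_html, $allowed_protocols ) {
+return wp_kses_split2( $match[0], $allowed_html, $allowed_protocols );
+},
+$string
+);
 }
 
 /**
@@ -998,23 +1001,6 @@
 }
 
 /**
-* Callback for `wp_kses_split()`.
-*
-* @since 3.1.0
-* @access private
-* @ignore
-*
-* @global array $pass_allowed_html
-* @global array $pass_allowed_protocols
-*
-* @return string
-*/
-function _wp_kses_split_callback( $match ) {
-global $pass_allowed_html, $pass_allowed_protocols;
-return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols );
-}
-
-/**
 * Callback for `wp_kses_split()` for fixing malformed HTML tags.
 *
 * This function does a lot of work. It rejects some very malformed things like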
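Review bot: The closure in `wp_kses_split()` carries the whole fix, but nothing in the function says why the allowlists are captured instead of shared, so a later cleanup could move them back to shared state. A short comment above the `preg_replace_callback(` call would help, for example `// Allowlists are captured per call: a nested wp_kses_split() (e.g. from a filter) must not alter them.` The docblock of `wp_kses_split()` starts above the hunk. If it still carries `@global array $pass_allowed_html` and `@global array $pass_allowed_protocols`, those tags should be removed along with the globals.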
src/wp-includes/deprecated.php
3995 3995 // register_globals was deprecated in PHP 5.3 and removed entirely in PHP 5.4. 3996 3996 _deprecated_function( __FUNCTION__, '5.5.0' ); 3997 3997 } 3998 3999 /** 4000 * Callback for `wp_kses_split()`. 4001 * 4002 * @since 3.1.0 4003 * @access private 4004 * @deprecated 5.5.0 4005 * @ignore 4006 * 4007 * @global array $pass_allowed_html 4008 * @global array $pass_allowed_protocols 4009 * 4010 * @return string 4011 */ 4012 function _wp_kses_split_callback( $match ) { 4013 global $pass_allowed_html, $pass_allowed_protocols; 4014 _deprecated_function( __FUNCTION__, '5.5.0' ); 4015 return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols ); 4016 }
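Review bot: The deprecated `_wp_kses_split_callback()` still reads `$pass_allowed_html` and `$pass_allowed_protocols`, but the patch removes the assignments to them from `wp_kses_split()` in src/wp-includes/kses.php. A direct caller would therefore pass whatever those globals happen to hold, presumably unset, to `wp_kses_split2()`. For a sanitizer it is safer to fail closed, e.g. `if ( ! isset( $pass_allowed_html, $pass_allowed_protocols ) ) { return ''; }` after the `_deprecated_function()` call. At minimum the docblock should state that core no longer populates the globals. The docblock also lacks a `@param array $match` line.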