Make WordPress Core

Ticket #37698: 37698.3.diff

File 37698.3.diff, 3.3 KB (added by xknown, 5 years ago)

Add documentation for the related unit test

  • tests/phpunit/tests/kses.php

     
    10471047        }
    10481048
    10491049        /**
     1050         * Test whether wp_kses_split works properly when called multiple times.
     1051         *
     1052         * @ticket 37698
     1053         */
     1054        function test_wp_kses_split_global_pollution() {
     1055                $result_inner = '';
     1056                $func = function ( $attributes ) use ( &$result_inner ) {
     1057                        $result_inner = wp_kses_split( '<img src=x style="color: red;" >', [ 'img' => [ 'src' => [] ] ], [] ); // this triggers the bug
     1058                        return $attributes;
     1059                };
     1060                add_filter( 'safe_style_css', $func );
     1061
     1062                $expected = "<a style='color: red'>I link this</a>";
     1063                $result   = wp_kses_split( "<a style='color: red;'>I link this</a>", array( 'a' => array( 'style' => array() ) ), array( 'http' ) );
     1064                $this->assertEquals( $expected, $result );
     1065                $this->assertEquals( '<img src="x">', $result_inner );
     1066        }
     1067
     1068        /**
    10501069         * Test URL sanitization in the style tag.
    10511070         *
    10521071         * @dataProvider data_kses_style_attr_with_url
  • src/wp-includes/kses.php

     
    941941 * @return string Content with fixed HTML tags
    942942 */
    943943function wp_kses_split( $string, $allowed_html, $allowed_protocols ) {
    944         global $pass_allowed_html, $pass_allowed_protocols;
    945         $pass_allowed_html      = $allowed_html;
    946         $pass_allowed_protocols = $allowed_protocols;
    947         return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );
     944        return preg_replace_callback(
     945                '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%',
     946                function ( $match ) use ( $allowed_html, $allowed_protocols ) {
     947                        return wp_kses_split2( $match[0], $allowed_html, $allowed_protocols );
     948                },
     949                $string
     950        );
    948951}
    949952
    950953/**
     
    9981001}
    9991002
    10001003/**
    1001  * Callback for `wp_kses_split()`.
    1002  *
    1003  * @since 3.1.0
    1004  * @access private
    1005  * @ignore
    1006  *
    1007  * @global array $pass_allowed_html
    1008  * @global array $pass_allowed_protocols
    1009  *
    1010  * @return string
    1011  */
    1012 function _wp_kses_split_callback( $match ) {
    1013         global $pass_allowed_html, $pass_allowed_protocols;
    1014         return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols );
    1015 }
    1016 
    1017 /**
    10181004 * Callback for `wp_kses_split()` for fixing malformed HTML tags.
    10191005 *
    10201006 * This function does a lot of work. It rejects some very malformed things like
  • src/wp-includes/deprecated.php

     
    39953995        // register_globals was deprecated in PHP 5.3 and removed entirely in PHP 5.4.
    39963996        _deprecated_function( __FUNCTION__, '5.5.0' );
    39973997}
     3998
     3999/**
     4000 * Callback for `wp_kses_split()`.
     4001 *
     4002 * @since 3.1.0
     4003 * @access private
     4004 * @deprecated 5.5.0
     4005 * @ignore
     4006 *
     4007 * @global array $pass_allowed_html
     4008 * @global array $pass_allowed_protocols
     4009 *
     4010 * @return string
     4011 */
     4012function _wp_kses_split_callback( $match ) {
     4013        global $pass_allowed_html, $pass_allowed_protocols;
     4014        _deprecated_function( __FUNCTION__, '5.5.0' );
     4015        return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols );
     4016}