Ticket #37698: 37698.4.diff

src/wp-includes/deprecated.php

@@ -4203 +4203 @@
         <?php
         wp_strict_cross_origin_referrer();
 }
+
+/**
+ * Callback for `wp_kses_split()`.
+ *
+ * @since 3.1.0
+ * @access private
+ * @deprecated 5.7.0
+ * @ignore
+ *
+ * @global array[]|string $pass_allowed_html      An array of allowed HTML elements and attributes,
+ *                                                or a context name such as 'post'.
+ * @global string[]       $pass_allowed_protocols Array of allowed URL protocols.
+ *
+ * @param array $matches preg_replace regexp matches
+ * @return string
+ */
+function _wp_kses_split_callback( $match ) {
+        global $pass_allowed_html, $pass_allowed_protocols;
+
+        _deprecated_function( __FUNCTION__, '5.7.0' );
+
+        return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols );
+}

src/wp-includes/kses.php

@@ -965 +965 @@
  * @return string Content with fixed HTML tags
  */
 function wp_kses_split( $string, $allowed_html, $allowed_protocols ) {
-        global $pass_allowed_html, $pass_allowed_protocols;
-
-        $pass_allowed_html      = $allowed_html;
-        $pass_allowed_protocols = $allowed_protocols;
-
-        return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );
+        return preg_replace_callback(
+                '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%',
+                function ( $match ) use ( $allowed_html, $allowed_protocols ) {
+                        return wp_kses_split2( $match[0], $allowed_html, $allowed_protocols );
+                },
+                $string
+        );
 }
 
 /**
@@ -1023 +1024 @@
         return $uri_attributes;
 }
 
-/**
- * Callback for `wp_kses_split()`.
- *
- * @since 3.1.0
- * @access private
- * @ignore
- *
- * @global array[]|string $pass_allowed_html      An array of allowed HTML elements and attributes,
- *                                                or a context name such as 'post'.
- * @global string[]       $pass_allowed_protocols Array of allowed URL protocols.
- *
- * @param array $matches preg_replace regexp matches
- * @return string
- */
-function _wp_kses_split_callback( $match ) {
-        global $pass_allowed_html, $pass_allowed_protocols;
-
-        return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols );
-}
-
 /**
  * Callback for `wp_kses_split()` for fixing malformed HTML tags.
  *

tests/phpunit/tests/kses.php

@@ -1206 +1206 @@
                 );
         }
 
+        /**
+         * Test whether wp_kses_split works properly when called multiple times.
+         *
+         * @ticket 37698
+         */
+        function test_wp_kses_split_global_pollution() {
+                $result_inner = '';
+                $func = function ( $attributes ) use ( &$result_inner ) {
+                        $result_inner = wp_kses_split( '<img src=x style="color: red;" >', [ 'img' => [ 'src' => [] ] ], [] ); // this triggers the bug
+                        return $attributes;
+                }
+                add_filter( 'safe_style_css', $func );
+
+                $expected = "<a style='color: red'>I link this</a>";
+                $result   = wp_kses_split( "<a style='color: red;'>I link this</a>", array( 'a' => array( 'style' => array() ) ), array( 'http' ) );
+                $this->assertEquals( $expected, $result );
+                $this->assertEquals( '<img src="x">', $result_inner );
+        }
+
         /**
          * Test URL sanitization in the style tag.
          *