
Ticket #37698: 37698.4.diff

File 37698.4.diff, 3.6 KB (added by audrasjb, 4 years ago)

In case we still want to close this ticket with 5.7, here is a patch refresh against trunk.

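--- a/src/wp-includes/deprecated.php
+++ b/src/wp-includes/deprecated.php
@@ -4203,3 +4203,26 @@ function wp_sensitive_page_meta() {
         <?php
         wp_strict_cross_origin_referrer();
 }
+
+/**
+ * Callback for `wp_kses_split()`.
+ *
+ * @since 3.1.0
+ * @access private
+ * @deprecated 5.7.0
+ * @ignore
+ *
+ * @global array[]|string $pass_allowed_html      An array of allowed HTML elements and attributes,
+ *                                                or a context name such as 'post'.
+ * @global string[]       $pass_allowed_protocols Array of allowed URL protocols.
+ *
+ * @param array $matches preg_replace regexp matches
+ * @return string
+ */
+function _wp_kses_split_callback( $match ) {
+        global $pass_allowed_html, $pass_allowed_protocols;
+
+        _deprecated_function( __FUNCTION__, '5.7.0' );
+
+        return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols );
+}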
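Review bot: The relocated `_wp_kses_split_callback()` still reads `$pass_allowed_html` and `$pass_allowed_protocols`, but the kses.php part of this patch stops `wp_kses_split()` from assigning them, so a direct caller now passes whatever those globals happen to hold (possibly nothing) to `wp_kses_split2()`. How `wp_kses_split2()` treats an unset allowlist is not visible on this page, so the docblock should at least state that callers must populate both globals themselves before invoking the callback. Naming a replacement in the third argument of `_deprecated_function()` would tell plugin authors where to go; presumably that is `wp_kses_split()`, but confirm. The `@param array $matches` tag does not match the `$match` parameter; `@param array $match preg_replace regexp matches` would.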
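--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -965,12 +965,13 @@ function wp_kses_version() {
  * @return string Content with fixed HTML tags
  */
 function wp_kses_split( $string, $allowed_html, $allowed_protocols ) {
-        global $pass_allowed_html, $pass_allowed_protocols;
-
-        $pass_allowed_html      = $allowed_html;
-        $pass_allowed_protocols = $allowed_protocols;
-
-        return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );
+        return preg_replace_callback(
+                '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%',
+                function ( $match ) use ( $allowed_html, $allowed_protocols ) {
+                        return wp_kses_split2( $match[0], $allowed_html, $allowed_protocols );
+                },
+                $string
+        );
 }
 
 /**
@@ -1023,26 +1024,6 @@ function wp_kses_uri_attributes() {
         return $uri_attributes;
 }
 
-/**
- * Callback for `wp_kses_split()`.
- *
- * @since 3.1.0
- * @access private
- * @ignore
- *
- * @global array[]|string $pass_allowed_html      An array of allowed HTML elements and attributes,
- *                                                or a context name such as 'post'.
- * @global string[]       $pass_allowed_protocols Array of allowed URL protocols.
- *
- * @param array $matches preg_replace regexp matches
- * @return string
- */
-function _wp_kses_split_callback( $match ) {
-        global $pass_allowed_html, $pass_allowed_protocols;
-
-        return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols );
-}
-
 /**
  * Callback for `wp_kses_split()` for fixing malformed HTML tags.
  *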
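Review bot: The closure passed to `preg_replace_callback()` in `wp_kses_split()` has no comment saying why it replaced the named callback, and that reason is the security-relevant part: the allowlists are now captured per call, so a nested `wp_kses_split()` run from a filter can no longer swap the outer call's allowed HTML and protocols. A line such as `// Captured per call so a re-entrant wp_kses_split() cannot replace the allowlists mid-run.` above the closure would keep a later refactor from reintroducing shared state. Separately, `preg_replace_callback()` returns `null` on a PCRE error, which the `@return string` tag does not mention; the docblock starts above this hunk, so only its tail is visible here. Code that reads the two `$pass_*` globals after calling `wp_kses_split()` will also stop seeing them set, which merits a note in the changelog.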
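--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -1206,6 +1206,25 @@ EOF;
                 );
         }
 
+        /**
+         * Test whether wp_kses_split works properly when called multiple times.
+         *
+         * @ticket 37698
+         */
+        function test_wp_kses_split_global_pollution() {
+                $result_inner = '';
+                $func = function ( $attributes ) use ( &$result_inner ) {
+                        $result_inner = wp_kses_split( '<img src=x style="color: red;" >', [ 'img' => [ 'src' => [] ] ], [] ); // this triggers the bug
+                        return $attributes;
+                }
+                add_filter( 'safe_style_css', $func );
+
+                $expected = "<a style='color: red'>I link this</a>";
+                $result   = wp_kses_split( "<a style='color: red;'>I link this</a>", array( 'a' => array( 'style' => array() ) ), array( 'http' ) );
+                $this->assertEquals( $expected, $result );
+                $this->assertEquals( '<img src="x">', $result_inner );
+        }
+
         /**
          * Test URL sanitization in the style tag.
          *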
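Review bot: The closure assigned to `$func` in `test_wp_kses_split_global_pollution()` is closed with `}` and no semicolon, which is a parse error that would stop the whole test file from loading; the line should read `};`. The filter added with `add_filter( 'safe_style_css', $func )` is never removed in the test body, so unless the test case base class restores hooks (not visible here) the nested sanitizer call leaks into later tests; a `remove_filter( 'safe_style_css', $func );` after the assertions would make the cleanup explicit. `assertSame()` would be a stricter fit than `assertEquals()` for comparing sanitizer output strings.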