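--- a/src/wp-includes/deprecated.php
+++ b/src/wp-includes/deprecated.php
@@ -4203,3 +4203,26 @@ function wp_sensitive_page_meta() {
 <?php
 wp_strict_cross_origin_referrer();
 }
+
+/**
+* Callback for `wp_kses_split()`.
+*
+* @since 3.1.0
+* @access private
+* @deprecated 5.7.0
+* @ignore
+*
+* @global array[]|string $pass_allowed_html An array of allowed HTML elements and attributes,
+* or a context name such as 'post'.
+* @global string[] $pass_allowed_protocols Array of allowed URL protocols.
+*
+* @param array $matches preg_replace regexp matches
+* @return string
+*/
+function _wp_kses_split_callback( $match ) {
+global $pass_allowed_html, $pass_allowed_protocols;
+
+_deprecated_function( __FUNCTION__, '5.7.0' );
+
+return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols );
+}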
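Review bot: The relocated `_wp_kses_split_callback()` still reads `$pass_allowed_html` and `$pass_allowed_protocols`, but the kses.php section of this commit removes the only visible code that assigned them. Any remaining caller therefore passes `wp_kses_split2()` whatever those globals happen to hold, presumably nothing. How `wp_kses_split2()` filters with an unset allowlist is not visible on this page, so the docblock should at least state the new precondition, e.g. `* As of 5.7.0 wp_kses_split() no longer sets these globals; a caller must populate them itself.` The `@param array $matches` tag also names a parameter that the signature spells `$match`.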
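--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -965,12 +965,13 @@ function wp_kses_version() {
 * @return string Content with fixed HTML tags
 */
 function wp_kses_split( $string, $allowed_html, $allowed_protocols ) {
-global $pass_allowed_html, $pass_allowed_protocols;
-
-$pass_allowed_html = $allowed_html;
-$pass_allowed_protocols = $allowed_protocols;
-
-return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );
+return preg_replace_callback(
+'%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%',
+function ( $match ) use ( $allowed_html, $allowed_protocols ) {
+return wp_kses_split2( $match[0], $allowed_html, $allowed_protocols );
+},
+$string
+);
 }
 
 /**
@@ -1023,26 +1024,6 @@ function wp_kses_uri_attributes() {
 return $uri_attributes;
 }
 
-/**
-* Callback for `wp_kses_split()`.
-*
-* @since 3.1.0
-* @access private
-* @ignore
-*
-* @global array[]|string $pass_allowed_html An array of allowed HTML elements and attributes,
-* or a context name such as 'post'.
-* @global string[] $pass_allowed_protocols Array of allowed URL protocols.
-*
-* @param array $matches preg_replace regexp matches
-* @return string
-*/
-function _wp_kses_split_callback( $match ) {
-global $pass_allowed_html, $pass_allowed_protocols;
-
-return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols );
-}
-
 /**
 * Callback for `wp_kses_split()` for fixing malformed HTML tags.
 *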
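Review bot: The rewritten `return preg_replace_callback( ... )` in `wp_kses_split()` still returns the result unchecked. `preg_replace_callback()` returns `null` on a PCRE error, for example when the backtrack limit is exceeded on large input. The sanitiser then silently yields no content and breaks the `@return string` contract in the docblock above. How callers treat a `null` result is outside this page. Assigning the result to `$result` and ending with `return null === $result ? '' : $result;` would make the fail-closed behaviour explicit and keep the return type stable.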
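--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -1206,6 +1206,25 @@ EOF;
 );
 }
 
+/**
+* Test whether wp_kses_split works properly when called multiple times.
+*
+* @ticket 37698
+*/
+function test_wp_kses_split_global_pollution() {
+$result_inner = '';
+$func = function ( $attributes ) use ( &$result_inner ) {
+$result_inner = wp_kses_split( '<img src=x style="color: red;" >', [ 'img' => [ 'src' => [] ] ], [] ); // this triggers the bug
+return $attributes;
+}
+add_filter( 'safe_style_css', $func );
+
+$expected = "<a style='color: red'>I link this</a>";
+$result = wp_kses_split( "<a style='color: red;'>I link this</a>", array( 'a' => array( 'style' => array() ) ), array( 'http' ) );
+$this->assertEquals( $expected, $result );
+$this->assertEquals( '<img src="x">', $result_inner );
+}
+
 /**
 * Test URL sanitization in the style tag.
 *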
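Review bot: The closure assigned to `$func` in `test_wp_kses_split_global_pollution()` is closed with a bare `}` on new line 1219, so the statement has no terminating semicolon and the test file will not parse; it should read `};`. The `safe_style_css` filter is also never removed. Unless the base test case restores hooks (not visible here), it stays registered for later tests and re-runs the nested `wp_kses_split()` call; adding `remove_filter( 'safe_style_css', $func );` directly after the outer `wp_kses_split()` call, before the assertions, avoids that. Both results are already pinned with `assertEquals`, which keeps the regression meaningful: the outer call must keep its own allowlist even though the inner call uses a different one.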