Ticket #39724: 39724.2.patch
File 39724.2.patch, 3.6 KB (added by , 8 years ago) |
src/wp-includes/kses.php
827 827 if (preg_match('%\s*/\s*$%', $attr)) 828 828 $xhtml_slash = ' /'; 829 829 830 // Are any attributes allowed at all for this element? 831 if ( ! isset( $allowed_html[ strtolower( $element ) ] ) || true === $allowed_html[ strtolower( $element ) ] || count( $allowed_html[ strtolower( $element ) ] ) == 0 ) { 832 return "<$element$xhtml_slash>"; 830 /** 831 * Custom function per tag value. The callback takes ($element, $attr) as arguments. 832 */ 833 if ( is_callable( $allowed_html[strtolower($element)] ) ) { 834 $attr2 = call_user_func( $allowed_html[strtolower($element)], $element, $attr ); 833 835 } 836 else { 837 // Are any attributes allowed at all for this element? 838 if ( ! isset( $allowed_html[ strtolower( $element ) ] ) || true === $allowed_html[ strtolower( $element ) ] || count( $allowed_html[ strtolower( $element ) ] ) == 0 ) { 839 return "<$element$xhtml_slash>"; 840 } 834 841 835 // Split it836 $attrarr = wp_kses_hair($attr, $allowed_protocols);842 // Split it 843 $attrarr = wp_kses_hair($attr, $allowed_protocols); 837 844 838 // Go through $attrarr, and save the allowed attributes for this element 839 // in $attr2 840 $attr2 = ''; 841 foreach ( $attrarr as $arreach ) { 842 if ( wp_kses_attr_check( $arreach['name'], $arreach['value'], $arreach['whole'], $arreach['vless'], $element, $allowed_html ) ) { 843 $attr2 .= ' '.$arreach['whole']; 845 // Go through $attrarr, and save the allowed attributes for this element 846 // in $attr2 847 $attr2 = ''; 848 foreach ( $attrarr as $arreach ) { 849 if ( wp_kses_attr_check( $arreach['name'], $arreach['value'], $arreach['whole'], $arreach['vless'], $element, $allowed_html ) ) { 850 $attr2 .= ' '.$arreach['whole']; 851 } 844 852 } 845 853 } 846 854 … … 872 880 return false; 873 881 } 874 882 883 /** 884 * Custom function per attribute value. The callback takes ($name, $value, $element) as arguments. 
885 */ 886 if ( is_callable( $allowed_attr[$name_low] ) ) { 887 $new_value = call_user_func( $allowed_attr[$name_low], $name, $value, $element ); 888 if ( empty( $new_value ) ) { 889 $name = $value = $whole = ''; 890 return false; 891 } 892 return true; 893 } 894 875 895 if ( 'style' == $name_low ) { 876 896 $new_value = safecss_filter_attr( $value ); 877 897 -
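Review bot: In the new wp_kses_attr_check branch (lines 886-893) the callback's return value `$new_value` is only tested for emptiness and then discarded, so a callback that returns a sanitized value has no effect and the original `$value`/`$whole` are still emitted verbatim; before `return true;` the filtered value should be written back, e.g. `$value = $new_value; $whole = $name . '="' . $new_value . '"';` (matching however the `style` branch below rebuilds `$whole`). Because this branch returns before the `'style' == $name_low` check, a callback registered for `style` also bypasses safecss_filter_attr() entirely, which the docblock should state: `* Note: the callback replaces every built-in check for this attribute, including safecss_filter_attr() for style.` `empty()` additionally rejects the legitimate value `'0'`; `'' === (string) $new_value` is the narrower test. In the first hunk the `is_callable( $allowed_html[strtolower($element)] )` test at 833 now runs before the `isset` guard at 838, so an element absent from `$allowed_html` raises an undefined-index notice; prefixing it with `isset( $allowed_html[ strtolower( $element ) ] ) &&` restores the previous order. wp_kses_attr_check begins outside the hunk.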
tests/phpunit/tests/kses.php
680 680 } 681 681 682 682 /** 683 * @ticket 39724 684 */ 685 function test_wp_kses_attr_check_custom() { 686 add_filter( 'wp_kses_allowed_html', array( $this, '_wp_kses_allowed_html_custom_filter' ), 10, 2 ); 687 688 $input = '<span foo="bar" style="color: rgb(100,100,100);" enable data-test="foo">text</span>'; 689 $this->assertEquals('<span style="color: rgb(100,100,100);" enable data-test="foo">text</span>', wp_kses( $input, '' ) ); 690 691 $input = '<iframe src=""></iframe>'; 692 $this->assertEquals('<iframe src="" disabled></iframe>', wp_kses( $input, '' ) ); 693 694 remove_filter( 'wp_kses_allowed_html', array( $this, '_wp_kses_allowed_html_custom_filter' ), 10, 2 ); 695 } 696 697 function _wp_kses_allowed_html_custom_filter ( $tags, $context ) { 698 // span attributes settings 699 $tags['span']['enable'] = 1; 700 $tags['span']['data-test'] = 1; 701 $tags['span']['style'] = function ( $name, $value, $element ) { 702 return $value; 703 }; 704 705 // iframe callback 706 $tags['iframe'] = function ( $element, $attr ) { 707 return $attr . ' disabled'; 708 }; 709 710 return $tags; 711 } 712 713 /** 683 714 * @ticket 40680 684 715 */ 685 716 function test_wp_kses_attr_no_attributes_allowed_with_empty_array() {
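Review bot: The `style` callback in `_wp_kses_allowed_html_custom_filter` (line 701) returns `$value` unchanged, so `test_wp_kses_attr_check_custom` cannot distinguish "the callback's return value is emitted" from "the original attribute is emitted"; a callback that rewrites the value, e.g. `return 'color: red;';`, with a matching assertion would pin the intended contract. The test also relies implicitly on a `style` callback bypassing safecss_filter_attr(), so a second input containing a CSS declaration that safecss_filter_attr() would strip should assert whichever behaviour is intended. A case where the attribute callback returns `''` and the attribute is dropped from the output is missing as well. `remove_filter()` takes only three parameters; the trailing `2` on line 694 is ignored.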