Ticket #39724: 39724.3.patch
File 39724.3.patch, 3.6 KB (added by , 8 years ago) |
---|
-
src/wp-includes/kses.php
826 826 if (preg_match('%\s*/\s*$%', $attr)) 827 827 $xhtml_slash = ' /'; 828 828 829 // Are any attributes allowed at all for this element? 830 if ( ! isset( $allowed_html[ strtolower( $element ) ] ) || true === $allowed_html[ strtolower( $element ) ] || count( $allowed_html[ strtolower( $element ) ] ) == 0 ) { 831 return "<$element$xhtml_slash>"; 829 /** 830 * Custom function per tag value. The callback takes ($element, $attr) as arguments. 831 */ 832 if ( is_callable( $allowed_html[strtolower($element)] ) ) { 833 $attr2 = call_user_func( $allowed_html[strtolower($element)], $element, $attr ); 832 834 } 835 else { 836 // Are any attributes allowed at all for this element? 837 if ( ! isset( $allowed_html[ strtolower( $element ) ] ) || true === $allowed_html[ strtolower( $element ) ] || count( $allowed_html[ strtolower( $element ) ] ) == 0 ) { 838 return "<$element$xhtml_slash>"; 839 } 833 840 834 // Split it835 $attrarr = wp_kses_hair($attr, $allowed_protocols);841 // Split it 842 $attrarr = wp_kses_hair($attr, $allowed_protocols); 836 843 837 // Go through $attrarr, and save the allowed attributes for this element 838 // in $attr2 839 $attr2 = ''; 840 foreach ( $attrarr as $arreach ) { 841 if ( wp_kses_attr_check( $arreach['name'], $arreach['value'], $arreach['whole'], $arreach['vless'], $element, $allowed_html ) ) { 842 $attr2 .= ' '.$arreach['whole']; 844 // Go through $attrarr, and save the allowed attributes for this element 845 // in $attr2 846 $attr2 = ''; 847 foreach ( $attrarr as $arreach ) { 848 if ( wp_kses_attr_check( $arreach['name'], $arreach['value'], $arreach['whole'], $arreach['vless'], $element, $allowed_html ) ) { 849 $attr2 .= ' '.$arreach['whole']; 850 } 843 851 } 844 852 } 845 853 … … 871 879 return false; 872 880 } 873 881 882 /** 883 * Custom function per attribute value. The callback takes ($name, $value, $element) as arguments. 
884 */ 885 if ( is_callable( $allowed_attr[$name_low] ) ) { 886 $new_value = call_user_func( $allowed_attr[$name_low], $name, $value, $element ); 887 if ( empty( $new_value ) ) { 888 $name = $value = $whole = ''; 889 return false; 890 } 891 return true; 892 } 893 874 894 if ( 'style' == $name_low ) { 875 895 $new_value = safecss_filter_attr( $value ); 876 896 -
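Review bot: In the `wp_kses_attr_check()` hunk the callback's return value is only tested for emptiness, and the following `return true` leaves `$value` and `$whole` as they arrived, so a callback cannot rewrite an attribute and the `style` branch with `safecss_filter_attr()` directly below is never reached for that attribute. If the callback is meant to filter, its result should be written back before returning (assuming `$value` and `$whole` are by-reference, which the `$name = $value = $whole = ''` line suggests). The rejection test is better written as `if ( ! is_string( $new_value ) || '' === $new_value )`, since `empty()` also drops a legitimate value of `"0"`. The same trust question applies to the `wp_kses_attr()` hunk: the per-tag callback receives the raw `$attr` string and its result becomes `$attr2` without passing through `wp_kses_hair()` and the `$allowed_protocols` check, which the docblock should state explicitly. Both function bodies continue outside the hunks.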
tests/phpunit/tests/kses.php
680 680 } 681 681 682 682 /** 683 * @ticket 39724 684 */ 685 function test_wp_kses_attr_check_custom() { 686 add_filter( 'wp_kses_allowed_html', array( $this, '_wp_kses_allowed_html_custom_filter' ), 10, 2 ); 687 688 $input = '<span foo="bar" style="color: rgb(100,100,100);" enable data-test="foo">text</span>'; 689 $this->assertEquals('<span style="color: rgb(100,100,100);" enable data-test="foo">text</span>', wp_kses( $input, '' ) ); 690 691 $input = '<iframe src=""></iframe>'; 692 $this->assertEquals('<iframe src="" disabled></iframe>', wp_kses( $input, '' ) ); 693 694 remove_filter( 'wp_kses_allowed_html', array( $this, '_wp_kses_allowed_html_custom_filter' ), 10, 2 ); 695 } 696 697 function _wp_kses_allowed_html_custom_filter ( $tags, $context ) { 698 // span attributes settings 699 $tags['span']['enable'] = 1; 700 $tags['span']['data-test'] = 1; 701 $tags['span']['style'] = function ( $name, $value, $element ) { 702 return $value; 703 }; 704 705 // iframe callback 706 $tags['iframe'] = function ( $element, $attr ) { 707 return $attr . ' disabled'; 708 }; 709 710 return $tags; 711 } 712 713 /** 683 714 * @ticket 40680 684 715 */ 685 716 function test_wp_kses_attr_no_attributes_allowed_with_empty_array() {
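Review bot: `test_wp_kses_attr_check_custom()` covers only the accepting paths: the `style` callback in `_wp_kses_allowed_html_custom_filter()` returns `$value` unchanged, and no assertion covers a callback that returns an empty value, so the stripping branch this patch adds to `wp_kses_attr_check()` is untested. A second callback returning `''`, with an assertion that the attribute is absent from the output, would pin that branch. A callback that returns a modified value would show whether the modification is expected to reach the output. Because the filter is removed only on the last line of the test, a failing assertion appears to leave it registered for later tests unless the test case base class restores hooks; moving the `remove_filter()` call into teardown would avoid relying on that.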