Ticket #39724: 39724.patch
| File 39724.patch, 3.5 KB (added by , 3 years ago) |
|---|
-
src/wp-includes/kses.php
827 827 if (preg_match('%\s*/\s*$%', $attr)) 828 828 $xhtml_slash = ' /'; 829 829 830 // Are any attributes allowed at all for this element? 831 if ( ! isset($allowed_html[strtolower($element)]) || count($allowed_html[strtolower($element)]) == 0 ) 832 return "<$element$xhtml_slash>"; 833 834 // Split it 835 $attrarr = wp_kses_hair($attr, $allowed_protocols); 836 837 // Go through $attrarr, and save the allowed attributes for this element 838 // in $attr2 839 $attr2 = ''; 840 foreach ( $attrarr as $arreach ) { 841 if ( wp_kses_attr_check( $arreach['name'], $arreach['value'], $arreach['whole'], $arreach['vless'], $element, $allowed_html ) ) { 842 $attr2 .= ' '.$arreach['whole']; 830 /** 831 * Custom function per tag value. The callback takes ($element, $attr) as arguments. 832 */ 833 if ( is_callable( $allowed_html[strtolower($element)] ) ) { 834 $attr2 = call_user_func( $allowed_html[strtolower($element)], $element, $attr ); 835 } 836 else { 837 838 // Are any attributes allowed at all for this element? 839 if ( ! isset($allowed_html[strtolower($element)]) || count($allowed_html[strtolower($element)]) == 0 ) 840 return "<$element$xhtml_slash>"; 841 842 // Split it 843 $attrarr = wp_kses_hair($attr, $allowed_protocols); 844 845 // Go through $attrarr, and save the allowed attributes for this element 846 // in $attr2 847 $attr2 = ''; 848 foreach ( $attrarr as $arreach ) { 849 if ( wp_kses_attr_check( $arreach['name'], $arreach['value'], $arreach['whole'], $arreach['vless'], $element, $allowed_html ) ) { 850 $attr2 .= ' '.$arreach['whole']; 851 } 843 852 } 844 853 } 845 854 … … 871 880 return false; 872 881 } 873 882 883 /** 884 * Custom function per attribute value. The callback takes ($name, $value, $element) as arguments. 885 */ 886 if ( is_callable( $allowed_attr[$name_low] ) ) { 887 $new_value = call_user_func( $allowed_attr[$name_low], $name, $value, $element ); 888 if ( empty( $new_value ) ) { 889 $name = $value = $whole = ''; 890 return false; 891 } 892 return true; 893 } 894 874 895 if ( 'style' == $name_low ) { 875 896 $new_value = safecss_filter_attr( $value ); 876 897 -
tests/phpunit/tests/kses.php
678 678 679 679 $this->assertEquals( $input, wp_kses( $input, $allowedposttags ) ); 680 680 } 681 682 /** 683 * @ticket 39724 684 */ 685 function test_wp_kses_attr_check_custom() { 686 add_filter( 'wp_kses_allowed_html', array( $this, '_wp_kses_allowed_html_custom_filter' ), 10, 2 ); 687 688 $input = '<span foo="bar" style="color: rgb(100,100,100);" enable data-test="foo">text</span>'; 689 $this->assertEquals('<span style="color: rgb(100,100,100);" enable data-test="foo">text</span>', wp_kses( $input, '' ) ); 690 691 $input = '<iframe src=""></iframe>'; 692 $this->assertEquals('<iframe src="" disabled></iframe>', wp_kses( $input, '' ) ); 693 694 remove_filter( 'wp_kses_allowed_html', array( $this, '_wp_kses_allowed_html_custom_filter' ), 10, 2 ); 695 } 696 697 function _wp_kses_allowed_html_custom_filter ( $tags, $context ) { 698 // span attributes settings 699 $tags['span']['enable'] = 1; 700 $tags['span']['data-test'] = 1; 701 $tags['span']['style'] = function ( $name, $value, $element ) { 702 return $value; 703 }; 704 705 // iframe callback 706 $tags['iframe'] = function ( $element, $attr ) { 707 return $attr . ' disabled'; 708 }; 709 710 return $tags; 711 } 681 712 }