Ticket #45067: 45067.2.diff
File 45067.2.diff, 4.6 KB (added by , 6 years ago) |
src/wp-includes/kses.php
549 549 $allowed_html = wp_kses_allowed_html( 'post' ); 550 550 $allowed_protocols = wp_allowed_protocols(); 551 551 $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) ); 552 552 553 553 // Preserve leading and trailing whitespace. 554 554 $matches = array(); 555 555 preg_match('/^\s*/', $string, $matches); … … 561 561 } else { 562 562 $string = substr( $string, strlen( $lead ), -strlen( $trail ) ); 563 563 } 564 564 565 565 // Parse attribute name and value from input. 566 566 $split = preg_split( '/\s*=\s*/', $string, 2 ); 567 567 $name = $split[0]; … … 598 598 $value = ''; 599 599 $vless = 'y'; 600 600 } 601 601 602 602 // Sanitize attribute by name. 603 603 wp_kses_attr_check( $name, $value, $string, $vless, $element, $allowed_html ); 604 604 … … 1062 1062 } else { 1063 1063 $xhtml_slash = ''; 1064 1064 } 1065 1065 1066 1066 // Split it 1067 1067 $attrarr = wp_kses_hair_parse( $attr ); 1068 1068 if ( false === $attrarr ) { … … 1072 1072 // Make sure all input is returned by adding front and back matter. 1073 1073 array_unshift( $attrarr, $begin . $slash . $elname ); 1074 1074 array_push( $attrarr, $xhtml_slash . $end ); 1075 1075 1076 1076 return $attrarr; 1077 1077 } 1078 1078 … … 1215 1215 * @param array $allowed_protocols Allowed protocols to keep 1216 1216 * @return string Filtered content 1217 1217 */ 1218 function wp_kses_bad_protocol($string, $allowed_protocols) { 1219 $string = wp_kses_no_null($string); 1218 function wp_kses_bad_protocol( $string, $allowed_protocols = array() ) { 1219 if ( empty( $allowed_protocols ) ) { 1220 $allowed_protocols = wp_allowed_protocols(); 1221 } 1222 1223 $string = wp_kses_no_null( $string ); 1220 1224 $iterations = 0; 1221 1225 1222 1226 do { … … 1687 1691 * @return string Filtered string of CSS rules. 1688 1692 */ 1689 1693 function safecss_filter_attr( $css, $deprecated = '' ) { 1690 if ( ! empty( $deprecated ) )1694 if ( ! 
empty( $deprecated ) ) 1691 1695 _deprecated_argument( __FUNCTION__, '2.8.1' ); // Never implemented 1692 1696 1693 $css = wp_kses_no_null( $css);1694 $css = str_replace( array("\n","\r","\t"), '', $css);1697 $css = wp_kses_no_null( $css ); 1698 $css = str_replace( array( "\n", "\r", "\t" ), '', $css ); 1695 1699 1696 if ( preg_match( '%[\\\\(&=}]|/\*%', $css ) ) // remove any inline css containing \ ( & } = or comments1697 return '';1698 1699 1700 $css_array = explode( ';', trim( $css ) ); 1700 1701 1701 1702 /** … … 1710 1711 $allowed_attr = apply_filters( 'safe_style_css', array( 1711 1712 'background', 1712 1713 'background-color', 1714 'background-image', 1713 1715 1714 1716 'border', 1715 1717 'border-width', … … 1778 1780 'list-style-type', 1779 1781 ) ); 1780 1782 1781 if ( empty($allowed_attr) ) 1783 1784 /* 1785 * CSS attributes that accept URL data types. 1786 * 1787 * This is in accordance to the CSS spec and unrelated to 1788 * the sub-set of supported attributes above. 1789 * 1790 * See: https://developer.mozilla.org/en-US/docs/Web/CSS/url 1791 */ 1792 $css_url_data_types = array( 1793 'background', 1794 'background-image', 1795 1796 'cursor', 1797 1798 'list-style', 1799 'list-style-image', 1800 ); 1801 1802 if ( empty( $allowed_attr ) ) { 1782 1803 return $css; 1804 } 1783 1805 1784 1806 $css = ''; 1785 1807 foreach ( $css_array as $css_item ) { 1786 if ( $css_item == '' ) 1808 if ( $css_item == '' ) { 1787 1809 continue; 1788 $css_item = trim( $css_item ); 1789 $found = false; 1810 } 1811 1812 $css_item = trim( $css_item ); 1813 $css_test_string = $css_item; 1814 $found = false; 1815 $url_attr = false; 1816 1790 1817 if ( strpos( $css_item, ':' ) === false ) { 1791 1818 $found = true; 1792 1819 } else { 1793 $parts = explode( ':', $css_item ); 1794 if ( in_array( trim( $parts[0] ), $allowed_attr ) ) 1820 $parts = explode( ':', $css_item, 2 ); 1821 $css_selector = trim( $parts[0] ); 1822 1823 if ( in_array( $css_selector, $allowed_attr, true ) ) { 
1795 1824 $found = true; 1825 $url_attr = in_array( $css_selector, $css_url_data_types, true ); 1826 } 1796 1827 } 1797 if ( $found ) { 1798 if( $css != '' ) 1828 1829 if ( $found && $url_attr ) { 1830 // Simplified: matches the sequence `url(*)`. 1831 preg_match_all( '/url\([^)]+\)/', $parts[1], $url_matches ); 1832 1833 foreach ( $url_matches[0] as $url_match ) { 1834 // Clean up the URL from each of the matches above. 1835 preg_match( '/^url\(\s*([\'\"]?)(.*)(\g1)\s*\)$/', $url_match, $url_pieces ); 1836 $url = trim( $url_pieces[2] ); 1837 1838 if ( empty( $url ) || $url !== wp_kses_bad_protocol( $url ) ) { 1839 $found = false; 1840 break; 1841 } else { 1842 // Remove the whole `url(*)` bit that was matched above from the CSS. 1843 $css_test_string = str_replace( $url_match, '', $css_test_string ); 1844 } 1845 } 1846 } 1847 1848 if ( $found && ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string ) ) { 1849 if ( $css != '' ) { 1799 1850 $css .= ';'; 1851 } 1852 1800 1853 $css .= $css_item; 1801 1854 } 1802 1855 }
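Review bot: The `url()` pattern at new line 1831, `'/url\([^)]+\)/'`, is case-sensitive although the CSS `url` token is not, so a value written as `URL(...)` is never extracted; it then reaches the blacklist at new line 1848 with its `(` intact and is dropped, which fails closed but rejects valid CSS, and the same applies to the inner match at line 1835 — adding the `i` modifier to both (`'/url\([^)]+\)/i'`) aligns them with the grammar. Because `[^)]+` stops at the first `)`, a quoted URL containing `)` is only partially removed from `$css_test_string`; the remainder still goes through the blacklist, which appears to be the intended backstop, but a comment saying so would help the next reader. The strict `$url !== wp_kses_bad_protocol( $url )` check is the right shape here: any value the protocol filter alters is dropped whole rather than kept in modified form. In the `wp_kses_bad_protocol` hunk, `empty( $allowed_protocols )` makes an explicit empty array behave like an omitted argument, which silently changes the meaning of "allow no protocols"; a `null` default with `if ( null === $allowed_protocols )` preserves that, and the `@param` at line 1215 should state that the argument is now optional and what the default is.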