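diff --git src/wp-includes/kses.php src/wp-includes/kses.php
index 0cf4ce14c4..fde35e8638 100644
--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -549,7 +549,7 @@ function wp_kses_one_attr( $string, $element ) {
 $allowed_html = wp_kses_allowed_html( 'post' );
 $allowed_protocols = wp_allowed_protocols();
 $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
-
+
 // Preserve leading and trailing whitespace.
 $matches = array();
 preg_match('/^\s*/', $string, $matches);
@@ -561,7 +561,7 @@ function wp_kses_one_attr( $string, $element ) {
 } else {
 $string = substr( $string, strlen( $lead ), -strlen( $trail ) );
 }
-
+
 // Parse attribute name and value from input.
 $split = preg_split( '/\s*=\s*/', $string, 2 );
 $name = $split[0];
@@ -598,7 +598,7 @@ function wp_kses_one_attr( $string, $element ) {
 $value = '';
 $vless = 'y';
 }
-
+
 // Sanitize attribute by name.
 wp_kses_attr_check( $name, $value, $string, $vless, $element, $allowed_html );
 
@@ -1062,7 +1062,7 @@ function wp_kses_attr_parse( $element ) {
 } else {
 $xhtml_slash = '';
 }
-
+
 // Split it
 $attrarr = wp_kses_hair_parse( $attr );
 if ( false === $attrarr ) {
@@ -1072,7 +1072,7 @@ function wp_kses_attr_parse( $element ) {
 // Make sure all input is returned by adding front and back matter.
 array_unshift( $attrarr, $begin . $slash . $elname );
 array_push( $attrarr, $xhtml_slash . $end );
-
+
 return $attrarr;
 }
 
@@ -1215,8 +1215,11 @@ function wp_kses_check_attr_val($value, $vless, $checkname, $checkvalue) {
 * @param array $allowed_protocols Allowed protocols to keep
 * @return string Filtered content
 */
-function wp_kses_bad_protocol($string, $allowed_protocols) {
-$string = wp_kses_no_null($string);
+function wp_kses_bad_protocol( $string, $allowed_protocols = array() ) {
+if ( empty( $allowed_protocols ) ) {
+$allowed_protocols = wp_allowed_protocols();
+}
+$string = wp_kses_no_null( $string );
 $iterations = 0;
 
 do {
@@ -1693,9 +1696,6 @@ function safecss_filter_attr( $css, $deprecated = '' ) {
 $css = wp_kses_no_null($css);
 $css = str_replace(array("\n","\r","\t"), '', $css);
 
-if ( preg_match( '%[\\\\(&=}]|/\*%', $css ) ) // remove any inline css containing \ ( & } = or comments
-return '';
-
 $css_array = explode( ';', trim( $css ) );
 
 /**
@@ -1710,6 +1710,7 @@ function safecss_filter_attr( $css, $deprecated = '' ) {
 $allowed_attr = apply_filters( 'safe_style_css', array(
 'background',
 'background-color',
+'background-image',
 
 'border',
 'border-width',
@@ -1778,25 +1779,66 @@ function safecss_filter_attr( $css, $deprecated = '' ) {
 'list-style-type',
 ) );
 
-if ( empty($allowed_attr) )
+
+/*
+* CSS attributes that accept URL data types.
+*
+* This is in accordance to the CSS spec and unrelated to
+* the sub-set of supported attributes above.
+*
+* See: https://developer.mozilla.org/en-US/docs/Web/CSS/url
+*/
+$css_url_data_types = array(
+'background',
+'background-image',
+
+'cursor',
+
+'list-style',
+'list-style-image',
+);
+
+if ( empty( $allowed_attr ) ) {
 return $css;
+}
 
 $css = '';
 foreach ( $css_array as $css_item ) {
 if ( $css_item == '' )
 continue;
-$css_item = trim( $css_item );
-$found = false;
+$css_item = trim( $css_item );
+$css_test_string = $css_item;
+$found = false;
+$url_attr = false;
 if ( strpos( $css_item, ':' ) === false ) {
 $found = true;
 } else {
-$parts = explode( ':', $css_item );
-if ( in_array( trim( $parts[0] ), $allowed_attr ) )
+$parts = explode( ':', $css_item, 2 );
+if ( in_array( trim( $parts[0] ), $allowed_attr ) ) {
 $found = true;
+}
+if ( $found && in_array( trim( $parts[0] ), $css_url_data_types, true ) ) {
+$url_attr = true;
+}
+}
+if ( $found && $url_attr ) {
+// Simplified: matches the sequence `url(*)`.
+preg_match_all( '/url\(\s*([^)]+)\s*\)/', $parts[1],$url_matches );
+foreach ( $url_matches[1] as $url_match ) {
+// Extract URL from each of the matches above.
+preg_match( '/^([\'\"]?)\s*(.*)\s*(\g1)$/', $url_match, $url_pieces );
+if ( empty( $url_pieces ) || $url_pieces[1] !== wp_kses_bad_protocol( $url_pieces[1] ) ) {
+$found = false;
+break;
+} else {
+$css_test_string = str_replace( $url_match, '', $css_test_string );
+}
+}
 }
-if ( $found ) {
-if( $css != '' )
+if ( $found && ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string ) ) {
+if ( $css != '' ) {
 $css .= ';';
+}
 $css .= $css_item;
 }
 }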
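Review bot: The protocol check in the new `foreach ( $url_matches[1] as $url_match )` loop of safecss_filter_attr tests the wrong capture group: in `'/^([\'\"]?)\s*(.*)\s*(\g1)$/'` group 1 is the optional quote character and group 2 is the URL body, so `$url_pieces[1] !== wp_kses_bad_protocol( $url_pieces[1] )` compares a quote (or an empty string) with itself and never inspects the scheme of the `url()` value. Because the matched URL text is then removed from `$css_test_string` before the final `%[\\\(&=}]|/\*%` check, this call is the only filter left on the URL contents, so the condition should read `if ( empty( $url_pieces[2] ) || $url_pieces[2] !== wp_kses_bad_protocol( $url_pieces[2] ) ) {`. A brief comment above it, such as `// Group 2 is the URL itself; group 1/3 are the surrounding quotes.`, would make the index choice obvious to the next reader. safecss_filter_attr begins before this hunk and its `return $css;` follows after it.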