Ticket #45067: 45067.diff

src/wp-includes/kses.php

@@ -549 +549 @@
         $allowed_html = wp_kses_allowed_html( 'post' );
         $allowed_protocols = wp_allowed_protocols();
         $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
-        
+
         // Preserve leading and trailing whitespace.
         $matches = array();
         preg_match('/^\s*/', $string, $matches);
@@ -561 +561 @@
         } else {
                 $string = substr( $string, strlen( $lead ), -strlen( $trail ) );
         }
-        
+
         // Parse attribute name and value from input.
         $split = preg_split( '/\s*=\s*/', $string, 2 );
         $name = $split[0];
@@ -598 +598 @@
                 $value = '';
                 $vless = 'y';
         }
-        
+
         // Sanitize attribute by name.
         wp_kses_attr_check( $name, $value, $string, $vless, $element, $allowed_html );
 
@@ -1062 +1062 @@
         } else {
                 $xhtml_slash = '';
         }
-        
+
         // Split it
         $attrarr = wp_kses_hair_parse( $attr );
         if ( false === $attrarr ) {
@@ -1072 +1072 @@
         // Make sure all input is returned by adding front and back matter.
         array_unshift( $attrarr, $begin . $slash . $elname );
         array_push( $attrarr, $xhtml_slash . $end );
-        
+
         return $attrarr;
 }
 
@@ -1215 +1215 @@
  * @param array  $allowed_protocols Allowed protocols to keep
  * @return string Filtered content
  */
-function wp_kses_bad_protocol($string, $allowed_protocols) {
-        $string = wp_kses_no_null($string);
+function wp_kses_bad_protocol( $string, $allowed_protocols = array() ) {
+        if ( empty( $allowed_protocols ) ) {
+                $allowed_protocols = wp_allowed_protocols();
+        }
+        $string     = wp_kses_no_null( $string );
         $iterations = 0;
 
         do {
@@ -1693 +1696 @@
         $css = wp_kses_no_null($css);
         $css = str_replace(array("\n","\r","\t"), '', $css);
 
-        if ( preg_match( '%[\\\\(&=}]|/\*%', $css ) ) // remove any inline css containing \ ( & } = or comments
-                return '';
-
         $css_array = explode( ';', trim( $css ) );
 
         /**
@@ -1710 +1710 @@
         $allowed_attr = apply_filters( 'safe_style_css', array(
                 'background',
                 'background-color',
+                'background-image',
 
                 'border',
                 'border-width',
@@ -1778 +1779 @@
                 'list-style-type',
         ) );
 
-        if ( empty($allowed_attr) )
+
+        /*
+         * CSS attributes that accept URL data types.
+         *
+         * This is in accordance to the CSS spec and unrelated to
+         * the sub-set of supported attributes above.
+         *
+         * See: https://developer.mozilla.org/en-US/docs/Web/CSS/url
+         */
+        $css_url_data_types = array(
+                'background',
+                'background-image',
+
+                'cursor',
+
+                'list-style',
+                'list-style-image',
+        );
+
+        if ( empty( $allowed_attr ) ) {
                 return $css;
+        }
 
         $css = '';
         foreach ( $css_array as $css_item ) {
                 if ( $css_item == '' )
                         continue;
-                $css_item = trim( $css_item );
-                $found = false;
+                $css_item        = trim( $css_item );
+                $css_test_string = $css_item;
+                $found           = false;
+                $url_attr        = false;
                 if ( strpos( $css_item, ':' ) === false ) {
                         $found = true;
                 } else {
-                        $parts = explode( ':', $css_item );
-                        if ( in_array( trim( $parts[0] ), $allowed_attr ) )
+                        $parts = explode( ':', $css_item, 2 );
+                        if ( in_array( trim( $parts[0] ), $allowed_attr ) ) {
                                 $found = true;
+                        }
+                        if ( $found && in_array( trim( $parts[0] ), $css_url_data_types, true ) ) {
+                                $url_attr = true;
+                        }
+                }
+                if ( $found && $url_attr ) {
+                        // Simplified: matches the sequence `url(*)`.
+                        preg_match_all( '/url\(\s*([^)]+)\s*\)/', $parts[1],$url_matches );
+                        foreach ( $url_matches[1] as $url_match ) {
+                                // Extract URL from each of the matches above.
+                                preg_match( '/^([\'\"]?)\s*(.*)\s*(\g1)$/', $url_match, $url_pieces );
+                                if ( empty( $url_pieces ) || $url_pieces[1] !== wp_kses_bad_protocol( $url_pieces[1] ) ) {
+                                        $found = false;
+                                        break;
+                                } else {
+                                        $css_test_string = str_replace( $url_match, '', $css_test_string );
+                                }
+                        }
                 }
-                if ( $found ) {
-                        if( $css != '' )
+                if ( $found && ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string ) ) {
+                        if ( $css != '' ) {
                                 $css .= ';';
+                        }
                         $css .= $css_item;
                 }
         }