Ticket #49464: #49464_updated_regex_for_attribute_names_with_unit_tests.diff
File #49464_updated_regex_for_attribute_names_with_unit_tests.diff, 3.8 KB (added by , 5 years ago) |
src/wp-includes/kses.php
diff --git src/wp-includes/kses.php src/wp-includes/kses.php index d84fb6f837..903a865f76 100644
function wp_kses_hair( $attr, $allowed_protocols ) { 1248 1248 1249 1249 switch ( $mode ) { 1250 1250 case 0: 1251 if ( preg_match( '/^([ -a-zA-Z:]+)/', $attr, $match ) ) {1251 if ( preg_match( '/^([_a-zA-Z][-_a-zA-Z0-9:.]*)/', $attr, $match ) ) { 1252 1252 $attrname = $match[1]; 1253 1253 $working = 1; 1254 1254 $mode = 1; 1255 $attr = preg_replace( '/^[ -a-zA-Z:]+/', '', $attr );1255 $attr = preg_replace( '/^[_a-zA-Z][-_a-zA-Z0-9:.]*/', '', $attr ); 1256 1256 } 1257 1257 1258 1258 break; … … function wp_kses_hair_parse( $attr ) { 1438 1438 1439 1439 // phpcs:disable Squiz.Strings.ConcatenationSpacing.PaddingFound -- don't remove regex indentation 1440 1440 $regex = 1441 '(?:'1442 . '[-a-zA-Z:]+' // Attribute name.1443 . '|'1444 . '\[\[?[^\[\]]+\]\]?' // Shortcode in the name position implies unfiltered_html.1445 . ')'1446 . '(?:' // Attribute value.1447 . '\s*=\s*' // All values begin with '='.1448 . '(?:'1449 . '"[^"]*"' // Double-quoted.1450 . '|'1451 . "'[^']*'" // Single-quoted.1452 . '|'1453 . '[^\s"\']+' // Non-quoted.1454 . '(?:\s|$)' // Must have a space.1455 . ')'1456 . '|'1457 . '(?:\s|$)' // If attribute has no value, space is required.1458 . ')'1459 . '\s*'; // Trailing space is optional except as mentioned above.1441 '(?:' 1442 . '[_a-zA-Z][-_a-zA-Z0-9:.]*' // Attribute name. 1443 . '|' 1444 . '\[\[?[^\[\]]+\]\]?' // Shortcode in the name position implies unfiltered_html. 1445 . ')' 1446 . '(?:' // Attribute value. 1447 . '\s*=\s*' // All values begin with '='. 1448 . '(?:' 1449 . '"[^"]*"' // Double-quoted. 1450 . '|' 1451 . "'[^']*'" // Single-quoted. 1452 . '|' 1453 . '[^\s"\']+' // Non-quoted. 1454 . '(?:\s|$)' // Must have a space. 1455 . ')' 1456 . '|' 1457 . '(?:\s|$)' // If attribute has no value, space is required. 1458 . ')' 1459 . '\s*'; // Trailing space is optional except as mentioned above. 
1460 1460 // phpcs:enable 1461 1461 1462 1462 // Although it is possible to reduce this procedure to a single regexp, … … function wp_kses_normalize_entities3( $matches ) { 1846 1846 */ 1847 1847 function valid_unicode( $i ) { 1848 1848 return ( 0x9 == $i || 0xa == $i || 0xd == $i || 1849 1850 1851 1849 ( 0x20 <= $i && $i <= 0xd7ff ) || 1850 ( 0xe000 <= $i && $i <= 0xfffd ) || 1851 ( 0x10000 <= $i && $i <= 0x10ffff ) ); 1852 1852 } 1853 1853 1854 1854 /** -
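Review bot: The new name pattern `[_a-zA-Z][-_a-zA-Z0-9:.]*` is written out three times, in the `preg_match` and `preg_replace` of `wp_kses_hair()` case 0 and again in the `$regex` of `wp_kses_hair_parse()`. In a sanitizer, any later drift between those copies becomes a parser differential between the splitter and the tokenizer. The copy in case 0 can be dropped with `$attr = substr( $attr, strlen( $match[0] ) );`, which consumes exactly what `preg_match` accepted. As far as this rendering shows, the old class also accepted names beginning with `-` or `:` and the new one does not; since the added tests expect `false` for the whole attribute string on a bad name, that tightening should be stated next to `// Attribute name.`. The `valid_unicode()` hunk looks like a whitespace-only change unrelated to the ticket, and both parser functions continue outside the hunks shown.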
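--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -574,6 +574,26 @@ EOF;
 "array[1]='z'z'z'z",
 false,
 ),
+// using digit in attribute name should work
+array(
+'href="https://example.com/[shortcode attr=\'value\']" data-op3-timer-seconds="0"',
+array( 'href="https://example.com/[shortcode attr=\'value\']" ', 'data-op3-timer-seconds="0"' ),
+),
+// using underscore in attribute name should work
+array(
+'href="https://example.com/[shortcode attr=\'value\']" data-op_timer-seconds="0"',
+array( 'href="https://example.com/[shortcode attr=\'value\']" ', 'data-op_timer-seconds="0"' ),
+),
+// using period in attribute name should work
+array(
+'href="https://example.com/[shortcode attr=\'value\']" data-op.timer-seconds="0"',
+array( 'href="https://example.com/[shortcode attr=\'value\']" ', 'data-op.timer-seconds="0"' ),
+),
+// using digit at a beginning of attribute name should return false
+array(
+'href="https://example.com/[shortcode attr=\'value\']" 3data-op-timer-seconds="0"',
+false,
+),
 );
 }
 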
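Review bot: The only rejection case added is a leading digit, but the new pattern `[_a-zA-Z][-_a-zA-Z0-9:.]*` also refuses names that start with `-`, `.` or `:`, and none of those boundaries is pinned. Adding one `false` case per excluded leading character (for example a constructed `-data-x="0"` after the `href`) would stop a later edit of the character class from silently widening what the sanitizer tokenizes. These cases appear to feed only the `wp_kses_hair_parse()` provider, whose consuming test is outside the hunk, so the identical regex change in `wp_kses_hair()` case 0 is not exercised here. A companion case that runs an attribute such as `data-op3-timer-seconds` through `wp_kses_hair()` would cover it.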