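--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -708,9 +708,10 @@ if ( ! CUSTOM_TAGS ) {
 * for the list of accepted context names.
 * @param string[] $allowed_protocols Optional. Array of allowed URL protocols.
 * Defaults to the result of wp_allowed_protocols().
+* @param bool $allowed_comments Whether or not the HTML comments are allowed.
 * @return string Filtered content containing only the allowed HTML.
 */
-function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
+function wp_kses( $string, $allowed_html, $allowed_protocols = array(), $allowed_comments = true ) {
 if ( empty( $allowed_protocols ) ) {
 $allowed_protocols = wp_allowed_protocols();
 }
@@ -719,7 +720,7 @@ function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
 $string = wp_kses_normalize_entities( $string );
 $string = wp_kses_hook( $string, $allowed_html, $allowed_protocols );
 
-return wp_kses_split( $string, $allowed_html, $allowed_protocols );
+return wp_kses_split( $string, $allowed_html, $allowed_protocols, $allowed_comments );
 }
 
 /**
@@ -931,19 +932,22 @@ function wp_kses_version() {
 * @global array[]|string $pass_allowed_html An array of allowed HTML elements and attributes,
 * or a context name such as 'post'.
 * @global string[] $pass_allowed_protocols Array of allowed URL protocols.
+* @global bool $pass_allowed_comments Whether or not the HTML comments are allowed.
 *
 * @param string $string Content to filter.
 * @param array[]|string $allowed_html An array of allowed HTML elements and attributes,
 * or a context name such as 'post'. See wp_kses_allowed_html()
 * for the list of accepted context names.
 * @param string[] $allowed_protocols Array of allowed URL protocols.
+* @param bool $allowed_comments Whether or not the HTML comments are allowed.
 * @return string Content with fixed HTML tags
 */
-function wp_kses_split( $string, $allowed_html, $allowed_protocols ) {
-global $pass_allowed_html, $pass_allowed_protocols;
+function wp_kses_split( $string, $allowed_html, $allowed_protocols, $allowed_comments ) {
+global $pass_allowed_html, $pass_allowed_protocols, $pass_allowed_comments;
 
 $pass_allowed_html = $allowed_html;
 $pass_allowed_protocols = $allowed_protocols;
+$pass_allowed_comments = $allowed_comments;
 
 return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );
 }
@@ -1008,14 +1012,15 @@ function wp_kses_uri_attributes() {
 * @global array[]|string $pass_allowed_html An array of allowed HTML elements and attributes,
 * or a context name such as 'post'.
 * @global string[] $pass_allowed_protocols Array of allowed URL protocols.
+* @global bool $pass_allowed_comments Whether or not the HTML comments are allowed.
 *
 * @param array $match preg_replace regexp matches
 * @return string
 */
 function _wp_kses_split_callback( $match ) {
-global $pass_allowed_html, $pass_allowed_protocols;
+global $pass_allowed_html, $pass_allowed_protocols, $pass_allowed_comments;
 
-return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols );
+return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols, $pass_allowed_comments );
 }
 
 /**
@@ -1039,9 +1044,10 @@ function _wp_kses_split_callback( $match ) {
 * or a context name such as 'post'. See wp_kses_allowed_html()
 * for the list of accepted context names.
 * @param string[] $allowed_protocols Array of allowed URL protocols.
+* @param bool $allowed_comments Whether or not the HTML comments are allowed.
 * @return string Fixed HTML element
 */
-function wp_kses_split2( $string, $allowed_html, $allowed_protocols ) {
+function wp_kses_split2( $string, $allowed_html, $allowed_protocols, $allowed_comments ) {
 $string = wp_kses_stripslashes( $string );
 
 // It matched a ">" character.
@@ -1049,8 +1055,11 @@ function wp_kses_split2( $string, $allowed_html, $allowed_protocols ) {
 return '>';
 }
 
-// Allow HTML comments.
+// Detect HTML comments.
 if ( '<!--' === substr( $string, 0, 4 ) ) {
+if ( ! $allowed_comments ) {
+return '';
+}
 $string = str_replace( array( '<!--', '-->' ), '', $string );
 while ( ( $newstring = wp_kses( $string, $allowed_html, $allowed_protocols ) ) != $string ) {
 $string = $newstring;
@@ -2133,7 +2142,7 @@ function wp_kses_post_deep( $data ) {
 * @return string Filtered content without any HTML.
 */
 function wp_filter_nohtml_kses( $data ) {
-return addslashes( wp_kses( stripslashes( $data ), 'strip' ) );
+return addslashes( wp_kses( stripslashes( $data ), 'strip', array(), false ) );
 }
 
 /**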
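Review bot: `wp_kses_split()` and `wp_kses_split2()` gain `$allowed_comments` as a fourth parameter with no default (new lines 945 and 1050), while `wp_kses()` defaults it to `true`; both are public functions, so an existing caller that still passes three arguments would fail on current PHP with an ArgumentCountError rather than keep the previous comments-allowed behaviour. Giving the parameter the same default preserves compatibility: `function wp_kses_split( $string, $allowed_html, $allowed_protocols, $allowed_comments = true ) {` and `function wp_kses_split2( $string, $allowed_html, $allowed_protocols, $allowed_comments = true ) {`. The matching `@param bool $allowed_comments` docblock lines should then read `Optional. Whether or not the HTML comments are allowed. Default true.` to follow how `$allowed_protocols` is documented. The recursive `wp_kses()` call inside the comment branch at new line 1064 omits the argument and so relies on that default, which is consistent because that branch is only reached when comments are allowed.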