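diff --git src/wp-includes/kses.php src/wp-includes/kses.php
index 5dddfd023e..e6792532c5 100644
--- a/src/wp-includes/kses.php
+++ b/src/wp-includes/kses.php
@@ -708,9 +708,10 @@ if ( ! CUSTOM_TAGS ) {
 * for the list of accepted context names.
 * @param string[] $allowed_protocols Optional. Array of allowed URL protocols.
 * Defaults to the result of wp_allowed_protocols().
+* @param bool $allowed_comments Whether or not the HTML comments are allowed.
 * @return string Filtered content containing only the allowed HTML.
 */
-function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
+function wp_kses( $string, $allowed_html, $allowed_protocols = array(), $allowed_comments = true ) {
 if ( empty( $allowed_protocols ) ) {
 $allowed_protocols = wp_allowed_protocols();
 }
@@ -719,7 +720,7 @@ function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
 $string = wp_kses_normalize_entities( $string );
 $string = wp_kses_hook( $string, $allowed_html, $allowed_protocols );
 
-return wp_kses_split( $string, $allowed_html, $allowed_protocols );
+return wp_kses_split( $string, $allowed_html, $allowed_protocols, $allowed_comments );
 }
 
 /**
@@ -931,19 +932,22 @@ function wp_kses_version() {
 * @global array[]|string $pass_allowed_html An array of allowed HTML elements and attributes,
 * or a context name such as 'post'.
 * @global string[] $pass_allowed_protocols Array of allowed URL protocols.
+* @global bool $pass_allowed_comments Whether or not the HTML comments are allowed.
 *
 * @param string $string Content to filter.
 * @param array[]|string $allowed_html An array of allowed HTML elements and attributes,
 * or a context name such as 'post'. See wp_kses_allowed_html()
 * for the list of accepted context names.
 * @param string[] $allowed_protocols Array of allowed URL protocols.
+* @param bool $allowed_comments Whether or not the HTML comments are allowed.
 * @return string Content with fixed HTML tags
 */
-function wp_kses_split( $string, $allowed_html, $allowed_protocols ) {
-global $pass_allowed_html, $pass_allowed_protocols;
+function wp_kses_split( $string, $allowed_html, $allowed_protocols, $allowed_comments ) {
+global $pass_allowed_html, $pass_allowed_protocols, $pass_allowed_comments;
 
 $pass_allowed_html = $allowed_html;
 $pass_allowed_protocols = $allowed_protocols;
+$pass_allowed_comments = $allowed_comments;
 
 return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );
 }
@@ -1008,14 +1012,15 @@ function wp_kses_uri_attributes() {
 * @global array[]|string $pass_allowed_html An array of allowed HTML elements and attributes,
 * or a context name such as 'post'.
 * @global string[] $pass_allowed_protocols Array of allowed URL protocols.
+* @global bool $pass_allowed_comments Whether or not the HTML comments are allowed.
 *
 * @param array $match preg_replace regexp matches
 * @return string
 */
 function _wp_kses_split_callback( $match ) {
-global $pass_allowed_html, $pass_allowed_protocols;
+global $pass_allowed_html, $pass_allowed_protocols, $pass_allowed_comments;
 
-return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols );
+return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols, $pass_allowed_comments );
 }
 
 /**
@@ -1039,9 +1044,10 @@ function _wp_kses_split_callback( $match ) {
 * or a context name such as 'post'. See wp_kses_allowed_html()
 * for the list of accepted context names.
 * @param string[] $allowed_protocols Array of allowed URL protocols.
+* @param bool $allowed_comments Whether or not the HTML comments are allowed.
 * @return string Fixed HTML element
 */
-function wp_kses_split2( $string, $allowed_html, $allowed_protocols ) {
+function wp_kses_split2( $string, $allowed_html, $allowed_protocols, $allowed_comments ) {
 $string = wp_kses_stripslashes( $string );
 
 // It matched a ">" character.
@@ -1049,8 +1055,11 @@ function wp_kses_split2( $string, $allowed_html, $allowed_protocols ) {
 return '>';
 }
 
-// Allow HTML comments.
+// Detect HTML comments.
 if ( '<!--' === substr( $string, 0, 4 ) ) {
+if ( ! $allowed_comments ) {
+return '';
+}
 $string = str_replace( array( '<!--', '-->' ), '', $string );
 while ( ( $newstring = wp_kses( $string, $allowed_html, $allowed_protocols ) ) != $string ) {
 $string = $newstring;
@@ -2133,7 +2142,7 @@ function wp_kses_post_deep( $data ) {
 * @return string Filtered content without any HTML.
 */
 function wp_filter_nohtml_kses( $data ) {
-return addslashes( wp_kses( stripslashes( $data ), 'strip' ) );
+return addslashes( wp_kses( stripslashes( $data ), 'strip', array(), false ) );
 }
 
 /**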
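Review bot: The new `$allowed_comments` parameter is required on `wp_kses_split()` and `wp_kses_split2()` (new lines 945 and 1050) while `wp_kses()` gives it a default of `true`, so any caller of those two public functions outside this diff that still passes three arguments would now fail on PHP 8 with an ArgumentCountError (a warning on PHP 7) rather than keep its previous comment-preserving behaviour; giving both signatures `$allowed_comments = true` keeps them backward compatible and matches `wp_kses()`. The early `return '';` at new line 1061 discards whatever the comment alternative `(<!--.*?(-->|$))` of the `preg_replace_callback()` pattern matched, which for an unterminated `<!--` is everything to the end of the input, so that branch deserves a comment such as `// Comments are not allowed: drop the whole match, including an unterminated <!-- up to end of input.` so the data loss is understood as intentional rather than reported as a bug. The nested `wp_kses()` call at new line 1064 omits the fourth argument, which is correct only because that branch is unreachable when comments are disallowed; a short comment there would prevent a future refactor from breaking the invariant. The new docblock lines for `wp_kses()` should follow the file's convention for optional parameters, e.g. `* @param bool $allowed_comments Optional. Whether HTML comments are allowed. Default true.`.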