Make WordPress Core

Ticket #54488: 54488.updated.diff

File 54488.updated.diff, 5.1 KB (added by johnregan3, 19 months ago)

Refreshed patch for merging, originally by konradyoast

  • src/wp-includes/kses.php

    diff --git src/wp-includes/kses.php src/wp-includes/kses.php
    index 5dddfd023e..e6792532c5 100644
    if ( ! CUSTOM_TAGS ) { 
    708708 *                                          for the list of accepted context names.
    709709 * @param string[]       $allowed_protocols Optional. Array of allowed URL protocols.
    710710 *                                          Defaults to the result of wp_allowed_protocols().
     711 * @param bool           $allowed_comments  Whether or not the HTML comments are allowed.
    711712 * @return string Filtered content containing only the allowed HTML.
    712713 */
    713 function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) {
     714function wp_kses( $string, $allowed_html, $allowed_protocols = array(), $allowed_comments = true ) {
    714715        if ( empty( $allowed_protocols ) ) {
    715716                $allowed_protocols = wp_allowed_protocols();
    716717        }
    function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) { 
    719720        $string = wp_kses_normalize_entities( $string );
    720721        $string = wp_kses_hook( $string, $allowed_html, $allowed_protocols );
    721722
    722         return wp_kses_split( $string, $allowed_html, $allowed_protocols );
     723        return wp_kses_split( $string, $allowed_html, $allowed_protocols, $allowed_comments );
    723724}
    724725
    725726/**
    function wp_kses_version() { 
    931932 * @global array[]|string $pass_allowed_html      An array of allowed HTML elements and attributes,
    932933 *                                                or a context name such as 'post'.
    933934 * @global string[]       $pass_allowed_protocols Array of allowed URL protocols.
     935 * @global bool           $pass_allowed_comments  Whether or not the HTML comments are allowed.
    934936 *
    935937 * @param string         $string            Content to filter.
    936938 * @param array[]|string $allowed_html      An array of allowed HTML elements and attributes,
    937939 *                                          or a context name such as 'post'. See wp_kses_allowed_html()
    938940 *                                          for the list of accepted context names.
    939941 * @param string[]       $allowed_protocols Array of allowed URL protocols.
     942 * @param bool           $allowed_comments  Whether or not the HTML comments are allowed.
    940943 * @return string Content with fixed HTML tags
    941944 */
    942 function wp_kses_split( $string, $allowed_html, $allowed_protocols ) {
    943         global $pass_allowed_html, $pass_allowed_protocols;
     945function wp_kses_split( $string, $allowed_html, $allowed_protocols, $allowed_comments ) {
     946        global $pass_allowed_html, $pass_allowed_protocols, $pass_allowed_comments;
    944947
    945948        $pass_allowed_html      = $allowed_html;
    946949        $pass_allowed_protocols = $allowed_protocols;
     950        $pass_allowed_comments  = $allowed_comments;
    947951
    948952        return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );
    949953}
    function wp_kses_uri_attributes() { 
    10081012 * @global array[]|string $pass_allowed_html      An array of allowed HTML elements and attributes,
    10091013 *                                                or a context name such as 'post'.
    10101014 * @global string[]       $pass_allowed_protocols Array of allowed URL protocols.
     1015 * @global bool           $pass_allowed_comments  Whether or not the HTML comments are allowed.
    10111016 *
    10121017 * @param array $match preg_replace regexp matches
    10131018 * @return string
    10141019 */
    10151020function _wp_kses_split_callback( $match ) {
    1016         global $pass_allowed_html, $pass_allowed_protocols;
     1021        global $pass_allowed_html, $pass_allowed_protocols, $pass_allowed_comments;
    10171022
    1018         return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols );
     1023        return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols, $pass_allowed_comments );
    10191024}
    10201025
    10211026/**
    function _wp_kses_split_callback( $match ) { 
    10391044 *                                          or a context name such as 'post'. See wp_kses_allowed_html()
    10401045 *                                          for the list of accepted context names.
    10411046 * @param string[]       $allowed_protocols Array of allowed URL protocols.
     1047 * @param bool           $allowed_comments  Whether or not the HTML comments are allowed.
    10421048 * @return string Fixed HTML element
    10431049 */
    1044 function wp_kses_split2( $string, $allowed_html, $allowed_protocols ) {
     1050function wp_kses_split2( $string, $allowed_html, $allowed_protocols, $allowed_comments ) {
    10451051        $string = wp_kses_stripslashes( $string );
    10461052
    10471053        // It matched a ">" character.
    function wp_kses_split2( $string, $allowed_html, $allowed_protocols ) { 
    10491055                return '&gt;';
    10501056        }
    10511057
    1052         // Allow HTML comments.
     1058        // Detect HTML comments.
    10531059        if ( '<!--' === substr( $string, 0, 4 ) ) {
     1060                if ( ! $allowed_comments ) {
     1061                        return '';
     1062                }
    10541063                $string = str_replace( array( '<!--', '-->' ), '', $string );
    10551064                while ( ( $newstring = wp_kses( $string, $allowed_html, $allowed_protocols ) ) != $string ) {
    10561065                        $string = $newstring;
    function wp_kses_post_deep( $data ) { 
    21332142 * @return string Filtered content without any HTML.
    21342143 */
    21352144function wp_filter_nohtml_kses( $data ) {
    2136         return addslashes( wp_kses( stripslashes( $data ), 'strip' ) );
     2145        return addslashes( wp_kses( stripslashes( $data ), 'strip', array(), false ) );
    21372146}
    21382147
    21392148/**