222 | | function wp_kses($string, $allowed_html, $allowed_protocols = array ('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet')) |
223 | | ############################################################################### |
224 | | # This function makes sure that only the allowed HTML element names, attribute |
225 | | # names and attribute values plus only sane HTML entities will occur in |
226 | | # $string. You have to remove any slashes from PHP's magic quotes before you |
227 | | # call this function. |
228 | | ############################################################################### |
229 | | { |
| 242 | /** |
| 243 | * wp_kses() - {@internal Missing Short Description}} |
| 244 | * |
| 245 | * This function makes sure that only the allowed HTML element names, |
| 246 | * attribute names and attribute values plus only sane HTML entities |
| 247 | * will occur in $string. You have to remove any slashes from PHP's |
| 248 | * magic quotes before you call this function. |
| 249 | * |
| 250 | * The default allowed protocols are 'http', 'https', 'ftp', 'mailto', |
| 251 | * 'news', 'irc', 'gopher', 'nntp', 'feed', and finally 'telnet. This |
| 252 | * covers all common link protocols, except for 'javascript' which |
| 253 | * should not be allowed for untrusted users. |
| 254 | * |
| 255 | * @since 1.0.0 |
| 256 | * |
| 257 | * @param string $string Content to filter through kses |
| 258 | * @param array $allowed_html List of allowed HTML elements |
| 259 | * @param array $allowed_protocols Optional. Allowed protocol in links. |
| 260 | * @return string {@internal Missing Description}} |
| 261 | */ |
| 262 | function wp_kses($string, $allowed_html, $allowed_protocols = array ('http', 'https', 'ftp', 'ftps', 'mailto', 'news', 'irc', 'gopher', 'nntp', 'feed', 'telnet')) { |
238 | | function wp_kses_hook($string, $allowed_html, $allowed_protocols) |
239 | | ############################################################################### |
240 | | # You add any kses hooks here. |
241 | | ############################################################################### |
242 | | { |
| 271 | /** |
| 272 | * wp_kses_hook() - You add any kses hooks here. |
| 273 | * |
| 274 | * There is currently only one kses WordPress hook and it is |
| 275 | * called here. All parameters are passed to the hooks and |
| 276 | * expected to recieve a string. |
| 277 | * |
| 278 | * @since 1.0.0 |
| 279 | * |
| 280 | * @param string $string Content to filter through kses |
| 281 | * @param array $allowed_html List of allowed HTML elements |
| 282 | * @param array $allowed_protocols Allowed protocol in links |
| 283 | * @return string Filtered content through 'pre_kses' hook |
| 284 | */ |
| 285 | function wp_kses_hook($string, $allowed_html, $allowed_protocols) { |
255 | | function wp_kses_split($string, $allowed_html, $allowed_protocols) |
256 | | ############################################################################### |
257 | | # This function searches for HTML tags, no matter how malformed. It also |
258 | | # matches stray ">" characters. |
259 | | ############################################################################### |
260 | | { |
| 301 | /** |
| 302 | * wp_kses_split() - Searches for HTML tags, no matter how malformed |
| 303 | * |
| 304 | * It also matches stray ">" characters. |
| 305 | * |
| 306 | * @since 1.0.0 |
| 307 | * |
| 308 | * @param string $string Content to filter |
| 309 | * @param array $allowed_html Allowed HTML elements |
| 310 | * @param array $allowed_protocols Allowed protocols to keep |
| 311 | * @return string {@internal Missing Description}} |
| 312 | */ |
| 313 | function wp_kses_split($string, $allowed_html, $allowed_protocols) { |
265 | | function wp_kses_split2($string, $allowed_html, $allowed_protocols) |
266 | | ############################################################################### |
267 | | # This function does a lot of work. It rejects some very malformed things |
268 | | # like <:::>. It returns an empty string, if the element isn't allowed (look |
269 | | # ma, no strip_tags()!). Otherwise it splits the tag into an element and an |
270 | | # attribute list. |
271 | | ############################################################################### |
272 | | { |
| 318 | /** |
| 319 | * wp_kses_split2() - {@internal Missing Short Description}} |
| 320 | * |
| 321 | * This function does a lot of work. It rejects some very malformed things |
| 322 | * like <:::>. It returns an empty string, if the element isn't allowed (look |
| 323 | * ma, no strip_tags()!). Otherwise it splits the tag into an element and an |
| 324 | * attribute list. |
| 325 | * |
| 326 | * @since 1.0.0 |
| 327 | * |
| 328 | * @param string $string Content to filter |
| 329 | * @param array $allowed_html Allowed HTML elements |
| 330 | * @param array $allowed_protocols Allowed protocols to keep |
| 331 | * @return string {@internal Missing Description}} |
| 332 | */ |
| 333 | function wp_kses_split2($string, $allowed_html, $allowed_protocols) { |
| 369 | /** |
| 370 | * wp_kses_attr() - Removes all attributes, if none are allowed for this element |
| 371 | * |
| 372 | * If some are allowed it calls wp_kses_hair() to split them further, and then |
| 373 | * it builds up new HTML code from the data that kses_hair() returns. It also |
| 374 | * removes "<" and ">" characters, if there are any left. One more thing it |
| 375 | * does is to check if the tag has a closing XHTML slash, and if it does, it |
| 376 | * puts one in the returned code as well. |
| 377 | * |
| 378 | * @since 1.0.0 |
| 379 | * |
| 380 | * @param string $element {@internal Missing Description}} |
| 381 | * @param string $attr {@internal Missing Description}} |
| 382 | * @param array $allowed_html Allowed HTML elements |
| 383 | * @param array $allowed_protocols Allowed protocols to keep |
| 384 | * @return string {@internal Missing Description}} |
| 385 | */ |
309 | | ############################################################################### |
310 | | # This function removes all attributes, if none are allowed for this element. |
311 | | # If some are allowed it calls wp_kses_hair() to split them further, and then it |
312 | | # builds up new HTML code from the data that kses_hair() returns. It also |
313 | | # removes "<" and ">" characters, if there are any left. One more thing it |
314 | | # does is to check if the tag has a closing XHTML slash, and if it does, |
315 | | # it puts one in the returned code as well. |
316 | | ############################################################################### |
| 441 | /** |
| 442 | * wp_kses_hair() - {@internal Missing Short Description}} |
| 443 | * |
| 444 | * This function does a lot of work. It parses an attribute list into an array |
| 445 | * with attribute data, and tries to do the right thing even if it gets weird |
| 446 | * input. It will add quotes around attribute values that don't have any quotes |
| 447 | * or apostrophes around them, to make it easier to produce HTML code that will |
| 448 | * conform to W3C's HTML specification. It will also remove bad URL protocols |
| 449 | * from attribute values. |
| 450 | * |
| 451 | * @since 1.0.0 |
| 452 | * |
| 453 | * @param string $attr {@internal Missing Description}} |
| 454 | * @param array $allowed_protocols Allowed protocols to keep |
| 455 | * @return string {@internal Missing Description}} |
| 456 | */ |
372 | | ############################################################################### |
373 | | # This function does a lot of work. It parses an attribute list into an array |
374 | | # with attribute data, and tries to do the right thing even if it gets weird |
375 | | # input. It will add quotes around attribute values that don't have any quotes |
376 | | # or apostrophes around them, to make it easier to produce HTML code that will |
377 | | # conform to W3C's HTML specification. It will also remove bad URL protocols |
378 | | # from attribute values. |
379 | | ############################################################################### |
| 555 | /** |
| 556 | * wp_kses_check_attr_val() - Performs different checks for attribute values. |
| 557 | * |
| 558 | * The currently implemented checks are "maxlen", "minlen", "maxval", "minval" |
| 559 | * and "valueless" with even more checks to come soon. |
| 560 | * |
| 561 | * @since 1.0.0 |
| 562 | * |
| 563 | * @param string $value {@internal Missing Description}} |
| 564 | * @param string $vless {@internal Missing Description}} |
| 565 | * @param string $checkname What $checkvalue is checking for. |
| 566 | * @param int $checkvalue {@internal Missing Description}} |
| 567 | * @return bool Whether check passes (true) or not (false) |
| 568 | */ |
| 628 | /** |
| 629 | * wp_kses_bad_protocol() - Sanitize string from bad protocols |
| 630 | * |
| 631 | * This function removes all non-allowed protocols from the beginning |
| 632 | * of $string. It ignores whitespace and the case of the letters, and |
| 633 | * it does understand HTML entities. It does its work in a while loop, |
| 634 | * so it won't be fooled by a string like "javascript:javascript:alert(57)". |
| 635 | * |
| 636 | * @since 1.0.0 |
| 637 | * |
| 638 | * @param string $string Content to filter bad protocols from |
| 639 | * @param array $allowed_protocols Allowed protocols to keep |
| 640 | * @return string Filtered content |
| 641 | */ |
611 | | function wp_kses_html_error($string) |
612 | | ############################################################################### |
613 | | # This function deals with parsing errors in wp_kses_hair(). The general plan is |
614 | | # to remove everything to and including some whitespace, but it deals with |
615 | | # quotes and apostrophes as well. |
616 | | ############################################################################### |
617 | | { |
| 726 | /** |
| 727 | * wp_kses_html_error() - Handles parsing errors in wp_kses_hair() |
| 728 | * |
| 729 | * The general plan is to remove everything to and including some |
| 730 | * whitespace, but it deals with quotes and apostrophes as well. |
| 731 | * |
| 732 | * @since 1.0.0 |
| 733 | * |
| 734 | * @param string $string |
| 735 | * @return string |
| 736 | */ |
| 737 | function wp_kses_html_error($string) { |
621 | | function wp_kses_bad_protocol_once($string, $allowed_protocols) |
622 | | ############################################################################### |
623 | | # This function searches for URL protocols at the beginning of $string, while |
624 | | # handling whitespace and HTML entities. |
625 | | ############################################################################### |
626 | | { |
| 741 | /** |
| 742 | * wp_kses_bad_protocol_once() - Sanitizes content from bad protocols and other characters |
| 743 | * |
| 744 | * This function searches for URL protocols at the beginning of $string, |
| 745 | * while handling whitespace and HTML entities. |
| 746 | * |
| 747 | * @since 1.0.0 |
| 748 | * |
| 749 | * @param string $string Content to check for bad protocols |
| 750 | * @param string $allowed_protocols Allowed protocols |
| 751 | * @return string Sanitized content |
| 752 | */ |
| 753 | function wp_kses_bad_protocol_once($string, $allowed_protocols) { |
630 | | function wp_kses_bad_protocol_once2($string, $allowed_protocols) |
631 | | ############################################################################### |
632 | | # This function processes URL protocols, checks to see if they're in the white- |
633 | | # list or not, and returns different data depending on the answer. |
634 | | ############################################################################### |
635 | | { |
| 757 | /** |
| 758 | * wp_kses_bad_protocol_once2() - Callback for wp_kses_bad_protocol_once() regular expression. |
| 759 | * |
| 760 | * This function processes URL protocols, checks to see if they're in the |
| 761 | * white-list or not, and returns different data depending on the answer. |
| 762 | * |
| 763 | * @since 1.0.0 |
| 764 | * |
| 765 | * @param string $string Content to check for bad protocols |
| 766 | * @param array $allowed_protocols Allowed protocols |
| 767 | * @return string Sanitized content |
| 768 | */ |
| 769 | function wp_kses_bad_protocol_once2($string, $allowed_protocols) { |
656 | | function wp_kses_normalize_entities($string) |
657 | | ############################################################################### |
658 | | # This function normalizes HTML entities. It will convert "AT&T" to the correct |
659 | | # "AT&T", ":" to ":", "&#XYZZY;" to "&#XYZZY;" and so on. |
660 | | ############################################################################### |
661 | | { |
| 790 | /** |
| 791 | * wp_kses_normalize_entities() - Converts and fixes HTML entities |
| 792 | * |
| 793 | * This function normalizes HTML entities. It will convert "AT&T" to the |
| 794 | * correct "AT&T", ":" to ":", "&#XYZZY;" to "&#XYZZY;" |
| 795 | * and so on. |
| 796 | * |
| 797 | * @since 1.0.0 |
| 798 | * |
| 799 | * @param string $string Content to normalize entities |
| 800 | * @return string Content with normalized entities |
| 801 | */ |
| 802 | function wp_kses_normalize_entities($string) { |
675 | | function wp_kses_normalize_entities2($i) |
676 | | ############################################################################### |
677 | | # This function helps wp_kses_normalize_entities() to only accept 16 bit values |
678 | | # and nothing more for &#number; entities. |
679 | | ############################################################################### |
680 | | { |
| 816 | /** |
| 817 | * wp_kses_normalize_entities2() - Callback for wp_kses_normalize_entities() regular expression |
| 818 | * |
| 819 | * This function helps wp_kses_normalize_entities() to only accept 16 bit |
| 820 | * values and nothing more for &#number; entities. |
| 821 | * |
| 822 | * @since 1.0.0 |
| 823 | * |
| 824 | * @param int $i Number encoded entity |
| 825 | * @return string Correctly encoded entity |
| 826 | */ |
| 827 | function wp_kses_normalize_entities2($i) { |
684 | | function wp_kses_decode_entities($string) |
685 | | ############################################################################### |
686 | | # This function decodes numeric HTML entities (A and A). It doesn't |
687 | | # do anything with other entities like ä, but we don't need them in the |
688 | | # URL protocol whitelisting system anyway. |
689 | | ############################################################################### |
690 | | { |
| 831 | /** |
| 832 | * wp_kses_decode_entities() - Convert all entities to their character counterparts. |
| 833 | * |
| 834 | * This function decodes numeric HTML entities (A and A). It |
| 835 | * doesn't do anything with other entities like ä, but we don't need |
| 836 | * them in the URL protocol whitelisting system anyway. |
| 837 | * |
| 838 | * @since 1.0.0 |
| 839 | * |
| 840 | * @param string $string Content to change entities |
| 841 | * @return string Content after decoded entities |
| 842 | */ |
| 843 | function wp_kses_decode_entities($string) { |
| 941 | /** |
| 942 | * kses_init() - Sets up most of the Kses filters for input form content |
| 943 | * |
| 944 | * If you remove the kses_init() function from 'init' hook and |
| 945 | * 'set_current_user' (priority is default), then none of the |
| 946 | * Kses filter hooks will be added. |
| 947 | * |
| 948 | * First removes all of the Kses filters in case the current user |
| 949 | * does not need to have Kses filter the content. If the user does |
| 950 | * not have unfiltered html capability, then Kses filters are added. |
| 951 | * |
| 952 | * @uses kses_remove_filters() Removes the Kses filters |
| 953 | * @uses kses_init_filters() Adds the Kses filters back if the user |
| 954 | * does not have unfiltered HTML capability. |
| 955 | * @since 2.0.0 |
| 956 | */ |