
Ticket #7363: 7363_2.patch

File 7363_2.patch, 4.7 KB (added by azaozz, 10 years ago)

Reverts most of the previous changes and adds helper functions used as callbacks instead of create_function()

  • wp-includes/kses.php

     
    850850
    851851        $string2 = preg_split('/:|:|:/i', $string, 2);
    852852        if ( isset($string2[1]) && !preg_match('%/\?%', $string2[0]) )
    853                 $string = wp_kses_bad_protocol_once2($string2[0]) . trim($string2[1]);
     853                $string = wp_kses_bad_protocol_once2($string2[0], $allowed_protocols) . trim($string2[1]);
    854854        else
    855                 $string = preg_replace_callback('/^((&[^;]*;|[\sA-Za-z0-9])*)'.'(:|:|&#[Xx]3[Aa];)\s*/', 'wp_kses_bad_protocol_once2', $string);
     855                $string = preg_replace_callback('/^((&[^;]*;|[\sA-Za-z0-9])*)'.'(:|:|&#[Xx]3[Aa];)\s*/', 'call_wp_kses_bad_protocol_once2', $string);
    856856
    857857        return $string;
    858858}
    859859
     860// Helper function used instead of create_function() for preg_replace_callback() in wp_kses_bad_protocol_once()
     861function call_wp_kses_bad_protocol_once2( $matches ) {
     862        global $_kses_allowed_protocols;
     863
     864        if ( ! isset($matches[1]) || empty($matches[1]) )
     865                return '';
     866
     867        return wp_kses_bad_protocol_once2($matches[1], $_kses_allowed_protocols);
     868}
     869
    860870/**
    861871 * wp_kses_bad_protocol_once2() - Callback for wp_kses_bad_protocol_once() regular expression.
    862872 *
     
    865875 *
    866876 * @since 1.0.0
    867877 *
    868  * @param mixed $matches string or preg_replace_callback() matches array to check for bad protocols
     878 * @param string $string Content to check for bad protocols
     879 * @param array $allowed_protocols Allowed protocols
    869880 * @return string Sanitized content
    870881 */
    871 function wp_kses_bad_protocol_once2($matches) {
    872         global $_kses_allowed_protocols;
    873 
    874         if ( is_array($matches) ) {
    875                 if ( ! isset($matches[1]) || empty($matches[1]) )
    876                         return '';
    877 
    878                 $string = $matches[1];
    879         } else {
    880                 $string = $matches;
    881         }
    882 
     882function wp_kses_bad_protocol_once2($string, $allowed_protocols) {
    883883        $string2 = wp_kses_decode_entities($string);
    884884        $string2 = preg_replace('/\s/', '', $string2);
    885885        $string2 = wp_kses_no_null($string2);
     
    888888        $string2 = strtolower($string2);
    889889
    890890        $allowed = false;
    891         foreach ( (array) $_kses_allowed_protocols as $one_protocol)
     891        foreach ($allowed_protocols as $one_protocol)
    892892                if (strtolower($one_protocol) == $string2) {
    893893                        $allowed = true;
    894894                        break;
     
    920920        # Change back the allowed entities in our entity whitelist
    921921
    922922        $string = preg_replace('/&([A-Za-z][A-Za-z0-9]{0,19});/', '&\\1;', $string);
    923         $string = preg_replace_callback('/&#0*([0-9]{1,5});/', 'wp_kses_normalize_entities2', $string);
    924         $string = preg_replace_callback('/&#([Xx])0*(([0-9A-Fa-f]{2}){1,2});/', 'wp_kses_normalize_entities3', $string);
     923        $string = preg_replace_callback('/&#0*([0-9]{1,5});/', 'call_wp_kses_normalize_entities2', $string);
     924        $string = preg_replace_callback('/&#([Xx])0*(([0-9A-Fa-f]{2}){1,2});/', 'call_wp_kses_normalize_entities3', $string);
    925925
    926926        return $string;
    927927}
    928928
     929// Helper function used instead of create_function() for preg_replace_callback() in wp_kses_normalize_entities()
     930function call_wp_kses_normalize_entities2($matches) {
     931        if ( ! isset($matches[1]) || empty($matches[1]) )
     932                return '';
     933
     934        return wp_kses_normalize_entities2($matches[1]);
     935}
     936
    929937/**
    930938 * wp_kses_normalize_entities2() - Callback for wp_kses_normalize_entities() regular expression
    931939 *
     
    934942 *
    935943 * @since 1.0.0
    936944 *
    937  * @param array $matches preg_replace_callback() matches array
     945 * @param int $i Number encoded entity
    938946 * @return string Correctly encoded entity
    939947 */
    940 function wp_kses_normalize_entities2($matches) {
    941         if ( ! isset($matches[1]) || empty($matches[1]) )
     948function wp_kses_normalize_entities2($i) {
     949        return ( (!valid_unicode($i)) || ($i > 65535) ? "&#$i;" : "&#$i;");
     950}
     951
     952// Helper function used instead of create_function() for preg_replace_callback() in wp_kses_normalize_entities()
     953function call_wp_kses_normalize_entities3($matches) {
     954        if ( ! isset($matches[2]) || empty($matches[2]) )
    942955                return '';
    943956
    944         $i = $matches[1];
    945         return ( ( ! valid_unicode($i) ) || ($i > 65535) ? "&#$i;" : "&#$i;" );
     957        return wp_kses_normalize_entities3($matches[2]);
    946958}
    947959
    948960/**
     
    951963 * This function helps wp_kses_normalize_entities() to only accept valid Unicode numeric entities
    952964 * in hex form.
    953965 *
    954  * @param array $matches preg_replace_callback() matches array
     966 * @param string $h Hex string of encoded entity
    955967 * @return string Correctly encoded entity
    956968 */
    957 function wp_kses_normalize_entities3($matches) {
    958         if ( ! isset($matches[2]) || empty($matches[2]) )
    959                 return '';
    960 
    961         $hexchars = $matches[2];
    962         return ( ( ! valid_unicode(hexdec($hexchars)) ) ? "&#x$hexchars;" : "&#x$hexchars;" );
     969function wp_kses_normalize_entities3($hexchars) {
     970        return ( (!valid_unicode(hexdec($hexchars))) ? "&#x$hexchars;" : "&#x$hexchars;");
    963971}
    964972
    965973/**