Changes in branches/3.0/wp-includes/kses.php [17172:15384]

File:

• branches/3.0/wp-includes/kses.php (modified) (7 diffs)

branches/3.0/wp-includes/kses.php

@@ -671 +671 @@
                 }
 
-            if ( strtolower($arreach['name']) == 'style' ) {
+            if ( $arreach['name'] == 'style' ) {
                 $orig_value = $arreach['value'];
 
@@ -763 +763 @@
                     {
                     $thisval = $match[1];
-                    if ( in_array(strtolower($attrname), $uris) )
+                    if ( in_array($attrname, $uris) )
                         $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
 
@@ -779 +779 @@
                     {
                     $thisval = $match[1];
-                    if ( in_array(strtolower($attrname), $uris) )
+                    if ( in_array($attrname, $uris) )
                         $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
 
@@ -795 +795 @@
                     {
                     $thisval = $match[1];
-                    if ( in_array(strtolower($attrname), $uris) )
+                    if ( in_array($attrname, $uris) )
                         $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
 
@@ -1018 +1018 @@
  */
 function wp_kses_bad_protocol_once($string, $allowed_protocols) {
-    $string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
-    if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) )
-        $string = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols ) . trim( $string2[1] );
+    global $_kses_allowed_protocols;
+    $_kses_allowed_protocols = $allowed_protocols;
+
+    $string2 = preg_split('/:|:|:/i', $string, 2);
+    if ( isset($string2[1]) && !preg_match('%/\?%', $string2[0]) )
+        $string = wp_kses_bad_protocol_once2($string2[0]) . trim($string2[1]);
+    else
+        $string = preg_replace_callback('/^((&[^;]*;|[\sA-Za-z0-9])*)'.'(:|:|&#[Xx]3[Aa];)\s*/', 'wp_kses_bad_protocol_once2', $string);
 
     return $string;
@@ -1034 +1039 @@
  * @since 1.0.0
  *
- * @param string $string URI scheme to check against the whitelist
- * @param string $allowed_protocols Allowed protocols
+ * @param mixed $matches string or preg_replace_callback() matches array to check for bad protocols
  * @return string Sanitized content
  */
-function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) {
+function wp_kses_bad_protocol_once2($matches) {
+    global $_kses_allowed_protocols;
+
+    if ( is_array($matches) ) {
+        if ( empty($matches[1]) )
+            return '';
+
+        $string = $matches[1];
+    } else {
+        $string = $matches;
+    }
+
     $string2 = wp_kses_decode_entities($string);
     $string2 = preg_replace('/\s/', '', $string2);
@@ -1045 +1060 @@
 
     $allowed = false;
-    foreach ( (array) $allowed_protocols as $one_protocol )
-        if ( strtolower($one_protocol) == $string2 ) {
+    foreach ( (array) $_kses_allowed_protocols as $one_protocol)
+        if (strtolower($one_protocol) == $string2) {
             $allowed = true;
             break;