WordPress.org

Make WordPress Core

Changeset 17171


Ignore:
Timestamp:
12/29/2010 08:45:37 PM (8 years ago)
Author:
ryan
Message:

Don't be case sensitive to attribute names. Handle padded entities when checking for bad protocols. Normalize entities before checking for bad protocols in esc_url(). Props Mauro Gentile, duck_, miqrogroove

Location:
trunk/wp-includes
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-includes/formatting.php

    r17142 r17171  
    22692269    // Replace ampersands and single quotes only when displaying.
    22702270    if ( 'display' == $_context ) {
    2271         $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
     2271        $url = wp_kses_normalize_entities( $url );
     2272        $url = str_replace( '&', '&', $url );
    22722273        $url = str_replace( "'", ''', $url );
    22732274    }
  • trunk/wp-includes/kses.php

    r17119 r17171  
    10281028 */
    10291029function wp_kses_bad_protocol_once($string, $allowed_protocols) {
    1030     global $_kses_allowed_protocols;
    1031     $_kses_allowed_protocols = $allowed_protocols;
    1032 
    1033     $string2 = preg_split('/:|:|:/i', $string, 2);
    1034     if ( isset($string2[1]) && !preg_match('%/\?%', $string2[0]) )
    1035         $string = wp_kses_bad_protocol_once2($string2[0]) . trim($string2[1]);
    1036     else
    1037         $string = preg_replace_callback('/^((&[^;]*;|[\sA-Za-z0-9])*)'.'(:|:|&#[Xx]3[Aa];)\s*/', 'wp_kses_bad_protocol_once2', $string);
     1030    $string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
     1031    if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) )
     1032        $string = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols ) . trim( $string2[1] );
    10381033
    10391034    return $string;
     
    10491044 * @since 1.0.0
    10501045 *
    1051  * @param mixed $matches string or preg_replace_callback() matches array to check for bad protocols
     1046 * @param string $string URI scheme to check against the whitelist
     1047 * @param string $allowed_protocols Allowed protocols
    10521048 * @return string Sanitized content
    10531049 */
    1054 function wp_kses_bad_protocol_once2($matches) {
    1055     global $_kses_allowed_protocols;
    1056 
    1057     if ( is_array($matches) ) {
    1058         if ( empty($matches[1]) )
    1059             return '';
    1060 
    1061         $string = $matches[1];
    1062     } else {
    1063         $string = $matches;
    1064     }
    1065 
     1050function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) {
    10661051    $string2 = wp_kses_decode_entities($string);
    10671052    $string2 = preg_replace('/\s/', '', $string2);
     
    10701055
    10711056    $allowed = false;
    1072     foreach ( (array) $_kses_allowed_protocols as $one_protocol)
    1073         if (strtolower($one_protocol) == $string2) {
     1057    foreach ( (array) $allowed_protocols as $one_protocol )
     1058        if ( strtolower($one_protocol) == $string2 ) {
    10741059            $allowed = true;
    10751060            break;
     
    10991084
    11001085    # Change back the allowed entities in our entity whitelist
     1086
    11011087    $string = preg_replace_callback('/&([A-Za-z]{2,8});/', 'wp_kses_named_entities', $string);
    1102     $string = preg_replace_callback('/&#0*([0-9]{1,5});/', 'wp_kses_normalize_entities2', $string);
    1103     $string = preg_replace_callback('/&#[Xx]0*(([0-9A-Fa-f]{2}){1,2});/', 'wp_kses_normalize_entities3', $string);
     1088    $string = preg_replace_callback('/&#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $string);
     1089    $string = preg_replace_callback('/&#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $string);
    11041090
    11051091    return $string;
     
    11441130
    11451131    $i = $matches[1];
    1146     return ( ($i > 65535 || ! valid_unicode($i)) ? "&#$i;" : "&#$i;" );
     1132    if (valid_unicode($i)) {
     1133        $i = str_pad(ltrim($i,'0'), 3, '0', STR_PAD_LEFT);
     1134        $i = "&#$i;";
     1135    } else {
     1136        $i = "&#$i;";
     1137    }
     1138
     1139    return $i;
    11471140}
    11481141
     
    11631156
    11641157    $hexchars = $matches[1];
    1165     return ( ( ! valid_unicode(hexdec($hexchars)) ) ? "&#x$hexchars;" : "&#x$hexchars;" );
     1158    return ( ( ! valid_unicode(hexdec($hexchars)) ) ? "&#x$hexchars;" : '&#x'.ltrim($hexchars,'0').';' );
    11661159}
    11671160
Note: See TracChangeset for help on using the changeset viewer.