Changeset 17171


Timestamp:
12/29/10 20:45:37 (7 years ago)
Author:
ryan
Message:

Don't be case sensitive to attribute names. Handle padded entities when checking for bad protocols. Normalize entities before checking for bad protocols in esc_url(). Props Mauro Gentile, duck_, miqrogroove

Location:
trunk/wp-includes
Files:
2 edited

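--- a/trunk/wp-includes/formatting.php
+++ b/trunk/wp-includes/formatting.php
@@ -2269,5 +2269,6 @@
     // Replace ampersands and single quotes only when displaying.
     if ( 'display' == $_context ) {
-        $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
+        $url = wp_kses_normalize_entities( $url );
+        $url = str_replace( '&', '&', $url );
         $url = str_replace( "'", ''', $url );
     }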
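Review bot: The reason for calling wp_kses_normalize_entities() before the ampersand replacement on the following line is not documented; a comment such as `// Normalize entities first so a URL that already carries an entity (e.g. &amp;) is not double-encoded by the replacement below.` would make the ordering intent explicit. The replacement literal in `$url = str_replace( '&', '&', $url );` reads as a bare ampersand on this page, which looks like the changeset viewer decoding the entity; if the source really held a bare `&` the call would be a no-op, so this is worth confirming. The enclosing esc_url() body starts and ends outside this hunk, so whether the bad-protocol check mentioned in the commit message also runs on non-normalized input for the non-display context is not visible here.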
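--- a/trunk/wp-includes/kses.php
+++ b/trunk/wp-includes/kses.php
@@ -1028,12 +1028,7 @@
  */
 function wp_kses_bad_protocol_once($string, $allowed_protocols) {
-    global $_kses_allowed_protocols;
-    $_kses_allowed_protocols = $allowed_protocols;
-
-    $string2 = preg_split('/:|:|:/i', $string, 2);
-    if ( isset($string2[1]) && !preg_match('%/\?%', $string2[0]) )
-        $string = wp_kses_bad_protocol_once2($string2[0]) . trim($string2[1]);
-    else
-        $string = preg_replace_callback('/^((&[^;]*;|[\sA-Za-z0-9])*)'.'(:|:|&#[Xx]3[Aa];)\s*/', 'wp_kses_bad_protocol_once2', $string);
+    $string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
+    if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) )
+        $string = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols ) . trim( $string2[1] );
 
     return $string;
@@ -1049,19 +1044,9 @@
  * @since 1.0.0
  *
- * @param mixed $matches string or preg_replace_callback() matches array to check for bad protocols
+ * @param string $string URI scheme to check against the whitelist
+ * @param string $allowed_protocols Allowed protocols
  * @return string Sanitized content
  */
-function wp_kses_bad_protocol_once2($matches) {
-    global $_kses_allowed_protocols;
-
-    if ( is_array($matches) ) {
-        if ( empty($matches[1]) )
-            return '';
-
-        $string = $matches[1];
-    } else {
-        $string = $matches;
-    }
-
+function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) {
     $string2 = wp_kses_decode_entities($string);
     $string2 = preg_replace('/\s/', '', $string2);
@@ -1070,6 +1055,6 @@
 
     $allowed = false;
-    foreach ( (array) $_kses_allowed_protocols as $one_protocol)
-        if (strtolower($one_protocol) == $string2) {
+    foreach ( (array) $allowed_protocols as $one_protocol )
+        if ( strtolower($one_protocol) == $string2 ) {
             $allowed = true;
             break;
@@ -1099,7 +1084,8 @@
 
     # Change back the allowed entities in our entity whitelist
+
     $string = preg_replace_callback('/&([A-Za-z]{2,8});/', 'wp_kses_named_entities', $string);
-    $string = preg_replace_callback('/&#0*([0-9]{1,5});/', 'wp_kses_normalize_entities2', $string);
-    $string = preg_replace_callback('/&#[Xx]0*(([0-9A-Fa-f]{2}){1,2});/', 'wp_kses_normalize_entities3', $string);
+    $string = preg_replace_callback('/&#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $string);
+    $string = preg_replace_callback('/&#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $string);
 
     return $string;
@@ -1144,5 +1130,12 @@
 
     $i = $matches[1];
-    return ( ($i > 65535 || ! valid_unicode($i)) ? "&#$i;" : "&#$i;" );
+    if (valid_unicode($i)) {
+        $i = str_pad(ltrim($i,'0'), 3, '0', STR_PAD_LEFT);
+        $i = "&#$i;";
+    } else {
+        $i = "&#$i;";
+    }
+
+    return $i;
 }
 
@@ -1163,5 +1156,5 @@
 
     $hexchars = $matches[1];
-    return ( ( ! valid_unicode(hexdec($hexchars)) ) ? "&#x$hexchars;" : "&#x$hexchars;" );
+    return ( ( ! valid_unicode(hexdec($hexchars)) ) ? "&#x$hexchars;" : '&#x'.ltrim($hexchars,'0').';' );
 }
 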
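Review bot: The three-digit zero padding in wp_kses_normalize_entities2 (`$i = str_pad(ltrim($i,'0'), 3, '0', STR_PAD_LEFT);`) is unexplained, and it differs from the hex branch in wp_kses_normalize_entities3 in the last hunk, which strips leading zeros without padding back. A comment such as `// Canonicalize the decimal form to at least three digits (e.g. &#38; becomes &#038;) so differently padded spellings of one code point normalize to a single string.` would record the intent; the exact reason should be confirmed against the callers, which are not shown. Both branches of the if/else in that hunk read as `$i = "&#$i;";` on this page, which is presumably the changeset viewer decoding an escaped ampersand in the rejection branch; it is worth confirming in the source that the invalid-code-point branch still emits the neutralized form rather than the same entity. The functions these hunks touch start outside the hunks, so the valid_unicode() contract and the docblocks are not visible here.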