
Changeset 17172


Timestamp:
12/29/10 20:49:02 (3 years ago)
Author:
ryan
Message:

Don't be case sensitive to attribute names. Handle padded entities when checking for bad protocols. Normalize entities before checking for bad protocols in esc_url(). Props Mauro Gentile, duck_, miqrogroove

Location:
branches/3.0/wp-includes
Files:
2 edited

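--- a/branches/3.0/wp-includes/formatting.php
+++ b/branches/3.0/wp-includes/formatting.php
@@ -2237,5 +2237,6 @@
     // Replace ampersands and single quotes only when displaying.
     if ( 'display' == $_context ) {
-        $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url);
+        $url = wp_kses_normalize_entities( $url );
+        $url = str_replace( '&', '&', $url );
         $url = str_replace( "'", ''', $url );
     }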
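Review bot: The `wp_kses_normalize_entities()` call added at new line 2239 sits inside the `'display' == $_context` branch, so the normalization the commit message describes as happening "before checking for bad protocols" is skipped whenever esc_url() is called with another context such as `'db'`; either hoist the call above the context test or add a comment explaining why the non-display path does not need it, e.g. `// Normalize entities first so padded or alternate encodings of ':' cannot hide a disallowed scheme from the protocol check.` The enclosing function continues outside the hunk, so whether the protocol check actually follows this block cannot be confirmed here. The viewer renders both arguments of the second `str_replace()` at new line 2240 as `'&'`, which looks like entity decoding by the page rather than the committed source; the committed replacement string should be checked to make sure it is not an identity replace.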
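--- a/branches/3.0/wp-includes/kses.php
+++ b/branches/3.0/wp-includes/kses.php
@@ -671,5 +671,5 @@
                 }
 
-            if ( $arreach['name'] == 'style' ) {
+            if ( strtolower($arreach['name']) == 'style' ) {
                 $orig_value = $arreach['value'];
 
@@ -763,5 +763,5 @@
                     {
                     $thisval = $match[1];
-                    if ( in_array($attrname, $uris) )
+                    if ( in_array(strtolower($attrname), $uris) )
                         $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
 
@@ -779,5 +779,5 @@
                     {
                     $thisval = $match[1];
-                    if ( in_array($attrname, $uris) )
+                    if ( in_array(strtolower($attrname), $uris) )
                         $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
 
@@ -795,5 +795,5 @@
                     {
                     $thisval = $match[1];
-                    if ( in_array($attrname, $uris) )
+                    if ( in_array(strtolower($attrname), $uris) )
                         $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
 
@@ -1018,12 +1018,7 @@
  */
 function wp_kses_bad_protocol_once($string, $allowed_protocols) {
-    global $_kses_allowed_protocols;
-    $_kses_allowed_protocols = $allowed_protocols;
-
-    $string2 = preg_split('/:|:|:/i', $string, 2);
-    if ( isset($string2[1]) && !preg_match('%/\?%', $string2[0]) )
-        $string = wp_kses_bad_protocol_once2($string2[0]) . trim($string2[1]);
-    else
-        $string = preg_replace_callback('/^((&[^;]*;|[\sA-Za-z0-9])*)'.'(:|:|&#[Xx]3[Aa];)\s*/', 'wp_kses_bad_protocol_once2', $string);
+    $string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
+    if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) )
+        $string = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols ) . trim( $string2[1] );
 
     return $string;
@@ -1039,19 +1034,9 @@
  * @since 1.0.0
  *
- * @param mixed $matches string or preg_replace_callback() matches array to check for bad protocols
+ * @param string $string URI scheme to check against the whitelist
+ * @param string $allowed_protocols Allowed protocols
  * @return string Sanitized content
  */
-function wp_kses_bad_protocol_once2($matches) {
-    global $_kses_allowed_protocols;
-
-    if ( is_array($matches) ) {
-        if ( empty($matches[1]) )
-            return '';
-
-        $string = $matches[1];
-    } else {
-        $string = $matches;
-    }
-
+function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) {
     $string2 = wp_kses_decode_entities($string);
     $string2 = preg_replace('/\s/', '', $string2);
@@ -1060,6 +1045,6 @@
 
     $allowed = false;
-    foreach ( (array) $_kses_allowed_protocols as $one_protocol)
-        if (strtolower($one_protocol) == $string2) {
+    foreach ( (array) $allowed_protocols as $one_protocol )
+        if ( strtolower($one_protocol) == $string2 ) {
             $allowed = true;
             break;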
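Review bot: The new docblock tag at new line 1037 declares `$allowed_protocols` as `string`, but the function casts it with `(array)` and iterates it in the `foreach` at new line 1047, and `wp_kses_bad_protocol_once()` passes its own `$allowed_protocols` parameter straight through; the tag should read ` * @param array $allowed_protocols Allowed protocols`. Since `wp_kses_bad_protocol_once()` keeps its signature but loses the `$_kses_allowed_protocols` global and the `preg_replace_callback()` `else` branch, its own docblock (above the hunk, not visible here) probably still describes the callback contract and should be updated to match. The `strtolower($attrname)` lowering is repeated verbatim in the three hunks at new lines 765, 781 and 797; if `$attrname` is assigned once before those branches, lowering it there once would keep the three `in_array()` checks from drifting apart.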