Changeset 17172
- Timestamp:
- 12/29/2010 08:49:02 PM (14 years ago)
- Location:
- branches/3.0/wp-includes
- Files:
-
- 2 edited
branches/3.0/wp-includes/formatting.php
r15378 r17172 2237 2237 // Replace ampersands and single quotes only when displaying. 2238 2238 if ( 'display' == $_context ) { 2239 $url = preg_replace('/&([^#])(?![a-z]{2,8};)/', '&$1', $url); 2239 $url = wp_kses_normalize_entities( $url ); 2240 $url = str_replace( '&', '&', $url ); 2240 2241 $url = str_replace( "'", ''', $url ); 2241 2242 } -
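Review bot: The comment above the `'display' == $_context` branch no longer matches what the branch does, since the new first step is `wp_kses_normalize_entities( $url )` and only afterwards are ampersands and single quotes replaced. I would update it to something like `// Display context only: normalize entities with kses, then entity-encode ampersands and single quotes.` and state there that other contexts return the URL without this encoding, so their result should not be printed into HTML as-is. The two `str_replace()` literals appear entity-decoded on this page, so the exact search and replacement strings cannot be checked from here. The enclosing function starts and ends outside the hunk.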
branches/3.0/wp-includes/kses.php
r15384 r17172 671 671 } 672 672 673 if ( $arreach['name']== 'style' ) {673 if ( strtolower($arreach['name']) == 'style' ) { 674 674 $orig_value = $arreach['value']; 675 675 … … 763 763 { 764 764 $thisval = $match[1]; 765 if ( in_array( $attrname, $uris) )765 if ( in_array(strtolower($attrname), $uris) ) 766 766 $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols); 767 767 … … 779 779 { 780 780 $thisval = $match[1]; 781 if ( in_array( $attrname, $uris) )781 if ( in_array(strtolower($attrname), $uris) ) 782 782 $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols); 783 783 … … 795 795 { 796 796 $thisval = $match[1]; 797 if ( in_array( $attrname, $uris) )797 if ( in_array(strtolower($attrname), $uris) ) 798 798 $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols); 799 799 … … 1018 1018 */ 1019 1019 function wp_kses_bad_protocol_once($string, $allowed_protocols) { 1020 global $_kses_allowed_protocols; 1021 $_kses_allowed_protocols = $allowed_protocols; 1022 1023 $string2 = preg_split('/:|:|:/i', $string, 2); 1024 if ( isset($string2[1]) && !preg_match('%/\?%', $string2[0]) ) 1025 $string = wp_kses_bad_protocol_once2($string2[0]) . trim($string2[1]); 1026 else 1027 $string = preg_replace_callback('/^((&[^;]*;|[\sA-Za-z0-9])*)'.'(:|:|&#[Xx]3[Aa];)\s*/', 'wp_kses_bad_protocol_once2', $string); 1020 $string2 = preg_split( '/:|�*58;|�*3a;/i', $string, 2 ); 1021 if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) ) 1022 $string = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols ) . 
trim( $string2[1] ); 1028 1023 1029 1024 return $string; … … 1039 1034 * @since 1.0.0 1040 1035 * 1041 * @param mixed $matches string or preg_replace_callback() matches array to check for bad protocols 1036 * @param string $string URI scheme to check against the whitelist 1037 * @param string $allowed_protocols Allowed protocols 1042 1038 * @return string Sanitized content 1043 1039 */ 1044 function wp_kses_bad_protocol_once2($matches) { 1045 global $_kses_allowed_protocols; 1046 1047 if ( is_array($matches) ) { 1048 if ( empty($matches[1]) ) 1049 return ''; 1050 1051 $string = $matches[1]; 1052 } else { 1053 $string = $matches; 1054 } 1055 1040 function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) { 1056 1041 $string2 = wp_kses_decode_entities($string); 1057 1042 $string2 = preg_replace('/\s/', '', $string2); … … 1060 1045 1061 1046 $allowed = false; 1062 foreach ( (array) $ _kses_allowed_protocols as $one_protocol)1063 if ( strtolower($one_protocol) == $string2) {1047 foreach ( (array) $allowed_protocols as $one_protocol ) 1048 if ( strtolower($one_protocol) == $string2 ) { 1064 1049 $allowed = true; 1065 1050 break;
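Review bot: In `wp_kses_bad_protocol_once()` the `preg_split()` pattern, as far as it can be read on this page, recognises an entity-encoded colon only when the numeric reference ends in `;`, and with the old `preg_replace_callback()` fallback removed, a value that does not split is returned unchanged. HTML parsers commonly accept numeric references without the terminating semicolon, so I would normalise those before splitting, e.g. `$string = preg_replace( '/(&#0*58(?![;0-9])|&#x0*3a(?![;a-f0-9]))/i', '$1;', $string );`. Separately, the new docblock for `wp_kses_bad_protocol_once2()` declares `@param string $allowed_protocols` while the body iterates `(array) $allowed_protocols`; `@param array $allowed_protocols` would match. The body of `wp_kses_bad_protocol_once2()` continues past the end of the hunk.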