Make WordPress Core


Ignore:
Timestamp:
12/29/2010 08:49:02 PM (14 years ago)
Author:
ryan
Message:

Don't be case sensitive to attribute names. Handle padded entities when checking for bad protocols. Normalize entities before checking for bad protocols in esc_url(). Props Mauro Gentile, duck_, miqrogroove

File:
1 edited

Legend:

Unmodified
Added
Removed
  • branches/3.0/wp-includes/kses.php

    r15384 r17172  
    671671                }
    672672
    673             if ( $arreach['name'] == 'style' ) {
     673            if ( strtolower($arreach['name']) == 'style' ) {
    674674                $orig_value = $arreach['value'];
    675675
     
    763763                    {
    764764                    $thisval = $match[1];
    765                     if ( in_array($attrname, $uris) )
     765                    if ( in_array(strtolower($attrname), $uris) )
    766766                        $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
    767767
     
    779779                    {
    780780                    $thisval = $match[1];
    781                     if ( in_array($attrname, $uris) )
     781                    if ( in_array(strtolower($attrname), $uris) )
    782782                        $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
    783783
     
    795795                    {
    796796                    $thisval = $match[1];
    797                     if ( in_array($attrname, $uris) )
     797                    if ( in_array(strtolower($attrname), $uris) )
    798798                        $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols);
    799799
     
    10181018 */
    10191019function wp_kses_bad_protocol_once($string, $allowed_protocols) {
    1020     global $_kses_allowed_protocols;
    1021     $_kses_allowed_protocols = $allowed_protocols;
    1022 
    1023     $string2 = preg_split('/:|:|:/i', $string, 2);
    1024     if ( isset($string2[1]) && !preg_match('%/\?%', $string2[0]) )
    1025         $string = wp_kses_bad_protocol_once2($string2[0]) . trim($string2[1]);
    1026     else
    1027         $string = preg_replace_callback('/^((&[^;]*;|[\sA-Za-z0-9])*)'.'(:|:|&#[Xx]3[Aa];)\s*/', 'wp_kses_bad_protocol_once2', $string);
     1020    $string2 = preg_split( '/:|&#0*58;|&#x0*3a;/i', $string, 2 );
     1021    if ( isset($string2[1]) && ! preg_match('%/\?%', $string2[0]) )
     1022        $string = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols ) . trim( $string2[1] );
    10281023
    10291024    return $string;
     
    10391034 * @since 1.0.0
    10401035 *
    1041  * @param mixed $matches string or preg_replace_callback() matches array to check for bad protocols
     1036 * @param string $string URI scheme to check against the whitelist
     1037 * @param string $allowed_protocols Allowed protocols
    10421038 * @return string Sanitized content
    10431039 */
    1044 function wp_kses_bad_protocol_once2($matches) {
    1045     global $_kses_allowed_protocols;
    1046 
    1047     if ( is_array($matches) ) {
    1048         if ( empty($matches[1]) )
    1049             return '';
    1050 
    1051         $string = $matches[1];
    1052     } else {
    1053         $string = $matches;
    1054     }
    1055 
     1040function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) {
    10561041    $string2 = wp_kses_decode_entities($string);
    10571042    $string2 = preg_replace('/\s/', '', $string2);
     
    10601045
    10611046    $allowed = false;
    1062     foreach ( (array) $_kses_allowed_protocols as $one_protocol)
    1063         if (strtolower($one_protocol) == $string2) {
     1047    foreach ( (array) $allowed_protocols as $one_protocol )
     1048        if ( strtolower($one_protocol) == $string2 ) {
    10641049            $allowed = true;
    10651050            break;
Note: See TracChangeset for help on using the changeset viewer.