File:
1 edited

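--- a/trunk/wp-includes/kses.php
+++ b/trunk/wp-includes/kses.php
@@ -16,5 +16,5 @@
  * You should have received a copy of the GNU General Public License along
  * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ * 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA  or visit
  * http://www.gnu.org/licenses/gpl.html
  *
@@ -514,5 +514,5 @@
  *
  * There is currently only one kses WordPress hook and it is called here. All
- * parameters are passed to the hooks and expected to receive a string.
+ * parameters are passed to the hooks and expected to recieve a string.
  *
  * @since 1.0.0
@@ -555,5 +555,5 @@
     $pass_allowed_html = $allowed_html;
     $pass_allowed_protocols = $allowed_protocols;
-    return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );
+    return preg_replace_callback( '%((<!--.*?(-->|$))|(<[^>]*(>|$)|>))%', '_wp_kses_split_callback', $string );
 }
 
@@ -566,5 +566,5 @@
 function _wp_kses_split_callback( $match ) {
     global $pass_allowed_html, $pass_allowed_protocols;
-    return wp_kses_split2( $match[0], $pass_allowed_html, $pass_allowed_protocols );
+    return wp_kses_split2( $match[1], $pass_allowed_html, $pass_allowed_protocols );
 }
 
@@ -597,7 +597,7 @@
     # It matched a ">" character
 
-    if ( '<!--' == substr( $string, 0, 4 ) ) {
-        $string = str_replace( array('<!--', '-->'), '', $string );
-        while ( $string != ($newstring = wp_kses($string, $allowed_html, $allowed_protocols)) )
+    if (preg_match('%^<!--(.*?)(-->)?$%', $string, $matches)) {
+        $string = str_replace(array('<!--', '-->'), '', $matches[1]);
+        while ( $string != $newstring = wp_kses($string, $allowed_html, $allowed_protocols) )
             $string = $newstring;
         if ( $string == '' )
@@ -619,13 +619,13 @@
     $attrlist = $matches[3];
 
-    if ( ! isset($allowed_html[strtolower($elem)]) )
+    if (!@isset($allowed_html[strtolower($elem)]))
         return '';
     # They are using a not allowed HTML element
 
     if ($slash != '')
-        return "</$elem>";
+        return "<$slash$elem>";
     # No attributes are allowed for closing elements
 
-    return wp_kses_attr( $elem, $attrlist, $allowed_html, $allowed_protocols );
+    return wp_kses_attr("$slash$elem", $attrlist, $allowed_html, $allowed_protocols);
 }
 
@@ -655,39 +655,41 @@
 
     # Are any attributes allowed at all for this element?
-    if ( ! isset($allowed_html[strtolower($element)]) || count($allowed_html[strtolower($element)]) == 0 )
+
+    if (@ count($allowed_html[strtolower($element)]) == 0)
         return "<$element$xhtml_slash>";
 
     # Split it
+
     $attrarr = wp_kses_hair($attr, $allowed_protocols);
 
     # Go through $attrarr, and save the allowed attributes for this element
     # in $attr2
+
     $attr2 = '';
 
-    $allowed_attr = $allowed_html[strtolower($element)];
     foreach ($attrarr as $arreach) {
-        if ( ! isset( $allowed_attr[strtolower($arreach['name'])] ) )
+        if (!@ isset ($allowed_html[strtolower($element)][strtolower($arreach['name'])]))
             continue; # the attribute is not allowed
 
-        $current = $allowed_attr[strtolower($arreach['name'])];
-        if ( $current == '' )
+        $current = $allowed_html[strtolower($element)][strtolower($arreach['name'])];
+        if ($current == '')
             continue; # the attribute is not allowed
 
-        if ( ! is_array($current) ) {
+        if (!is_array($current))
             $attr2 .= ' '.$arreach['whole'];
         # there are no checks
 
-        } else {
+        else {
             # there are some checks
             $ok = true;
-            foreach ($current as $currkey => $currval) {
-                if ( ! wp_kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval) ) {
+            foreach ($current as $currkey => $currval)
+                if (!wp_kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval)) {
                     $ok = false;
                     break;
                 }
-            }
 
             if ( strtolower($arreach['name']) == 'style' ) {
                 $orig_value = $arreach['value'];
+
                 $value = safecss_filter_attr($orig_value);
 
@@ -696,4 +698,5 @@
 
                 $arreach['value'] = $value;
+
                 $arreach['whole'] = str_replace($orig_value, $value, $arreach['whole']);
             }
@@ -705,4 +708,5 @@
 
     # Remove any "<" or ">" characters
+
     $attr2 = preg_replace('/[<>]/', '', $attr2);
 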
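Review bot: The `@`-suppressed lookups on the right-hand side of the wp_kses_attr() hunk — `if (@ count($allowed_html[strtolower($element)]) == 0)` at new line 658 and `if (!@ isset ($allowed_html[strtolower($element)][strtolower($arreach['name'])]))` at new line 671, plus `if (!@isset($allowed_html[strtolower($elem)]))` at new line 621 in the hunk above — hide the undefined-index notice raised for an element missing from the allow-list rather than testing for it, and `@` on `isset()` is a no-op because `isset()` never raises. The left-hand side's explicit form, `if ( ! isset($allowed_html[strtolower($element)]) || count($allowed_html[strtolower($element)]) == 0 )`, states the check directly and never calls `count()` on a missing entry, which newer PHP versions reject with a TypeError that `@` cannot suppress. The column headers read r18208 then r17228, so this page appears to be a reverse comparison in which the right-hand column is the older revision; the enclosing wp_kses_attr() function starts and ends outside the hunk.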