Changes in trunk/wp-includes/kses.php [18208:17228]
- File:
-
- 1 edited
trunk/wp-includes/kses.php
r18208 r17228 16 16 * You should have received a copy of the GNU General Public License along 17 17 * with this program; if not, write to the Free Software Foundation, Inc., 18 * 5 1 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA18 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA or visit 19 19 * http://www.gnu.org/licenses/gpl.html 20 20 * … … 514 514 * 515 515 * There is currently only one kses WordPress hook and it is called here. All 516 * parameters are passed to the hooks and expected to rec eive a string.516 * parameters are passed to the hooks and expected to recieve a string. 517 517 * 518 518 * @since 1.0.0 … … 555 555 $pass_allowed_html = $allowed_html; 556 556 $pass_allowed_protocols = $allowed_protocols; 557 return preg_replace_callback( '%( <!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string );557 return preg_replace_callback( '%((<!--.*?(-->|$))|(<[^>]*(>|$)|>))%', '_wp_kses_split_callback', $string ); 558 558 } 559 559 … … 566 566 function _wp_kses_split_callback( $match ) { 567 567 global $pass_allowed_html, $pass_allowed_protocols; 568 return wp_kses_split2( $match[ 0], $pass_allowed_html, $pass_allowed_protocols );568 return wp_kses_split2( $match[1], $pass_allowed_html, $pass_allowed_protocols ); 569 569 } 570 570 … … 597 597 # It matched a ">" character 598 598 599 if ( '<!--' == substr( $string, 0, 4 )) {600 $string = str_replace( array('<!--', '-->'), '', $string);601 while ( $string != ($newstring = wp_kses($string, $allowed_html, $allowed_protocols)) )599 if (preg_match('%^<!--(.*?)(-->)?$%', $string, $matches)) { 600 $string = str_replace(array('<!--', '-->'), '', $matches[1]); 601 while ( $string != $newstring = wp_kses($string, $allowed_html, $allowed_protocols) ) 602 602 $string = $newstring; 603 603 if ( $string == '' ) … … 619 619 $attrlist = $matches[3]; 620 620 621 if ( ! 
isset($allowed_html[strtolower($elem)]))621 if (!@isset($allowed_html[strtolower($elem)])) 622 622 return ''; 623 623 # They are using a not allowed HTML element 624 624 625 625 if ($slash != '') 626 return "< /$elem>";626 return "<$slash$elem>"; 627 627 # No attributes are allowed for closing elements 628 628 629 return wp_kses_attr( $elem, $attrlist, $allowed_html, $allowed_protocols);629 return wp_kses_attr("$slash$elem", $attrlist, $allowed_html, $allowed_protocols); 630 630 } 631 631 … … 655 655 656 656 # Are any attributes allowed at all for this element? 657 if ( ! isset($allowed_html[strtolower($element)]) || count($allowed_html[strtolower($element)]) == 0 ) 657 658 if (@ count($allowed_html[strtolower($element)]) == 0) 658 659 return "<$element$xhtml_slash>"; 659 660 660 661 # Split it 662 661 663 $attrarr = wp_kses_hair($attr, $allowed_protocols); 662 664 663 665 # Go through $attrarr, and save the allowed attributes for this element 664 666 # in $attr2 667 665 668 $attr2 = ''; 666 669 667 $allowed_attr = $allowed_html[strtolower($element)];668 670 foreach ($attrarr as $arreach) { 669 if ( ! isset( $allowed_attr[strtolower($arreach['name'])] ))671 if (!@ isset ($allowed_html[strtolower($element)][strtolower($arreach['name'])])) 670 672 continue; # the attribute is not allowed 671 673 672 $current = $allowed_ attr[strtolower($arreach['name'])];673 if ( $current == '')674 $current = $allowed_html[strtolower($element)][strtolower($arreach['name'])]; 675 if ($current == '') 674 676 continue; # the attribute is not allowed 675 677 676 if ( ! is_array($current) ) {678 if (!is_array($current)) 677 679 $attr2 .= ' '.$arreach['whole']; 678 680 # there are no checks 679 681 680 }else {682 else { 681 683 # there are some checks 682 684 $ok = true; 683 foreach ($current as $currkey => $currval) {684 if ( ! 
wp_kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval)) {685 foreach ($current as $currkey => $currval) 686 if (!wp_kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval)) { 685 687 $ok = false; 686 688 break; 687 689 } 688 }689 690 690 691 if ( strtolower($arreach['name']) == 'style' ) { 691 692 $orig_value = $arreach['value']; 693 692 694 $value = safecss_filter_attr($orig_value); 693 695 … … 696 698 697 699 $arreach['value'] = $value; 700 698 701 $arreach['whole'] = str_replace($orig_value, $value, $arreach['whole']); 699 702 } … … 705 708 706 709 # Remove any "<" or ">" characters 710 707 711 $attr2 = preg_replace('/[<>]/', '', $attr2); 708 712
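Review bot: In the comment branch of wp_kses_split2 (lines 599–601 of the r17228 column), `preg_match('%^<!--(.*?)(-->)?$%', $string, $matches)` has no `s` modifier, so a token that begins with `<!--` but contains a newline does not match and is handled by whatever follows the branch, which is not shown in this hunk. The r18208 column tests the `<!--` prefix with `substr`, which does not depend on the token's contents; if the regex form is kept, `if (preg_match('%^<!--(.*?)(-->)?$%s', $string, $matches)) {` would also cover comments that span lines. Since this function filters untrusted markup, a test with a multi-line comment would pin the intended behaviour. The page compares r18208 against r17228, so the right-hand column appears to be the earlier revision.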