WordPress.org

Make WordPress Core

Changeset 22811


Ignore:
Timestamp:
11/22/2012 07:23:43 AM (9 years ago)
Author:
nacin
Message:

Do SimplePie sanitization with wp_kses_post() rather than DOMDocument, which cannot be guaranteed to be available.

Overrides SimplePie_Sanitize with WP_SimplePie_Sanitize_KSES.

props markjaquith, rmccue.
see #21990.

Location:
trunk/wp-includes
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-includes/class-feed.php

    r22599 r22811  
    9393    }
    9494}
     95
     96/**
     97 * WordPress SimplePie Sanitization Class
     98 *
     99 * Extension of the SimplePie_Sanitize class to use KSES, because
     100 * we cannot universally count on DOMDocument being available
     101 *
     102 * @package WordPress
     103 * @since 3.5.0
     104 */
     105class WP_SimplePie_Sanitize_KSES extends SimplePie_Sanitize {
     106    public function sanitize( $data, $type, $base = '' ) {
     107        $data = trim( $data );
     108        if ( $type & SIMPLEPIE_CONSTRUCT_MAYBE_HTML ) {
     109            if (preg_match('/(&(#(x[0-9a-fA-F]+|[0-9]+)|[a-zA-Z0-9]+)|<\/[A-Za-z][^\x09\x0A\x0B\x0C\x0D\x20\x2F\x3E]*' . SIMPLEPIE_PCRE_HTML_ATTRIBUTE . '>)/', $data)) {
     110                $type |= SIMPLEPIE_CONSTRUCT_HTML;
     111            }
     112            else {
     113                $type |= SIMPLEPIE_CONSTRUCT_TEXT;
     114            }
     115        }
     116        if ( $type & SIMPLEPIE_CONSTRUCT_BASE64 ) {
     117            $data = base64_decode( $data );
     118        }
     119        if ( $type & ( SIMPLEPIE_CONSTRUCT_HTML | SIMPLEPIE_CONSTRUCT_XHTML ) ) {
     120            $data = wp_kses_post( $data );
     121            if ( $this->output_encoding !== 'UTF-8' ) {
     122                $data = $this->registry->call( 'Misc', 'change_encoding', array( $data, 'UTF-8', $this->output_encoding ) );
     123            }
     124            return $data;
     125        } else {
     126            return parent::sanitize( $data, $type, $base );
     127        }
     128    }
     129}
  • trunk/wp-includes/feed.php

    r22599 r22811  
    529529    $feed = new SimplePie();
    530530
     531    $feed->set_sanitize_class( 'WP_SimplePie_Sanitize_KSES' );
     532    // We must manually overwrite $feed->sanitize because SimplePie's
     533    // constructor sets it before we have a chance to set the sanitization class
     534    $feed->sanitize = new WP_SimplePie_Sanitize_KSES();
     535
    531536    $feed->set_cache_class( 'WP_Feed_Cache' );
    532537    $feed->set_file_class( 'WP_SimplePie_File' );
Note: See TracChangeset for help on using the changeset viewer.