Changeset 32860


Timestamp:
06/19/2015 06:46:11 PM (5 years ago)
Author:
wonderboymusic
Message:

Don't strip \0 (backslash+zero) from post content for users without "unfiltered_html"

Adds unit tests.

Props miqrogroove.
Fixes #28699.

Location:
trunk
Files:
2 edited

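--- a/trunk/src/wp-includes/kses.php
+++ b/trunk/src/wp-includes/kses.php
@@ -522,5 +522,5 @@
     if ( empty( $allowed_protocols ) )
         $allowed_protocols = wp_allowed_protocols();
-    $string = wp_kses_no_null($string);
+    $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
     $string = wp_kses_js_entities($string);
     $string = wp_kses_normalize_entities($string);
@@ -1045,9 +1045,16 @@
  *
  * @param string $string
+ * @param array $options Set 'slash_zero' => 'keep' when '\0' is allowed. Default is 'remove'.
  * @return string
  */
-function wp_kses_no_null($string) {
-    $string = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $string);
-    $string = preg_replace('/(\\\\0)+/', '', $string);
+function wp_kses_no_null( $string, $options = null ) {
+    if ( ! isset( $options['slash_zero'] ) ) {
+        $options = array( 'slash_zero' => 'remove' );
+    }
+
+    $string = preg_replace( '/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $string );
+    if ( 'remove' == $options['slash_zero'] ) {
+        $string = preg_replace( '/\\\\+0+/', '', $string );
+    }
 
     return $string;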
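Review bot: The new option handling in wp_kses_no_null() replaces the whole `$options` array when the 'slash_zero' key is missing and then gates on a loose `'remove' == ...` comparison, so any other key a caller passes is silently dropped and a non-string value (e.g. `true`) is treated as 'remove' by coercion. Filling in the default and comparing strictly keeps the same behaviour for the two call sites in this changeset: `$options = wp_parse_args( $options, array( 'slash_zero' => 'remove' ) );` and `if ( 'remove' === $options['slash_zero'] ) {`. The new docblock line should also mark the parameter as optional, since it defaults to null: `@param array $options Optional. Set 'slash_zero' => 'keep' when '\0' is allowed. Default is 'remove'.`. In the first hunk, wp_kses() now passes 'keep', so stripping of `\0` from style values presumably happens later in the attribute/CSS filtering that the tests exercise; that code and the rest of wp_kses() lie outside this hunk, so a one-line comment at the call site saying why 'keep' is safe here would help the next reader.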
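--- a/trunk/tests/phpunit/tests/kses.php
+++ b/trunk/tests/phpunit/tests/kses.php
@@ -412,3 +412,56 @@
         );
     }
+
+    /**
+     * Test removal of '\0' strings.
+     *
+     * @ticket 28699
+     * @dataProvider data_slash_zero_removal
+     */
+    function test_slash_zero_removal( $input, $output ) {
+        global $allowedposttags;
+
+        return $this->assertEquals( $output, wp_kses( $input, $allowedposttags ) );
+    }
+
+    function data_slash_zero_removal() {
+        return array(
+            array(
+                'This \\0 should be no big deal.',
+                'This \\0 should be no big deal.',
+            ),
+            array(
+                '<div>This \\0 should be no big deal.</div>',
+                '<div>This \\0 should be no big deal.</div>',
+            ),
+            array(
+                '<div align="\\0left">This should be no big deal.</div>',
+                '<div align="\\0left">This should be no big deal.</div>',
+            ),
+            array(
+                'This <div style="float:\\0left"> is more of a concern.',
+                'This <div style="float:left"> is more of a concern.',
+            ),
+            array(
+                'This <div style="float:\\0\\0left"> is more of a concern.',
+                'This <div style="float:left"> is more of a concern.',
+            ),
+            array(
+                'This <div style="float:\\\\00left"> is more of a concern.',
+                'This <div style="float:left"> is more of a concern.',
+            ),
+            array(
+                'This <div style="float:\\\\\\\\0000left"> is more of a concern.',
+                'This <div style="float:left"> is more of a concern.',
+            ),
+            array(
+                'This <div style="float:\\0000left"> is more of a concern.',
+                'This <div style="float:left"> is more of a concern.',
+            ),
+            array(
+                '<style type="text/css">div {background-image:\\0}</style>',
+                'div {background-image:\\0}',
+            ),
+        );
+    }
 }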
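Review bot: test_slash_zero_removal() returns the value of assertEquals(), which PHPUnit ignores, so the `return` only makes the method read like a helper; it should be the plain statement `$this->assertEquals( $output, wp_kses( $input, $allowedposttags ) );`. The docblock "Test removal of '\0' strings." also understates what the datasets check: most of them assert that `\0` is preserved in text content and in the align attribute and only the style-attribute and `<style>` cases strip it, so a more accurate summary is `Test that '\0' is kept in post content but stripped from style values.`. Every case goes through wp_kses() with $allowedposttags; there is no direct case for wp_kses_no_null() itself, so a dataset pinning its default 'remove' behaviour and the 'keep' option would cover the function this changeset actually modifies. The enclosing test class starts outside the hunk.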