Changeset 32860

Timestamp:

06/19/2015 06:46:11 PM (10 years ago)

Author:

wonderboymusic

Message:

Don't strip \0 (backslash+zero) from post content for users without "unfiltered_html"

Adds unit tests.

Props miqrogroove.
Fixes #28699.

Location:

trunk

Files:

• src/wp-includes/kses.php (modified) (2 diffs)
• tests/phpunit/tests/kses.php (modified) (1 diff)

trunk/src/wp-includes/kses.php

@@ -522 +522 @@
     if ( empty( $allowed_protocols ) )
         $allowed_protocols = wp_allowed_protocols();
-    $string = wp_kses_no_null($string);
+    $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
     $string = wp_kses_js_entities($string);
     $string = wp_kses_normalize_entities($string);
@@ -1045 +1045 @@
  *
  * @param string $string
+ * @param array $options Set 'slash_zero' => 'keep' when '\0' is allowed. Default is 'remove'.
  * @return string
  */
-function wp_kses_no_null($string) {
-    $string = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $string);
-    $string = preg_replace('/(\\\\0)+/', '', $string);
+function wp_kses_no_null( $string, $options = null ) {
+    if ( ! isset( $options['slash_zero'] ) ) {
+        $options = array( 'slash_zero' => 'remove' );
+    }
+
+    $string = preg_replace( '/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $string );
+    if ( 'remove' == $options['slash_zero'] ) {
+        $string = preg_replace( '/\\\\+0+/', '', $string );
+    }
 
     return $string;

trunk/tests/phpunit/tests/kses.php

@@ -412 +412 @@
         );
     }
+    
+    /**
+     * Test removal of '\0' strings.
+     *
+     * @ticket 28699
+     * @dataProvider data_slash_zero_removal
+     */
+    function test_slash_zero_removal( $input, $output ) {
+        global $allowedposttags;
+
+        return $this->assertEquals( $output, wp_kses( $input, $allowedposttags ) );
+    }
+    
+    function data_slash_zero_removal() {
+        return array(
+            array(
+                'This \\0 should be no big deal.',
+                'This \\0 should be no big deal.',
+            ),
+            array(
+                '<div>This \\0 should be no big deal.</div>',
+                '<div>This \\0 should be no big deal.</div>',
+            ),
+            array(
+                '<div align="\\0left">This should be no big deal.</div>',
+                '<div align="\\0left">This should be no big deal.</div>',
+            ),
+            array(
+                'This <div style="float:\\0left"> is more of a concern.',
+                'This <div style="float:left"> is more of a concern.',
+            ),
+            array(
+                'This <div style="float:\\0\\0left"> is more of a concern.',
+                'This <div style="float:left"> is more of a concern.',
+            ),
+            array(
+                'This <div style="float:\\\\00left"> is more of a concern.',
+                'This <div style="float:left"> is more of a concern.',
+            ),
+            array(
+                'This <div style="float:\\\\\\\\0000left"> is more of a concern.',
+                'This <div style="float:left"> is more of a concern.',
+            ),
+            array(
+                'This <div style="float:\\0000left"> is more of a concern.',
+                'This <div style="float:left"> is more of a concern.',
+            ),
+            array(
+                '<style type="text/css">div {background-image:\\0}</style>',
+                'div {background-image:\\0}',
+            ),
+        );
+    }
 }