Changeset 32860 for trunk/src/wp-includes/kses.php

Timestamp:

06/19/2015 06:46:11 PM (11 years ago)

Author:

wonderboymusic

Message:

Don't strip \0 (backslash+zero) from post content for users without "unfiltered_html"

Adds unit tests.

Props miqrogroove.
Fixes #28699.

File:

• trunk/src/wp-includes/kses.php (modified) (2 diffs)

trunk/src/wp-includes/kses.php

@@ -522 +522 @@
     if ( empty( $allowed_protocols ) )
         $allowed_protocols = wp_allowed_protocols();
-    $string = wp_kses_no_null($string);
+    $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
     $string = wp_kses_js_entities($string);
     $string = wp_kses_normalize_entities($string);
@@ -1045 +1045 @@
  *
  * @param string $string
+ * @param array $options Set 'slash_zero' => 'keep' when '\0' is allowed. Default is 'remove'.
  * @return string
  */
-function wp_kses_no_null($string) {
-    $string = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $string);
-    $string = preg_replace('/(\\\\0)+/', '', $string);
+function wp_kses_no_null( $string, $options = null ) {
+    if ( ! isset( $options['slash_zero'] ) ) {
+        $options = array( 'slash_zero' => 'remove' );
+    }
+
+    $string = preg_replace( '/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $string );
+    if ( 'remove' == $options['slash_zero'] ) {
+        $string = preg_replace( '/\\\\+0+/', '', $string );
+    }
 
     return $string;