Make WordPress Core


Ignore:
Timestamp:
07/23/2015 05:08:15 AM (9 years ago)
Author:
pento
Message:

Shortcodes: Improve the reliability of shortcodes inside HTML tags.

Merge of [33359] to the 3.8 branch.

Props miqrogroove.

See #15694.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • branches/3.8/src/wp-includes/kses.php

    r30428 r33388  
    488488
    /**
     * Filters one attribute only and ensures its value is allowed.
     *
     * This function has the advantage of being more secure than esc_attr() and can
     * escape data in some situations where wp_kses() must strip the whole attribute.
     *
     * Whitespace surrounding the attribute is preserved in the return value. When
     * the attribute is rejected by wp_kses_attr_check(), only that surrounding
     * whitespace is returned. When a quoted value is not terminated by the same
     * quote character, an empty string is returned.
     *
     * @since 4.2.3
     *
     * @param string $string The 'whole' attribute, including name and value.
     * @param string $element The element name to which the attribute belongs.
     * @return string Filtered attribute.
     */
    function wp_kses_one_attr( $string, $element ) {
        $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');
        $allowed_html = wp_kses_allowed_html( 'post' );
        $allowed_protocols = wp_allowed_protocols();
        $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
        $string = wp_kses_js_entities( $string );
        $string = wp_kses_normalize_entities( $string );

        // Preserve leading and trailing whitespace.
        // The trailing run is measured on what is left after the leading run has
        // been removed; otherwise a whitespace-only input would be captured twice
        // and returned doubled.
        $matches = array();
        preg_match( '/^\s*/', $string, $matches );
        $lead = $matches[0];
        // Cast: older PHP versions return false instead of '' for an empty result.
        $string = (string) substr( $string, strlen( $lead ) );
        preg_match( '/\s*$/', $string, $matches );
        $trail = $matches[0];
        if ( '' !== $trail ) {
            $string = substr( $string, 0, -strlen( $trail ) );
        }

        // Parse attribute name and value from input.
        $split = preg_split( '/\s*=\s*/', $string, 2 );
        $name = $split[0];
        if ( count( $split ) == 2 ) {
            $value = $split[1];

            // Remove quotes surrounding $value.
            // Also guarantee correct quoting in $string for this one attribute.
            if ( '' === $value ) {
                $quote = '';
            } else {
                $quote = $value[0];
            }
            if ( '"' === $quote || "'" === $quote ) {
                // The closing quote must be the same character as the opening one.
                if ( substr( $value, -1 ) !== $quote ) {
                    return '';
                }
                $value = substr( $value, 1, -1 );
            } else {
                // Unquoted (or empty) values are always emitted in double quotes.
                $quote = '"';
            }

            // Sanitize quotes and angle braces.
            // The final `false` keeps existing entities from being encoded twice.
            $value = htmlspecialchars( $value, ENT_QUOTES, null, false );

            // Sanitize URI values.
            if ( in_array( strtolower( $name ), $uris, true ) ) {
                $value = wp_kses_bad_protocol( $value, $allowed_protocols );
            }

            $string = "$name=$quote$value$quote";
            $vless = 'n';
        } else {
            // No '=' present: the attribute is valueless, like "enabled".
            $value = '';
            $vless = 'y';
        }

        // Sanitize attribute by name.
        // $name, $value and $string are passed by reference and are blanked when
        // the attribute is not allowed, so the return value can be ignored here.
        wp_kses_attr_check( $name, $value, $string, $vless, $element, $allowed_html );

        // Restore whitespace.
        return $lead . $string . $trail;
    }
     564
     565/**
    490566 * Return a list of allowed tags and attributes for a given context.
    491567 *
     
    684760    # in $attr2
    685761    $attr2 = '';
    686 
    687     $allowed_attr = $allowed_html[strtolower($element)];
    688     foreach ($attrarr as $arreach) {
    689         if ( ! isset( $allowed_attr[strtolower($arreach['name'])] ) )
    690             continue; # the attribute is not allowed
    691 
    692         $current = $allowed_attr[strtolower($arreach['name'])];
    693         if ( $current == '' )
    694             continue; # the attribute is not allowed
    695 
    696         if ( strtolower( $arreach['name'] ) == 'style' ) {
    697             $orig_value = $arreach['value'];
    698             $value = safecss_filter_attr( $orig_value );
    699 
    700             if ( empty( $value ) )
    701                 continue;
    702 
    703             $arreach['value'] = $value;
    704             $arreach['whole'] = str_replace( $orig_value, $value, $arreach['whole'] );
     762    foreach ( $attrarr as $arreach ) {
     763        if ( wp_kses_attr_check( $arreach['name'], $arreach['value'], $arreach['whole'], $arreach['vless'], $element, $allowed_html ) ) {
     764            $attr2 .= ' '.$arreach['whole'];
    705765        }
    706 
    707         if ( ! is_array($current) ) {
    708             $attr2 .= ' '.$arreach['whole'];
    709         # there are no checks
    710 
    711         } else {
    712             # there are some checks
    713             $ok = true;
    714             foreach ($current as $currkey => $currval) {
    715                 if ( ! wp_kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval) ) {
    716                     $ok = false;
    717                     break;
    718                 }
    719             }
    720 
    721             if ( $ok )
    722                 $attr2 .= ' '.$arreach['whole']; # it passed them
    723         } # if !is_array($current)
    724     } # foreach
     766    }
    725767
    726768    # Remove any "<" or ">" characters
     
    728770
    729771    return "<$element$attr2$xhtml_slash>";
     772}
     773
     774/**
     775 * Determine whether an attribute is allowed.
     776 *
     777 * @since 4.2.3
     778 *
     779 * @param string $name The attribute name. Returns empty string when not allowed.
     780 * @param string $value The attribute value. Returns a filtered value.
     781 * @param string $whole The name=value input. Returns filtered input.
     782 * @param string $vless 'y' when attribute like "enabled", otherwise 'n'.
     783 * @param string $element The name of the element to which this attribute belongs.
     784 * @param array $allowed_html The full list of allowed elements and attributes.
     785 * @return bool Is the attribute allowed?
     786 */
     787function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowed_html ) {
     788    $allowed_attr = $allowed_html[strtolower( $element )];
     789
     790    $name_low = strtolower( $name );
     791    if ( ! isset( $allowed_attr[$name_low] ) || '' == $allowed_attr[$name_low] ) {
     792        $name = $value = $whole = '';
     793        return false;
     794    }
     795
     796    if ( 'style' == $name_low ) {
     797        $new_value = safecss_filter_attr( $value );
     798
     799        if ( empty( $new_value ) ) {
     800            $name = $value = $whole = '';
     801            return false;
     802        }
     803
     804        $whole = str_replace( $value, $new_value, $whole );
     805        $value = $new_value;
     806    }
     807
     808    if ( is_array( $allowed_attr[$name_low] ) ) {
     809        // there are some checks
     810        foreach ( $allowed_attr[$name_low] as $currkey => $currval ) {
     811            if ( ! wp_kses_check_attr_val( $value, $vless, $currkey, $currval ) ) {
     812                $name = $value = $whole = '';
     813                return false;
     814            }
     815        }
     816    }
     817
     818    return true;
    730819}
    731820
     
    857946
    858947    return $attrarr;
     948}
     949
     950/**
     951 * Finds all attributes of an HTML element.
     952 *
     953 * Does not modify input.  May return "evil" output.
     954 *
     955 * Based on wp_kses_split2() and wp_kses_attr()
     956 *
     957 * @since 4.2.3
     958 *
     959 * @param string $element HTML element/tag
     960 * @return array|bool List of attributes found in $element. Returns false on failure.
     961 */
     962function wp_kses_attr_parse( $element ) {
     963    $valid = preg_match('%^(<\s*)(/\s*)?([a-zA-Z0-9]+\s*)([^>]*)(>?)$%', $element, $matches);
     964    if ( 1 !== $valid ) {
     965        return false;
     966    }
     967
     968    $begin =  $matches[1];
     969    $slash =  $matches[2];
     970    $elname = $matches[3];
     971    $attr =   $matches[4];
     972    $end =    $matches[5];
     973
     974    if ( '' !== $slash ) {
     975        // Closing elements do not get parsed.
     976        return false;
     977    }
     978
     979    // Is there a closing XHTML slash at the end of the attributes?
     980    if ( 1 === preg_match( '%\s*/\s*$%', $attr, $matches ) ) {
     981        $xhtml_slash = $matches[0];
     982        $attr = substr( $attr, 0, -strlen( $xhtml_slash ) );
     983    } else {
     984        $xhtml_slash = '';
     985    }
     986   
     987    // Split it
     988    $attrarr = wp_kses_hair_parse( $attr );
     989    if ( false === $attrarr ) {
     990        return false;
     991    }
     992
     993    // Make sure all input is returned by adding front and back matter.
     994    array_unshift( $attrarr, $begin . $slash . $elname );
     995    array_push( $attrarr, $xhtml_slash . $end );
     996   
     997    return $attrarr;
     998}
     999
     1000/**
     1001 * Builds an attribute list from string containing attributes.
     1002 *
     1003 * Does not modify input.  May return "evil" output.
     1004 * In case of unexpected input, returns false instead of stripping things.
     1005 *
     1006 * Based on wp_kses_hair() but does not return a multi-dimensional array.
     1007 *
     1008 * @since 4.2.3
     1009 *
     1010 * @param string $attr Attribute list from HTML element to closing HTML element tag
     1011 * @return array|bool List of attributes found in $attr. Returns false on failure.
     1012 */
     1013function wp_kses_hair_parse( $attr ) {
     1014    if ( '' === $attr ) {
     1015        return array();
     1016    }
     1017
     1018    $regex =
     1019      '(?:'
     1020    .     '[-a-zA-Z:]+'   // Attribute name.
     1021    . '|'
     1022    .     '\[\[?[^\[\]]+\]\]?' // Shortcode in the name position implies unfiltered_html.
     1023    . ')'
     1024    . '(?:'               // Attribute value.
     1025    .     '\s*=\s*'       // All values begin with '='
     1026    .     '(?:'
     1027    .         '"[^"]*"'   // Double-quoted
     1028    .     '|'
     1029    .         "'[^']*'"   // Single-quoted
     1030    .     '|'
     1031    .         '[^\s"\']+' // Non-quoted
     1032    .         '(?:\s|$)'  // Must have a space
     1033    .     ')'
     1034    . '|'
     1035    .     '(?:\s|$)'      // If attribute has no value, space is required.
     1036    . ')'
     1037    . '\s*';              // Trailing space is optional except as mentioned above.
     1038
     1039    // Although it is possible to reduce this procedure to a single regexp,
     1040    // we must run that regexp twice to get exactly the expected result.
     1041
     1042    $validation = "%^($regex)+$%";
     1043    $extraction = "%$regex%";
     1044
     1045    if ( 1 === preg_match( $validation, $attr ) ) {
     1046        preg_match_all( $extraction, $attr, $attrarr );
     1047        return $attrarr[0];
     1048    } else {
     1049        return false;
     1050    }
    8591051}
    8601052
Note: See TracChangeset for help on using the changeset viewer.