Changeset 33389
- Timestamp:
- 07/23/2015 05:14:09 AM (9 years ago)
- Location:
- branches/3.7
- Files:
-
- 1 added
- 6 edited
branches/3.7/src/wp-includes/class-wp-embed.php
r25868 r33389 58 58 59 59 // Do the shortcode (only the [embed] one is registered) 60 $content = do_shortcode( $content );60 $content = do_shortcode( $content, true ); 61 61 62 62 // Put the original shortcodes back … … 281 281 */ 282 282 function autoembed( $content ) { 283 // Strip newlines from all elements. 284 $content = wp_replace_in_html_tags( $content, array( "\n" => " " ) ); 285 286 // Find URLs that are on their own line. 283 287 return preg_replace_callback( '|^\s*(https?://[^\s"]+)\s*$|im', array( $this, 'autoembed_callback' ), $content ); 284 288 } -
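Review bot: The new `wp_replace_in_html_tags` call at the top of `autoembed()` (line 284) needs a why-comment, because "Strip newlines from all elements." says what it does but not why it matters for the `preg_replace_callback` that follows. Presumably the point is that with the `m` modifier `^` and `$` match at every line break, so a URL that sits on its own line inside a multi-line tag (for example in an attribute) would otherwise be matched and replaced as a standalone embed; suggest `// Strip newlines from all elements so that a URL inside a multi-line tag is not mistaken for a URL on its own line by the multiline regex below.` The `do_shortcode( $content, true )` change at line 60 sits in a method whose start and end are outside the hunk.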
branches/3.7/src/wp-includes/formatting.php
r32192 r33389 234 234 $pee = preg_replace('!(</' . $allblocks . '>)!', "$1\n\n", $pee); 235 235 $pee = str_replace(array("\r\n", "\r"), "\n", $pee); // cross-platform newlines 236 237 // Strip newlines from all elements. 238 $pee = wp_replace_in_html_tags( $pee, array( "\n" => " " ) ); 239 236 240 if ( strpos($pee, '<object') !== false ) { 237 241 $pee = preg_replace('|\s*<param([^>]*)>\s*|', "<param$1>", $pee); // no pee inside object/embed … … 265 269 266 270 return $pee; 271 } 272 273 /** 274 * Replace characters or phrases within HTML elements only. 275 * 276 * @since 4.2.3 277 * 278 * @param string $haystack The text which has to be formatted. 279 * @param array $replace_pairs In the form array('from' => 'to', ...). 280 * @return string The formatted text. 281 */ 282 function wp_replace_in_html_tags( $haystack, $replace_pairs ) { 283 // Find all elements. 284 $comments = 285 '!' // Start of comment, after the <. 286 . '(?:' // Unroll the loop: Consume everything until --> is found. 287 . '-(?!->)' // Dash not followed by end of comment. 288 . '[^\-]*+' // Consume non-dashes. 289 . ')*+' // Loop possessively. 290 . '(?:-->)?'; // End of comment. If not found, match all input. 291 292 $regex = 293 '/(' // Capture the entire match. 294 . '<' // Find start of element. 295 . '(?(?=!--)' // Is this a comment? 296 . $comments // Find end of comment. 297 . '|' 298 . '[^>]*>?' // Find end of element. If not found, match all input. 299 . ')' 300 . ')/s'; 301 302 $textarr = preg_split( $regex, $haystack, -1, PREG_SPLIT_DELIM_CAPTURE ); 303 $changed = false; 304 305 // Optimize when searching for one item. 306 if ( 1 === count( $replace_pairs ) ) { 307 // Extract $needle and $replace. 308 foreach ( $replace_pairs as $needle => $replace ); 309 310 // Loop through delimeters (elements) only. 
311 for ( $i = 1, $c = count( $textarr ); $i < $c; $i += 2 ) { 312 if ( false !== strpos( $textarr[$i], $needle ) ) { 313 $textarr[$i] = str_replace( $needle, $replace, $textarr[$i] ); 314 $changed = true; 315 } 316 } 317 } else { 318 // Extract all $needles. 319 $needles = array_keys( $replace_pairs ); 320 321 // Loop through delimeters (elements) only. 322 for ( $i = 1, $c = count( $textarr ); $i < $c; $i += 2 ) { 323 foreach ( $needles as $needle ) { 324 if ( false !== strpos( $textarr[$i], $needle ) ) { 325 $textarr[$i] = strtr( $textarr[$i], $replace_pairs ); 326 $changed = true; 327 // After one strtr() break out of the foreach loop and look at next element. 328 break; 329 } 330 } 331 } 332 } 333 334 if ( $changed ) { 335 $haystack = implode( $textarr ); 336 } 337 338 return $haystack; 267 339 } 268 340 -
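Review bot: The one-pair fast path in `wp_replace_in_html_tags()` extracts `$needle` and `$replace` with an empty-bodied `foreach ( $replace_pairs as $needle => $replace );` (line 308), which reads like a missing block and will trip lint rules; `$needle = key( $replace_pairs ); $replace = current( $replace_pairs );` states the same thing explicitly. Both loops also call `strpos()` with a caller-supplied needle, and on pre-8 PHP an empty needle raises a warning instead of matching, so either the `@param` line should say keys must be non-empty or empty needles should be skipped. The comment typo `delimeters` (lines 310 and 321) should read `delimiters`. The `wpautop()` change at line 238 is in a function whose start is outside the hunk.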
branches/3.7/src/wp-includes/kses.php
r30429 r33389 486 486 487 487 /** 488 * Filters one attribute only and ensures its value is allowed. 489 * 490 * This function has the advantage of being more secure than esc_attr() and can 491 * escape data in some situations where wp_kses() must strip the whole attribute. 492 * 493 * @since 4.2.3 494 * 495 * @param string $string The 'whole' attribute, including name and value. 496 * @param string $element The element name to which the attribute belongs. 497 * @return string Filtered attribute. 498 */ 499 function wp_kses_one_attr( $string, $element ) { 500 $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action'); 501 $allowed_html = wp_kses_allowed_html( 'post' ); 502 $allowed_protocols = wp_allowed_protocols(); 503 $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) ); 504 $string = wp_kses_js_entities( $string ); 505 $string = wp_kses_normalize_entities( $string ); 506 507 // Preserve leading and trailing whitespace. 508 $matches = array(); 509 preg_match('/^\s*/', $string, $matches); 510 $lead = $matches[0]; 511 preg_match('/\s*$/', $string, $matches); 512 $trail = $matches[0]; 513 if ( empty( $trail ) ) { 514 $string = substr( $string, strlen( $lead ) ); 515 } else { 516 $string = substr( $string, strlen( $lead ), -strlen( $trail ) ); 517 } 518 519 // Parse attribute name and value from input. 520 $split = preg_split( '/\s*=\s*/', $string, 2 ); 521 $name = $split[0]; 522 if ( count( $split ) == 2 ) { 523 $value = $split[1]; 524 525 // Remove quotes surrounding $value. 526 // Also guarantee correct quoting in $string for this one attribute. 527 if ( '' == $value ) { 528 $quote = ''; 529 } else { 530 $quote = $value[0]; 531 } 532 if ( '"' == $quote || "'" == $quote ) { 533 if ( substr( $value, -1 ) != $quote ) { 534 return ''; 535 } 536 $value = substr( $value, 1, -1 ); 537 } else { 538 $quote = '"'; 539 } 540 541 // Sanitize quotes and angle braces. 
542 $value = htmlspecialchars( $value, ENT_QUOTES, null, false ); 543 544 // Sanitize URI values. 545 if ( in_array( strtolower( $name ), $uris ) ) { 546 $value = wp_kses_bad_protocol( $value, $allowed_protocols ); 547 } 548 549 $string = "$name=$quote$value$quote"; 550 $vless = 'n'; 551 } else { 552 $value = ''; 553 $vless = 'y'; 554 } 555 556 // Sanitize attribute by name. 557 wp_kses_attr_check( $name, $value, $string, $vless, $element, $allowed_html ); 558 559 // Restore whitespace. 560 return $lead . $string . $trail; 561 } 562 563 /** 488 564 * Return a list of allowed tags and attributes for a given context. 489 565 * … … 682 758 # in $attr2 683 759 $attr2 = ''; 684 685 $allowed_attr = $allowed_html[strtolower($element)]; 686 foreach ($attrarr as $arreach) { 687 if ( ! isset( $allowed_attr[strtolower($arreach['name'])] ) ) 688 continue; # the attribute is not allowed 689 690 $current = $allowed_attr[strtolower($arreach['name'])]; 691 if ( $current == '' ) 692 continue; # the attribute is not allowed 693 694 if ( strtolower( $arreach['name'] ) == 'style' ) { 695 $orig_value = $arreach['value']; 696 $value = safecss_filter_attr( $orig_value ); 697 698 if ( empty( $value ) ) 699 continue; 700 701 $arreach['value'] = $value; 702 $arreach['whole'] = str_replace( $orig_value, $value, $arreach['whole'] ); 760 foreach ( $attrarr as $arreach ) { 761 if ( wp_kses_attr_check( $arreach['name'], $arreach['value'], $arreach['whole'], $arreach['vless'], $element, $allowed_html ) ) { 762 $attr2 .= ' '.$arreach['whole']; 703 763 } 704 705 if ( ! is_array($current) ) { 706 $attr2 .= ' '.$arreach['whole']; 707 # there are no checks 708 709 } else { 710 # there are some checks 711 $ok = true; 712 foreach ($current as $currkey => $currval) { 713 if ( ! 
wp_kses_check_attr_val($arreach['value'], $arreach['vless'], $currkey, $currval) ) { 714 $ok = false; 715 break; 716 } 717 } 718 719 if ( $ok ) 720 $attr2 .= ' '.$arreach['whole']; # it passed them 721 } # if !is_array($current) 722 } # foreach 764 } 723 765 724 766 # Remove any "<" or ">" characters … … 726 768 727 769 return "<$element$attr2$xhtml_slash>"; 770 } 771 772 /** 773 * Determine whether an attribute is allowed. 774 * 775 * @since 4.2.3 776 * 777 * @param string $name The attribute name. Returns empty string when not allowed. 778 * @param string $value The attribute value. Returns a filtered value. 779 * @param string $whole The name=value input. Returns filtered input. 780 * @param string $vless 'y' when attribute like "enabled", otherwise 'n'. 781 * @param string $element The name of the element to which this attribute belongs. 782 * @param array $allowed_html The full list of allowed elements and attributes. 783 * @return bool Is the attribute allowed? 784 */ 785 function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowed_html ) { 786 $allowed_attr = $allowed_html[strtolower( $element )]; 787 788 $name_low = strtolower( $name ); 789 if ( ! isset( $allowed_attr[$name_low] ) || '' == $allowed_attr[$name_low] ) { 790 $name = $value = $whole = ''; 791 return false; 792 } 793 794 if ( 'style' == $name_low ) { 795 $new_value = safecss_filter_attr( $value ); 796 797 if ( empty( $new_value ) ) { 798 $name = $value = $whole = ''; 799 return false; 800 } 801 802 $whole = str_replace( $value, $new_value, $whole ); 803 $value = $new_value; 804 } 805 806 if ( is_array( $allowed_attr[$name_low] ) ) { 807 // there are some checks 808 foreach ( $allowed_attr[$name_low] as $currkey => $currval ) { 809 if ( ! 
wp_kses_check_attr_val( $value, $vless, $currkey, $currval ) ) { 810 $name = $value = $whole = ''; 811 return false; 812 } 813 } 814 } 815 816 return true; 728 817 } 729 818 … … 855 944 856 945 return $attrarr; 946 } 947 948 /** 949 * Finds all attributes of an HTML element. 950 * 951 * Does not modify input. May return "evil" output. 952 * 953 * Based on wp_kses_split2() and wp_kses_attr() 954 * 955 * @since 4.2.3 956 * 957 * @param string $element HTML element/tag 958 * @return array|bool List of attributes found in $element. Returns false on failure. 959 */ 960 function wp_kses_attr_parse( $element ) { 961 $valid = preg_match('%^(<\s*)(/\s*)?([a-zA-Z0-9]+\s*)([^>]*)(>?)$%', $element, $matches); 962 if ( 1 !== $valid ) { 963 return false; 964 } 965 966 $begin = $matches[1]; 967 $slash = $matches[2]; 968 $elname = $matches[3]; 969 $attr = $matches[4]; 970 $end = $matches[5]; 971 972 if ( '' !== $slash ) { 973 // Closing elements do not get parsed. 974 return false; 975 } 976 977 // Is there a closing XHTML slash at the end of the attributes? 978 if ( 1 === preg_match( '%\s*/\s*$%', $attr, $matches ) ) { 979 $xhtml_slash = $matches[0]; 980 $attr = substr( $attr, 0, -strlen( $xhtml_slash ) ); 981 } else { 982 $xhtml_slash = ''; 983 } 984 985 // Split it 986 $attrarr = wp_kses_hair_parse( $attr ); 987 if ( false === $attrarr ) { 988 return false; 989 } 990 991 // Make sure all input is returned by adding front and back matter. 992 array_unshift( $attrarr, $begin . $slash . $elname ); 993 array_push( $attrarr, $xhtml_slash . $end ); 994 995 return $attrarr; 996 } 997 998 /** 999 * Builds an attribute list from string containing attributes. 1000 * 1001 * Does not modify input. May return "evil" output. 1002 * In case of unexpected input, returns false instead of stripping things. 1003 * 1004 * Based on wp_kses_hair() but does not return a multi-dimensional array. 
1005 * 1006 * @since 4.2.3 1007 * 1008 * @param string $attr Attribute list from HTML element to closing HTML element tag 1009 * @return array|bool List of attributes found in $attr. Returns false on failure. 1010 */ 1011 function wp_kses_hair_parse( $attr ) { 1012 if ( '' === $attr ) { 1013 return array(); 1014 } 1015 1016 $regex = 1017 '(?:' 1018 . '[-a-zA-Z:]+' // Attribute name. 1019 . '|' 1020 . '\[\[?[^\[\]]+\]\]?' // Shortcode in the name position implies unfiltered_html. 1021 . ')' 1022 . '(?:' // Attribute value. 1023 . '\s*=\s*' // All values begin with '=' 1024 . '(?:' 1025 . '"[^"]*"' // Double-quoted 1026 . '|' 1027 . "'[^']*'" // Single-quoted 1028 . '|' 1029 . '[^\s"\']+' // Non-quoted 1030 . '(?:\s|$)' // Must have a space 1031 . ')' 1032 . '|' 1033 . '(?:\s|$)' // If attribute has no value, space is required. 1034 . ')' 1035 . '\s*'; // Trailing space is optional except as mentioned above. 1036 1037 // Although it is possible to reduce this procedure to a single regexp, 1038 // we must run that regexp twice to get exactly the expected result. 1039 1040 $validation = "%^($regex)+$%"; 1041 $extraction = "%$regex%"; 1042 1043 if ( 1 === preg_match( $validation, $attr ) ) { 1044 preg_match_all( $extraction, $attr, $attrarr ); 1045 return $attrarr[0]; 1046 } else { 1047 return false; 1048 } 857 1049 } 858 1050 -
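Review bot: `wp_kses_attr_check()` reads `$allowed_html[strtolower( $element )]` (line 786) without checking that the element key exists, and its new caller `wp_kses_one_attr()` passes along whatever element name it was given, so an element absent from the `'post'` allow-list produces an undefined-index notice before the attribute is (correctly) rejected. A guard ahead of that line such as `if ( ! isset( $allowed_html[ strtolower( $element ) ] ) ) { $name = $value = $whole = ''; return false; }` keeps the rejection and drops the notice. In `wp_kses_one_attr()` the boolean from `wp_kses_attr_check()` is discarded (line 557) and the result relies on `$string` having been cleared by reference; a comment such as `// On rejection wp_kses_attr_check() clears $string by reference, so only $lead and $trail are returned.` would make that intent explicit. The `style` branch at line 802 replaces `$value` inside `$whole` with `str_replace()`, which rewrites every occurrence rather than only the value portion; that is carried over from the old code at line 702, so a comment noting the assumption that the value does not also appear in the name is enough here.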
branches/3.7/src/wp-includes/shortcodes.php
r25881 r33389 177 177 * 178 178 * @param string $content Content to search for shortcodes 179 * @param bool $ignore_html When true, shortcodes inside HTML elements will be skipped. 179 180 * @return string Content with shortcodes filtered out. 180 181 */ 181 function do_shortcode($content) { 182 global $shortcode_tags; 182 function do_shortcode( $content, $ignore_html = false ) { 183 global $shortcode_tags; 184 185 if ( false === strpos( $content, '[' ) ) { 186 return $content; 187 } 183 188 184 189 if (empty($shortcode_tags) || !is_array($shortcode_tags)) 185 190 return $content; 186 191 192 $tagnames = array_keys($shortcode_tags); 193 $tagregexp = join( '|', array_map('preg_quote', $tagnames) ); 194 $pattern = "/\\[($tagregexp)/s"; 195 196 if ( 1 !== preg_match( $pattern, $content ) ) { 197 // Avoids parsing HTML when there are no shortcodes or embeds anyway. 198 return $content; 199 } 200 201 $content = do_shortcodes_in_html_tags( $content, $ignore_html ); 202 187 203 $pattern = get_shortcode_regex(); 188 return preg_replace_callback( "/$pattern/s", 'do_shortcode_tag', $content ); 204 $content = preg_replace_callback( "/$pattern/s", 'do_shortcode_tag', $content ); 205 206 // Always restore square braces so we don't break things like <!--[if IE ]> 207 $content = unescape_invalid_shortcodes( $content ); 208 209 return $content; 189 210 } 190 211 … … 279 300 280 301 /** 302 * Search only inside HTML elements for shortcodes and process them. 303 * 304 * Any [ or ] characters remaining inside elements will be HTML encoded 305 * to prevent interference with shortcodes that are outside the elements. 306 * Assumes $content processed by KSES already. Users with unfiltered_html 307 * capability may get unexpected output if angle braces are nested in tags. 308 * 309 * @since 4.2.3 310 * 311 * @param string $content Content to search for shortcodes 312 * @param bool $ignore_html When true, all square braces inside elements will be encoded. 
313 * @return string Content with shortcodes filtered out. 314 */ 315 function do_shortcodes_in_html_tags( $content, $ignore_html ) { 316 // Normalize entities in unfiltered HTML before adding placeholders. 317 $trans = array( '[' => '[', ']' => ']' ); 318 $content = strtr( $content, $trans ); 319 $trans = array( '[' => '[', ']' => ']' ); 320 321 $pattern = get_shortcode_regex(); 322 323 $comment_regex = 324 '!' // Start of comment, after the <. 325 . '(?:' // Unroll the loop: Consume everything until --> is found. 326 . '-(?!->)' // Dash not followed by end of comment. 327 . '[^\-]*+' // Consume non-dashes. 328 . ')*+' // Loop possessively. 329 . '(?:-->)?'; // End of comment. If not found, match all input. 330 331 $regex = 332 '/(' // Capture the entire match. 333 . '<' // Find start of element. 334 . '(?(?=!--)' // Is this a comment? 335 . $comment_regex // Find end of comment. 336 . '|' 337 . '[^>]*>?' // Find end of element. If not found, match all input. 338 . ')' 339 . ')/s'; 340 341 $textarr = preg_split( $regex, $content, -1, PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY ); 342 343 foreach ( $textarr as &$element ) { 344 if ( '<' !== $element[0] ) { 345 continue; 346 } 347 348 $noopen = false === strpos( $element, '[' ); 349 $noclose = false === strpos( $element, ']' ); 350 if ( $noopen || $noclose ) { 351 // This element does not contain shortcodes. 352 if ( $noopen xor $noclose ) { 353 // Need to encode stray [ or ] chars. 354 $element = strtr( $element, $trans ); 355 } 356 continue; 357 } 358 359 if ( $ignore_html || '<!--' === substr( $element, 0, 4 ) ) { 360 // Encode all [ and ] chars. 361 $element = strtr( $element, $trans ); 362 continue; 363 } 364 365 $attributes = wp_kses_attr_parse( $element ); 366 if ( false === $attributes ) { 367 // Looks like we found some crazy unfiltered HTML. Skipping it for sanity. 
368 $element = strtr( $element, $trans ); 369 continue; 370 } 371 372 // Get element name 373 $front = array_shift( $attributes ); 374 $back = array_pop( $attributes ); 375 $matches = array(); 376 preg_match('%[a-zA-Z0-9]+%', $front, $matches); 377 $elname = $matches[0]; 378 379 // Look for shortcodes in each attribute separately. 380 foreach ( $attributes as &$attr ) { 381 $open = strpos( $attr, '[' ); 382 $close = strpos( $attr, ']' ); 383 if ( false === $open || false === $close ) { 384 continue; // Go to next attribute. Square braces will be escaped at end of loop. 385 } 386 $double = strpos( $attr, '"' ); 387 $single = strpos( $attr, "'" ); 388 if ( ( false === $single || $open < $single ) && ( false === $double || $open < $double ) ) { 389 // $attr like '[shortcode]' or 'name = [shortcode]' implies unfiltered_html. 390 // In this specific situation we assume KSES did not run because the input 391 // was written by an administrator, so we should avoid changing the output 392 // and we do not need to run KSES here. 393 $attr = preg_replace_callback( "/$pattern/s", 'do_shortcode_tag', $attr ); 394 } else { 395 // $attr like 'name = "[shortcode]"' or "name = '[shortcode]'" 396 // We do not know if $content was unfiltered. Assume KSES ran before shortcodes. 397 $count = 0; 398 $new_attr = preg_replace_callback( "/$pattern/s", 'do_shortcode_tag', $attr, -1, $count ); 399 if ( $count > 0 ) { 400 // Sanitize the shortcode output using KSES. 401 $new_attr = wp_kses_one_attr( $new_attr, $elname ); 402 if ( '' !== $new_attr ) { 403 // The shortcode is safe to use now. 404 $attr = $new_attr; 405 } 406 } 407 } 408 } 409 $element = $front . implode( '', $attributes ) . $back; 410 411 // Now encode any remaining [ or ] chars. 412 $element = strtr( $element, $trans ); 413 } 414 415 $content = implode( '', $textarr ); 416 417 return $content; 418 } 419 420 /** 421 * Remove placeholders added by do_shortcodes_in_html_tags(). 
422 * 423 * @since 4.2.3 424 * 425 * @param string $content Content to search for placeholders. 426 * @return string Content with placeholders removed. 427 */ 428 function unescape_invalid_shortcodes( $content ) { 429 // Clean up entire string, avoids re-parsing HTML. 430 $trans = array( '[' => '[', ']' => ']' ); 431 $content = strtr( $content, $trans ); 432 433 return $content; 434 } 435 436 /** 281 437 * Retrieve all attributes from the shortcodes tag. 282 438 * … … 372 528 return $content; 373 529 530 $content = do_shortcodes_in_html_tags( $content, true ); 531 374 532 $pattern = get_shortcode_regex(); 375 376 return preg_replace_callback( "/$pattern/s", 'strip_shortcode_tag', $content ); 533 $content = preg_replace_callback( "/$pattern/s", 'strip_shortcode_tag', $content ); 534 535 // Always restore square braces so we don't break things like <!--[if IE ]> 536 $content = unescape_invalid_shortcodes( $content ); 537 538 return $content; 377 539 } 378 540 -
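Review bot: Both reference loops in `do_shortcodes_in_html_tags()` — `foreach ( $textarr as &$element )` (line 343) and the inner `foreach ( $attributes as &$attr )` (line 380) — leave `$element` and `$attr` bound to the last array slot after the loop ends, and neither is released; add `unset( $attr );` after the inner loop and `unset( $element );` before the `implode()` on line 415 so a later edit cannot silently overwrite the last element. As rendered here the two `$trans` maps on lines 317 and 319, and the one in `unescape_invalid_shortcodes()` at line 430, read as mapping `[` to `[`, which would make the first `strtr()` a no-op and contradicts the "Normalize entities" comment; this looks like the page having decoded numeric entities, so the raw source should be checked to confirm that the first map rewrites pre-existing entity forms, the second replaces literal brackets with entities, and the unescape step maps only those entities back. In `do_shortcode()` the `$tagregexp` built with `array_map('preg_quote', $tagnames)` (line 193) does not pass the `/` delimiter used by `$pattern`, so a registered tag name containing `/` would break the regex; quoting each tag with `preg_quote( $tag, '/' )` is safer, though such tag names are presumably uncommon.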
branches/3.7/tests/phpunit/tests/kses.php
r25002 r33389 360 360 $this->assertEquals( $allowedtags, wp_kses_allowed_html( 'data' ) ); 361 361 } 362 363 /** 364 * Test new function wp_kses_hair_parse(). 365 * 366 * @dataProvider data_hair_parse 367 */ 368 function test_hair_parse( $input, $output ) { 369 return $this->assertEquals( $output, wp_kses_hair_parse( $input ) ); 370 } 371 372 function data_hair_parse() { 373 return array( 374 array( 375 'title="hello" href="#" id="my_id" ', 376 array( 'title="hello" ', 'href="#" ', 'id="my_id" ' ), 377 ), 378 array( 379 '[shortcode attr="value"] href="http://www.google.com/"title="moo"disabled', 380 array( '[shortcode attr="value"] ', 'href="http://www.google.com/"', 'title="moo"', 'disabled' ), 381 ), 382 array( 383 '', 384 array(), 385 ), 386 array( 387 'a', 388 array( 'a' ), 389 ), 390 array( 391 'title="hello"disabled href=# id=\'my_id\'', 392 array( 'title="hello"', 'disabled ', 'href=# ', "id='my_id'" ), 393 ), 394 array( 395 ' ', // Calling function is expected to strip leading whitespace. 396 false, 397 ), 398 array( 399 'abcd=abcd"abcd"', 400 false, 401 ), 402 array( 403 "array[1]='z'z'z'z", 404 false, 405 ), 406 ); 407 } 408 409 /** 410 * Test new function wp_kses_attr_parse(). 
411 * 412 * @dataProvider data_attr_parse 413 */ 414 function test_attr_parse( $input, $output ) { 415 return $this->assertEquals( $output, wp_kses_attr_parse( $input ) ); 416 } 417 418 function data_attr_parse() { 419 return array( 420 array( 421 '<a title="hello" href="#" id="my_id" >', 422 array( '<a ', 'title="hello" ', 'href="#" ', 'id="my_id" ', '>' ), 423 ), 424 array( 425 '<a [shortcode attr="value"] href="http://www.google.com/"title="moo"disabled>', 426 array( '<a ', '[shortcode attr="value"] ', 'href="http://www.google.com/"', 'title="moo"', 'disabled', '>' ), 427 ), 428 array( 429 '', 430 false, 431 ), 432 array( 433 'a', 434 false, 435 ), 436 array( 437 '<a>', 438 array( '<a', '>' ), 439 ), 440 array( 441 '<a%%&&**>', 442 false, 443 ), 444 array( 445 '<a title="hello"disabled href=# id=\'my_id\'>', 446 array( '<a ', 'title="hello"', 'disabled ', 'href=# ', "id='my_id'", ">" ), 447 ), 448 array( 449 '<a >', 450 array( '<a ', '>' ), 451 ), 452 array( 453 '<a abcd=abcd"abcd">', 454 false, 455 ), 456 array( 457 "<a array[1]='z'z'z'z>", 458 false, 459 ), 460 array( 461 '<img title="hello" src="#" id="my_id" />', 462 array( '<img ', 'title="hello" ', 'src="#" ', 'id="my_id"', ' />' ), 463 ), 464 ); 465 } 466 467 /** 468 * Test new function wp_kses_one_attr(). 
469 * 470 * @dataProvider data_one_attr 471 */ 472 function test_one_attr( $element, $input, $output ) { 473 return $this->assertEquals( $output, wp_kses_one_attr( $input, $element ) ); 474 } 475 476 function data_one_attr() { 477 return array( 478 array( 479 'a', 480 ' title="hello" ', 481 ' title="hello" ', 482 ), 483 array( 484 'a', 485 'title = "hello"', 486 'title="hello"', 487 ), 488 array( 489 'a', 490 "title='hello'", 491 "title='hello'", 492 ), 493 array( 494 'a', 495 'title=hello', 496 'title="hello"', 497 ), 498 array( 499 'a', 500 'href="javascript:alert(1)"', 501 'href="alert(1)"', 502 ), 503 array( 504 'a', 505 'style ="style "', 506 'style="style"', 507 ), 508 array( 509 'a', 510 'style="style "', 511 'style="style"', 512 ), 513 array( 514 'a', 515 'style ="style ="', 516 '', 517 ), 518 array( 519 'img', 520 'src="mypic.jpg"', 521 'src="mypic.jpg"', 522 ), 523 array( 524 'img', 525 'onerror=alert(1)', 526 '', 527 ), 528 array( 529 'img', 530 'title=>', 531 'title=">"', 532 ), 533 array( 534 'img', 535 'title="&garbage";"', 536 'title="&garbage";"', 537 ), 538 ); 539 } 362 540 } -
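Review bot: `test_hair_parse()`, `test_attr_parse()` and `test_one_attr()` `return` the result of `$this->assertEquals()` (lines 369, 415, 473); the return value is unused, so the bare `$this->assertEquals( ... );` is the conventional form. `data_one_attr()` covers whitespace preservation only for an accepted attribute (`' title="hello" '`); since `wp_kses_one_attr()` returns `$lead . $string . $trail` even when the attribute is rejected, a case such as `array( 'img', ' onerror=alert(1) ', '  ' )` would pin that the surrounding whitespace is kept while the attribute itself is dropped. The enclosing test class starts outside the hunk.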
branches/3.7/tests/phpunit/tests/shortcode.php
r32151 r33389 374 374 } 375 375 376 /** 377 * Check for bugginess using normal input with latest patches. 378 * 379 * @dataProvider data_escaping 380 */ 381 function test_escaping( $input, $output ) { 382 return $this->assertEquals( $output, do_shortcode( $input ) ); 383 } 384 385 function data_escaping() { 386 return array( 387 array( 388 '<!--[if lt IE 7]>', 389 '<!--[if lt IE 7]>', 390 ), 391 array( 392 '[gallery title="<div>hello</div>"]', 393 '', 394 ), 395 array( 396 '[caption caption="test" width="2"]<div>hello</div>[/caption]', 397 '<div style="width: 12px" class="wp-caption alignnone"><div>hello</div><p class="wp-caption-text">test</p></div>', 398 ), 399 array( 400 '<div [gallery]>', 401 '<div >', 402 ), 403 array( 404 '<div [[gallery]]>', 405 '<div [gallery]>', 406 ), 407 array( 408 '[gallery]<div>Hello</div>[/gallery]', 409 '', 410 ), 411 ); 412 } 413 414 /** 415 * Check for bugginess using normal input with latest patches. 416 * 417 * @dataProvider data_escaping2 418 */ 419 function test_escaping2( $input, $output ) { 420 return $this->assertEquals( $output, strip_shortcodes( $input ) ); 421 } 422 423 function data_escaping2() { 424 return array( 425 array( 426 '<!--[if lt IE 7]>', 427 '<!--[if lt IE 7]>', 428 ), 429 array( 430 '[gallery title="<div>hello</div>"]', 431 '', 432 ), 433 array( 434 '[caption caption="test" width="2"]<div>hello</div>[/caption]', 435 '', 436 ), 437 array( 438 '<div [gallery]>', // Shortcodes will never be stripped inside elements. 439 '<div [gallery]>', 440 ), 441 array( 442 '<div [[gallery]]>', // Shortcodes will never be stripped inside elements. 443 '<div [[gallery]]>', 444 ), 445 array( 446 '[gallery]<div>Hello</div>[/gallery]', 447 '', 448 ), 449 ); 450 } 451 376 452 }
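Review bot: `data_escaping()` and `data_escaping2()` check that a literal bracket inside a conditional comment survives (`'<!--[if lt IE 7]>'`), but no case covers content that already contains a numeric bracket entity such as `&#91;` written by the author; because `unescape_invalid_shortcodes()` runs `strtr()` over the whole string after processing, a test asserting that such an entity is returned unchanged rather than decoded to `[` would pin the normalization step in `do_shortcodes_in_html_tags()`. The cases also depend on `gallery` and `caption` being registered shortcodes, which the hunk does not show; a one-line comment on `test_escaping()` naming where they are registered would help the next reader. The enclosing test class starts outside the hunk.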