
Changeset 34146


Timestamp:
09/14/2015 10:47:50 PM (9 years ago)
Author:
nbachiyski
Message:

Shortcodes: don't allow unclosed HTML elements in attributes

Merges [34134] for 4.1 branch

Location:
branches/4.1/src/wp-includes
Files:
2 edited

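--- a/branches/4.1/src/wp-includes/media.php
+++ b/branches/4.1/src/wp-includes/media.php
@@ -814,4 +814,6 @@
             $attr['caption'] = trim( $matches[2] );
         }
+    } elseif ( strpos( $attr['caption'], '<' ) !== false ) {
+        $attr['caption'] = wp_kses( $attr['caption'], 'post' );
     }
 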
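Review bot: Only the explicit `caption` attribute is passed through `wp_kses()` by the added `elseif`; the caption taken from `$content` in the branch above (`trim( $matches[2] )`) is assigned without a filter in the visible lines. If that path relies on the post content having been filtered earlier, a comment on the branch should say so, for example `// Caption parsed from $content is not re-filtered here; only the attribute form is run through kses.` The `strpos` guard skips the filter for values without `<`, which looks like a fast path and is worth stating in the same comment. The enclosing function starts and ends outside the hunk, so later handling of the caption is not visible here.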
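--- a/branches/4.1/src/wp-includes/shortcodes.php
+++ b/branches/4.1/src/wp-includes/shortcodes.php
@@ -455,4 +455,13 @@
                 $atts[] = stripcslashes($m[8]);
         }
+
+        // Reject any unclosed HTML elements
+        foreach( $atts as &$value ) {
+            if ( false !== strpos( $value, '<' ) ) {
+                if ( 1 !== preg_match( '/^[^<]*+(?:<[^>]*+>[^<]*+)*+$/', $value ) ) {
+                    $value = '';
+                }
+            }
+        }
     } else {
         $atts = ltrim($text);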
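Review bot: The comment on the new loop, `// Reject any unclosed HTML elements`, can be read as sanitization, but the pattern only requires that every `<` is later closed by a `>`; values that hold complete tags pass through unchanged. I would spell that out, e.g. `// Blank any value with an unclosed '<'. Complete tags are kept, so handlers must still escape or filter on output.` The loop also iterates by reference and leaves `$value` bound to the last element of `$atts`; adding `unset( $value );` right after the `foreach` prevents a later accidental write through it. The enclosing function starts and ends outside the hunk.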