Make WordPress Core


Timestamp:
09/14/2015 10:49:09 PM (9 years ago)
Author:
nbachiyski
Message:

Shortcodes: don't allow unclosed HTML elements in attributes

Merges [34134] for 3.7 branch

File:
1 edited

  • branches/3.7/src/wp-includes/shortcodes.php

    r33568 r34150  
    449449                $atts[] = stripcslashes($m[8]);
    450450        }
     451
     452        // Reject any unclosed HTML elements
     453        foreach( $atts as &$value ) {
     454            if ( false !== strpos( $value, '<' ) ) {
     455                if ( 1 !== preg_match( '/^[^<]*+(?:<[^>]*+>[^<]*+)*+$/', $value ) ) {
     456                    $value = '';
     457                }
     458            }
     459        }
    451460    } else {
    452461        $atts = ltrim($text);
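
Review bot: The by-reference loop at new lines 453-459 (`foreach( $atts as &$value )`) leaves `$value` bound to the last element of `$atts` after the loop ends, so any later assignment to `$value` in this function would silently overwrite that attribute; add `unset( $value );` directly after the loop's closing brace. The comment on line 452 also says "unclosed HTML elements", while the pattern only verifies that every `<` in the value is followed by a closing `>` and otherwise blanks the whole value; wording it as "unclosed HTML tags" and stating that the attribute is replaced with an empty string would document the behavior shortcode callbacks now see.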