Changeset 38785
- Timestamp:
- 10/13/2016 10:24:27 PM (8 years ago)
- Location:
- trunk
- Files:
-
- 3 edited
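--- a/trunk/src/wp-includes/deprecated.php
+++ b/trunk/src/wp-includes/deprecated.php
@@ -3773,2 +3773,28 @@
 	return get_query_template( 'paged' );
 }
+
+/**
+ * Removes the HTML JavaScript entities found in early versions of Netscape 4.
+ *
+ * Previously, this function was pulled in from the original
+ * import of kses and removed a specific vulnerability only
+ * existent in early version of Netscape 4. However, this
+ * vulnerability never affected any other browsers and can
+ * be considered safe for the modern web.
+ *
+ * The regular expression which sanitized this vulnerability
+ * has been removed in consideration of the performance and
+ * energy demands it placed, now merely passing through its
+ * input to the return.
+ *
+ * @since 1.0.0
+ * @deprecated deprecated since 4.7
+ *
+ * @param string $string
+ * @return string
+ */
+function wp_kses_js_entities( $string ) {
+	_deprecated_function( __FUNCTION__, '4.7.0' );
+
+	return preg_replace( '%&\s*\{[^}]*(\}\s*;?|$)%', '', $string );
+}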
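Review bot: The docblock on the new wp_kses_js_entities() states that the regular expression "has been removed ... now merely passing through its input to the return", yet the body still executes `return preg_replace( '%&\s*\{[^}]*(\}\s*;?|$)%', '', $string );`, so the documentation contradicts the code it sits on. Keeping the regex is the safer choice for a deprecated function, since any plugin still calling it directly keeps getting the same output; the paragraph should instead say that the function still strips `&{...}` sequences but is no longer part of the kses pipeline. The `@deprecated deprecated since 4.7` tag repeats the word and omits the patch version passed to `_deprecated_function()`; `@deprecated 4.7.0 No longer called by kses; the stripping only mattered for Netscape 4.` matches WordPress style and records why.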
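--- a/trunk/src/wp-includes/kses.php
+++ b/trunk/src/wp-includes/kses.php
@@ -528,5 +528,4 @@
 	$allowed_protocols = wp_allowed_protocols();
 	$string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
-	$string = wp_kses_js_entities($string);
 	$string = wp_kses_normalize_entities($string);
 	$string = wp_kses_hook($string, $allowed_html, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook
@@ -551,5 +550,4 @@
 	$allowed_protocols = wp_allowed_protocols();
 	$string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
-	$string = wp_kses_js_entities( $string );
 
 	// Preserve leading and trailing whitespace.
@@ -1297,16 +1295,4 @@
 
 /**
- * Removes the HTML JavaScript entities found in early versions of Netscape 4.
- *
- * @since 1.0.0
- *
- * @param string $string
- * @return string
- */
-function wp_kses_js_entities($string) {
-	return preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string);
-}
-
-/**
  * Handles parsing errors in wp_kses_hair().
  *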
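Review bot: Dropping the `wp_kses_js_entities()` call at old line 530 leaves nothing in the sanitizer pipeline explaining why `&{...}` sequences are now allowed through, while the function itself stays callable from deprecated.php, so a later reader comparing the two files could reinstate the step without knowing it was removed on purpose. A one-line comment next to the `wp_kses_no_null()` call, such as `// Netscape 4 '&{...}' JavaScript entities are intentionally no longer stripped; see wp_kses_js_entities() in deprecated.php.`, records the decision at the point where it applies. The second hunk at old line 553 removes the same call and would benefit from the same note. Both enclosing functions start and end outside the hunks shown.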
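--- a/trunk/tests/phpunit/tests/kses.php
+++ b/trunk/tests/phpunit/tests/kses.php
@@ -196,8 +196,8 @@
 		switch ( $attack->name ) {
 			case 'XSS Locator':
-				$this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))= ', $result);
+				$this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))=&{}', $result);
 				break;
 			case 'XSS Quick Test':
-				$this->assertEquals('\'\';!--"= ', $result);
+				$this->assertEquals('\'\';!--"=&{()}', $result);
 				break;
 			case 'SCRIPT w/Alert()':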
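Review bot: The updated expectations at lines 198 and 201 now end in `&{}` and `&{()}` with no comment saying why the filtered output is expected to change, so someone reading the test without this changeset can take the surviving braces for a regression in the sanitizer. A short comment above the `case 'XSS Locator':` branch, e.g. `// '&{...}' Netscape 4 JavaScript entities are no longer stripped by kses (wp_kses_js_entities() was deprecated), so they remain in the output.`, makes the intent explicit in the one place a future failure would be diagnosed. These are plain string comparisons, so `$this->assertSame( ..., $result );` would also catch a non-string `$result` that `assertEquals()` silently accepts. The enclosing test method and its loop start and end outside the hunk.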