Changeset 38785


Timestamp:
10/13/16 22:24:27 (9 months ago)
Author:
pento
Message:

KSES: Deprecate wp_kses_js_entities().

This function was originally introduced to fix an XSS attack in Netscape 4, which never affected any other browsers or later versions of Netscape.

I'm willing to go out on a limb, and say that we've officially dropped security support for Netscape 4.

Props dmsnell, desrosj.
Fixes #33848.

Location:
trunk
Files:
3 edited

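--- a/trunk/src/wp-includes/deprecated.php
+++ b/trunk/src/wp-includes/deprecated.php
@@ -3773,2 +3773,28 @@
     return get_query_template( 'paged' );
 }
+
+/**
+ * Removes the HTML JavaScript entities found in early versions of Netscape 4.
+ *
+ * Previously, this function was pulled in from the original
+ * import of kses and removed a specific vulnerability only
+ * existent in early version of Netscape 4. However, this
+ * vulnerability never affected any other browsers and can
+ * be considered safe for the modern web.
+ *
+ * The regular expression which sanitized this vulnerability
+ * has been removed in consideration of the performance and
+ * energy demands it placed, now merely passing through its
+ * input to the return.
+ *
+ * @since 1.0.0
+ * @deprecated deprecated since 4.7
+ *
+ * @param string $string
+ * @return string
+ */
+function wp_kses_js_entities( $string ) {
+    _deprecated_function( __FUNCTION__, '4.7.0' );
+
+    return preg_replace( '%&\s*\{[^}]*(\}\s*;?|$)%', '', $string );
+}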
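Review bot: The new docblock contradicts the body it documents: its second paragraph says the regular expression "has been removed" and the function is "now merely passing through its input to the return", yet line 3799 still runs the original `preg_replace` and strips `&{...}` entities. Either keep the stripping, which is the conservative choice for a deprecated sanitizer that third-party callers may still rely on, and delete that paragraph, or return `$string` unchanged as the text claims, but the documentation and the code must agree. The `@deprecated` tag also reads doubled; `@deprecated 4.7.0` would match the version string passed to `_deprecated_function()` on the next line. Note that `preg_replace()` returns null on a PCRE error, so the declared `@return string` is only true on the success path, as it was in the original.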
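--- a/trunk/src/wp-includes/kses.php
+++ b/trunk/src/wp-includes/kses.php
@@ -528,5 +528,4 @@
         $allowed_protocols = wp_allowed_protocols();
     $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
-    $string = wp_kses_js_entities($string);
     $string = wp_kses_normalize_entities($string);
     $string = wp_kses_hook($string, $allowed_html, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook
@@ -551,5 +550,4 @@
     $allowed_protocols = wp_allowed_protocols();
     $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
-    $string = wp_kses_js_entities( $string );
 
     // Preserve leading and trailing whitespace.
@@ -1297,16 +1295,4 @@
 
 /**
- * Removes the HTML JavaScript entities found in early versions of Netscape 4.
- *
- * @since 1.0.0
- *
- * @param string $string
- * @return string
- */
-function wp_kses_js_entities($string) {
-    return preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string);
-}
-
-/**
  * Handles parsing errors in wp_kses_hair().
  *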
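--- a/trunk/tests/phpunit/tests/kses.php
+++ b/trunk/tests/phpunit/tests/kses.php
@@ -196,8 +196,8 @@
             switch ( $attack->name ) {
                 case 'XSS Locator':
-                    $this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))=', $result);
+                    $this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))=&{}', $result);
                     break;
                 case 'XSS Quick Test':
-                    $this->assertEquals('\'\';!--"=', $result);
+                    $this->assertEquals('\'\';!--"=&{()}', $result);
                     break;
                 case 'SCRIPT w/Alert()':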
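Review bot: The updated expectations at new lines 198 and 201 encode that `&{}` and `&{()}` now survive `wp_kses()`, but nothing in the test says why, and a later reader seeing raw `&{...}` in the expected output of an XSS test case could easily read it as a regression and "fix" it. Add a short comment above the changed assertions, e.g. `// &{...} JS entities are no longer stripped: wp_kses_js_entities() was deprecated in 4.7 (Netscape 4-only vector).` The deprecated copy in deprecated.php also has no coverage in this commit; a small test calling it under `@expectedDeprecated wp_kses_js_entities` would pin both the deprecation notice and whatever output the deprecated function is meant to produce. The enclosing switch and its test method start and end outside the hunk.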