
Changeset 38785


Timestamp:
10/13/2016 10:24:27 PM (21 months ago)
Author:
pento
Message:

KSES: Deprecate wp_kses_js_entities().

This function was originally introduced to fix an XSS attack in Netscape 4, which never affected any other browsers, or later versions of Netscape.

I'm willing to go out on a limb, and say that we've officially dropped security support for Netscape 4.

Props dmsnell, desrosj.
Fixes #33848.

Location:
trunk
Files:
3 edited

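--- a/trunk/src/wp-includes/deprecated.php
+++ b/trunk/src/wp-includes/deprecated.php
@@ -3773,2 +3773,28 @@
     return get_query_template( 'paged' );
 }
+
+/**
+ * Removes the HTML JavaScript entities found in early versions of Netscape 4.
+ *
+ * Previously, this function was pulled in from the original
+ * import of kses and removed a specific vulnerability only
+ * existent in early version of Netscape 4. However, this
+ * vulnerability never affected any other browsers and can
+ * be considered safe for the modern web.
+ *
+ * The regular expression which sanitized this vulnerability
+ * has been removed in consideration of the performance and
+ * energy demands it placed, now merely passing through its
+ * input to the return.
+ *
+ * @since 1.0.0
+ * @deprecated deprecated since 4.7
+ *
+ * @param string $string
+ * @return string
+ */
+function wp_kses_js_entities( $string ) {
+    _deprecated_function( __FUNCTION__, '4.7.0' );
+
+    return preg_replace( '%&\s*\{[^}]*(\}\s*;?|$)%', '', $string );
+}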
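Review bot: The new docblock for wp_kses_js_entities() says the regular expression "has been removed" and that the function is "now merely passing through its input to the return", but the body still returns `preg_replace( '%&\s*\{[^}]*(\}\s*;?|$)%', '', $string )`, so the documentation contradicts the code. Anyone auditing sanitisation paths from the docblock alone would conclude this shim does nothing, while direct callers still get the entity stripped. The last paragraph should instead say that the KSES filters in kses.php no longer call this function and that the shim keeps the original stripping for existing callers. Separately, `@deprecated deprecated since 4.7` repeats itself and does not match the `'4.7.0'` passed to `_deprecated_function()`; `@deprecated 4.7.0` would be consistent.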
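--- a/trunk/src/wp-includes/kses.php
+++ b/trunk/src/wp-includes/kses.php
@@ -528,5 +528,4 @@
         $allowed_protocols = wp_allowed_protocols();
     $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
-    $string = wp_kses_js_entities($string);
     $string = wp_kses_normalize_entities($string);
     $string = wp_kses_hook($string, $allowed_html, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook
@@ -551,5 +550,4 @@
     $allowed_protocols = wp_allowed_protocols();
     $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
-    $string = wp_kses_js_entities( $string );
    
     // Preserve leading and trailing whitespace.
@@ -1297,16 +1295,4 @@
 
 /**
- * Removes the HTML JavaScript entities found in early versions of Netscape 4.
- *
- * @since 1.0.0
- *
- * @param string $string
- * @return string
- */
-function wp_kses_js_entities($string) {
-    return preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string);
-}
-
-/**
  * Handles parsing errors in wp_kses_hair().
  *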
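--- a/trunk/tests/phpunit/tests/kses.php
+++ b/trunk/tests/phpunit/tests/kses.php
@@ -196,8 +196,8 @@
             switch ( $attack->name ) {
                 case 'XSS Locator':
-                    $this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))=', $result);
+                    $this->assertEquals('\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))=&{}', $result);
                     break;
                 case 'XSS Quick Test':
-                    $this->assertEquals('\'\';!--"=', $result);
+                    $this->assertEquals('\'\';!--"=&{()}', $result);
                     break;
                 case 'SCRIPT w/Alert()':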
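Review bot: The updated expectations for `'XSS Locator'` and `'XSS Quick Test'` now pin that `&{}` and `&{()}` survive the filter under test, but nothing in the test records why. A later reader could mistake the retained entity for a sanitiser regression. A short comment above each assertion would capture the intent, for example `// &{...} (Netscape 4 JS entity) is intentionally no longer stripped; see #33848.` This section also adds no case for the deprecated wp_kses_js_entities() itself, which still strips the entity in deprecated.php; a test asserting that output and the deprecation notice would keep the shim covered. The `switch` statement begins before this hunk and continues after it.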