Make WordPress Core


Timestamp: 10/13/2016 10:24:27 PM (8 years ago)
Author: pento
Message:

KSES: Deprecate wp_kses_js_entities().

This function was originally introduced to fix an XSS attack in Netscape 4, which never affected any other browsers, or later versions of Netscape.

I'm willing to go out on a limb, and say that we've officially dropped security support for Netscape 4.

Props dmsnell, desrosj.
Fixes #33848.

File: 1 edited

  • trunk/src/wp-includes/deprecated.php

    r38755 r38785  
    37733773    return get_query_template( 'paged' );
    37743774}
     3775
     3776/**
     3777 * Removes the HTML JavaScript entities found in early versions of Netscape 4.
     3778 *
     3779 * Previously, this function was pulled in from the original
     3780 * import of kses and removed a specific vulnerability only
     3781 * existent in early version of Netscape 4. However, this
     3782 * vulnerability never affected any other browsers and can
     3783 * be considered safe for the modern web.
     3784 *
     3785 * The regular expression which sanitized this vulnerability
     3786 * has been removed in consideration of the performance and
     3787 * energy demands it placed, now merely passing through its
     3788 * input to the return.
     3789 *
     3790 * @since 1.0.0
     3791 * @deprecated deprecated since 4.7
     3792 *
     3793 * @param string $string
     3794 * @return string
     3795 */
     3796function wp_kses_js_entities( $string ) {
     3797    _deprecated_function( __FUNCTION__, '4.7.0' );
     3798
     3799    return preg_replace( '%&\s*\{[^}]*(\}\s*;?|$)%', '', $string );
     3800}
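Review bot: the docblock at new lines 3785-3788 says the regular expression "has been removed" and that the function is "now merely passing through its input to the return", but line 3799 still returns `preg_replace( '%&\s*\{[^}]*(\}\s*;?|$)%', '', $string )`, so callers continue to pay for the regex and still get modified output. Either make the body match the comment with `return $string;`, or reword the comment to say the stripping is kept for existing callers of the deprecated function. Two smaller points in the same block: `@deprecated deprecated since 4.7` repeats the word and should read `@deprecated 4.7.0` to match the version passed to `_deprecated_function()`, and "early version of Netscape 4" on line 3781 should be "early versions", as on line 3777.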