WordPress.org

Make WordPress Core


Timestamp:
10/13/2016 10:24:27 PM (21 months ago)
Author:
pento
Message:

KSES: Deprecate wp_kses_js_entities().

This function was originally introduced to fix an XSS attack in Netscape 4, which never affected any other browsers, or later versions of Netscape.

I'm willing to go out on a limb, and say that we've officially dropped security support for Netscape 4.

Props dmsnell, desrosj.
Fixes #33848.

File:
1 edited

  • trunk/src/wp-includes/kses.php

    r38511 r38785  
    528528        $allowed_protocols = wp_allowed_protocols();
    529529    $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
    530     $string = wp_kses_js_entities($string);
    531530    $string = wp_kses_normalize_entities($string);
    532531    $string = wp_kses_hook($string, $allowed_html, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook
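
Review bot: Missing test coverage for the behaviour change at old line 530: with the wp_kses_js_entities() call gone, a string containing `&{...}` now passes from wp_kses_no_null() directly into wp_kses_normalize_entities(). Please add a unit test that feeds such a string through this path and asserts the exact output, so the new handling of the leading ampersand is pinned down rather than implied.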
     
    551550    $allowed_protocols = wp_allowed_protocols();
    552551    $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );
    553     $string = wp_kses_js_entities( $string );
    554552   
    555553    // Preserve leading and trailing whitespace.
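
Review bot: At old line 553 the removed call was the only entity-related step visible in this code path. Unlike the first call site, no wp_kses_normalize_entities() call follows wp_kses_no_null() in the lines shown here. Please confirm that the processing further down in this function still encodes or rejects a stray `&{` sequence, and cover this second path with its own test case instead of relying on the test for the first one.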
     
    12971295
    12981296/**
    1299  * Removes the HTML JavaScript entities found in early versions of Netscape 4.
    1300  *
    1301  * @since 1.0.0
    1302  *
    1303  * @param string $string
    1304  * @return string
    1305  */
    1306 function wp_kses_js_entities($string) {
    1307     return preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string);
    1308 }
    1309 
    1310 /**
    13111297 * Handles parsing errors in wp_kses_hair().
    13121298 *
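
Review bot: The commit message says "Deprecate", but old lines 1298-1308 delete wp_kses_js_entities() from this file outright, and this view lists only one edited file, so nothing visible here keeps the name callable. Any plugin or theme that still calls it directly would fail with an undefined-function fatal error. Suggest keeping a thin wrapper (for example in wp-includes/deprecated.php) that calls _deprecated_function() and returns the same preg_replace() result, with a docblock noting that the pattern only ever targeted the Netscape 4 `&{...}` entities.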