Timestamp: 10/13/16 22:24:27 (13 months ago)
Author: pento
Message:

KSES: Deprecate wp_kses_js_entities().

This function was originally introduced to fix an XSS attack in Netscape 4, which never affected any other browsers, or later versions of Netscape.

I'm willing to go out on a limb, and say that we've officially dropped security support for Netscape 4.

Props dmsnell, desrosj.
Fixes #33848.

File: 1 edited

  • trunk/src/wp-includes/kses.php

    r38511 r38785  
    528528        $allowed_protocols = wp_allowed_protocols(); 
    529529    $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) ); 
    530     $string = wp_kses_js_entities($string); 
    531530    $string = wp_kses_normalize_entities($string); 
    532531    $string = wp_kses_hook($string, $allowed_html, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook 
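Review bot: no test accompanies the removal of the wp_kses_js_entities() call at old line 530; the changeset lists kses.php as the only edited file. Input containing an `&{...}` sequence now passes straight from wp_kses_no_null() to wp_kses_normalize_entities(), so a unit test that feeds such a string through this path and pins the expected output would document the new behaviour and guard against regressions.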
     
    551550    $allowed_protocols = wp_allowed_protocols(); 
    552551    $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) ); 
    553     $string = wp_kses_js_entities( $string ); 
    554552     
    555553    // Preserve leading and trailing whitespace. 
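Review bot: unlike the other call site, the visible context after the removed line 553 shows no wp_kses_normalize_entities() call, so on this path wp_kses_js_entities() was the only entity-related step in view. Please confirm that the code after the whitespace handling still normalizes a stray `&{` in $string, and note that in a comment here so the reasoning does not depend on the other call site.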
     
    12971295 
    12981296/** 
    1299  * Removes the HTML JavaScript entities found in early versions of Netscape 4. 
    1300  * 
    1301  * @since 1.0.0 
    1302  * 
    1303  * @param string $string 
    1304  * @return string 
    1305  */ 
    1306 function wp_kses_js_entities($string) { 
    1307     return preg_replace('%&\s*\{[^}]*(\}\s*;?|$)%', '', $string); 
    1308 } 
    1309  
    1310 /** 
    13111297 * Handles parsing errors in wp_kses_hair(). 
    13121298 * 
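Review bot: the definition at old lines 1299-1308 is deleted outright, while the message says "Deprecate" and this view lists kses.php as the only edited file. Third-party code that still calls wp_kses_js_entities() needs a surviving definition that calls _deprecated_function() and returns a string; if that stub is added elsewhere it should be visible in this changeset, otherwise those callers hit an undefined-function fatal error.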