Changeset 42343 for trunk/src/wp-includes/kses.php
- Timestamp:
- 11/30/2017 11:09:33 PM (7 years ago)
- File:
-
- 1 edited
trunk/src/wp-includes/kses.php
r42249 r42343 29 29 * @package External 30 30 * @subpackage KSES 31 *32 31 */ 33 32 … … 43 42 * @since 1.2.0 44 43 */ 45 if ( ! defined( 'CUSTOM_TAGS' ) ) 44 if ( ! defined( 'CUSTOM_TAGS' ) ) { 46 45 define( 'CUSTOM_TAGS', false ); 46 } 47 47 48 48 // Ensure that these variables are added to the global namespace … … 60 60 */ 61 61 $allowedposttags = array( 62 'address' => array(),63 'a' => array(64 'href' => true,65 'rel' => true,66 'rev' => true,67 'name' => true,62 'address' => array(), 63 'a' => array( 64 'href' => true, 65 'rel' => true, 66 'rev' => true, 67 'name' => true, 68 68 'target' => true, 69 69 ), 70 'abbr' => array(),71 'acronym' => array(),72 'area' => array(73 'alt' => true,70 'abbr' => array(), 71 'acronym' => array(), 72 'area' => array( 73 'alt' => true, 74 74 'coords' => true, 75 'href' => true,75 'href' => true, 76 76 'nohref' => true, 77 'shape' => true,77 'shape' => true, 78 78 'target' => true, 79 79 ), 80 'article' => array(81 'align' => true,82 'dir' => true,83 'lang' => true,80 'article' => array( 81 'align' => true, 82 'dir' => true, 83 'lang' => true, 84 84 'xml:lang' => true, 85 85 ), 86 'aside' => array(87 'align' => true,88 'dir' => true,89 'lang' => true,86 'aside' => array( 87 'align' => true, 88 'dir' => true, 89 'lang' => true, 90 90 'xml:lang' => true, 91 91 ), 92 'audio' => array(92 'audio' => array( 93 93 'autoplay' => true, 94 94 'controls' => true, 95 'loop' => true,96 'muted' => true,97 'preload' => true,98 'src' => true,99 ), 100 'b' => array(),101 'bdo' => array(95 'loop' => true, 96 'muted' => true, 97 'preload' => true, 98 'src' => true, 99 ), 100 'b' => array(), 101 'bdo' => array( 102 102 'dir' => true, 103 103 ), 104 'big' => array(),104 'big' => array(), 105 105 'blockquote' => array( 106 'cite' => true, 106 'cite' => true, 107 'lang' => true, 108 'xml:lang' => true, 109 ), 110 'br' => array(), 111 'button' => array( 112 'disabled' => true, 113 'name' => true, 114 'type' => true, 115 'value' => true, 116 ), 117 
'caption' => array( 118 'align' => true, 119 ), 120 'cite' => array( 121 'dir' => true, 107 122 'lang' => true, 123 ), 124 'code' => array(), 125 'col' => array( 126 'align' => true, 127 'char' => true, 128 'charoff' => true, 129 'span' => true, 130 'dir' => true, 131 'valign' => true, 132 'width' => true, 133 ), 134 'colgroup' => array( 135 'align' => true, 136 'char' => true, 137 'charoff' => true, 138 'span' => true, 139 'valign' => true, 140 'width' => true, 141 ), 142 'del' => array( 143 'datetime' => true, 144 ), 145 'dd' => array(), 146 'dfn' => array(), 147 'details' => array( 148 'align' => true, 149 'dir' => true, 150 'lang' => true, 151 'open' => true, 108 152 'xml:lang' => true, 109 153 ), 110 'br' => array(), 111 'button' => array( 112 'disabled' => true, 113 'name' => true, 114 'type' => true, 115 'value' => true, 116 ), 117 'caption' => array( 154 'div' => array( 155 'align' => true, 156 'dir' => true, 157 'lang' => true, 158 'xml:lang' => true, 159 ), 160 'dl' => array(), 161 'dt' => array(), 162 'em' => array(), 163 'fieldset' => array(), 164 'figure' => array( 165 'align' => true, 166 'dir' => true, 167 'lang' => true, 168 'xml:lang' => true, 169 ), 170 'figcaption' => array( 171 'align' => true, 172 'dir' => true, 173 'lang' => true, 174 'xml:lang' => true, 175 ), 176 'font' => array( 177 'color' => true, 178 'face' => true, 179 'size' => true, 180 ), 181 'footer' => array( 182 'align' => true, 183 'dir' => true, 184 'lang' => true, 185 'xml:lang' => true, 186 ), 187 'form' => array( 188 'action' => true, 189 'accept' => true, 190 'accept-charset' => true, 191 'enctype' => true, 192 'method' => true, 193 'name' => true, 194 'target' => true, 195 ), 196 'h1' => array( 118 197 'align' => true, 119 198 ), 120 'cite' => array( 121 'dir' => true, 122 'lang' => true, 123 ), 124 'code' => array(), 125 'col' => array( 199 'h2' => array( 126 200 'align' => true, 127 'char' => true, 128 'charoff' => true, 129 'span' => true, 130 'dir' => true, 131 'valign' 
=> true, 132 'width' => true, 133 ), 134 'colgroup' => array( 201 ), 202 'h3' => array( 135 203 'align' => true, 136 'char' => true, 137 'charoff' => true, 138 'span' => true, 139 'valign' => true, 140 'width' => true, 141 ), 142 'del' => array( 204 ), 205 'h4' => array( 206 'align' => true, 207 ), 208 'h5' => array( 209 'align' => true, 210 ), 211 'h6' => array( 212 'align' => true, 213 ), 214 'header' => array( 215 'align' => true, 216 'dir' => true, 217 'lang' => true, 218 'xml:lang' => true, 219 ), 220 'hgroup' => array( 221 'align' => true, 222 'dir' => true, 223 'lang' => true, 224 'xml:lang' => true, 225 ), 226 'hr' => array( 227 'align' => true, 228 'noshade' => true, 229 'size' => true, 230 'width' => true, 231 ), 232 'i' => array(), 233 'img' => array( 234 'alt' => true, 235 'align' => true, 236 'border' => true, 237 'height' => true, 238 'hspace' => true, 239 'longdesc' => true, 240 'vspace' => true, 241 'src' => true, 242 'usemap' => true, 243 'width' => true, 244 ), 245 'ins' => array( 143 246 'datetime' => true, 144 ), 145 'dd' => array(), 146 'dfn' => array(), 147 'details' => array( 247 'cite' => true, 248 ), 249 'kbd' => array(), 250 'label' => array( 251 'for' => true, 252 ), 253 'legend' => array( 148 254 'align' => true, 149 'dir' => true, 150 'lang' => true, 151 'open' => true, 152 'xml:lang' => true, 153 ), 154 'div' => array( 155 'align' => true, 156 'dir' => true, 157 'lang' => true, 158 'xml:lang' => true, 159 ), 160 'dl' => array(), 161 'dt' => array(), 162 'em' => array(), 163 'fieldset' => array(), 164 'figure' => array( 165 'align' => true, 166 'dir' => true, 167 'lang' => true, 168 'xml:lang' => true, 169 ), 170 'figcaption' => array( 171 'align' => true, 172 'dir' => true, 173 'lang' => true, 174 'xml:lang' => true, 175 ), 176 'font' => array( 177 'color' => true, 178 'face' => true, 179 'size' => true, 180 ), 181 'footer' => array( 182 'align' => true, 183 'dir' => true, 184 'lang' => true, 185 'xml:lang' => true, 186 ), 187 'form' 
=> array( 188 'action' => true, 189 'accept' => true, 190 'accept-charset' => true, 191 'enctype' => true, 192 'method' => true, 193 'name' => true, 194 'target' => true, 195 ), 196 'h1' => array( 197 'align' => true, 198 ), 199 'h2' => array( 200 'align' => true, 201 ), 202 'h3' => array( 203 'align' => true, 204 ), 205 'h4' => array( 206 'align' => true, 207 ), 208 'h5' => array( 209 'align' => true, 210 ), 211 'h6' => array( 212 'align' => true, 213 ), 214 'header' => array( 215 'align' => true, 216 'dir' => true, 217 'lang' => true, 218 'xml:lang' => true, 219 ), 220 'hgroup' => array( 221 'align' => true, 222 'dir' => true, 223 'lang' => true, 224 'xml:lang' => true, 225 ), 226 'hr' => array( 227 'align' => true, 228 'noshade' => true, 229 'size' => true, 230 'width' => true, 231 ), 232 'i' => array(), 233 'img' => array( 234 'alt' => true, 235 'align' => true, 236 'border' => true, 237 'height' => true, 238 'hspace' => true, 239 'longdesc' => true, 240 'vspace' => true, 241 'src' => true, 242 'usemap' => true, 243 'width' => true, 244 ), 245 'ins' => array( 246 'datetime' => true, 247 'cite' => true, 248 ), 249 'kbd' => array(), 250 'label' => array( 251 'for' => true, 252 ), 253 'legend' => array( 254 'align' => true, 255 ), 256 'li' => array( 255 ), 256 'li' => array( 257 257 'align' => true, 258 258 'value' => true, 259 259 ), 260 'map' => array(260 'map' => array( 261 261 'name' => true, 262 262 ), 263 'mark' => array(),264 'menu' => array(263 'mark' => array(), 264 'menu' => array( 265 265 'type' => true, 266 266 ), 267 'nav' => array(268 'align' => true,269 'dir' => true,270 'lang' => true,267 'nav' => array( 268 'align' => true, 269 'dir' => true, 270 'lang' => true, 271 271 'xml:lang' => true, 272 272 ), 273 'p' => array(274 'align' => true,275 'dir' => true,276 'lang' => true,273 'p' => array( 274 'align' => true, 275 'dir' => true, 276 'lang' => true, 277 277 'xml:lang' => true, 278 278 ), 279 'pre' => array(279 'pre' => array( 280 280 'width' => 
true, 281 281 ), 282 'q' => array(282 'q' => array( 283 283 'cite' => true, 284 284 ), 285 's' => array(),286 'samp' => array(),287 'span' => array(288 'dir' => true,289 'align' => true,290 'lang' => true,285 's' => array(), 286 'samp' => array(), 287 'span' => array( 288 'dir' => true, 289 'align' => true, 290 'lang' => true, 291 291 'xml:lang' => true, 292 292 ), 293 'section' => array(294 'align' => true,295 'dir' => true,296 'lang' => true,293 'section' => array( 294 'align' => true, 295 'dir' => true, 296 'lang' => true, 297 297 'xml:lang' => true, 298 298 ), 299 'small' => array(),300 'strike' => array(),301 'strong' => array(),302 'sub' => array(),303 'summary' => array(304 'align' => true,305 'dir' => true,306 'lang' => true,299 'small' => array(), 300 'strike' => array(), 301 'strong' => array(), 302 'sub' => array(), 303 'summary' => array( 304 'align' => true, 305 'dir' => true, 306 'lang' => true, 307 307 'xml:lang' => true, 308 308 ), 309 'sup' => array(),310 'table' => array(311 'align' => true,312 'bgcolor' => true,313 'border' => true,309 'sup' => array(), 310 'table' => array( 311 'align' => true, 312 'bgcolor' => true, 313 'border' => true, 314 314 'cellpadding' => true, 315 315 'cellspacing' => true, 316 'dir' => true,317 'rules' => true,318 'summary' => true,319 'width' => true,320 ), 321 'tbody' => array(322 'align' => true,323 'char' => true,316 'dir' => true, 317 'rules' => true, 318 'summary' => true, 319 'width' => true, 320 ), 321 'tbody' => array( 322 'align' => true, 323 'char' => true, 324 324 'charoff' => true, 325 'valign' => true,326 ), 327 'td' => array(328 'abbr' => true,329 'align' => true,330 'axis' => true,325 'valign' => true, 326 ), 327 'td' => array( 328 'abbr' => true, 329 'align' => true, 330 'axis' => true, 331 331 'bgcolor' => true, 332 'char' => true,332 'char' => true, 333 333 'charoff' => true, 334 334 'colspan' => true, 335 'dir' => true,335 'dir' => true, 336 336 'headers' => true, 337 'height' => true,338 'nowrap' 
=> true,337 'height' => true, 338 'nowrap' => true, 339 339 'rowspan' => true, 340 'scope' => true,341 'valign' => true,342 'width' => true,343 ), 344 'textarea' => array(345 'cols' => true,346 'rows' => true,340 'scope' => true, 341 'valign' => true, 342 'width' => true, 343 ), 344 'textarea' => array( 345 'cols' => true, 346 'rows' => true, 347 347 'disabled' => true, 348 'name' => true,348 'name' => true, 349 349 'readonly' => true, 350 350 ), 351 'tfoot' => array(352 'align' => true,353 'char' => true,351 'tfoot' => array( 352 'align' => true, 353 'char' => true, 354 354 'charoff' => true, 355 'valign' => true,356 ), 357 'th' => array(358 'abbr' => true,359 'align' => true,360 'axis' => true,355 'valign' => true, 356 ), 357 'th' => array( 358 'abbr' => true, 359 'align' => true, 360 'axis' => true, 361 361 'bgcolor' => true, 362 'char' => true,362 'char' => true, 363 363 'charoff' => true, 364 364 'colspan' => true, 365 365 'headers' => true, 366 'height' => true,367 'nowrap' => true,366 'height' => true, 367 'nowrap' => true, 368 368 'rowspan' => true, 369 'scope' => true,370 'valign' => true,371 'width' => true,372 ), 373 'thead' => array(374 'align' => true,375 'char' => true,369 'scope' => true, 370 'valign' => true, 371 'width' => true, 372 ), 373 'thead' => array( 374 'align' => true, 375 'char' => true, 376 376 'charoff' => true, 377 'valign' => true,378 ), 379 'title' => array(),380 'tr' => array(381 'align' => true,377 'valign' => true, 378 ), 379 'title' => array(), 380 'tr' => array( 381 'align' => true, 382 382 'bgcolor' => true, 383 'char' => true,383 'char' => true, 384 384 'charoff' => true, 385 'valign' => true,386 ), 387 'track' => array(385 'valign' => true, 386 ), 387 'track' => array( 388 388 'default' => true, 389 'kind' => true,390 'label' => true,391 'src' => true,389 'kind' => true, 390 'label' => true, 391 'src' => true, 392 392 'srclang' => true, 393 393 ), 394 'tt' => array(),395 'u' => array(),396 'ul' => array(394 'tt' => array(), 
395 'u' => array(), 396 'ul' => array( 397 397 'type' => true, 398 398 ), 399 'ol' => array(400 'start' => true,401 'type' => true,399 'ol' => array( 400 'start' => true, 401 'type' => true, 402 402 'reversed' => true, 403 403 ), 404 'var' => array(),405 'video' => array(404 'var' => array(), 405 'video' => array( 406 406 'autoplay' => true, 407 407 'controls' => true, 408 'height' => true,409 'loop' => true,410 'muted' => true,411 'poster' => true,412 'preload' => true,413 'src' => true,414 'width' => true,408 'height' => true, 409 'loop' => true, 410 'muted' => true, 411 'poster' => true, 412 'preload' => true, 413 'src' => true, 414 'width' => true, 415 415 ), 416 416 ); … … 423 423 */ 424 424 $allowedtags = array( 425 'a' => array(426 'href' => true,425 'a' => array( 426 'href' => true, 427 427 'title' => true, 428 428 ), 429 'abbr' => array(429 'abbr' => array( 430 430 'title' => true, 431 431 ), 432 'acronym' => array(432 'acronym' => array( 433 433 'title' => true, 434 434 ), 435 'b' => array(),435 'b' => array(), 436 436 'blockquote' => array( 437 437 'cite' => true, 438 438 ), 439 'cite' => array(),440 'code' => array(),441 'del' => array(439 'cite' => array(), 440 'code' => array(), 441 'del' => array( 442 442 'datetime' => true, 443 443 ), 444 'em' => array(),445 'i' => array(),446 'q' => array(444 'em' => array(), 445 'i' => array(), 446 'q' => array( 447 447 'cite' => true, 448 448 ), 449 's' => array(),450 'strike' => array(),451 'strong' => array(),449 's' => array(), 450 'strike' => array(), 451 'strong' => array(), 452 452 ); 453 453 454 454 $allowedentitynames = array( 455 'nbsp', 'iexcl', 'cent', 'pound', 'curren', 'yen', 456 'brvbar', 'sect', 'uml', 'copy', 'ordf', 'laquo', 457 'not', 'shy', 'reg', 'macr', 'deg', 'plusmn', 458 'acute', 'micro', 'para', 'middot', 'cedil', 'ordm', 459 'raquo', 'iquest', 'Agrave', 'Aacute', 'Acirc', 'Atilde', 460 'Auml', 'Aring', 'AElig', 'Ccedil', 'Egrave', 'Eacute', 461 'Ecirc', 'Euml', 'Igrave', 'Iacute', 
'Icirc', 'Iuml', 462 'ETH', 'Ntilde', 'Ograve', 'Oacute', 'Ocirc', 'Otilde', 463 'Ouml', 'times', 'Oslash', 'Ugrave', 'Uacute', 'Ucirc', 464 'Uuml', 'Yacute', 'THORN', 'szlig', 'agrave', 'aacute', 465 'acirc', 'atilde', 'auml', 'aring', 'aelig', 'ccedil', 466 'egrave', 'eacute', 'ecirc', 'euml', 'igrave', 'iacute', 467 'icirc', 'iuml', 'eth', 'ntilde', 'ograve', 'oacute', 468 'ocirc', 'otilde', 'ouml', 'divide', 'oslash', 'ugrave', 469 'uacute', 'ucirc', 'uuml', 'yacute', 'thorn', 'yuml', 470 'quot', 'amp', 'lt', 'gt', 'apos', 'OElig', 471 'oelig', 'Scaron', 'scaron', 'Yuml', 'circ', 'tilde', 472 'ensp', 'emsp', 'thinsp', 'zwnj', 'zwj', 'lrm', 473 'rlm', 'ndash', 'mdash', 'lsquo', 'rsquo', 'sbquo', 474 'ldquo', 'rdquo', 'bdquo', 'dagger', 'Dagger', 'permil', 475 'lsaquo', 'rsaquo', 'euro', 'fnof', 'Alpha', 'Beta', 476 'Gamma', 'Delta', 'Epsilon', 'Zeta', 'Eta', 'Theta', 477 'Iota', 'Kappa', 'Lambda', 'Mu', 'Nu', 'Xi', 478 'Omicron', 'Pi', 'Rho', 'Sigma', 'Tau', 'Upsilon', 479 'Phi', 'Chi', 'Psi', 'Omega', 'alpha', 'beta', 480 'gamma', 'delta', 'epsilon', 'zeta', 'eta', 'theta', 481 'iota', 'kappa', 'lambda', 'mu', 'nu', 'xi', 482 'omicron', 'pi', 'rho', 'sigmaf', 'sigma', 'tau', 483 'upsilon', 'phi', 'chi', 'psi', 'omega', 'thetasym', 484 'upsih', 'piv', 'bull', 'hellip', 'prime', 'Prime', 485 'oline', 'frasl', 'weierp', 'image', 'real', 'trade', 486 'alefsym', 'larr', 'uarr', 'rarr', 'darr', 'harr', 487 'crarr', 'lArr', 'uArr', 'rArr', 'dArr', 'hArr', 488 'forall', 'part', 'exist', 'empty', 'nabla', 'isin', 489 'notin', 'ni', 'prod', 'sum', 'minus', 'lowast', 490 'radic', 'prop', 'infin', 'ang', 'and', 'or', 491 'cap', 'cup', 'int', 'sim', 'cong', 'asymp', 492 'ne', 'equiv', 'le', 'ge', 'sub', 'sup', 493 'nsub', 'sube', 'supe', 'oplus', 'otimes', 'perp', 494 'sdot', 'lceil', 'rceil', 'lfloor', 'rfloor', 'lang', 495 'rang', 'loz', 'spades', 'clubs', 'hearts', 'diams', 496 'sup1', 'sup2', 'sup3', 'frac14', 'frac12', 'frac34', 455 'nbsp', 456 'iexcl', 457 'cent', 458 
'pound', 459 'curren', 460 'yen', 461 'brvbar', 462 'sect', 463 'uml', 464 'copy', 465 'ordf', 466 'laquo', 467 'not', 468 'shy', 469 'reg', 470 'macr', 471 'deg', 472 'plusmn', 473 'acute', 474 'micro', 475 'para', 476 'middot', 477 'cedil', 478 'ordm', 479 'raquo', 480 'iquest', 481 'Agrave', 482 'Aacute', 483 'Acirc', 484 'Atilde', 485 'Auml', 486 'Aring', 487 'AElig', 488 'Ccedil', 489 'Egrave', 490 'Eacute', 491 'Ecirc', 492 'Euml', 493 'Igrave', 494 'Iacute', 495 'Icirc', 496 'Iuml', 497 'ETH', 498 'Ntilde', 499 'Ograve', 500 'Oacute', 501 'Ocirc', 502 'Otilde', 503 'Ouml', 504 'times', 505 'Oslash', 506 'Ugrave', 507 'Uacute', 508 'Ucirc', 509 'Uuml', 510 'Yacute', 511 'THORN', 512 'szlig', 513 'agrave', 514 'aacute', 515 'acirc', 516 'atilde', 517 'auml', 518 'aring', 519 'aelig', 520 'ccedil', 521 'egrave', 522 'eacute', 523 'ecirc', 524 'euml', 525 'igrave', 526 'iacute', 527 'icirc', 528 'iuml', 529 'eth', 530 'ntilde', 531 'ograve', 532 'oacute', 533 'ocirc', 534 'otilde', 535 'ouml', 536 'divide', 537 'oslash', 538 'ugrave', 539 'uacute', 540 'ucirc', 541 'uuml', 542 'yacute', 543 'thorn', 544 'yuml', 545 'quot', 546 'amp', 547 'lt', 548 'gt', 549 'apos', 550 'OElig', 551 'oelig', 552 'Scaron', 553 'scaron', 554 'Yuml', 555 'circ', 556 'tilde', 557 'ensp', 558 'emsp', 559 'thinsp', 560 'zwnj', 561 'zwj', 562 'lrm', 563 'rlm', 564 'ndash', 565 'mdash', 566 'lsquo', 567 'rsquo', 568 'sbquo', 569 'ldquo', 570 'rdquo', 571 'bdquo', 572 'dagger', 573 'Dagger', 574 'permil', 575 'lsaquo', 576 'rsaquo', 577 'euro', 578 'fnof', 579 'Alpha', 580 'Beta', 581 'Gamma', 582 'Delta', 583 'Epsilon', 584 'Zeta', 585 'Eta', 586 'Theta', 587 'Iota', 588 'Kappa', 589 'Lambda', 590 'Mu', 591 'Nu', 592 'Xi', 593 'Omicron', 594 'Pi', 595 'Rho', 596 'Sigma', 597 'Tau', 598 'Upsilon', 599 'Phi', 600 'Chi', 601 'Psi', 602 'Omega', 603 'alpha', 604 'beta', 605 'gamma', 606 'delta', 607 'epsilon', 608 'zeta', 609 'eta', 610 'theta', 611 'iota', 612 'kappa', 613 'lambda', 614 
'mu', 615 'nu', 616 'xi', 617 'omicron', 618 'pi', 619 'rho', 620 'sigmaf', 621 'sigma', 622 'tau', 623 'upsilon', 624 'phi', 625 'chi', 626 'psi', 627 'omega', 628 'thetasym', 629 'upsih', 630 'piv', 631 'bull', 632 'hellip', 633 'prime', 634 'Prime', 635 'oline', 636 'frasl', 637 'weierp', 638 'image', 639 'real', 640 'trade', 641 'alefsym', 642 'larr', 643 'uarr', 644 'rarr', 645 'darr', 646 'harr', 647 'crarr', 648 'lArr', 649 'uArr', 650 'rArr', 651 'dArr', 652 'hArr', 653 'forall', 654 'part', 655 'exist', 656 'empty', 657 'nabla', 658 'isin', 659 'notin', 660 'ni', 661 'prod', 662 'sum', 663 'minus', 664 'lowast', 665 'radic', 666 'prop', 667 'infin', 668 'ang', 669 'and', 670 'or', 671 'cap', 672 'cup', 673 'int', 674 'sim', 675 'cong', 676 'asymp', 677 'ne', 678 'equiv', 679 'le', 680 'ge', 681 'sub', 682 'sup', 683 'nsub', 684 'sube', 685 'supe', 686 'oplus', 687 'otimes', 688 'perp', 689 'sdot', 690 'lceil', 691 'rceil', 692 'lfloor', 693 'rfloor', 694 'lang', 695 'rang', 696 'loz', 697 'spades', 698 'clubs', 699 'hearts', 700 'diams', 701 'sup1', 702 'sup2', 703 'sup3', 704 'frac14', 705 'frac12', 706 'frac34', 497 707 'there4', 498 708 ); … … 500 710 $allowedposttags = array_map( '_wp_add_global_attributes', $allowedposttags ); 501 711 } else { 502 $allowedtags = wp_kses_array_lc( $allowedtags );712 $allowedtags = wp_kses_array_lc( $allowedtags ); 503 713 $allowedposttags = wp_kses_array_lc( $allowedposttags ); 504 714 } … … 525 735 */ 526 736 function wp_kses( $string, $allowed_html, $allowed_protocols = array() ) { 527 if ( empty( $allowed_protocols ) ) 737 if ( empty( $allowed_protocols ) ) { 528 738 $allowed_protocols = wp_allowed_protocols(); 739 } 529 740 $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) ); 530 $string = wp_kses_normalize_entities( $string);531 $string = wp_kses_hook( $string, $allowed_html, $allowed_protocols); // WP changed the order of these funcs and added args to wp_kses_hook532 return wp_kses_split( 
$string, $allowed_html, $allowed_protocols);741 $string = wp_kses_normalize_entities( $string ); 742 $string = wp_kses_hook( $string, $allowed_html, $allowed_protocols ); // WP changed the order of these funcs and added args to wp_kses_hook 743 return wp_kses_split( $string, $allowed_html, $allowed_protocols ); 533 744 } 534 745 … … 546 757 */ 547 758 function wp_kses_one_attr( $string, $element ) { 548 $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');549 $allowed_html = wp_kses_allowed_html( 'post' );759 $uris = array( 'xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action' ); 760 $allowed_html = wp_kses_allowed_html( 'post' ); 550 761 $allowed_protocols = wp_allowed_protocols(); 551 $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) );552 762 $string = wp_kses_no_null( $string, array( 'slash_zero' => 'keep' ) ); 763 553 764 // Preserve leading and trailing whitespace. 554 765 $matches = array(); 555 preg_match( '/^\s*/', $string, $matches);766 preg_match( '/^\s*/', $string, $matches ); 556 767 $lead = $matches[0]; 557 preg_match( '/\s*$/', $string, $matches);768 preg_match( '/\s*$/', $string, $matches ); 558 769 $trail = $matches[0]; 559 770 if ( empty( $trail ) ) { … … 562 773 $string = substr( $string, strlen( $lead ), -strlen( $trail ) ); 563 774 } 564 775 565 776 // Parse attribute name and value from input. 566 777 $split = preg_split( '/\s*=\s*/', $string, 2 ); 567 $name = $split[0];778 $name = $split[0]; 568 779 if ( count( $split ) == 2 ) { 569 780 $value = $split[1]; … … 594 805 595 806 $string = "$name=$quote$value$quote"; 596 $vless = 'n';807 $vless = 'n'; 597 808 } else { 598 809 $value = ''; 599 810 $vless = 'y'; 600 811 } 601 812 602 813 // Sanitize attribute by name. 
603 814 wp_kses_attr_check( $name, $value, $string, $vless, $element, $allowed_html ); … … 643 854 case 'user_description': 644 855 case 'pre_user_description': 645 $tags = $allowedtags;856 $tags = $allowedtags; 646 857 $tags['a']['rel'] = true; 647 858 /** This filter is documented in wp-includes/kses.php */ … … 654 865 case 'entities': 655 866 /** This filter is documented in wp-includes/kses.php */ 656 return apply_filters( 'wp_kses_allowed_html', $allowedentitynames, $context );867 return apply_filters( 'wp_kses_allowed_html', $allowedentitynames, $context ); 657 868 658 869 case 'data': … … 717 928 function wp_kses_split( $string, $allowed_html, $allowed_protocols ) { 718 929 global $pass_allowed_html, $pass_allowed_protocols; 719 $pass_allowed_html = $allowed_html;930 $pass_allowed_html = $allowed_html; 720 931 $pass_allowed_protocols = $allowed_protocols; 721 932 return preg_replace_callback( '%(<!--.*?(-->|$))|(<[^>]*(>|$)|>)%', '_wp_kses_split_callback', $string ); … … 758 969 * @return string Fixed HTML element 759 970 */ 760 function wp_kses_split2( $string, $allowed_html, $allowed_protocols) {761 $string = wp_kses_stripslashes( $string);762 763 if ( substr($string, 0, 1) != '<')971 function wp_kses_split2( $string, $allowed_html, $allowed_protocols ) { 972 $string = wp_kses_stripslashes( $string ); 973 974 if ( substr( $string, 0, 1 ) != '<' ) { 764 975 return '>'; 976 } 765 977 // It matched a ">" character 766 978 767 979 if ( '<!--' == substr( $string, 0, 4 ) ) { 768 $string = str_replace( array( '<!--', '-->'), '', $string );769 while ( $string != ( $newstring = wp_kses($string, $allowed_html, $allowed_protocols)) )980 $string = str_replace( array( '<!--', '-->' ), '', $string ); 981 while ( $string != ( $newstring = wp_kses( $string, $allowed_html, $allowed_protocols ) ) ) { 770 982 $string = $newstring; 771 if ( $string == '' ) 983 } 984 if ( $string == '' ) { 772 985 return ''; 986 } 773 987 // prevent multiple dashes in comments 774 $string = 
preg_replace( '/--+/', '-', $string);988 $string = preg_replace( '/--+/', '-', $string ); 775 989 // prevent three dashes closing a comment 776 $string = preg_replace( '/-$/', '', $string);990 $string = preg_replace( '/-$/', '', $string ); 777 991 return "<!--{$string}-->"; 778 992 } 779 993 // Allow HTML comments 780 994 781 if ( !preg_match('%^<\s*(/\s*)?([a-zA-Z0-9-]+)([^>]*)>?$%', $string, $matches))995 if ( ! preg_match( '%^<\s*(/\s*)?([a-zA-Z0-9-]+)([^>]*)>?$%', $string, $matches ) ) { 782 996 return ''; 997 } 783 998 // It's seriously malformed 784 999 785 $slash = trim($matches[1]);786 $elem = $matches[2];1000 $slash = trim( $matches[1] ); 1001 $elem = $matches[2]; 787 1002 $attrlist = $matches[3]; 788 1003 789 if ( ! is_array( $allowed_html ) ) 1004 if ( ! is_array( $allowed_html ) ) { 790 1005 $allowed_html = wp_kses_allowed_html( $allowed_html ); 791 792 if ( ! isset($allowed_html[strtolower($elem)]) ) 1006 } 1007 1008 if ( ! isset( $allowed_html[ strtolower( $elem ) ] ) ) { 793 1009 return ''; 1010 } 794 1011 // They are using a not allowed HTML element 795 1012 796 if ( $slash != '')1013 if ( $slash != '' ) { 797 1014 return "</$elem>"; 1015 } 798 1016 // No attributes are allowed for closing elements 799 1017 … … 818 1036 * @return string Sanitized HTML element 819 1037 */ 820 function wp_kses_attr( $element, $attr, $allowed_html, $allowed_protocols) {821 if ( ! is_array( $allowed_html ) ) 1038 function wp_kses_attr( $element, $attr, $allowed_html, $allowed_protocols ) { 1039 if ( ! is_array( $allowed_html ) ) { 822 1040 $allowed_html = wp_kses_allowed_html( $allowed_html ); 1041 } 823 1042 824 1043 // Is there a closing XHTML slash at the end of the attributes? 825 1044 $xhtml_slash = ''; 826 if ( preg_match('%\s*/\s*$%', $attr))1045 if ( preg_match( '%\s*/\s*$%', $attr ) ) { 827 1046 $xhtml_slash = ' /'; 1047 } 828 1048 829 1049 // Are any attributes allowed at all for this element? 
… … 833 1053 834 1054 // Split it 835 $attrarr = wp_kses_hair( $attr, $allowed_protocols);1055 $attrarr = wp_kses_hair( $attr, $allowed_protocols ); 836 1056 837 1057 // Go through $attrarr, and save the allowed attributes for this element … … 840 1060 foreach ( $attrarr as $arreach ) { 841 1061 if ( wp_kses_attr_check( $arreach['name'], $arreach['value'], $arreach['whole'], $arreach['vless'], $element, $allowed_html ) ) { 842 $attr2 .= ' ' .$arreach['whole'];1062 $attr2 .= ' ' . $arreach['whole']; 843 1063 } 844 1064 } 845 1065 846 1066 // Remove any "<" or ">" characters 847 $attr2 = preg_replace( '/[<>]/', '', $attr2);1067 $attr2 = preg_replace( '/[<>]/', '', $attr2 ); 848 1068 849 1069 return "<$element$attr2$xhtml_slash>"; … … 864 1084 */ 865 1085 function wp_kses_attr_check( &$name, &$value, &$whole, $vless, $element, $allowed_html ) { 866 $allowed_attr = $allowed_html[ strtolower( $element )];1086 $allowed_attr = $allowed_html[ strtolower( $element ) ]; 867 1087 868 1088 $name_low = strtolower( $name ); 869 if ( ! isset( $allowed_attr[ $name_low] ) || '' == $allowed_attr[$name_low] ) {1089 if ( ! isset( $allowed_attr[ $name_low ] ) || '' == $allowed_attr[ $name_low ] ) { 870 1090 $name = $value = $whole = ''; 871 1091 return false; … … 884 1104 } 885 1105 886 if ( is_array( $allowed_attr[ $name_low] ) ) {1106 if ( is_array( $allowed_attr[ $name_low ] ) ) { 887 1107 // there are some checks 888 foreach ( $allowed_attr[ $name_low] as $currkey => $currval ) {1108 foreach ( $allowed_attr[ $name_low ] as $currkey => $currval ) { 889 1109 if ( ! 
wp_kses_check_attr_val( $value, $vless, $currkey, $currval ) ) { 890 1110 $name = $value = $whole = ''; … … 914 1134 * @return array List of attributes after parsing 915 1135 */ 916 function wp_kses_hair( $attr, $allowed_protocols) {917 $attrarr = array();918 $mode = 0;1136 function wp_kses_hair( $attr, $allowed_protocols ) { 1137 $attrarr = array(); 1138 $mode = 0; 919 1139 $attrname = ''; 920 $uris = array('xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action');1140 $uris = array( 'xmlns', 'profile', 'href', 'src', 'cite', 'classid', 'codebase', 'data', 'usemap', 'longdesc', 'action' ); 921 1141 922 1142 // Loop through the whole attribute list 923 1143 924 while ( strlen($attr) != 0) {1144 while ( strlen( $attr ) != 0 ) { 925 1145 $working = 0; // Was the last operation successful? 926 1146 927 switch ($mode) { 928 case 0 : // attribute name, href for instance 929 930 if ( preg_match('/^([-a-zA-Z:]+)/', $attr, $match ) ) { 1147 switch ( $mode ) { 1148 case 0: 1149 if ( preg_match( '/^([-a-zA-Z:]+)/', $attr, $match ) ) { 931 1150 $attrname = $match[1]; 932 $working = $mode = 1;933 $attr = preg_replace( '/^[-a-zA-Z:]+/', '', $attr );1151 $working = $mode = 1; 1152 $attr = preg_replace( '/^[-a-zA-Z:]+/', '', $attr ); 934 1153 } 935 1154 936 1155 break; 937 1156 938 case 1 : // equals sign or valueless ("selected") 939 940 if (preg_match('/^\s*=\s*/', $attr)) // equals sign 941 { 1157 case 1: 1158 if ( preg_match( '/^\s*=\s*/', $attr ) ) { // equals sign 942 1159 $working = 1; 943 $mode = 2;944 $attr = preg_replace('/^\s*=\s*/', '', $attr);1160 $mode = 2; 1161 $attr = preg_replace( '/^\s*=\s*/', '', $attr ); 945 1162 break; 946 1163 } 947 1164 948 if (preg_match('/^\s+/', $attr)) // valueless 949 { 1165 if ( preg_match( '/^\s+/', $attr ) ) { // valueless 950 1166 $working = 1; 951 $mode = 0; 952 if(false === array_key_exists($attrname, $attrarr)) { 953 $attrarr[$attrname] = array ('name' => $attrname, 'value' => '', 
'whole' => $attrname, 'vless' => 'y'); 1167 $mode = 0; 1168 if ( false === array_key_exists( $attrname, $attrarr ) ) { 1169 $attrarr[ $attrname ] = array( 1170 'name' => $attrname, 1171 'value' => '', 1172 'whole' => $attrname, 1173 'vless' => 'y', 1174 ); 954 1175 } 955 $attr = preg_replace( '/^\s+/', '', $attr);1176 $attr = preg_replace( '/^\s+/', '', $attr ); 956 1177 } 957 1178 958 1179 break; 959 1180 960 case 2 : // attribute value, a URL after href= for instance 961 962 if (preg_match('%^"([^"]*)"(\s+|/?$)%', $attr, $match)) 1181 case 2: 1182 if ( preg_match( '%^"([^"]*)"(\s+|/?$)%', $attr, $match ) ) { 963 1183 // "value" 964 {965 1184 $thisval = $match[1]; 966 if ( in_array(strtolower($attrname), $uris) ) 967 $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols); 968 969 if(false === array_key_exists($attrname, $attrarr)) { 970 $attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n'); 1185 if ( in_array( strtolower( $attrname ), $uris ) ) { 1186 $thisval = wp_kses_bad_protocol( $thisval, $allowed_protocols ); 1187 } 1188 1189 if ( false === array_key_exists( $attrname, $attrarr ) ) { 1190 $attrarr[ $attrname ] = array( 1191 'name' => $attrname, 1192 'value' => $thisval, 1193 'whole' => "$attrname=\"$thisval\"", 1194 'vless' => 'n', 1195 ); 971 1196 } 972 1197 $working = 1; 973 $mode = 0;974 $attr = preg_replace('/^"[^"]*"(\s+|$)/', '', $attr);1198 $mode = 0; 1199 $attr = preg_replace( '/^"[^"]*"(\s+|$)/', '', $attr ); 975 1200 break; 976 1201 } 977 1202 978 if ( preg_match("%^'([^']*)'(\s+|/?$)%", $attr, $match))1203 if ( preg_match( "%^'([^']*)'(\s+|/?$)%", $attr, $match ) ) { 979 1204 // 'value' 980 {981 1205 $thisval = $match[1]; 982 if ( in_array(strtolower($attrname), $uris) ) 983 $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols); 984 985 if(false === array_key_exists($attrname, $attrarr)) { 986 $attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 
'whole' => "$attrname='$thisval'", 'vless' => 'n'); 1206 if ( in_array( strtolower( $attrname ), $uris ) ) { 1207 $thisval = wp_kses_bad_protocol( $thisval, $allowed_protocols ); 1208 } 1209 1210 if ( false === array_key_exists( $attrname, $attrarr ) ) { 1211 $attrarr[ $attrname ] = array( 1212 'name' => $attrname, 1213 'value' => $thisval, 1214 'whole' => "$attrname='$thisval'", 1215 'vless' => 'n', 1216 ); 987 1217 } 988 1218 $working = 1; 989 $mode = 0;990 $attr = preg_replace("/^'[^']*'(\s+|$)/", '', $attr);1219 $mode = 0; 1220 $attr = preg_replace( "/^'[^']*'(\s+|$)/", '', $attr ); 991 1221 break; 992 1222 } 993 1223 994 if ( preg_match("%^([^\s\"']+)(\s+|/?$)%", $attr, $match))1224 if ( preg_match( "%^([^\s\"']+)(\s+|/?$)%", $attr, $match ) ) { 995 1225 // value 996 {997 1226 $thisval = $match[1]; 998 if ( in_array(strtolower($attrname), $uris) ) 999 $thisval = wp_kses_bad_protocol($thisval, $allowed_protocols); 1000 1001 if(false === array_key_exists($attrname, $attrarr)) { 1002 $attrarr[$attrname] = array ('name' => $attrname, 'value' => $thisval, 'whole' => "$attrname=\"$thisval\"", 'vless' => 'n'); 1227 if ( in_array( strtolower( $attrname ), $uris ) ) { 1228 $thisval = wp_kses_bad_protocol( $thisval, $allowed_protocols ); 1229 } 1230 1231 if ( false === array_key_exists( $attrname, $attrarr ) ) { 1232 $attrarr[ $attrname ] = array( 1233 'name' => $attrname, 1234 'value' => $thisval, 1235 'whole' => "$attrname=\"$thisval\"", 1236 'vless' => 'n', 1237 ); 1003 1238 } 1004 1239 // We add quotes to conform to W3C's HTML spec. 
1005 1240 $working = 1; 1006 $mode = 0;1007 $attr = preg_replace("%^[^\s\"']+(\s+|$)%", '', $attr);1241 $mode = 0; 1242 $attr = preg_replace( "%^[^\s\"']+(\s+|$)%", '', $attr ); 1008 1243 } 1009 1244 … … 1011 1246 } // switch 1012 1247 1013 if ($working == 0) // not well formed, remove and try again 1014 { 1015 $attr = wp_kses_html_error($attr); 1248 if ( $working == 0 ) { // not well formed, remove and try again 1249 $attr = wp_kses_html_error( $attr ); 1016 1250 $mode = 0; 1017 1251 } 1018 1252 } // while 1019 1253 1020 if ( $mode == 1 && false === array_key_exists($attrname, $attrarr))1254 if ( $mode == 1 && false === array_key_exists( $attrname, $attrarr ) ) { 1021 1255 // special case, for when the attribute list ends with a valueless 1022 1256 // attribute like "selected" 1023 $attrarr[$attrname] = array ('name' => $attrname, 'value' => '', 'whole' => $attrname, 'vless' => 'y'); 1257 $attrarr[ $attrname ] = array( 1258 'name' => $attrname, 1259 'value' => '', 1260 'whole' => $attrname, 1261 'vless' => 'y', 1262 ); 1263 } 1024 1264 1025 1265 return $attrarr; … … 1039 1279 */ 1040 1280 function wp_kses_attr_parse( $element ) { 1041 $valid = preg_match( '%^(<\s*)(/\s*)?([a-zA-Z0-9]+\s*)([^>]*)(>?)$%', $element, $matches);1281 $valid = preg_match( '%^(<\s*)(/\s*)?([a-zA-Z0-9]+\s*)([^>]*)(>?)$%', $element, $matches ); 1042 1282 if ( 1 !== $valid ) { 1043 1283 return false; 1044 1284 } 1045 1285 1046 $begin =$matches[1];1047 $slash =$matches[2];1286 $begin = $matches[1]; 1287 $slash = $matches[2]; 1048 1288 $elname = $matches[3]; 1049 $attr =$matches[4];1050 $end =$matches[5];1289 $attr = $matches[4]; 1290 $end = $matches[5]; 1051 1291 1052 1292 if ( '' !== $slash ) { … … 1058 1298 if ( 1 === preg_match( '%\s*/\s*$%', $attr, $matches ) ) { 1059 1299 $xhtml_slash = $matches[0]; 1060 $attr = substr( $attr, 0, -strlen( $xhtml_slash ) );1300 $attr = substr( $attr, 0, -strlen( $xhtml_slash ) ); 1061 1301 } else { 1062 1302 $xhtml_slash = ''; 1063 1303 } 1064 1304 1065 
1305 // Split it 1066 1306 $attrarr = wp_kses_hair_parse( $attr ); … … 1072 1312 array_unshift( $attrarr, $begin . $slash . $elname ); 1073 1313 array_push( $attrarr, $xhtml_slash . $end ); 1074 1314 1075 1315 return $attrarr; 1076 1316 } … … 1145 1385 * @return bool Whether check passes 1146 1386 */ 1147 function wp_kses_check_attr_val( $value, $vless, $checkname, $checkvalue) {1387 function wp_kses_check_attr_val( $value, $vless, $checkname, $checkvalue ) { 1148 1388 $ok = true; 1149 1389 1150 switch ( strtolower($checkname)) {1151 case 'maxlen' 1390 switch ( strtolower( $checkname ) ) { 1391 case 'maxlen': 1152 1392 // The maxlen check makes sure that the attribute value has a length not 1153 1393 // greater than the given value. This can be used to avoid Buffer Overflows 1154 1394 // in WWW clients and various Internet servers. 1155 1395 1156 if ( strlen($value) > $checkvalue)1396 if ( strlen( $value ) > $checkvalue ) { 1157 1397 $ok = false; 1398 } 1158 1399 break; 1159 1400 1160 case 'minlen' 1401 case 'minlen': 1161 1402 // The minlen check makes sure that the attribute value has a length not 1162 1403 // smaller than the given value. 1163 1404 1164 if ( strlen($value) < $checkvalue)1405 if ( strlen( $value ) < $checkvalue ) { 1165 1406 $ok = false; 1407 } 1166 1408 break; 1167 1409 1168 case 'maxval' 1410 case 'maxval': 1169 1411 // The maxval check does two things: it checks that the attribute value is 1170 1412 // an integer from 0 and up, without an excessive amount of zeroes or … … 1173 1415 // This check can be used to avoid Denial of Service attacks. 1174 1416 1175 if ( !preg_match('/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value))1417 if ( ! 
preg_match( '/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value ) ) { 1176 1418 $ok = false; 1177 if ($value > $checkvalue) 1419 } 1420 if ( $value > $checkvalue ) { 1178 1421 $ok = false; 1422 } 1179 1423 break; 1180 1424 1181 case 'minval' 1425 case 'minval': 1182 1426 // The minval check makes sure that the attribute value is a positive integer, 1183 1427 // and that it is not smaller than the given value. 1184 1428 1185 if ( !preg_match('/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value))1429 if ( ! preg_match( '/^\s{0,6}[0-9]{1,6}\s{0,6}$/', $value ) ) { 1186 1430 $ok = false; 1187 if ($value < $checkvalue) 1431 } 1432 if ( $value < $checkvalue ) { 1188 1433 $ok = false; 1434 } 1189 1435 break; 1190 1436 1191 case 'valueless' 1437 case 'valueless': 1192 1438 // The valueless check makes sure if the attribute has a value 1193 1439 // (like <a href="blah">) or not (<option selected>). If the given value … … 1195 1441 // If the given value is an "n" or an "N", the attribute must have one. 1196 1442 1197 if ( strtolower($checkvalue) != $vless)1443 if ( strtolower( $checkvalue ) != $vless ) { 1198 1444 $ok = false; 1445 } 1199 1446 break; 1200 1447 } // switch … … 1217 1464 * @return string Filtered content 1218 1465 */ 1219 function wp_kses_bad_protocol( $string, $allowed_protocols) {1220 $string = wp_kses_no_null($string);1466 function wp_kses_bad_protocol( $string, $allowed_protocols ) { 1467 $string = wp_kses_no_null( $string ); 1221 1468 $iterations = 0; 1222 1469 1223 1470 do { 1224 1471 $original_string = $string; 1225 $string = wp_kses_bad_protocol_once($string, $allowed_protocols);1472 $string = wp_kses_bad_protocol_once( $string, $allowed_protocols ); 1226 1473 } while ( $original_string != $string && ++$iterations < 6 ); 1227 1474 1228 if ( $original_string != $string ) 1475 if ( $original_string != $string ) { 1229 1476 return ''; 1477 } 1230 1478 1231 1479 return $string; … … 1268 1516 * @return string Fixed string with quoted slashes 1269 1517 */ 1270 function 
wp_kses_stripslashes( $string) {1271 return preg_replace( '%\\\\"%', '"', $string);1518 function wp_kses_stripslashes( $string ) { 1519 return preg_replace( '%\\\\"%', '"', $string ); 1272 1520 } 1273 1521 … … 1280 1528 * @return array Fixed array with all lowercase keys 1281 1529 */ 1282 function wp_kses_array_lc( $inarray) {1283 $outarray = array 1284 1285 foreach ( (array) $inarray as $inkey => $inval ) {1286 $outkey = strtolower($inkey);1287 $outarray[ $outkey] = array();1288 1289 foreach ( (array) $inval as $inkey2 => $inval2 ) {1290 $outkey2 = strtolower($inkey2);1291 $outarray[ $outkey][$outkey2] = $inval2;1530 function wp_kses_array_lc( $inarray ) { 1531 $outarray = array(); 1532 1533 foreach ( (array) $inarray as $inkey => $inval ) { 1534 $outkey = strtolower( $inkey ); 1535 $outarray[ $outkey ] = array(); 1536 1537 foreach ( (array) $inval as $inkey2 => $inval2 ) { 1538 $outkey2 = strtolower( $inkey2 ); 1539 $outarray[ $outkey ][ $outkey2 ] = $inval2; 1292 1540 } // foreach $inval 1293 1541 } // foreach $inarray … … 1307 1555 * @return string 1308 1556 */ 1309 function wp_kses_html_error( $string) {1310 return preg_replace( '/^("[^"]*("|$)|\'[^\']*(\'|$)|\S)*\s*/', '', $string);1557 function wp_kses_html_error( $string ) { 1558 return preg_replace( '/^("[^"]*("|$)|\'[^\']*(\'|$)|\S)*\s*/', '', $string ); 1311 1559 } 1312 1560 … … 1323 1571 * @return string Sanitized content 1324 1572 */ 1325 function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) {1573 function wp_kses_bad_protocol_once( $string, $allowed_protocols, $count = 1 ) { 1326 1574 $string2 = preg_split( '/:|�*58;|�*3a;/i', $string, 2 ); 1327 if ( isset( $string2[1]) && ! preg_match('%/\?%', $string2[0]) ) {1328 $string = trim( $string2[1] );1575 if ( isset( $string2[1] ) && ! 
preg_match( '%/\?%', $string2[0] ) ) { 1576 $string = trim( $string2[1] ); 1329 1577 $protocol = wp_kses_bad_protocol_once2( $string2[0], $allowed_protocols ); 1330 1578 if ( 'feed:' == $protocol ) { 1331 if ( $count > 2 ) 1579 if ( $count > 2 ) { 1332 1580 return ''; 1581 } 1333 1582 $string = wp_kses_bad_protocol_once( $string, $allowed_protocols, ++$count ); 1334 if ( empty( $string ) ) 1583 if ( empty( $string ) ) { 1335 1584 return $string; 1585 } 1336 1586 } 1337 1587 $string = $protocol . $string; … … 1355 1605 */ 1356 1606 function wp_kses_bad_protocol_once2( $string, $allowed_protocols ) { 1357 $string2 = wp_kses_decode_entities( $string);1358 $string2 = preg_replace( '/\s/', '', $string2);1359 $string2 = wp_kses_no_null( $string2);1360 $string2 = strtolower( $string2);1607 $string2 = wp_kses_decode_entities( $string ); 1608 $string2 = preg_replace( '/\s/', '', $string2 ); 1609 $string2 = wp_kses_no_null( $string2 ); 1610 $string2 = strtolower( $string2 ); 1361 1611 1362 1612 $allowed = false; 1363 foreach ( (array) $allowed_protocols as $one_protocol ) 1364 if ( strtolower( $one_protocol) == $string2 ) {1613 foreach ( (array) $allowed_protocols as $one_protocol ) { 1614 if ( strtolower( $one_protocol ) == $string2 ) { 1365 1615 $allowed = true; 1366 1616 break; 1367 1617 } 1368 1369 if ($allowed) 1618 } 1619 1620 if ( $allowed ) { 1370 1621 return "$string2:"; 1371 else1622 } else { 1372 1623 return ''; 1624 } 1373 1625 } 1374 1626 … … 1384 1636 * @return string Content with normalized entities 1385 1637 */ 1386 function wp_kses_normalize_entities( $string) {1638 function wp_kses_normalize_entities( $string ) { 1387 1639 // Disarm all entities by converting & to & 1388 $string = str_replace( '&', '&', $string);1640 $string = str_replace( '&', '&', $string ); 1389 1641 1390 1642 // Change back the allowed entities in our entity whitelist 1391 $string = preg_replace_callback( '/&([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $string);1392 $string = 
preg_replace_callback( '/&#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $string);1393 $string = preg_replace_callback( '/&#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $string);1643 $string = preg_replace_callback( '/&([A-Za-z]{2,8}[0-9]{0,2});/', 'wp_kses_named_entities', $string ); 1644 $string = preg_replace_callback( '/&#(0*[0-9]{1,7});/', 'wp_kses_normalize_entities2', $string ); 1645 $string = preg_replace_callback( '/&#[Xx](0*[0-9A-Fa-f]{1,6});/', 'wp_kses_normalize_entities3', $string ); 1394 1646 1395 1647 return $string; … … 1409 1661 * @return string Correctly encoded entity 1410 1662 */ 1411 function wp_kses_named_entities( $matches) {1663 function wp_kses_named_entities( $matches ) { 1412 1664 global $allowedentitynames; 1413 1665 1414 if ( empty( $matches[1]) )1666 if ( empty( $matches[1] ) ) { 1415 1667 return ''; 1668 } 1416 1669 1417 1670 $i = $matches[1]; … … 1431 1684 * @return string Correctly encoded entity 1432 1685 */ 1433 function wp_kses_normalize_entities2( $matches) {1434 if ( empty( $matches[1]) )1686 function wp_kses_normalize_entities2( $matches ) { 1687 if ( empty( $matches[1] ) ) { 1435 1688 return ''; 1689 } 1436 1690 1437 1691 $i = $matches[1]; 1438 if ( valid_unicode($i)) {1439 $i = str_pad( ltrim($i,'0'), 3, '0', STR_PAD_LEFT);1692 if ( valid_unicode( $i ) ) { 1693 $i = str_pad( ltrim( $i, '0' ), 3, '0', STR_PAD_LEFT ); 1440 1694 $i = "&#$i;"; 1441 1695 } else { … … 1458 1712 * @return string Correctly encoded entity 1459 1713 */ 1460 function wp_kses_normalize_entities3( $matches) {1461 if ( empty( $matches[1]) )1714 function wp_kses_normalize_entities3( $matches ) { 1715 if ( empty( $matches[1] ) ) { 1462 1716 return ''; 1717 } 1463 1718 1464 1719 $hexchars = $matches[1]; 1465 return ( ! valid_unicode( hexdec( $hexchars ) ) ) ? "&#x$hexchars;" : '&#x' .ltrim($hexchars,'0').';';1720 return ( ! valid_unicode( hexdec( $hexchars ) ) ) ? "&#x$hexchars;" : '&#x' . ltrim( $hexchars, '0' ) . 
';'; 1466 1721 } 1467 1722 … … 1474 1729 * @return bool True if the value was a valid Unicode number 1475 1730 */ 1476 function valid_unicode( $i) {1731 function valid_unicode( $i ) { 1477 1732 return ( $i == 0x9 || $i == 0xa || $i == 0xd || 1478 ( $i >= 0x20 && $i <= 0xd7ff) ||1479 ( $i >= 0xe000 && $i <= 0xfffd) ||1480 ( $i >= 0x10000 && $i <= 0x10ffff) );1733 ( $i >= 0x20 && $i <= 0xd7ff ) || 1734 ( $i >= 0xe000 && $i <= 0xfffd ) || 1735 ( $i >= 0x10000 && $i <= 0x10ffff ) ); 1481 1736 } 1482 1737 … … 1493 1748 * @return string Content after decoded entities 1494 1749 */ 1495 function wp_kses_decode_entities( $string) {1496 $string = preg_replace_callback( '/&#([0-9]+);/', '_wp_kses_decode_entities_chr', $string);1497 $string = preg_replace_callback( '/&#[Xx]([0-9A-Fa-f]+);/', '_wp_kses_decode_entities_chr_hexdec', $string);1750 function wp_kses_decode_entities( $string ) { 1751 $string = preg_replace_callback( '/&#([0-9]+);/', '_wp_kses_decode_entities_chr', $string ); 1752 $string = preg_replace_callback( '/&#[Xx]([0-9A-Fa-f]+);/', '_wp_kses_decode_entities_chr_hexdec', $string ); 1498 1753 1499 1754 return $string; … … 1618 1873 function kses_init_filters() { 1619 1874 // Normal filtering 1620 add_filter( 'title_save_pre', 'wp_filter_kses');1875 add_filter( 'title_save_pre', 'wp_filter_kses' ); 1621 1876 1622 1877 // Comment filtering 1623 if ( current_user_can( 'unfiltered_html' ) ) 1878 if ( current_user_can( 'unfiltered_html' ) ) { 1624 1879 add_filter( 'pre_comment_content', 'wp_filter_post_kses' ); 1625 else1880 } else { 1626 1881 add_filter( 'pre_comment_content', 'wp_filter_kses' ); 1882 } 1627 1883 1628 1884 // Post filtering 1629 add_filter( 'content_save_pre', 'wp_filter_post_kses');1630 add_filter( 'excerpt_save_pre', 'wp_filter_post_kses');1631 add_filter( 'content_filtered_save_pre', 'wp_filter_post_kses');1885 add_filter( 'content_save_pre', 'wp_filter_post_kses' ); 1886 add_filter( 'excerpt_save_pre', 'wp_filter_post_kses' ); 1887 add_filter( 
'content_filtered_save_pre', 'wp_filter_post_kses' ); 1632 1888 } 1633 1889 … … 1646 1902 function kses_remove_filters() { 1647 1903 // Normal filtering 1648 remove_filter( 'title_save_pre', 'wp_filter_kses');1904 remove_filter( 'title_save_pre', 'wp_filter_kses' ); 1649 1905 1650 1906 // Comment filtering … … 1653 1909 1654 1910 // Post filtering 1655 remove_filter( 'content_save_pre', 'wp_filter_post_kses');1656 remove_filter( 'excerpt_save_pre', 'wp_filter_post_kses');1657 remove_filter( 'content_filtered_save_pre', 'wp_filter_post_kses');1911 remove_filter( 'content_save_pre', 'wp_filter_post_kses' ); 1912 remove_filter( 'excerpt_save_pre', 'wp_filter_post_kses' ); 1913 remove_filter( 'content_filtered_save_pre', 'wp_filter_post_kses' ); 1658 1914 } 1659 1915 … … 1689 1945 */ 1690 1946 function safecss_filter_attr( $css, $deprecated = '' ) { 1691 if ( ! empty( $deprecated ) )1947 if ( ! empty( $deprecated ) ) { 1692 1948 _deprecated_argument( __FUNCTION__, '2.8.1' ); // Never implemented 1693 1694 $css = wp_kses_no_null($css); 1695 $css = str_replace(array("\n","\r","\t"), '', $css); 1696 1697 if ( preg_match( '%[\\\\(&=}]|/\*%', $css ) ) // remove any inline css containing \ ( & } = or comments 1949 } 1950 1951 $css = wp_kses_no_null( $css ); 1952 $css = str_replace( array( "\n", "\r", "\t" ), '', $css ); 1953 1954 if ( preg_match( '%[\\\\(&=}]|/\*%', $css ) ) { // remove any inline css containing \ ( & } = or comments 1698 1955 return ''; 1956 } 1699 1957 1700 1958 $css_array = explode( ';', trim( $css ) ); … … 1709 1967 * @param array $attr List of allowed CSS attributes. 
1710 1968 */ 1711 $allowed_attr = apply_filters( 'safe_style_css', array( 1712 'background', 1713 'background-color', 1714 1715 'border', 1716 'border-width', 1717 'border-color', 1718 'border-style', 1719 'border-right', 1720 'border-right-color', 1721 'border-right-style', 1722 'border-right-width', 1723 'border-bottom', 1724 'border-bottom-color', 1725 'border-bottom-style', 1726 'border-bottom-width', 1727 'border-left', 1728 'border-left-color', 1729 'border-left-style', 1730 'border-left-width', 1731 'border-top', 1732 'border-top-color', 1733 'border-top-style', 1734 'border-top-width', 1735 1736 'border-spacing', 1737 'border-collapse', 1738 'caption-side', 1739 1740 'color', 1741 'font', 1742 'font-family', 1743 'font-size', 1744 'font-style', 1745 'font-variant', 1746 'font-weight', 1747 'letter-spacing', 1748 'line-height', 1749 'text-decoration', 1750 'text-indent', 1751 'text-align', 1752 1753 'height', 1754 'min-height', 1755 'max-height', 1756 1757 'width', 1758 'min-width', 1759 'max-width', 1760 1761 'margin', 1762 'margin-right', 1763 'margin-bottom', 1764 'margin-left', 1765 'margin-top', 1766 1767 'padding', 1768 'padding-right', 1769 'padding-bottom', 1770 'padding-left', 1771 'padding-top', 1772 1773 'clear', 1774 'cursor', 1775 'direction', 1776 'float', 1777 'overflow', 1778 'vertical-align', 1779 'list-style-type', 1780 ) ); 1781 1782 if ( empty($allowed_attr) ) 1969 $allowed_attr = apply_filters( 1970 'safe_style_css', array( 1971 'background', 1972 'background-color', 1973 1974 'border', 1975 'border-width', 1976 'border-color', 1977 'border-style', 1978 'border-right', 1979 'border-right-color', 1980 'border-right-style', 1981 'border-right-width', 1982 'border-bottom', 1983 'border-bottom-color', 1984 'border-bottom-style', 1985 'border-bottom-width', 1986 'border-left', 1987 'border-left-color', 1988 'border-left-style', 1989 'border-left-width', 1990 'border-top', 1991 'border-top-color', 1992 'border-top-style', 1993 
'border-top-width', 1994 1995 'border-spacing', 1996 'border-collapse', 1997 'caption-side', 1998 1999 'color', 2000 'font', 2001 'font-family', 2002 'font-size', 2003 'font-style', 2004 'font-variant', 2005 'font-weight', 2006 'letter-spacing', 2007 'line-height', 2008 'text-decoration', 2009 'text-indent', 2010 'text-align', 2011 2012 'height', 2013 'min-height', 2014 'max-height', 2015 2016 'width', 2017 'min-width', 2018 'max-width', 2019 2020 'margin', 2021 'margin-right', 2022 'margin-bottom', 2023 'margin-left', 2024 'margin-top', 2025 2026 'padding', 2027 'padding-right', 2028 'padding-bottom', 2029 'padding-left', 2030 'padding-top', 2031 2032 'clear', 2033 'cursor', 2034 'direction', 2035 'float', 2036 'overflow', 2037 'vertical-align', 2038 'list-style-type', 2039 ) 2040 ); 2041 2042 if ( empty( $allowed_attr ) ) { 1783 2043 return $css; 2044 } 1784 2045 1785 2046 $css = ''; 1786 2047 foreach ( $css_array as $css_item ) { 1787 if ( $css_item == '' ) 2048 if ( $css_item == '' ) { 1788 2049 continue; 2050 } 1789 2051 $css_item = trim( $css_item ); 1790 $found = false;2052 $found = false; 1791 2053 if ( strpos( $css_item, ':' ) === false ) { 1792 2054 $found = true; 1793 2055 } else { 1794 2056 $parts = explode( ':', $css_item ); 1795 if ( in_array( trim( $parts[0] ), $allowed_attr ) ) 2057 if ( in_array( trim( $parts[0] ), $allowed_attr ) ) { 1796 2058 $found = true; 2059 } 1797 2060 } 1798 2061 if ( $found ) { 1799 if ( $css != '' )2062 if ( $css != '' ) { 1800 2063 $css .= ';'; 2064 } 1801 2065 $css .= $css_item; 1802 2066 } … … 1818 2082 $global_attributes = array( 1819 2083 'class' => true, 1820 'id' => true,2084 'id' => true, 1821 2085 'style' => true, 1822 2086 'title' => true, 1823 'role' => true,2087 'role' => true, 1824 2088 ); 1825 2089 1826 if ( true === $value ) 2090 if ( true === $value ) { 1827 2091 $value = array(); 1828 1829 if ( is_array( $value ) ) 2092 } 2093 2094 if ( is_array( $value ) ) { 1830 2095 return array_merge( $value, 
$global_attributes ); 2096 } 1831 2097 1832 2098 return $value;