
Changeset 43813


Timestamp:
10/24/2018 01:18:38 AM (6 years ago)
Author:
pento
Message:

KSES: Allow the download attribute on <a> tags.

To avoid this being a vector for bypassing the filetypes that are allowed to be uploaded, this attribute is only allowed to be added without a value.

Props kalpshit, arshidkv12, welcher, peterwilsoncc, marina_wp, pento.
See #44724.

Location:
branches/5.0
Files:
2 edited

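--- a/branches/5.0/src/wp-includes/kses.php
+++ b/branches/5.0/src/wp-includes/kses.php
@@ -67,4 +67,7 @@
             'name' => true,
             'target' => true,
+            'download' => array(
+                'valueless' => 'y',
+            ),
         ),
         'abbr' => array(),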
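Review bot: The new `download` entry gives no hint of why it is restricted to the value-less form; that reasoning exists only in the commit message, so a later maintainer reading the allowed-tags table may "fix" it by switching it to `true`. Add a why-comment directly above the entry: `// Value-less only: a download value could be used to sidestep the allowed upload filetype checks (see #44724).` The enclosing `'a' => array(` entry starts outside the hunk.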
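--- a/branches/5.0/tests/phpunit/tests/kses.php
+++ b/branches/5.0/tests/phpunit/tests/kses.php
@@ -47,9 +47,16 @@
             'name' => 'name',
             'target' => '_blank',
+            'download' => '',
         );
 
         foreach ( $attributes as $name => $value ) {
-            $string = "<a $name='$value'>I link this</a>";
-            $expect_string = "<a $name='" . trim( $value, ';' ) . "'>I link this</a>";
+            if ( $value ) {
+                $attr = "$name='$value'";
+                $expected_attr = "$name='" . trim( $value, ';' ) . "'";
+            } else {
+                $attr = $expected_attr = $name;
+            }
+            $string = "<a $attr>I link this</a>";
+            $expect_string = "<a $expected_attr>I link this</a>";
             $this->assertEquals( $expect_string, wp_kses( $string, $allowedposttags ) );
         }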
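Review bot: The new fixture only exercises the accepted form (`download` with no value); nothing asserts that a valued `download='...'` is rejected, which is the property the `valueless` restriction exists to guarantee, so a regression that relaxed it would pass this suite. Add a separate assertion, e.g. `$this->assertEquals( '<a>I link this</a>', wp_kses( "<a download='file.txt'>I link this</a>", $allowedposttags ) );` — the expected string assumes KSES drops the disallowed attribute and keeps the tag, which should be confirmed against the current output. Minor: the `if ( $value )` branch uses truthiness, so a fixture value of `'0'` would silently take the value-less path; `if ( '' !== $value )` states the intent exactly. The enclosing test method starts outside the hunk.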