Changeset 44013


Timestamp:
12/12/2018 11:51:06 PM (11 months ago)
Author:
pento
Message:

KSES: Conditionally remove the <form> element from $allowedposttags.

To avoid backwards compatibility issues, <form> is re-added if a custom filter has added the <input> or <select> elements to $allowedposttags.

Merges [43994] to the 4.1 branch.

Location:
branches/4.1
Files:
2 edited

  • branches/4.1

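--- a/branches/4.1/src/wp-includes/kses.php
+++ b/branches/4.1/src/wp-includes/kses.php
@@ -180,13 +180,4 @@
             'lang' => true,
             'xml:lang' => true,
-        ),
-        'form' => array(
-            'action' => true,
-            'accept' => true,
-            'accept-charset' => true,
-            'enctype' => true,
-            'method' => true,
-            'name' => true,
-            'target' => true,
         ),
         'h1' => array(
@@ -608,4 +599,5 @@
  *
  * @since 3.5.0
+ * @since 5.0.1 `form` removed as allowable HTML tag.
  *
  * @param string $context The context for which to retrieve tags. Allowed values are
@@ -632,6 +624,25 @@
         case 'post':
             /** This filter is documented in wp-includes/kses.php */
-            return apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
-            break;
+            $tags = apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
+
+            // 5.0.1 removed the `<form>` tag, allow it if a filter is allowing it's sub-elements `<input>` or `<select>`.
+            if ( ! CUSTOM_TAGS && ! isset( $tags['form'] ) && ( isset( $tags['input'] ) || isset( $tags['select'] ) ) ) {
+                $tags = $allowedposttags;
+
+                $tags['form'] = array(
+                    'action' => true,
+                    'accept' => true,
+                    'accept-charset' => true,
+                    'enctype' => true,
+                    'method' => true,
+                    'name' => true,
+                    'target' => true,
+                );
+
+                /** This filter is documented in wp-includes/kses.php */
+                $tags = apply_filters( 'wp_kses_allowed_html', $tags, $context );
+            }
+
+            return $tags;
         case 'user_description':
         case 'pre_user_description':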
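Review bot: The fallback in the `case 'post':` branch puts `<form>` back (with `action`, `method` and `target`) whenever any `wp_kses_allowed_html` callback has added `<input>` or `<select>`, so on those sites the hardening from this changeset does not take effect, and nothing in the code says so. The fallback also restarts from `$allowedposttags` and applies the filter a second time, so every callback runs twice per call, and a callback that wants `<form>` stripped has to unset it explicitly. I would state both in the inline comment, e.g. `// Re-runs all 'wp_kses_allowed_html' callbacks with <form> present; a callback that allows <input>/<select> but not <form> must unset( $tags['form'] ).`, and correct `it's` to `its` in the existing comment. The enclosing function starts and ends outside the visible hunks, so how the other contexts handle the filter cannot be checked from here.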