Make WordPress Core

Changeset 44016 for branches/3.9


Ignore:
Timestamp:
12/12/2018 11:57:07 PM (5 years ago)
Author:
pento
Message:

KSES: Conditionally remove the <form> element from $allowedposttags.

To avoid backwards compatibility issues, <form> is re-added if a custom filter has added the <input> or <select> elements to $allowedposttags.

Merges [43994] to the 3.9 branch.

Location:
branches/3.9
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/3.9

  • branches/3.9/src/wp-includes/kses.php

    r33386 r44016  
    160160            'lang' => true,
    161161            'xml:lang' => true,
    162         ),
    163         'form' => array(
    164             'action' => true,
    165             'accept' => true,
    166             'accept-charset' => true,
    167             'enctype' => true,
    168             'method' => true,
    169             'name' => true,
    170             'target' => true,
    171162        ),
    172163        'h1' => array(
     
    570561 *
    571562 * @since 3.5.0
     563 * @since 5.0.1 `form` removed as allowable HTML tag.
    572564 *
    573565 * @param string $context The context for which to retrieve tags. Allowed values are
     
    594586        case 'post':
    595587            /** This filter is documented in wp-includes/kses.php */
    596             return apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
    597             break;
     588            $tags = apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
     589
     590            // 5.0.1 removed the `<form>` tag, allow it if a filter is allowing it's sub-elements `<input>` or `<select>`.
     591            if ( ! CUSTOM_TAGS && ! isset( $tags['form'] ) && ( isset( $tags['input'] ) || isset( $tags['select'] ) ) ) {
     592                $tags = $allowedposttags;
     593
     594                $tags['form'] = array(
     595                    'action' => true,
     596                    'accept' => true,
     597                    'accept-charset' => true,
     598                    'enctype' => true,
     599                    'method' => true,
     600                    'name' => true,
     601                    'target' => true,
     602                );
     603
     604                /** This filter is documented in wp-includes/kses.php */
     605                $tags = apply_filters( 'wp_kses_allowed_html', $tags, $context );
     606            }
     607
     608            return $tags;
    598609        case 'user_description':
    599610        case 'pre_user_description':
Note: See TracChangeset for help on using the changeset viewer.