
Changeset 44018


Timestamp:
12/13/2018 12:01:21 AM (6 years ago)
Author:
pento
Message:

KSES: Conditionally remove the <form> element from $allowedposttags.

To avoid backwards compatibility issues, <form> is re-added if a custom filter has added the <input> or <select> elements to $allowedposttags.

Merges [43994] to the 3.8 branch.

Location:
branches/3.8
Files:
2 edited


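--- a/branches/3.8/src/wp-includes/kses.php
+++ b/branches/3.8/src/wp-includes/kses.php
@@ -159,13 +159,4 @@
 			'lang' => true,
 			'xml:lang' => true,
-		),
-		'form' => array(
-			'action' => true,
-			'accept' => true,
-			'accept-charset' => true,
-			'enctype' => true,
-			'method' => true,
-			'name' => true,
-			'target' => true,
 		),
 		'h1' => array(
@@ -567,4 +558,5 @@
  *
  * @since 3.5.0
+ * @since 5.0.1 `form` removed as allowable HTML tag.
  *
  * @param string $context The context for which to retrieve tags. Allowed values are
@@ -580,5 +572,25 @@
 	switch ( $context ) {
 		case 'post':
-			return apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
+			$tags = apply_filters( 'wp_kses_allowed_html', $allowedposttags, $context );
+
+			// 5.0.1 removed the `<form>` tag, allow it if a filter is allowing it's sub-elements `<input>` or `<select>`.
+			if ( ! CUSTOM_TAGS && ! isset( $tags['form'] ) && ( isset( $tags['input'] ) || isset( $tags['select'] ) ) ) {
+				$tags = $allowedposttags;
+
+				$tags['form'] = array(
+					'action' => true,
+					'accept' => true,
+					'accept-charset' => true,
+					'enctype' => true,
+					'method' => true,
+					'name' => true,
+					'target' => true,
+				);
+
+				/** This filter is documented in wp-includes/kses.php */
+				$tags = apply_filters( 'wp_kses_allowed_html', $tags, $context );
+			}
+
+			return $tags;
 			break;
 		case 'user_description':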
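Review bot: The compatibility branch in the `'post'` case discards the first filtered result (`$tags = $allowedposttags;`) and invokes `wp_kses_allowed_html` a second time on a fresh copy that now carries the full `form` entry, so every callback on that filter runs twice for this context and anything it computed in the first pass other than adding `input`/`select` is recomputed, which a callback with side effects or non-idempotent array mutation will not expect. Since this fallback silently widens the allowlist back to the pre-5.0.1 shape (including `action`) whenever any plugin allows `input` or `select`, the behaviour deserves a note in the function docblock next to the new `@since 5.0.1` line, e.g. `@since 5.0.1 `form` removed as allowable HTML tag; re-added for the 'post' context when a filter allows `input` or `select`, and the filter is then applied a second time.` The inline comment also has a typo: `it's` should be `its`. The `switch` continues past the end of the hunk, so the remaining cases were not reviewed.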