Changeset 44136
- Timestamp:
- 12/14/2018 01:40:50 AM (6 years ago)
- Location:
- trunk
- Files:
-
- 4 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk
- Property svn:mergeinfo changed
/branches/5.0 merged: 43781
- Property svn:mergeinfo changed
-
trunk/src/wp-includes/kses.php
r43984 r44136 1986 1986 $css = str_replace( array( "\n", "\r", "\t" ), '', $css ); 1987 1987 1988 if ( preg_match( '%[\\\\(&=}]|/\*%', $css ) ) { // remove any inline css containing \ ( & } = or comments 1989 return ''; 1990 } 1988 $allowed_protocols = wp_allowed_protocols(); 1991 1989 1992 1990 $css_array = explode( ';', trim( $css ) ); … … 1999 1997 * @since 4.6.0 Added support for `list-style-type`. 2000 1998 * @since 5.0.0 Added support for `text-transform`. 1999 * @since 5.0.0 Added support for `background-image`. 2001 2000 * 2002 2001 * @param string[] $attr Array of allowed CSS attributes. … … 2007 2006 'background', 2008 2007 'background-color', 2008 'background-image', 2009 2009 2010 2010 'border', … … 2077 2077 ); 2078 2078 2079 /* 2080 * CSS attributes that accept URL data types. 2081 * 2082 * This is in accordance to the CSS spec and unrelated to 2083 * the sub-set of supported attributes above. 2084 * 2085 * See: https://developer.mozilla.org/en-US/docs/Web/CSS/url 2086 */ 2087 $css_url_data_types = array( 2088 'background', 2089 'background-image', 2090 2091 'cursor', 2092 2093 'list-style', 2094 'list-style-image', 2095 ); 2096 2079 2097 if ( empty( $allowed_attr ) ) { 2080 2098 return $css; … … 2086 2104 continue; 2087 2105 } 2088 $css_item = trim( $css_item ); 2089 $found = false; 2106 2107 $css_item = trim( $css_item ); 2108 $css_test_string = $css_item; 2109 $found = false; 2110 $url_attr = false; 2111 2090 2112 if ( strpos( $css_item, ':' ) === false ) { 2091 2113 $found = true; 2092 2114 } else { 2093 $parts = explode( ':', $css_item ); 2094 if ( in_array( trim( $parts[0] ), $allowed_attr ) ) { 2095 $found = true; 2115 $parts = explode( ':', $css_item, 2 ); 2116 $css_selector = trim( $parts[0] ); 2117 2118 if ( in_array( $css_selector, $allowed_attr, true ) ) { 2119 $found = true; 2120 $url_attr = in_array( $css_selector, $css_url_data_types, true ); 2096 2121 } 2097 2122 } 2098 if ( $found ) { 2123 2124 if ( $found && $url_attr ) { 2125 // Simplified: matches the sequence `url(*)`. 2126 preg_match_all( '/url\([^)]+\)/', $parts[1], $url_matches ); 2127 2128 foreach ( $url_matches[0] as $url_match ) { 2129 // Clean up the URL from each of the matches above. 2130 preg_match( '/^url\(\s*([\'\"]?)(.*)(\g1)\s*\)$/', $url_match, $url_pieces ); 2131 2132 if ( empty( $url_pieces[2] ) ) { 2133 $found = false; 2134 break; 2135 } 2136 2137 $url = trim( $url_pieces[2] ); 2138 2139 if ( empty( $url ) || $url !== wp_kses_bad_protocol( $url, $allowed_protocols ) ) { 2140 $found = false; 2141 break; 2142 } else { 2143 // Remove the whole `url(*)` bit that was matched above from the CSS. 2144 $css_test_string = str_replace( $url_match, '', $css_test_string ); 2145 } 2146 } 2147 } 2148 2149 // Remove any CSS containing containing \ ( & } = or comments, except for url() useage checked above. 2150 if ( $found && ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string ) ) { 2099 2151 if ( $css != '' ) { 2100 2152 $css .= ';'; 2101 2153 } 2154 2102 2155 $css .= $css_item; 2103 2156 } -
trunk/tests/phpunit/tests/kses.php
r43981 r44136 819 819 'expected' => 'margin: 10px 20px;padding: 5px 10px', 820 820 ), 821 // Parenthesis ( is n't supported.821 // Parenthesis ( is supported for some attributes. 822 822 array( 823 823 'css' => 'background: green url("foo.jpg") no-repeat fixed center', 824 'expected' => ' ',824 'expected' => 'background: green url("foo.jpg") no-repeat fixed center', 825 825 ), 826 826 ); … … 921 921 ); 922 922 } 923 924 /** 925 * Test URL sanitization in the style tag. 926 * 927 * @dataProvider data_kses_style_attr_with_url 928 * 929 * @ticket 45067 930 * 931 * @param $input string The style attribute saved in the editor. 932 * @param $expected string The sanitized style attribute. 933 */ 934 function test_kses_style_attr_with_url( $input, $expected ) { 935 $actual = safecss_filter_attr( $input ); 936 937 $this->assertSame( $expected, $actual ); 938 } 939 940 /** 941 * Data provider testing style attribute sanitization. 942 * 943 * @return array Nested array of input, expected pairs. 944 */ 945 function data_kses_style_attr_with_url() { 946 return array( 947 /* 948 * Valid use cases. 949 */ 950 951 // Double quotes. 952 array( 953 'background-image: url( "http://example.com/valid.gif" );', 954 'background-image: url( "http://example.com/valid.gif" )', 955 ), 956 957 // Single quotes. 958 array( 959 "background-image: url( 'http://example.com/valid.gif' );", 960 "background-image: url( 'http://example.com/valid.gif' )", 961 ), 962 963 // No quotes. 964 array( 965 'background-image: url( http://example.com/valid.gif );', 966 'background-image: url( http://example.com/valid.gif )', 967 ), 968 969 // Single quotes, extra spaces. 970 array( 971 "background-image: url( ' http://example.com/valid.gif ' );", 972 "background-image: url( ' http://example.com/valid.gif ' )", 973 ), 974 975 // Line breaks, single quotes. 976 array( 977 "background-image: url(\n'http://example.com/valid.gif' );", 978 "background-image: url('http://example.com/valid.gif' )", 979 ), 980 981 // Tabs not spaces, single quotes. 982 array( 983 "background-image: url(\t'http://example.com/valid.gif'\t\t);", 984 "background-image: url('http://example.com/valid.gif')", 985 ), 986 987 // Single quotes, absolute path. 988 array( 989 "background: url('/valid.gif');", 990 "background: url('/valid.gif')", 991 ), 992 993 // Single quotes, relative path. 994 array( 995 "background: url('../wp-content/uploads/2018/10/valid.gif');", 996 "background: url('../wp-content/uploads/2018/10/valid.gif')", 997 ), 998 999 // Error check: valid property not containing a URL. 1000 array( 1001 'background: red', 1002 'background: red', 1003 ), 1004 1005 /* 1006 * Invalid use cases. 1007 */ 1008 1009 // Attribute doesn't support URL properties. 1010 array( 1011 'color: url( "http://example.com/invalid.gif" );', 1012 '', 1013 ), 1014 1015 // Mismatched quotes. 1016 array( 1017 'background-image: url( "http://example.com/valid.gif\' );', 1018 '', 1019 ), 1020 1021 // Bad protocol, double quotes. 1022 array( 1023 'background-image: url( "bad://example.com/invalid.gif" );', 1024 '', 1025 ), 1026 1027 // Bad protocol, single quotes. 1028 array( 1029 "background-image: url( 'bad://example.com/invalid.gif' );", 1030 '', 1031 ), 1032 1033 // Bad protocol, single quotes. 1034 array( 1035 "background-image: url( 'bad://example.com/invalid.gif' );", 1036 '', 1037 ), 1038 1039 // Bad protocol, single quotes, strange spacing. 1040 array( 1041 "background-image: url( ' \tbad://example.com/invalid.gif ' );", 1042 '', 1043 ), 1044 1045 // Bad protocol, no quotes. 1046 array( 1047 'background-image: url( bad://example.com/invalid.gif );', 1048 '', 1049 ), 1050 1051 // No URL inside url(). 1052 array( 1053 'background-image: url();', 1054 '', 1055 ), 1056 1057 // Malformed, no closing `)`. 1058 array( 1059 'background-image: url( "http://example.com" ;', 1060 '', 1061 ), 1062 1063 // Malformed, no closing `"`. 1064 array( 1065 'background-image: url( "http://example.com );', 1066 '', 1067 ), 1068 ); 1069 } 923 1070 } -
trunk/tests/phpunit/tests/shortcode.php
r43571 r44136 562 562 ), 563 563 array( 564 '<div style=" background:url([[gallery]])">',565 '<div style=" background:url([[gallery]])">',564 '<div style="selector:url([[gallery]])">', 565 '<div style="selector:url([[gallery]])">', 566 566 ), 567 567 array(
Note: See TracChangeset
for help on using the changeset viewer.