Changeset 44136 for trunk/src/wp-includes/kses.php

Timestamp:

12/14/2018 01:40:50 AM (7 years ago)

Author:

pento

Message:

KSES: Allow url() to be used in inline CSS.

The cover image block uses the url() function in its inline CSS, to show the cover image. KSES didn't allow this, causing the block to not save correctly for Author and Contributor users. As KSES does already check each attribute name against an allowed list, we're able to add an extra check for certain attributes to be able to use the url() function, too.

Merges [43781] from the 5.0 branch to core.

Props peterwilsoncc, azaozz, pento, dd32.
Fixes #45067.

Location:

trunk

Files:

• . (modified) (1 prop)
• src/wp-includes/kses.php (modified) (5 diffs)

trunk/src/wp-includes/kses.php

@@ -1986 +1986 @@
     $css = str_replace( array( "\n", "\r", "\t" ), '', $css );
 
-    if ( preg_match( '%[\\\\(&=}]|/\*%', $css ) ) { // remove any inline css containing \ ( & } = or comments
-        return '';
-    }
+    $allowed_protocols = wp_allowed_protocols();
 
     $css_array = explode( ';', trim( $css ) );
@@ -1999 +1997 @@
      * @since 4.6.0 Added support for `list-style-type`.
      * @since 5.0.0 Added support for `text-transform`.
+     * @since 5.0.0 Added support for `background-image`.
      *
      * @param string[] $attr Array of allowed CSS attributes.
@@ -2007 +2006 @@
             'background',
             'background-color',
+            'background-image',
 
             'border',
@@ -2077 +2077 @@
     );
 
+    /*
+     * CSS attributes that accept URL data types.
+     *
+     * This is in accordance to the CSS spec and unrelated to
+     * the sub-set of supported attributes above.
+     *
+     * See: https://developer.mozilla.org/en-US/docs/Web/CSS/url
+     */
+    $css_url_data_types = array(
+        'background',
+        'background-image',
+
+        'cursor',
+
+        'list-style',
+        'list-style-image',
+    );
+
     if ( empty( $allowed_attr ) ) {
         return $css;
@@ -2086 +2104 @@
             continue;
         }
-        $css_item = trim( $css_item );
-        $found    = false;
+
+        $css_item        = trim( $css_item );
+        $css_test_string = $css_item;
+        $found           = false;
+        $url_attr        = false;
+
         if ( strpos( $css_item, ':' ) === false ) {
             $found = true;
         } else {
-            $parts = explode( ':', $css_item );
-            if ( in_array( trim( $parts[0] ), $allowed_attr ) ) {
-                $found = true;
+            $parts        = explode( ':', $css_item, 2 );
+            $css_selector = trim( $parts[0] );
+
+            if ( in_array( $css_selector, $allowed_attr, true ) ) {
+                $found    = true;
+                $url_attr = in_array( $css_selector, $css_url_data_types, true );
             }
         }
-        if ( $found ) {
+
+        if ( $found && $url_attr ) {
+            // Simplified: matches the sequence `url(*)`.
+            preg_match_all( '/url\([^)]+\)/', $parts[1], $url_matches );
+
+            foreach ( $url_matches[0] as $url_match ) {
+                // Clean up the URL from each of the matches above.
+                preg_match( '/^url\(\s*([\'\"]?)(.*)(\g1)\s*\)$/', $url_match, $url_pieces );
+
+                if ( empty( $url_pieces[2] ) ) {
+                    $found = false;
+                    break;
+                }
+
+                $url = trim( $url_pieces[2] );
+
+                if ( empty( $url ) || $url !== wp_kses_bad_protocol( $url, $allowed_protocols ) ) {
+                    $found = false;
+                    break;
+                } else {
+                    // Remove the whole `url(*)` bit that was matched above from the CSS.
+                    $css_test_string = str_replace( $url_match, '', $css_test_string );
+                }
+            }
+        }
+
+        // Remove any CSS containing containing \ ( & } = or comments, except for url() useage checked above.
+        if ( $found && ! preg_match( '%[\\\(&=}]|/\*%', $css_test_string ) ) {
             if ( $css != '' ) {
                 $css .= ';';
             }
+
             $css .= $css_item;
         }