Changeset 44156 for trunk/src/wp-includes/kses.php

Timestamp:

12/14/2018 03:27:55 AM (7 years ago)

Author:

pento

Message:

KSES: Allow the download attribute on <a> tags.

To avoid this being a vector for bypassing the filetypes that are allowed to be uploaded, this attribute is only allowed to be added without a value.

Merges [43813] from the 5.0 branch to trunk.

Props kalpshit, arshidkv12, welcher, peterwilsoncc, marina_wp, pento.
Fixes #44724.

Location:

trunk

Files:

• . (modified) (1 prop)
• src/wp-includes/kses.php (modified) (1 diff)

trunk/src/wp-includes/kses.php

@@ -62 +62 @@
         'address'    => array(),
         'a'          => array(
-            'href'   => true,
-            'rel'    => true,
-            'rev'    => true,
-            'name'   => true,
-            'target' => true,
+            'href'     => true,
+            'rel'      => true,
+            'rev'      => true,
+            'name'     => true,
+            'target'   => true,
+            'download' => array(
+                'valueless' => 'y',
+            ),
         ),
         'abbr'       => array(),